StopBadware and Commtouch have published an interesting report on compromised websites. The report describes how site owners learn that their sites have been hacked and how they repair the damage, and it presents interesting statistics on the issue.
The study found that in most cases, legitimate websites are compromised without the site owner becoming aware of it. Over 90% did not even notice any strange activity, despite the fact that their sites were being abused to redirect visitors to other links, send spam, host phishing pages, or distribute malware. Over 66% did not know how the hack had occurred.
Do website hackers target specific website software? Is there a particular Content Management System (CMS) that is more vulnerable than others? The answers received seem to identify WordPress (28%) as a strong favorite for cybercriminals, possibly because of its popularity and the plug-ins culture.
Other statistics of interest:
- Around 50% of the site owners discovered the hack only when they visited their own site and received a browser warning.
- 26% of site owners had no idea how to resolve the problem.
- 40% changed their opinion of their web hosting provider following a compromise.
“Cybercriminals can significantly improve their open and click-through rates by distributing badware via legitimate domains. Many site owners are either unaware of the compromise or struggle to remove the infection, which directly contributes to the persistence of, and increase in, active badware URLs,” said Amir Lev, Commtouch’s chief technology officer. The survey results highlighted several aspects of webmasters’ experience with site compromise that may prove eye-opening for the security community, said StopBadware Executive Director Maxim Weinstein.
The report includes many examples of hacked websites and provides the following basic tips to help webmasters prevent their sites from being compromised:
- Keep your CMS software and plug-ins updated.
- Use strong and different passwords and login credentials.
- Scan your PC for malware.
- Check and use appropriate file permissions on your web server.
This infographic illustrates the interesting statistics very nicely.
Download: PDF report from StopBadware.
Incidentally, I recently blogged about WebsiteDefender. If you are looking for a free online security monitoring service that helps you secure your website or blog against malware or any hacking activity, check it out!