Imperva WAAR Report 2015: WordPress attacks highest of all CMSs

Security attacks on websites and blogs are higher than ever before. According to Imperva's new Web Application Attacks Report, Content Management Systems (CMSs) were attacked three times more often than other Web applications. The data security firm confirmed that WordPress has unfortunately been the victim 3.5 times more often than the others.

It comes as no surprise that WordPress is the most attacked CMS. Not only is it the most popular, but new data from W3Techs, which measures both usage and market share, reported last week that WordPress accounts for a quarter of the web. They said, “WordPress is used by 58.7% of all the websites whose content management system we know. This is 25.0% of all websites.”

As 2015 draws to a close, WordPress has taken a real beating this year, with an increase in brute-force attacks. Hackers and malware are doing a lot of damage by taking advantage of vulnerabilities in the 30,000+ plugins available for WordPress.

Imperva's report said, “CMS frameworks are mostly open source, with communities of developers continuously generating sequences of plugins and add-ons, without concerted focus towards security. This developer model constantly increases the vulnerabilities in CMS applications, especially for WordPress which is also PHP based.”

According to the report's findings, non-CMS applications were less susceptible to remote command execution (RCE) attacks than CMSs. Furthermore, the report found that WordPress is five times likelier than other CMSs to be hit by remote file inclusion (RFI) attacks.

Some of the trends discovered in Imperva's annual report continued from last year's report, such as increased SQL injection (SQLi) and cross-site scripting (XSS) attacks and more attacks on WordPress. A newcomer this year is the mega trend of Shellshock remote code execution (RCE) attacks, which scanned all web applications alike, regardless of platform.

The report said, “We conclude that the increasing availability of web attack tools and services—with computational power becoming less expensive and ubiquitous—are driving the new wave of volumetric malicious attacks. The evolution of attacks against web applications has continued with increased sophistication, magnitude, and velocity. However, there is hope thanks to the growing effectiveness of reputation-based detection mechanisms, and their ability to identify attacks by tracking previously identified malicious activity to its origins.”


4 Simple Ways to Protect your WordPress Site from Viruses, Malware and Hackers

Almost all of our clients have been targeted by a malicious attack on their WordPress site. When they first come to us, they are in utter panic, stressed and quite confused about what to do. Only after we do our job and restore their site to its former virus-free glory does color return to their faces and they begin to calm down.

It pains us to see our clients go through so much worry, when they could have avoided the disaster by taking only a few preventative steps. You can save yourself from a major fiasco if you follow the steps we've outlined below to help protect your WordPress site from viruses, malware and hacker attacks:

1. Update your site's theme & plugins

Updates for WordPress and its plugins are frequently released by their official teams. These updates contain fixes for freshly discovered security holes, closing them before they can be exploited. So make sure you regularly update your site.


2. Backup

An extremely important task in managing your site is regularly backing it up, especially before making new changes. You can use a plugin or do it manually. So if your site does unfortunately get compromised, then with the help of your backup files you can switch hosts and be back up and running in no time.


3. Change the login and password from admin

By default the username for WordPress is admin. Create a unique username which isn't obvious or easy to guess; including numbers would be good. The same goes for the password. Set a long password with a mix of upper- and lower-case letters, numbers and symbols.


4. Hide or secure wp-config.php

The wp-config.php file holds your site's most sensitive data, including the database credentials and the configuration of your website, which makes it an attractive target. You can secure it by adding the following directives to the .htaccess file in the root directory; they make the web server refuse every HTTP request for the file:

# protect wp-config.php from direct HTTP requests (Apache 2.2 access-control syntax)
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>

On Apache 2.4 the equivalent inside the <Files> block is the single directive Require all denied; the Order/Deny pair above only works there if the mod_access_compat module is loaded.

You can also move the file one directory above your WordPress install, from its default location at host/wordpress/wp-config.php to your_host/wp-config.php, for added protection. WordPress looks for wp-config.php one level above its own directory when the file is absent from the default location, so the site keeps working after the move.
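The following audit script is an added example, constructed for this article and not code from the original post: it checks a WordPress document root for the two wp-config.php protections described above (the .htaccess deny rule in either Apache 2.2 or 2.4 syntax, or the file moved one level up) and additionally verifies that the file is not world-readable. The docroot path and the permission check are assumptions of the example.

```shell
#!/bin/sh
# Added audit helper, constructed for this article (not code from the original post).
# Usage: sh wp_config_audit.sh /var/www/html    (the path is an assumed WordPress docroot)

# Succeeds if .htaccess in the docroot wraps wp-config.php in a <Files> block that refuses
# every request: Apache 2.2 "Deny from all" or Apache 2.4 "Require all denied".
htaccess_denies_wpconfig() {
    ht="$1/.htaccess"
    [ -f "$ht" ] || return 1
    # Directive names are case-insensitive, so lower-case the file first; sed then
    # prints only the lines between <Files wp-config.php> and </Files>.
    tr 'A-Z' 'a-z' < "$ht" \
        | sed -n '/<files *"*wp-config\.php"*>/,/<\/files>/p' \
        | grep -q -E 'deny from all|require all denied'
}

# Succeeds if the given file is not readable by "other" users; wp-config.php holds the
# database credentials and salts, so other accounts on the host should not read it.
file_not_world_readable() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU stat, then BSD stat
    other=${mode#"${mode%?}"}        # last octal digit = permission bits for "other"
    [ $((other & 4)) -eq 0 ]         # bit 4 is the read permission
}

# Succeeds if wp-config.php has been moved one level above the docroot, the location
# WordPress also checks when the file is absent from its own directory.
wpconfig_moved_up() {
    [ ! -f "$1/wp-config.php" ] && [ -f "$1/../wp-config.php" ]
}

# Runs the checks against one docroot, prints one line per check and returns the
# number of failed checks (0 means every protection is in place).
audit_wordpress_root() {
    root="$1"; failed=0
    if wpconfig_moved_up "$root"; then
        echo "OK    wp-config.php lives one level above the web root"; cfg="$root/../wp-config.php"
    else
        cfg="$root/wp-config.php"
        if htaccess_denies_wpconfig "$root"; then echo "OK    .htaccess denies wp-config.php"
        else echo "FAIL  .htaccess does not deny wp-config.php"; failed=$((failed + 1)); fi
    fi
    if file_not_world_readable "$cfg"; then echo "OK    $cfg is not world-readable"
    else echo "FAIL  $cfg is missing or world-readable"; failed=$((failed + 1)); fi
    return "$failed"
}

if [ "$#" -gt 0 ]; then audit_wordpress_root "$1"; fi
```

The script only inspects files on disk; confirming that the web server actually applies the .htaccess rule still requires AllowOverride to permit it in the Apache virtual host.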