Sucuri’s Website Hacked Report for Q1 2016

Today, web security services company Sucuri released its Website Hacked report for the first quarter of 2016. There’s some really interested and important info in here for WordPress site owners and managers – you can get the report yourself here, but I’ll summarize some of the key findings below.

Over a third of the websites on Earth are powered by one of three CMS (content management system) platforms: WordPress, Drupal, and Joomla. Of those three CMS platforms, WordPress has a 60% market share.

This report included data from over 11,400 websites Sucuri worked on during January-March of 2016. Of those, 78% were using WordPress; Joomla was second at 14%.

Over 50% of those hacked WordPress sites were out of date.

Key point: Sucuri says that “in all instances, regardless of platform, the leading cause of infection could be traced to the exploitation of software vulnerabilities in the platform’s extensible components, not its core. Extensible components directly relate to the integration of plugins, extensions, components, modules, templates, themes and other similar integrations.”

This means that it’s not WordPress core files that are the cause of these infections, instead it’s plugins and (secondarily) themes.

Image by Sucuri from Website Hacked report Q1 2016
Image by Sucuri from Website Hacked report Q1 2016

The top three outdated plugins for WordPress, accounting for 25% of all vulnerabilities, were RevSlider, Gravity Forms and TimThumb. Each of these has had a fix available for at least a year, and sometimes for multiple years, but hadn’t been updated.

Sucuri says this shows “and reiterate(s) the challenges the community faces in making website owners aware of the issues, enabling the website owners to patch the issues, and facilitating the everyday maintenance and administration of websites by their webmasters.”

If you’d like to read more, view the complete report here.


This is one of the reasons WP Minder exists – to keep things up to date so that the risk of being hacked is reduced. WP Minder also uses Sucuri’s excellent Website Firewall (WAF) for our Small Business, Business and Premium Plans to help stop exploitation of plugin and theme vulnerabilities and keep sites from getting infected. Check out our Plans here.

Leave a Reply

Your email address will not be published. Required fields are marked *