Over 10% of Alexa TOP Million Websites Found Not Safe – Infographic Report

We scan a lot of websites per day. Through our daily work we see all sizes and types of websites compromised, blacklisted, and filled with various security issues. But, we don’t often aggregate the results to provide a public report of what we are seeing.

So last month, we decided to do just that. We decided to scan the most popular websites on the internet to see how bad, or good, they are in terms of web security.

Our testing was very simple. We chose the top 1 million sites (according to Alexa) and checked each site for these 4 issues:

  • Is the site Blacklisted? Sites were checked on Google, Norton, McAfee, ESET and Sucuri Labs.
  • Is the site infected with hidden SPAM?
  • Is the site infected with malware like drive-by-downloads, exploit kits, and similar issues?
  • Is the site running outdated software?

If the site passed those 4 tests, it would be considered safe for our testing purposes. Let’s see how the sites did.

Blacklisting results

A site generally ends up blacklisted when an engine detects something malicious on it. Being blacklisted is one of the worst things that can happen to a webmaster because it means fewer users will visit their site. If a site is blacklisted by Google, for example, anyone using Chrome or Firefox will get a big red warning page when trying to enter the site.

From the top 1,000,000 sites, 18,557 of them are currently blacklisted. That’s almost 2%.

McAfee (Siteadvisor) is the most aggressive of them all, having almost 11,000 of the sites blacklisted under their engine. They are followed by Sucuri Labs and Yandex, with almost 2,000 sites each.

What is surprising is that Google is way at the bottom, with only 357 sites currently flagged by them.

SPAM Results

SEO SPAM is one of the most common types of injection we see on compromised sites. SPAM is often very hard for website owners to detect because it doesn’t cause any short-term impact or warning. In the long term, however, webmasters will notice their PR (page ranking) decrease and their search engine results poisoned with incorrect keywords and redirects.

Not surprisingly, 4,836 (0.5%) of the sites had some type of hidden SPAM. We found anything from sneaky links, to conditional redirections.

Malware Results

Any type of injection that could harm the end user visiting the site, we classified as malware. The number of sites that were flagged was very high.

44,317 (4%) of all the sites tested had some type of malicious injection. The most popular injection was related to the Blackhole Exploit kit, covering almost 3,000 websites. That was followed by iFrame injections and conditional redirections, generally done by changes to the .htaccess file.
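For site owners who can read their own .htaccess, the conditional redirections mentioned above can be checked for directly. The following is an added example, not Sucuri's scanner or code from this report; the function name, the sample file and the `example.invalid` host are constructed for illustration, and it assumes the only request attributes worth flagging are the referrer and user agent.

```python
import re
from urllib.parse import urlparse

# Assumption: conditional redirects key on the visitor's referrer or user agent.
SUSPECT_VARS = re.compile(r"%\{HTTP_(REFERER|USER_AGENT)\}", re.I)
COND = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)

def find_conditional_redirects(htaccess_text, own_hosts):
    """Return (line_no, target, conditions) for every RewriteRule that sends
    visitors to a host outside own_hosts and is gated on referrer/user agent."""
    findings, pending = [], []
    for no, line in enumerate(htaccess_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = COND.match(line)
        if m:
            pending.append(m.group(1) + " " + m.group(2))
            continue
        m = RULE.match(line)
        if not m:
            continue
        target = m.group(2)
        # mod_rewrite issues an external redirect for absolute URLs on other hosts.
        host = urlparse(target).hostname
        gated = [c for c in pending if SUSPECT_VARS.search(c)]
        if host and host.lower() not in own_hosts and gated:
            findings.append((no, target, gated))
        pending = []  # RewriteCond lines apply only to the next RewriteRule
    return findings

# Constructed sample: one legitimate canonical-host rule, one injected block.
SAMPLE = r"""RewriteEngine On
# legitimate canonical-host redirect
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
# constructed injected block: only search-engine visitors are redirected
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteRule ^(.*)$ http://redirect.example.invalid/in.php [R=302,L]
"""

if __name__ == "__main__":
    for no, target, conds in find_conditional_redirects(
            SAMPLE, {"example.com", "www.example.com"}):
        print(f"line {no}: redirect to {target} when {conds}")
```

Because the redirect only fires for visitors arriving from a search engine, an owner who types the URL directly never sees it, which is why reading the file itself is more reliable than browsing the site.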

Running outdated software

The results of this test really scared us. 67,509, yes, 67 thousand websites out of the top 1,000,000 are running outdated software. That’s almost 7% of all of them.

The most common platform running outdated software was WordPress with 55,000 outdated sites, followed by Joomla and vBulletin.

Sucuri Outdated Software

   1789 Drupal
   5334 Joomla
   2550 Magento
    106 osCommerce
   1875 vBulletin
  55837 WordPress

Please note that we did not include outdated plugins or components in our testing. What’s really scary is that most website compromises actually happen because of vulnerable software that is not patched in time. We even released our own Cloud-based WAF to help people who cannot update their sites, in an effort to provide virtual patching for them.

Final results

The very alarming final number is that 108,781 (more than 10%) of the 1 million sites tested had some type of issue and didn’t get a healthy/safe result. The overall numbers are very close to what we reported in our 2012 Web Malware Trends Report.

Share the results

We have put together a cool infographic tallying up all the numbers. Feel free to share the numbers with your network; awareness is the key to reducing these issues:

Sucuri - TOP 1 Million Infographic

PDF Version – Sucuri Infographic


Please let us know if you have any questions below in the comments, and if you need a hand, feel free to email us at info@sucuri.net.

About Daniel Cid

Daniel is the Founder & CTO of Sucuri and also the founder of the open source project OSSEC HIDS. His interests range from intrusion detection and log analysis (log-based intrusion detection) to web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid

  • http://www.parafriv.net/ Para Friv

    This is an issue I do not really care, but also through post gave me many different knowledge.

  • http://www.minecraftjuegos.com/ Minecraft Juegos

    10% is a significant number to, and it says a lot of things. This figure but I think it will stop there.

  • rajatsharma1111

    Great news!! Can you tell me who these websites are?
    Author: Hindustan Jobs Portal