Hacked Website Report – 2016/Q2

Today we’re releasing our quarterly Hacked Website Report for 2016/Q2. The data in this report is based on compromised websites we worked on, with insights and analysis performed by our Incident Response Team (IRT) and Malware Research Team (MRT).


CMS Analysis

Our analysis consisted of over 9,000 infected websites. The graphs below show a side-by-side comparison with our 2016/Q1 report.

The four open-source Content Management Systems (CMS) we focus on in our report include WordPress (78%), Joomla! (14%), Magento (5%), and Drupal (2%).

CMS hack distribution by platform - WordPress. Joomla. Magento. Drupal

We dive into specific information about out-of-date software found on websites going through our cleanup process. Some interesting datasets include that WordPress installations were out-of-date 55% of the time while Joomla! (86%), Drupal (84%), and Magento (96%) continue to lead the way with out-of-date software.

Out of Date CMS Distribution chart for Q2 2016

We briefly cover specific extensible components within the WordPress platform. As it makes up the largest sampling in our environment (78%), we place special emphasis on the top three plugin vulnerabilities contributing to 22% of WordPress site hacks.

Top 3 vulnerable WordPress plugins 2016-Q2

In this report, we also include a new telemetry dataset that shows the most popular WordPress and their distribution amongst the sample set. On average, we found that WordPress installations had 12 plugins installed at any given time.

Blacklist Analysis (New)

We introduced a new data set highlighting the number of websites that were blacklisted. We felt this was an important bit of data to include as the impacts to website owners can be devastating.

Per our data, 18% of the infected websites we analyzed were blacklisted, which means that 82% of the infected websites we worked on were not flagged. The most prominent blacklist was Google Safe Browsing with 52% of blacklisted sites. Here is a more complete distribution of the blacklist APIs we monitored:

Percent of Sites Blacklisted by Google, Norton, Yandex, and McAfee

Malware Analysis

We also focused on understanding what attackers were doing once they successfully hacked a website, specifically the payloads they were using.

Our analysis shows that SEO spam continues to be a go-to for attackers, with a 6% increase over Q1. In total, 38% of sites had some form of SEO spam injection. Backdoors continue to be one of the many post-hack actions attackers take, with 71% of the infected sites having some form of backdoor injection.

2016 Website Malware Family Distribution Trends for Q2

Hacked Website Report – TL;DR – Cliffsnotes

Some quick takeaways that you might find interesting:

  • WordPress continues to lead the infected websites we worked on (at 74%), and the top three plugins affecting that platform are still Gravity Forms, TimThumb, and RevSlider.
  • WordPress saw a 1% decrease in out-of-date core software and infected websites, while Drupal had a 3% increase. Joomla! and Magento website deployments continue to show the most out of date instances of any platform.
  • New data points show that on average, WordPress installations have 12 plugins, and the report provides a list of the most popular plugins within our set of compromised sites.
  • New data points were introduced showing what percentage of infected websites were blacklisted. Only 18% were blacklisted, and Google made up 52% of that grouping (or 10% of the total infected sites).
  • Analyzing the malware families showed that SEO spam continues to be on the rise, increasing to 38% this quarter (a 6% increase) and backdoors rose to 71% of compromised sites.


The report is available both on our site and in PDF format.

I’m especially proud of our ability to continue to share this type of information and hope you find it insightful. We will continue to expand on the data we collect and report on, but as usual, if you have recommendations let us know.

  1. When I add all the percentages in the CMS Analysis for Q1 and Q2 respectively, I get 105% (for Q1 as well as Q2). How come?

Comments are closed.

You May Also Like

Lots of sites reinfected – Now using holasionweb.com

Update2: Reply from GoDaddy: https://blog.sucuri.net/2010/05/reply-from-godaddy-regarding-latest.html Update: Code used to exploit found: https://blog.sucuri.net/2010/05/found-code-used-to-inject-malware-at.html We just got reports this morning of hundreds of sites getting reinfected at…
Read More