Top 25% of hacked WP websites use these three plugins

In its latest article, Sucuri released some interesting data about the hacked websites it cleans. 25% of the WordPress websites that were hacked were using one of three (not updated) plugins: RevSlider, Gravity Forms, or TimThumb.

Another interesting fact: 78% of the hacked websites were WordPress sites. I’m confident that WordPress is as safe as any other platform, but it is just very popular (about 25% of all websites are WordPress these days: 78 million, with 50,000 new WP websites each day). Furthermore, compared with other platforms like Drupal and Magento, it is especially popular with “non-techies”, which increases the risk of lazy update management.

“In all instances, regardless of platform, the leading cause of infection could be traced to the exploitation of software vulnerabilities in the platform’s extensible components, not its core”

What this means is that the plugins are causing all issues. And I suspect that most issues were fixed in the plugin before the site was hacked. The following quote confirms this:

“All three plugins (Gravity forms, Revslider and TimThumb) had a fix available over a year, with TimThumb going back multiple years (four to be exact, circa 2011)”

Which shows us once more that continuous updating of your platform is one of the most powerful methods to increase security!

