Every developer, agency or website owner should be aware of the alarming state of website hacking statistics and cyber security statistics. Almost every software built can be “hacked” in some way and statistics will give some insight on where to point your focus to.

Cybersecurity is now an every-day issue for companies. Websites get hacked every day and some of those hacks are fatal to businesses attacked.

“Cybercrime is the greatest threat to every company in the world.” IBM’s chairman, president and CEO

In order to give you a better idea of the current website hacking statistics, we’ve compiled the must-know website hacking statistics.



Let’s dig in.

Website Hacking Statistics of 2019

A study was made that stated that there is an attack every 39 seconds on average on the web and the non-secure usernames and passwords that are being used give attackers more chance of success. (Source: Security Magazine)

An attack does not always mean something is hacked. For example, we at WebARX see thousands of attacks targeted to the websites we protect every day. These attacks are logged and monitored by our firewall system and the web application firewall on the website is to make sure the attacks won’t be successful.

Hackers steal 75 records every second. (Source: Breach Level Index)

These facts show us the average number of records stolen per second. Breaches, in general, are actually rare, but when they happen, as we have seen, there are a lot of records that get stolen all at once.

73% of black hat hackers said traditional firewall and antivirus security is irrelevant or obsolete. (Source: Thycotic.com)

This is true, but only when we talk about targeted attacks. Under a targeted attack, we mean that a hacker has specifically chosen your site and now tries to find an entry point.

The attacks that are usually targeted at websites or web applications are being implemented by using bots. This means usually that an automated tool has been told to search for a specific vulnerability or software that has a vulnerability. Hacking website with automatic tools is one of the most popular ways.

This is most often happening with WordPress sites where hackers try to exploit vulnerabilities in popular plugins. This is where you need a firewall with virtual patches to be protected.

Hackers create 300,000 new pieces of malware daily. (Source: McAfee)

Actually, only in 2017 alone, there were more than 317 million new pieces of malware – computer viruses or other malicious software created (Source: CNN). Unfortunately, we do not know the statistics of how many were created daily in 2019 yet.

On average 30,000 new websites are hacked every day. (Source: Forbes)

These 30 000 sites are usually legitimate small businesses sites, that are unwittingly distributing malware. You can read about why would anyone hack a small business website here.

Website Hacking Statistics for WordPress

WordPress is one of the main targets for hackers and it may be because it has a massive user-base. The main threat as it is seen is not WordPress itself, but the wide range of third-party plugins that are used by WordPress users.

A lot of developers or WordPress site owners have had the experience of getting their site built with WordPress hacked.

Whether WordPress makes its core more secure or not, the effectiveness of these security tactics does not apply to its plugins. It’s because WordPress allows users to extend the basic functionalities of the platform using all these different kinds of components.

The vulnerabilities most commonly found in WordPress plugins can range from the disclosure of sensitive information to SQL injection, and remote code execution.

Since WordPress is used by over 35% of all websites it is unsurprisingly also registered as the one with the highest number of vulnerabilities (542) in 2018, which is a 30% increase from 2017 (Figure 5).

According to the WordPress official site, the current number of plugins is 57,365 and the number of plugins has actually decreased since the end of 2018.

Despite the slow growth or decrease of new plugins, the number of WordPress vulnerabilities is still increasing. The explanation for this could either be the code quality of the plugins, or the fact that WordPress is such a popular CMS, which motivates more attackers to develop attack tools and try their luck in searching for security holes in the code.

A very worrisome fact about website hacking statistics and hacking websites is that 98% of WordPress vulnerabilities are related to plugins. (See Figure 7 below.)

The most popular vulnerability types in WordPress plugins are Cross-site Scripting and SQL Injection.

According to CVE Details, XSS attacks are the biggest threat to WordPress sites. The second most popular type of attack is code execution and third are different bypass vulnerabilities.

What is even the most worrisome is that in these top 10 WordPress plugins listed you can see 5 commercial plugins, they have around 21 million downloads and one of these plugins is a security plugin. (Source: WP WhiteSecurity)

Source: WP WhiteSecurity

To top it off, even more, the sad part is that anyone can create a plugin and publish it — WordPress is open source and nobody is performing a code analysis before the new plugin is sent out for the world. Also, there are no serious security standards for these plugins hence, WordPress plugins are unfortunately prone to vulnerabilities.

Website Hacking Statistics: Web Application Vulnerabilities

According to statistics, web applications have become the #1 target for the exploitation of vulnerabilities and unfortunately, all kinds of software are prone to security breaches.

In 2018 researchers found around 70 types of weaknesses in web applications. As always, cross-site scripting (XSS) vulnerabilities are present in many web applications. (Source: PT Security)

46% of web applications have critical vulnerabilities. Acunetix’s report “Web Application Vulnerability 2019”

Four out of five web applications contained configuration errors such as default settings, standard passwords, error reporting, full path disclosure, and other information leaks that might have value for potential intruders. (Source: PT Security)

30% of web applications are vulnerable to XSS. Acunetix’s report “Web Application Vulnerability 2019”

Usually, the attacker’s goals are to make the victim involuntarily run a maliciously injected script, which is executed by a trusted web application. In this way, the cybercriminal can steal the user’s data, or even modify the applications to send sensitive data to any recipient.

Do you have any vulnerable plugins on your site?

Scan to find out! Try WebARX for free

87% of websites have mid-level weaknesses. Acunetix’s report “Web Application Vulnerability 2019”

There are different sources for cyber security statistics that we found information from and some of the information varies. According to ENISA Threat Landscape Report made in 2018 the most popular type of attacks were SQL injections which were leading with 51%. Local File Inclusion comes in second place with 34% and cross-site scripting comes in third with 8%.

Web Professionals Worry About Website Security in 2020

In the second quarter of 2020, we surveyed more than 300 web developers, freelancers, and digital agencies. The aim was to understand if they are worried about website security, which makes them worry, and what are the challenges they want to overcome.

The responses were actually shocking. Two hundred forty-three (243) respondents in the survey stated that they are increasingly worried about website security.

More than 73% of digital agencies and freelancers are increasingly worried about website security. This number was slightly higher (75%) among WordPress users. WebARX website security survey 2020

The data also revealed that while agencies and web professionals are both increasingly worried and have challenges with website security – only a little less than half of them (45%) take proper measures to protect the sites they are responsible for.

During the first half of the year, we at WebARX noticed an increased amount of attacks targeted to websites. Since COVID-19 demanded a change in our lifestyle, it also made us use the internet much more than before. That resulted also in a higher amount of cyber attacks and attacks targeted to websites, which meant for us – more work.

Have you seen a change in the number of attacks targeted against your websites?

(Source)

Over half of the respondents of our survey stated that while they are concerned about their sites’ security and they also see the concern being justified due to an increased number of attacks targeted to their sites during the crisis.

Close to 43% of the respondents have seen an increase in attacks targeted to the websites they are responsible for. We also discovered that 25% of the responders have seen a hacked website in the past month prior to participating in the survey.

Want to read more about our findings? Download the free PDF report here.

People Are More Worried About Cyber Attack Than Real-Life Attack

According to a study, Americans are more worried about cybercrime than violent crimes (including terrorism, being murdered, and being sexually assaulted). Not only are Americans more worried about cybercrime than other crimes, but their worries about cyber crimes has been consistent for about a decade now. (Source: news.gallup.com)

As you also can see from the picture above, the study states that out of 13 crimes measured, Americans continue to worry most about cybercrimes. 71% worry about the hacking of personal data while 67% about identity theft.

To put in perspective only 24% of people participating in the study were worried about being a victim of terrorism, 22% were worried about being attacked while driving, 20% about being sexually assaulted, and 17% about being murdered.

The study of more than 4,000 organizations across the US, UK, Germany, Spain, and the Netherlands found that most organizations are unprepared and would be seriously impacted by a cyber attack. It states that a whopping 73 percent of companies are not ready for a cyber attack. (Source: hiscox.co.uk)

Conclusion

These statistics are highlighting how important it is to always be on top of what happens with your company, the people and the software you are using.



To be alert and secured you should always keep the software you use updated and monitored. Make sure you are always aware of the components you are using on your web applications and always remove the ones that you are not using.

Choose a trustworthy hosting provider. You can learn about how to choose a hosting provider here.

It is also very important to choose the right security provider for your WordPress site or any web application. When it comes to WordPress security plugins, first I recommend you to get a better understanding of the WordPress security plugins ecosystem and how they all work. Find one that can offer virtual patching and before enabling a firewall on your web app, take a look at the code.

If you haven’t got technical skills to evaluate the chosen firewall code, let a professional help you out. Always remember that when it comes to security – make your research before buying a fancy bucket of hope. Be critical and be smart.

How many websites are hacked every day? On average 30 000 new websites are hacked every day. These 30 000 sites are usually legitimate small businesses sites, that are unwittingly distributing malware.

How much does cybercrime cost? Cybercrime will cost the world $6 trillion by 2021.

How many people use WordPress sites? WordPress is used by over 35% of all websites and it is unsurprisingly also registered as the one with the highest number of vulnerabilities. About 98% of WordPress vulnerabilities are related to plugins.

How often do web hacks take place? Hackers attack every 39 seconds, on average 2,244 times a day.

What are the most hacked websites? It’s hard to say which sites are the most hacked, but statistics say that about 30 000 new websites are hacked every day. WordPress is one of the main targets for hackers and it may be because it has a massive user-base. The main threat as it is seen is not WordPress itself, but the wide range of third-party plugins that are used by WordPress users.

Resources used in the article: