WordPress accounts for the vast majority of compromised CMS platforms, with vulnerable plugins the prime attack vector, Sucuri has revealed in a new report.

The GoDaddy-owned security vendor analyzed 18,302 infected websites and over 4.4m cleaned files to compile its latest Hacked Website Trend report.

It revealed that WordPress accounted for 90% of hacked websites in 2018, up from 83% in 2018. There was a steep drop before Magento (4.6%) and Joomla (4.3%) in second and third. The latter two had dropped from figures of 6.5% and 13.1% respectively in 2017.

The problems associated with WordPress appeared not to have come from users running old versions of the platform. In fact, just 37% of infected sites on this platform were outdated, versus 97% for PrestaShop, 91% for OpenCart and 87.5% for Joomla.

“This data demonstrates that the work WordPress continues to do with auto-updates has a material impact. The one area that requires considerable attention, however, are the extensible components of the platform such as plugins,” said Sucuri.

“These extensible components are the real attack vectors affecting tens of thousands of sites a year. The primary attack vector abused when infecting WordPress are plugins with known and unknown vulnerabilities. This makes the role of third-party components more significant for this CMS.”

The firm also warned that e-commerce sites like those running on PrestaShop and OpenCart have an obligation under PCI DSS to improve security.

“Attackers have a high interest in targeting e-commerce websites with valuable customer data i.e. credit card and user information,” explained Sucuri. “It’s imperative these website owners update their software to ensure their sites have the latest security enhancements and vulnerability patches.”

The vendor highlighted several security challenges leading to risk exposure, including: backwards compatibility problems; reuse of leaked passwords; cross-site contamination; customized deployments; use of pirated software containing backdoors; and a lack of security knowledge and resources.

In 2018, 68% of all clean-up requests dealt with by the vendor contained at least one hidden PHP-based backdoor.