Security Experts:

WordPress Is the Most Attacked CMS: Report

Data security firm Imperva released its fifth annual Web Application Attack report (WAAR) this week, a study designed track the latest trends and cyber threats facing web applications.

The report, which is based on the analysis of 99 applications over a period of nine months (August 1, 2013 - April 30, 2014), determined that WordPress is the most targeted content management system (CMS). In fact, WordPress websites were attacked 24.1% more than sites running on all other CMS platforms combined.

"WordPress has been in the headlines, in the past couple of years, both because of its popularity, and because of the amount of vulnerabilities found in its application and exposed by hackers. We believe that popularity and a hacker’s focus go hand-in-hand. When an application or a platform becomes popular, hackers realize that the ROI from hacking into these platforms or applications will be fruitful, so they spend more time researching and exploiting these applications, either to steal data from them, or to use the hacked systems as zombies in a botnet," the report reads. 

This year's WAAR also makes a comparison between attacks targeting PHP and .NET applications. It turns out that PHP apps suffer almost three times more cross-site scripting (XSS) attacks than ASP applications, and nearly two times more directory traversal attacks. On the other hand, Imperva has determined that ASP applications suffer twice as many SQL injection attacks than PHP applications.

When it comes to websites, unsurprisingly, ones that have login functionality and implicitly store consumer-specific information are the most targeted.

Nearly half of all the attacks observed by Imperva during the nine month period targeted the retail sector, followed at a distance by financial institutions which accounted for 10% of all Web application attacks.

Compared to the previous period reviewed by the company (June 1, 2012 - November 30, 2012), attacks have been 44% longer. A 10% increase was also observed in SQL injection attacks, and a 24% increase in remote file inclusion (RFI) attacks.

As far as attack sources are concerned, Imperva found that the United States generates most of the Web application attack traffic.

"In our educated opinion, based on years of analyzing attack data and origins, we propose that attackers from other countries are using U.S. hosts to attack, based on those hosts being geographically closer to targets," the report reads.

"While this may be overwhelming, we believe that there is more to this picture. Attacks originating in the U.S. may indicate other things such as TOR exit nodes, Botnet infected machines, etc., and so this information needs to be looked at in proportion. What it potentially teaches us is the quality of targets. It makes sense for an attacker to execute the attack as close to the target as possible, to remain undetected or to maximize the available bandwidth of the attack."

Attackers are increasingly leveraging cloud and infrastructure-as-a-service (IaaS) hosted applications and servers. Imperva has found that 20% of all known vulnerability exploitation attempts and 10% of all SQL injection attempts originated in Amazon Web Services (AWS) source IPs.

The complete Web Application Attack report from Imperva is available here.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.