Today we will address key news topics, articles, and some of the associated risks around WordPress and information security for businesses.
As every week, there has been a lot going on in the WordPress security arena, and some key statistics have come out around WordPress that may surprise you!
In this podcast we are going to be covering the following:
- [WORDPRESS] BlogVault talks about daily backups and the importance of doing them
- [WORDPRESS] Ensuring the bug is fixed
- [WORDPRESS] WP gets CMS of the Year for 2016 – 7th straight year
- [WORDPRESS] WP Security 2017
- [VULNERABILITIES] Check out WPScan Vulnerability Database for updates on WordPress
- [NEWS] FTC’S IoT Challenge
- [NEWS] Koolova doesn’t just cut up (encrypt) your files it will put them back together if you learn cybersecurity
- [ARTICLE] Vulnerability Disclosure Standard
- [WORDPRESS] Sucuri hacked website report for 2016/Q3 – WordPress most hacked!
- And many more!
Other associated links and resources mentioned in today’s show:
I hope you enjoyed the podcast and it provides you value securing your business and WordPress site!
Click here to leave us an iTunes review and subscribe to the show!
I know you will enjoy this episode.
Thank you for listening!
“WordPress Security Daily”
BONUS – Don’t forget you can use the content in the podcast/training for Continuing Professional Education (CPE) credit!
Can’t listen right now – Read the transcript below.
Shon: Welcome. I hope you've all been doing wonderful this past week. Now we're right into the new year of 2017. I hope you've all set your New Year's resolutions and those are going well for you. I don't really do New Year's resolutions, because you can do it any time, but I started working out with [inaudible] the other day, and yeah, that was quite an interesting endeavor. I realized how fat I am and how out of shape I am. They're just doing push-ups and sit-ups and I'm just sucking wind like there's no tomorrow, going, "Yeah, this isn't good. This is not good." So I need to fix that. But outside of that, it's been a wonderful week here in the wonderful state of Kansas in the United States. I just saw a post out there by Troy Hunt, he puts it on YouTube, and he's sitting there on the beach. Well, actually on the beach, in his backyard, looking at the pool, and there's a nice canal that goes from his backyard out to the ocean, I assume, and I'm like, "Oh, I just so wish that was me. It's so nice. I'm here in 10 degree temperatures in the middle of Kansas." So yeah, it's wonderful, but that's alright. It could be worse, that's for sure. It could be North Dakota when it's 30 below.
So, before we get going here, real quickly: this episode of WordPress Security Daily is sponsored by Sucuri, at sucuri.net. Have you ever had your website hacked and felt that sinking feeling in your stomach and thought to yourself, "Uh-oh, now what?" Right? Well, are you totally confused about security and how to best protect your site, ensuring that your brand, the one you worked hard for, is safe, and then potentially your livelihood is safe? Well, Sucuri can help you out. They offer a wide range of products and services that can clean hacked or defaced websites, providing the actual protection that you need for your site. Here are just a few examples of what they can do: website malware removal and cleanup, web application firewalls, distributed denial of service mitigation, which we've talked about numerous times on WordPress Security Daily. Check them out at Sucuri.net. That's Sucuri.net. Make sure it's a dot net, alright? Dot com will take you to a site that has snakes on it. I did not know that Sucuri means snake in, I think, Spanish or Portuguese, down south, so it's very cool. I actually did not know that at all, but that's really what it means.
So, back here, let's just roll right back into our podcast. It's been an interesting week here at WordPress Security Daily. There's an article on vulnerabilities.com, and they talk about how it's important, if you're a developer, to make sure that the vulnerability that you've found is fixed. He discovered a recent server-side request forgery vulnerability, they call it SSRF. So Sierra, Sierra, Romeo, Foxtrot, okay? That's a server-side request forgery vulnerability. Well, they found this when they were doing some testing on a plugin called Nelio A/B. When they found this issue, they reported it and it was fixed. So they had found a vulnerability, they reported it to the plugin company, and the people decided to fix it, which is great, awesome. They fixed it, but what happened was they didn't actually run enough testing on it to make sure that they actually fixed the hole. It was interesting, the fact that developers, and I see this on a daily basis as well, developers are really good at developing, and that's awesome. So they're out there, they're typing on their stuff and they're making the changes. We talked in a podcast a while back about the amount of code that is actually hopping on the site; it's amazing. Now, I had noticed in the news that Uber is going to be having completely self-automated cars driving people starting at the end of 2017.
So now we've got cars, we've got millions, I mean hundreds of millions, of lines of code, and they find a vulnerability. So they find a vulnerability, do the responsible thing by disclosing it, people go in and they fix it, but as a developer, how do you know you fixed the problem? We talked about how if there are only 1% or 2% that are still vulnerabilities within 100 or within 400 million lines of code, you're still talking tens of thousands of vulnerabilities that could still exist even if you fixed that one. So it's important, if you are a developer, that you understand what some of the tools are that you can use to help, again, once you find your vulnerabilities, to test it and to run it and to make sure that you fixed it. That kind of goes back to what Troy Hunt talks about: hack yourself. You need to hack yourself and know how to hack your site to see if you can find a vulnerability that might still exist. So it's a really good post. Again, it talks about, from a security risk standpoint, that if you hack a site or if you find there's an issue with the site and you then fix the problem, you need to actually go back and make sure that you double check. Then, when you do double check, be open to the fact that you could also find something else that's wrong. So, a good article from pluginvulnerabilities.com.
Okay. This article talks about daily backups and the importance of doing them, and this comes from BlogVault at blogvault.net. We've talked about backups on WordPress Security Daily a few times in the past. One thing that it talks about is, when should you do your backups? Now, if you have a situation where you have just a blog, and I say "just," but you know, for some people that's what they have, they just put out some information and they update it maybe once a month, once every couple of weeks. Whether you do daily backups depends upon your situation. You may or may not want to do those, but if you have a site that is your livelihood, or maybe you put more content out there and you update it at least daily or once every two or three days, a daily backup is really a good option, just in the fact that it really does reduce your data loss. They talk about this in the article: it reduces your data loss and it provides options for multiple backup versions to test and restore. That's the key point, in the fact that when you do a backup, they do different version numbers. So let's just say you create a plugin or you've added some content to your site, and you don't have a daily backup, say you're with one backup that you do once a month. You turn around, you go out there to open up your site, your site dies. Oh, bummer. Alright, so you've got to go through this entire hassle of bringing back your site. Well, in the process of doing that, you realize your backup is broke. It's not good. There's something wrong with it.
So having a daily backup in that case, you could potentially go back, so if that one version is corrupted, you could go back to a couple of different versions and update your site. Even if you did lose some data, the simple fact of it is you can bring your site back. It's pretty hard to bring your site back if you have nothing, right? If you haven't done any sort of backup at all, it's really hard to bring your site back. So it's important to think about: do you really want to do the daily backups to your system? Because there are some pros and cons to that, but the bottom line is what your data is worth to you. Do you really want to mess with it? They've made the point that it requires some tinkering once restored, and updates made to the plugins and themes can be retained. You can do that. It just depends on what kind of backup you do. Do you do a server-side backup that's specifically your server, or do you actually do one that covers your database plus your plugins plus your themes and so forth? So you can have a couple of different companies do it. You can have a manual backup system, you can have a web hosting service do it for you, or you can actually have a plugin that will be set up to do it. If you've got a site that's been set up for some time and maybe it's not huge as far as the web goes, you can consider looking at a WordPress backup plugin. I mean, that will take care of 95% of what you need. The bottom line is, if you feel that you need a hosting service to do that for you, then it will cost you a bit, but if your site is in need of "I don't want to mess with it, just make sure it's ready, it's there, it's always working," then a hosting service would potentially be just the thing for you. So you've just got to kind of decide in your use case what's the best for you in regards to what kind of service you should use, but it's a good article.
It kind of goes over the basics of it, but if you really are interested in backups, check out WordPress Security Daily. I've got some content out there on backups, as well as this article from blogvault.net.
Alright, so let's get into the next article. WordPress gets the CMS of the Year for 2016. This is the seventh straight year that this has occurred, and it was released recently by W3Techs, basically talking about web technologies of the year for 2016. For the seventh consecutive year, WordPress earned that spot as the coveted CMS of the year. I think that's interesting in that, you know, people don't necessarily hear a lot about WordPress unless you're in the community, because honestly, I had heard of it briefly but not in depth, and now it's becoming a big factor on the web. It really is. With the REST API it's amazing how it can now integrate with so many other software solutions out there. So they kind of talk about that on the web. The article was about the leading web technologies, Google Analytics or Bo2 Amazonic Cloudflare. I've been recently getting deep into the Amazon AWS platform and realizing, holy cow, how huge that is. Well, they've built in there Lightsail from Amazon. They have talked about how they're making a WordPress kick-up; it's basically a product where you can go ahead and just smash the easy button and you will have a WordPress site up and rocking and rolling.
So they're pushing into the space because they're saying that about 25.6% of all websites started off 2016 this way. Then, by the time it was all said and done, it was about 27.3%. So that's what they just called the 1.7% growth. That's pretty good, considering how many websites are out there on the web. I mean, that's huge. So, you know, WordPress is growing. Well, because, you know, at WordPress Security Daily we noticed this as well, in the fact that not a lot of people understand the security behind it. So, with that level of growth, they're seeing that 60% of the top 100 websites of the Inc. 5000, I mean, that's 60 of the top 100 sites, right? Of their 50,000 in 2016, use WordPress. It's true. It really is. They're talking about all kinds of industries, from Greenpeace to Microsoft, and that's amazing that they're all using WordPress. So if you're a developer who's in that space, that's a good thing to be. It's a very good thing to be. You might have a full time job. One of the things I realized is that we are dealing more and more with WordPress as well. So it's important, if you're a company, if you're a small or medium size business and you haven't really gone down the WordPress path, you need to consider it, just because at a minimum it gives you flexibility with building out your site. Now, there are other options out there, but 27% of the world is on WordPress, from a blogging standpoint, from a website standpoint. You need to consider, is it something that can give you the kind of power that you need for your site?
Now, if you're a small business and you just want to throw something out there, Wix.com can help you with that, but if you want the level where you can integrate ecommerce, I mean, not saying Wix can't, but you can have full hands-on integration with many different aspects, to include the REST API, then that is amazing. It gives you that flexibility. So I think it's really cool, the fact that WordPress is the CMS of the year for 2016, the seventh straight year. I think it'll be interesting how 2018 grows. I've noticed that the growth has been consistent and steady, but at some point it'll be interesting to see if it just takes off and goes even further, and how fast. So anyway, good article from Torque magazine, torquemag.io. They have a really good post out there about that, so go check it out and see what you've got.
Alright, this next article is from a gentleman by the name of John Hughes at Torque, torquemag.io, and it's "WordPress Security in 2017: What It Means for Your Website." They're kind of following on to what we talked about in the first part, WordPress being the CMS for the seventh straight year, the number one CMS as far as site scope. This kind of follows along those lines, in the fact that they're saying that 74.6 million websites are powered by WordPress. 74 million sites, okay, so that is amazing, that you can believe there are that many sites out there running WordPress. Well, they talked about how no major vulnerabilities have been discovered in core since 2013, and that just shows how strong that is. Well, the interesting part of that, though, is back in 2012 there were more than 170,000 WordPress websites that were hacked. So if you think about it, the evolution has gone from whatever that amount was in 2012 to where we're at today, and there were so many sites getting hacked. Well, a lot of it comes down to these sites that people just stand up and walk away from, just kind of a brochure-ware site. Check out my little site. Well, you know, my church website, my personal blogging site, and then they walk away and they don't keep them updated. It ends up having issues, but it also causes a lot of problems for the rest of the web.
Well, they talked about this. It's a good article as far as the different bullet points that you could kind of look at about protecting your WordPress site, and they talked about this in the article: it's good for your business, in the fact that if you use this for your business, you want to make sure that you do protect it, because your reputation is tied to that, right? Your business reputation could be dramatically affected. If you're just one of these guys that kind of puts up a site for your business, then walks away and doesn't realize that someone maybe hacked it and is using it to do other things, real quickly you can be blocked from Google. You can have information put up on your site that maybe is bad for you, and it's one of those things where you need to make sure that you do the security. He kind of goes into details about all the different things that you can consider. One of the points that I like to stress is the data, sensitive data. Do you have sensitive data on your site? So if you're collecting credit card information or just addresses of people, you need to make sure that you do the proper thing to protect all of that.
He also had a really good point that I don't think we talk enough about, because he has five security measures that are as important as ever in 2017, and he rolls through those: creating regular backups is number one; keeping your WordPress updated, that's number two, and those again, we've talked about. Those are the basics, the foundational stuff, the fundamentals. Also, optimizing file and folder permissions. I thought that was interesting because, from a security space, we talk a lot about doing the blocking and tackling, the backups, the updates, the account permissions, but here he talks about WordPress default file permissions being worth exploring for any developer. It's true that if you are a developer, you need to, because you're now getting the granularity down to the actual folder and file as far as who you're going to allow in. He talks in there about 644 and 755 file permissions and how you should kind of look at those. There are some different links and some different sites that you should look at. The biggest thing is that when you're dealing with the different files, whatever they may be, you need to avoid all users being able to read, write or delete folders. That's setting specific restrictions on folders within your site so that someone can't just go in and make modifications and changes to it.
Now, that takes a little bit more "umph," a little bit more background than just going and being a person who just wants to start up a site, but there are so many tutorials out there on how to do this that it's definitely useful for someone who's just looking to even put their site together. If you really want to get into the nitty gritty of securing your WordPress site, that's one of the aspects to do that. Now, the downside of that: if you do make these changes to the different files and folders, and you do them incorrectly, you could start breaking stuff. So my recommendation is, if you don't have a lot of experience in doing this and you do make those changes to your files, make sure you make the changes and then run your site for a little bit and see if something breaks. Don't go make four or five different changes on your site, changing permissions on files and folders, and then walk away, because what'll happen is maybe it won't break right away and then all of a sudden it breaks down the road. Yeah, that's not good. So, something to consider about that end of it. He also talks about securing your login and admin screens, and we've talked about that routinely: your admin is the door to your site. It's super important that you do protect that. We talked about as well: the admin account that you had that set up your WordPress site, make sure you delete it after you've created a new admin account. So it's important to make sure that you control the access to your WordPress site. He also talks about hiding your back-end URLs as well, like wp-admin, so you should hide that and change it.
Now, I will also say, is that important? Okay, it's useful and it's good, in that the bots that are out there will go ahead and scan for that and they'll keep running at your wp-admin, but if any hacker were to come along, he'll blow right through that. He'll figure out how to get into your site. So it is important to hide some of those things; however, just keep in mind, it's not a panacea. It's not a [inaudible] bullet.
Okay, I'd also like to throw out there, and this is kind of a plug for them, the WPScan Vulnerability Database for WordPress. You can catch that at wpvulndb.com. I like this site just in the fact that if you have vulnerabilities and you're looking for vulnerabilities for your site, they'll come up on here. Now, you have to scan through there to find out what is particularly for your site. You can get a newsletter or newsfeed from them. I highly recommend you do that, because using them along with NIST, N-I-S-T, NIST, the common vulnerability and exploitation database, CVE numbers, you can find out a lot about your WordPress site and what could be vulnerable. There are also other people out there that will get you on their newsletters and send you updates, and then hopefully your site or the plugins that you have on your site are giving you updates as well, but wpvulndb.com is a good place to check out any vulnerabilities that you may have for WordPress. Now, while I throw some of that up there, they have it if it's something that's important or critical, but there's always something new getting posted every single day.
krebsonsecurity.com put out a new post on the FTC's Internet of Things, IoT, challenge. We've talked here at WordPress Security Daily about the IoT issue, and if you haven't heard us talk about it, Internet of Things is IoT. That comes down to everything from your Nest controller for your heating and air-conditioning systems to stereo systems, you name it. It is everywhere, because they're putting remote-connected devices in everything. So the agency is offering up a cash prize of 25 grand. So hey, if you're listening to this and you want that, there's some big money there, right? With up to $3,000 available for as many as three honorable mention winners. So they're trying to fix this problem. What they do is they come up with the cash prize; you can help them determine how to best secure the Internet of Things. You can get to it at ftc.gov/iothomeinspectorchallenge. The reason for this is that IoT is becoming a huge, huge factor in everything we do. Gartner, I don't know if you know them, they're an independent research company that goes out and has their Gartner Magic Quadrant, which tells where companies are at, where they're working and how good they are. They're an intelligence and research company that forecasts [inaudible] all the new trends and where it's going. Well, in their article, they talked about how 6.4 billion connected things will be in use worldwide in 2016, okay? So that's just past, right?
Well, that was up 30% from 2015. They said it will reach 20.8 billion by 2020. That's amazing. 20.8 billion devices are going to be connected to the web by 2020. So from a security guy's point of view, oh, that's not so good, because now you've got different ways that people can get into your network or can get your data. These companies are not putting the level of security into them that they need to. Just recently there was a webcam that came out of China that had default passwords that were hard-coded into the actual device itself. So you can't break it. You can't change it no matter what you do. That stuff is getting shipped out all the time. So if you can imagine that there's 20.8 billion by 2020, that's only three years away now. That's amazing. So it's important that we find a fix to this problem, but if you are a developer that wants to get into that challenge for IoT and come up with your own solution, check them out: ftc.gov/iothomeinspectorchallenge, and see if you can put your name in the hat for winning 25 grand. Not too shabby.
Alright, so this is a quick time to get in a word from our sponsor for today's podcast. Again, that is Sucuri.net. As you know, WordPress Security Daily is all about security. With over 10,000 WordPress sites being hacked each and every day, and that's an old number from around 2013 if I'm not mistaken, as you know, it's imperative that you get the security help you need. Well, Sucuri is just the company that can help you with your security needs, whether you're a small one-person startup or a medium to large multinational company; they can help you get what you need. It's nice to have that. Especially, as we talked about, with WordPress growing the way it is, you need someone that can help you with this. So, are you a developer or a person who's responsible for the installation and management of your website? Have you been concerned by the overwhelming management of security for your site? A lot of people deal with that. Have you ever been hacked, or had no idea who to turn to to clean your site, to trust that it gets done right? Lastly, do you have multiple types of platforms that you're dealing with, WordPress, [inaudible]? Any of those? I mean, all those things, if you have those issues that you're dealing with, Sucuri.net can help you with that. It's a multi-platform company that can help you 24/7, 365, in any location globally. They've also got a CDN capability now that they're building up within their organization, so I mean, they are global.
Here are just a few of the products that they offer: website malware cleanup, which we talked about, basically continuous scans for malware and hack attempts, which they can do after the plugin as well; website blacklist monitoring and removal, they had a really good article about that out just recently; web application firewalls and denial of service protection. Another point that was really interesting is that they do offer PCI compliance help. So if you deal with PCI, they can help you with that as well. So a lot of those issues are really, really cool, and it's important for WordPress developers and WordPress business owners to understand all of that and let them help you with this stuff, because that's what they're there for. So again, they offer three options for the WordPress site. They have the website security stack: basic, pro and business options. Each option has different levels associated. You need to really check out and see which one is the best for you and your business. Lastly, you know, I've talked with Tony and Dre and they are down-to-earth dudes that really want to help out the entire community while providing a great service to entrepreneurs and business owners. So check them out, Sucuri.net. That's Sucuri, Sucuri.net.
Alright, let's get back to our podcast. This is an interesting article coming from tripwire.com. It's a ransomware that offers free decryption if you learn about cyber security. I thought it was really interesting, and basically what it does is, if you go ahead and click on the link, it will encrypt your hard drive. However, if you take the courses, or, not the courses, but download the two articles they have and read them, then it will unlock your computer and give you back what you want. So it's basically trying to teach you some level of cyber security so that you won't do this again. Here is a quote that I found interesting out of there. It says, "Hello. I'm nice Jigsaw, or more commonly known as Jigsaw's twin. Unfortunately all of your personal files (pictures, documents, etc...) have been encrypted by an evil computer virus known as Ransomware." Right? So it was talking through all of that. It basically says, "I'm going to let you restore them but only if you stop downloading unsafe applications off the internet." So don't be click happy, basically, right? "If you continue to this by the end, with a virus way worse than me." Okay, that didn't quite... "If you continue to do this, this may be worse, more than a virus than me. You might even end up meeting my infamous brother called Jigsaw." Not good, right? So this is called Koolova, K-O-O-L-O-V-A, Koolova. So that's interesting. He also talks about, if you read the security articles from Google's security team on how to stay safe online, it'll take care of it for you.
So, bottom line is, use your powers for good, on teaching. So just encrypt your buddy's computer and then that way you say, "Hey, if you do this, we will unlock it." I like their entrepreneurial spirit with this; however, I question a little bit the ethics behind it. What happens if somebody says, "Well, I don't want to read this stupid article"? Right? Not stupid, but that's what they say. So what's going to happen, right? You're going to leave it encrypted? I don't know. Good on them for trying to do something to try to help fix this problem. It's definitely a huge issue that we're all dealing with on the web. So, Koolova, that is the ransomware, so if you get that one out of the gazillions that are out there, count your blessings and take the course. You can get your stuff unlocked and then your wife will be happy with you, or girlfriend or [inaudible] other.
So we talked in an article up above about, if you're a developer, how do you deal with responsible disclosure? You end up getting some disclosure, you tell them what's the problem, and then there were still issues. Well, this article is going to talk about responsible vulnerability disclosure, and that came out of Dark Reading. If you haven't checked them out before, they have some really good techy stuff; it's darkreading.com, and they talked about the importance of doing responsible vulnerability disclosure. This will range, and what I mean by that is, okay, say you're a developer, you find a problem within some code and you disclose it to whomever that might be, whoever owns the code, and typically there's a different type of timeline that goes with it. So if you disclose it, you want to let them fix it. So you give them a period of time to fix it and then you eventually disclose it to the populace. The good part about that is, if you're a security researcher, it helps get your name out, that you're doing good work, and you want them to do that. The challenge is that you don't always get good developer feedback. You don't know what you should do. Is there a standard behind this? Is it 30 days? Is it 60 days? Recently, Google kind of did this a little bit with Microsoft, where they let Microsoft know of an issue and they released it pretty quickly, versus in other cases I've seen as long as 690, 120 days before the vulnerability is actually released to the public.
The response to the disclosure piece was, okay, so I'm telling them. I contacted them. I let them know. I now waited a period of time and I released the code to the world, and then, as soon as you release the code, if there's an issue, there's going to be some level of people going back and re-engineering that vulnerability to make weapons with it potentially, right? So the goal is that you let them know. Well, they're talking in Dark Reading about, what is a standard for this? Because there really isn't a standard. So they have a link that's really interesting to a full disclosure analysis of a cross-site scripting vulnerability in Yahoo Mail by researcher Jouko Pynnönen, like J-O-U-K-O P-Y-N-N-Ö-N-E-N. I just probably destroyed his name. But he talks about that and how you should do full disclosure. So in the post they're talking about the timeline: Google recommends 60 days for a fix or public disclosure, so if you don't fix it in 60 days, do public disclosure. Well, then HackerOne, they do their vulnerability platform, they have a bug bounty situation set up, so if you find the bug, they'll pay you for it, right? Well, they default to a 30 day disclosure period.
So the challenge with that is this — okay, there’s 30 days enough time to fix it. What happens if you don’t get the right person? Now if your company is doing this for a living and you go, I’m going to disclose this vulnerability, do you set the company up for some issues if you disclosed too soon? What if you’ve contact to the guy at X company.com, whatever that might be and you have got the wrong person, and you spent two weeks just dealing with the wrong person before they past you on the right person and they haven’t spent that time fixing the vulnerability? So it’s just kind of talks about it will be good to have some level of standardization because back in the 2000s, it makes that reference back to it, before full disclosure responsibility, disclosure was the norm, vendors had incentives too high and downplays security issues, and that’s true. I still thinks some of them do that but it’s now getting out where you need to come up with what is you if a company is a small business owner or medium size business owner, what is your company for full disclosure? You may want to post that of going, “Hey, if you find an issue, this is where you contact, this is who you contact, and please give us an extra amount of days to help us fix our code?
Now, it’s up to the security researcher at the end to decide how long they want to give you. I mean, they don’t have to give you anything because there’s no standard for that but you may wanted to put that on your site and just stood up there and say, “Is it a possibility for you to give me 30, 60, 90 days?” Whatever that might be. So something to consider when looking at responsible disclosure for your site.
Okay, in this last article we're going to talk about, Sucuri put out a post about a hacked website report for 2016 Q3, Quarter 3. Their group did an analysis of over 8,000 different infected websites. They compare the data from Q1 and Q2 as well. The interesting part is that we know, it's kind of known, through this entire podcast we've talked about the growth of WordPress and the size of it, the majority of the hacks that they saw affected WordPress, about 74%, followed by Joomla and Magento. That makes sense with Magento, especially with the money aspects of it, but as we know, it's important that we keep the security up to date, just because of all the changes that are happening and all the growth. Well, the first part that they annotate, some of the big points of infection come down to an out-of-date CMS. We talked about how important it is for you to update your plugins and update WordPress. Well, that's one of the main ways people are getting in; it's an out-of-date CMS issue. WordPress is about 50% of that, Joomla had its situation, and Magento is about 85% to 97% of Magento that was hit from out-of-date CMSs, so if you think about it, just keep it updated. So again, we've talked about the debate over, do I do auto-updates or do I just do it manually? The bottom line is, if you just auto-update, you cut out a humongous part of the hacks that could affect your WordPress site. They noticed a 6% increase just from last year. That makes sense, because if WordPress is growing at 1.7% and you've got a 6% increase, it makes sense that there are just people that are not updating their site, and you've got the increase of people that are getting on WordPress.
So it's just amazing how many people are dealing with out-of-date and vulnerable sites. So if we just focus as a community on auto-updates, or updating on a routine basis, that's a dramatic impact on the ability of people to basically hack your site. So we go to plugins. They're about 74% of their sampling; the top three WordPress plugins involved in the hacks were TimThumb, RevSlider and Gravity Forms. We know that we've seen this last summer, that there was a lot of that going on. Nothing else really stood out like those three, which is amazing, and the fact that those three plugins can create such havoc. Then one of the quotes they had was that the top three plugins remain the same; we saw an improvement on RevSlider, which is good, dropping from 1.5% to 8.5%, and then Gravity Forms dropping from 2% to 4%. So those are interesting stats, but what they also said is that these are still being exploited; even after all of this, they're still being exploited. So patches, okay, update your system, avoid those plugins, right?
They also talked about blacklist analysis. They've got a good post out about how to remove blacklist warnings, but it basically talks about Google Safe Browsing, Norton Safe Web, and McAfee SiteAdvisor. They said 15% of the infected sites were blacklisted, which means approximately 85% of the thousands of infected sites that were analyzed were freely distributing malware without being blacklisted. So only 15% of the actual malware-infected sites were blacklisted, were stopped from the internet, while the remaining 85% are spinning out junk. So it just comes down to how you need to continually monitor your site, keep it up and watch what's going on with your site. If you do get blacklisted, use the product they have to help kind of clean that up, but it's just malware running rampant, and it's kind of interesting.
So here are some of the key bullets that they had from the site: WordPress continues to lead the infected sites they worked on at 74%. The top three plugins are Gravity Forms, TimThumb and RevSlider. WordPress installations that were out of date at the point of infection increased from 55% to 61%. Then Joomla and Magento just continue to lead the pack in that area. 85% of malware sites up there are still getting through the blacklists, so they're not actually getting blacklisted. SEO spam continues to be an important issue at 37%. There was basically a 12% increase in the mailer scripts, and we saw that recently, that it was going on with WordPress. So it's a very, very interesting, good article out there. It's on the blog at Sucuri.net. You can get the details and download the whole report yourself.
Alright, so as we wrap up this week's show, the WordPress Security Daily podcast, I want to express my appreciation once again to Sucuri at Sucuri.net. They are the real deal, and if you need security services, they can help you out. I wouldn't recommend them if I didn't feel they could meet or exceed your expectations. Check them out at Sucuri, S-U-C-U-R-I.net. Alright, feel free to stop by WordPress Security Daily for all of our free content as we close this thing out, and I hope you have a wonderful week. If you get a chance, rate us on iTunes; we greatly appreciate any feedback that you may have to help make the podcast better. The last thing I want to say is have a blessed day and a great rest of the week. Alright. Well, see you.
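The auto-update point from the Sucuri segment above, as an added example that is not from the podcast, from Sucuri's report, or from WordPress core itself: a wp-config.php fragment plus a must-use plugin showing the weak setting beside the corrected one. The constants and filters are real WordPress ones; the plugin slugs in the allow-list and hold-list are assumptions for illustration and should be replaced with whatever the site actually runs.

```php
<?php
/**
 * Added example (not from the podcast or Sucuri's report): WordPress auto-update
 * configuration addressing the "out-of-date CMS at point of infection" finding.
 * The mu-plugin part goes in wp-content/mu-plugins/ so it loads before regular
 * plugins and cannot be deactivated from the dashboard.
 */

// --- wp-config.php ---------------------------------------------------------

// Weak setting, common on neglected installs: this switches off every automatic
// update, including the minor security releases WordPress would otherwise apply.
// define( 'AUTOMATIC_UPDATER_DISABLED', true );   // do NOT ship this

// Corrected setting: take all core releases automatically (major and minor).
// With the constant undefined, core only auto-applies minor/security releases.
define( 'WP_AUTO_UPDATE_CORE', true );

// --- wp-content/mu-plugins/auto-updates.php --------------------------------

// Decide per plugin whether the update offered in the update transient is
// applied automatically. $item is the update object; ->slug is its plugin slug.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // Assumed slugs for illustration: plugins with a history of mass
    // exploitation are always updated the moment a release is available.
    $always = array( 'revslider', 'gravityforms' );
    // Assumed slug for illustration: a plugin the site owner tests on staging
    // first, so it is held back and updated by hand.
    $hold = array( 'woocommerce' );

    if ( ! isset( $item->slug ) ) {
        return $update;           // no slug: fall back to core's own decision
    }
    if ( in_array( $item->slug, $always, true ) ) {
        return true;
    }
    if ( in_array( $item->slug, $hold, true ) ) {
        return false;
    }
    return true;                  // everything else: update automatically
}, 10, 2 );

// Themes: same treatment, no exceptions.
add_filter( 'auto_update_theme', '__return_true' );

// Keep the result e-mail on so a failed core update is noticed, not silent.
add_filter( 'auto_core_update_send_email', '__return_true' );
```

Two caveats for the three plugins the report names. These filters only see updates that appear in WordPress's update transient, which covers plugins installed from wordpress.org and premium plugins whose vendor hooks its own updater in; a copy of RevSlider bundled inside a theme, or a TimThumb script dropped into a theme directory, never shows up there and has to be tracked and replaced by hand. And auto-updates do not help a site that is already compromised, so pair this with a periodic check such as `wp core check-update` and `wp plugin list --update=available` from WP-CLI, and with the file-integrity and blacklist monitoring the segment above describes.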