At least 15,769 WordPress websites - and probably more - have been compromised this year, half slipping past Google's Safe Browsing checks, says security researcher Daniel Cid.
The world's most popular content management system represented the lion's share of some 21,821 sites studied in the second 2016 Sucuri report on compromised web properties that found 3099 Joomla! sites were hacked in the same period.
Statistics plummeted for hacked Magento, Drupal, vBulletin, and Modx sites.
Almost three quarters of all compromised sites in the study were backdoored, providing criminals a means to load various malicious payloads, target visitors, and use the web sites for further attacks.
Those backdoors are often harder for web integrity scanners to detect. Google blacklisted 52 per cent of the total compromised sites, outpacing Norton Safeweb at 38 per cent and McAfee SiteAdvisor flagging a paltry 11 per cent of hacked sites as such.
It is not known what the sites were used for but many serve as staging posts that help fuel attacks by obfuscating command and control networks or providing a source for payloads to be downloaded. Plenty are hacked simply to compromise visitors.
"A hacked site can have multiple files modified with different families of malware in them," Cid says.
"It depends on the attacker’s intent or goal in how they plan to leverage their new asset.
"This report confirms what is already known; vulnerable software continues to be a problem and is the leading cause of today’s websites hacks."
Most sites were hacked thanks to poorly secured extensions, but half of WordPress sites and many more of the lesser-hacked web site types were hosed thanks to an un-patched content management system
Gravity Forms, TimThumb, and RevSlider were the most at-risk WordPress extensions. ®