
Website Security Stats You Should Know


SolidWP Editorial Team

Is it important to know website security stats? Only if you don’t want to become one. Cybersecurity is at the forefront of issues that every company needs to pay attention to, especially if your website is critical to your business.

Why? Every day, an average of 30,000 websites get hacked. This means every 39 seconds, a brand new cyberattack is occurring somewhere on the Internet. In fact, it’s really not a matter of if your site will become a target. It’s more a matter of when.

To give you a clear idea on the current state of cyber threats in 2021 and beyond, we’ve decided to compile this guide to website security stats so you can better arm yourself. Let’s take a look.

“Cybercrime is the greatest threat to every company in the world.” This is a direct quote from the Chairman of IBM, Ginni Rometty, when discussing website security stats and the threat that cyberattacks pose for every website owner.

In 2021 alone, malicious cyberattacks have increased by 300%. And did you know that almost half of all cyberattacks prey on small to medium-sized businesses? Hackers are fully aware that most smaller website owners don’t have solid security measures protecting their websites. In fact, only 45% of small to medium-sized businesses say that they are prepared for a cyberattack.


Website Security Stats Regarding Cyber Attacks

An 18-year-old study from 2003 revealed that attacks happen every 39 seconds throughout the entire web. And that was 18 years ago.

Here are just a few of the grim website security stats you should know:

  • In 2021 alone, malicious cyberattacks have increased by 300%
  • Cyber threats in 2020 increased by nearly 6x their normal levels.
  • In 2019, a full 73% of hackers, according to Thycotic.com, reported that traditional antivirus security and firewalls are obsolete and irrelevant.
  • In 2019, more than 56% of all content management system applications, such as plugins and themes, were not fully updated when the hack happened.
  • Cyber hackers were able to hack 9 out of every 10 web applications that they analyzed. And sensitive data breaches are a significant threat in 68% of all web applications.
  • One study showed that 46% of all web applications had what are called critical vulnerabilities, while a frightening 87% had medium vulnerabilities.
  • Only 45% of small to medium-sized businesses say that they are prepared for a cyberattack.
  • Over 90% of WordPress vulnerabilities are related to themes and plugins. 

Are Cyber Security Breaches Becoming More Common?

A 2019 report by Accenture shows that cybersecurity breaches throughout the Internet went up by 67% from 2014-2019. And of those hacks, a full 73% of hackers, according to Thycotic.com, report that traditional antivirus security and firewalls are obsolete and irrelevant.

This is especially true when dealing with direct targeted attacks. This is when a hacker singles out your website and seeks a point of entry to gain unauthorized access.

Other types of attacks broadly target apps and websites using automated tools. These tools are pre-programmed to seek out specific software vulnerabilities in themes and plugins that hackers can exploit.

According to Forbes, an average of 30,000 new sites are hacked on a daily basis. Most hackers will use automated tools for this, because it allows them to cast their net wider, with not a lot of effort.

And that’s exactly what happens to so many WordPress sites.

One of the biggest problems is that insecure passwords and usernames give hackers the perfect backdoor entry into your website. And while attacks could very well be happening on a larger scale today, the reality is that the Internet has grown to the point where it’s almost impossible to determine exactly how often cyber attacks are happening in 2021.

This is especially true because a lot of attacks and hacks are never disclosed to the public.

Of course, an attack doesn’t always end with a hacked site. For example, the WordPress security plugin iThemes Security Pro helps stop thousands of attackers every day from gaining unauthorized access to websites.

How Do Hackers Succeed?

In most situations, if you’ve been hacked, it was probably done by some sort of automated tool or bot. If you’re using WordPress as your content management system, you’ve likely been hacked due to an exploited vulnerability in a theme or plugin that you’re using on your WordPress site.

This is why you need a powerful WordPress security plugin like iThemes Security Pro that knows exactly how to protect you.

  • It’s difficult to comprehend that hackers had created well over 65 million new versions of malware just in 2019, according to McAfee.
  • And a detailed 2019 report from Kaspersky tells us that they identified 24,610,126 malicious objects on their platform alone. That was an increase of 14% over the prior year.

But can’t a security breach be isolated and repaired very quickly? Unfortunately, the answer is no.

In a report from IBM in 2020, they found that, on average, it takes 280 days to identify a breach. And that doesn’t include the time it takes to repair it and distribute it to users.

Has COVID-19 Had An Impact On Cybersecurity?

As you well know, last year was an incredibly unusual year. The COVID-19 scare really turned a lot of things upside down.

And the regular life disturbances most of us experienced during the year were directly reflected in website security.

In fact, according to Info Security Magazine, cyber threats in 2020 increased by nearly six times their normal levels.

Beyond that, the FBI reported an increase of 300% in total cybercrimes. Their reports show that cybercrimes increased from about 1,000 cases per day, to between 3,000-4,000 per day.

But what do these stats tell us about how the hacks are actually happening?

In 2019, Sucuri reported that 47% of websites that are hacked had at least one backdoor vulnerability that allowed the hacker to gain unauthorized access. This can happen because of WordPress core vulnerabilities, or with other applications you use on your site.

In most cases, the vulnerabilities are found and repaired by the software developers. However, all too many WordPress site owners fail to run all of the required updates on their plugins, themes, and WordPress core.

If you’re serious about stopping hacks, running those updates on a timely basis is your first step to site security.

Sucuri also found, in 2019, that more than 56% of all content management system applications, such as plugins and themes, were not fully updated when the hack happened.

When it comes to considering website security stats, it’s worth taking a look specifically at stats related to WordPress. Why? WordPress has an absolutely massive user base. According to W3Techs, WordPress now powers over 40% of all websites worldwide.

But the major threat isn’t with the WordPress platform. Rather, it’s the huge range of third-party themes and plugins that WordPress site owners employ on their sites.

And while WordPress is always working to keep its core software up-to-date, the improved security these updates give you doesn’t extend to the themes and plugins you run. WordPress is open-source and relies on third-party developers to run. But without employing plugins, WordPress users can’t extend beyond the basic functions of WordPress core.

WordPress plugin vulnerabilities can be varied. They’ll range from SQL injections, to remote code execution, to disclosure of highly sensitive information.

Since the WordPress platform is so widely used, it’s also registered the highest number of overall vulnerabilities among the other popular content management systems, such as Joomla.

For example, in 2018 WordPress reported 542 core vulnerabilities, which was a 30% increase over the prior year.

As for plugins, WordPress currently reports that there are over 55,000 plugins in their repository. And while that is certainly a lot, the number has actually decreased over the last few years. This means that hackers can find vulnerabilities in any one of these 55,000 plugins, then use it to access your site.

While failing to keep all site software updated is one of the mistakes that a lot of WordPress site owners make, another big mistake is using insecure passwords.

For example, it takes less than a second for a hacker to gain access to your site if a user has a password of 654321. Using the password “Password1!” wouldn’t take much longer.

Even a password like “picture10” can be hacked in less than three hours by a skilled hacker.

Poor or insecure passwords are one of the top reasons why so many sites get hacked. So you’ll want to use a tool like iThemes Security Pro that will force users to choose strong passwords that are almost impossible to hack.

Are WordPress Vulnerabilities Increasing Or Decreasing Overall? 

In spite of having fewer new plugins in the WordPress repository, unfortunately, vulnerabilities in WordPress have been increasing of late.

One potential explanation for this could be that plugin authors are using less secure code than in the past.

Another possibility is simply that hackers have become more motivated because of how large the WordPress user base has become. And they know that many of those sites are run by individuals or small businesses that don’t pay a lot of attention to site security.

The problem is that over 90% of WordPress vulnerabilities are related to themes and plugins. In fact, one report says that the number is as high as 98%, while others indicate that the number is closer to 95%.

Either way, you can see where your security needs to be focused.

In WordPress plugins, the most common types of vulnerabilities are SQL injection and cross-site scripting (XSS). CVE Details reports that WordPress websites are most vulnerable to cross-site scripting attacks. 

Always keep in mind that literally anybody can build and publish a WordPress plugin. The WordPress platform is open source, which means that there isn’t any governing body doing extensive code analysis on new plugins before they’re published to the WordPress repository.

As such, the security protocols on some of the plugins you’ll find are not as high as they need to be, which makes them prone to vulnerabilities and attacks.

Vulnerabilities in Web Applications

Web applications are software programs that run on a web server. These are different from computer-based programs that you run locally on your machine. Web applications can only be accessed by users through an internet connection and web browser.

According to a 2018 PT Security study, there were over 70 different types of weaknesses found in web applications. Cross-site scripting vulnerabilities were the most common.

In 2019, PT Security also found that cyber hackers were able to hack 9 out of every 10 web applications that they analyzed. And sensitive data breaches are a significant threat in 68% of all web applications.

Another study done in 2019, this one by Acunetix, showed that 46% of all web applications had what are called critical vulnerabilities, while a frightening 87% had medium vulnerabilities.

What’s more, 80% of these applications had configuration errors that could be exploited by people looking to gain unauthorized access to your site.

Some of these configuration errors included:

  • Default settings
  • Simple standard passwords
  • Full path disclosure
  • Error reporting
  • Additional information leaks

Web Applications and Cross-Site Scripting Attacks

According to a 2019 report from Acunetix called “Web Application Vulnerability 2019,” about 30% of all web applications are vulnerable to cross-site scripting attacks.

But what is the goal of the hacker when they attack web applications?

Typically, a hacker is looking to get the hacking victim to run a malicious script that they’ve injected. That script is then executed by a web application that you trust.

By doing this, the hacker is able to steal sensitive data or modify applications to have data sent to another recipient.

The most recent study in the ENISA Threat Landscape Report shows that about 66% of all attacks on web applications included SQL injection attacks.

Unfortunately, there was a steep increase in web application attacks from 2018 to 2019. In fact, ENISA reports that the number actually went up a full 52%. Beyond that, 84% of the vulnerabilities they observed were due to security misconfigurations.

WordPress Site Owners Are Taking Notice

In a recent study of more than 300 freelancers, digital agencies, and web developers, 243 of them (about 70%) reported that they were more concerned about site security than they have been in the past.

Among WordPress users, the number was even higher. A full 75% reported that they are concerned about site security.

The data from this study also showed an alarming trend: While so many professionals are becoming aware of the dangers of cyberattacks, only about 45% have taken the measures needed to keep their own sites protected.

For many of us, COVID-19 caused us to move into working remotely rather than in a corporate office. This means that people are using the Internet at home more than ever before. The result of this has been a dramatic increase in cyberattacks and hacking attempts on websites of all kinds.

The study of 300 professional developers seems to back this up. Nearly 45% of the 300 respondents have witnessed an increase in targeted attacks on the websites they manage.

Amazingly, 25% of the respondents also reported that they have dealt with getting their site hacked within one month of responding to the survey.

People Worry More About Cyber Attacks Than Attacks In Real Life

That might sound unbelievable, but it’s true: people are more worried about cyber attacks than attacks in real life.

A Gallup study in 2018 showed that Americans actually worry more about cybercrimes than they do violent crimes. This even includes crimes such as murder, terrorism, or being assaulted.

And that doesn’t just apply to the present day. The study showed that this fear has been consistent for an entire decade.

The study says that, of the 13 different crimes taken into consideration, 71% of people in America are concerned with personal data hacks, while 67% worry about the possibility of identity theft.

For perspective, the same survey showed that only 24% were concerned about being a terrorism victim, 22% about being attacked behind the wheel of a motor vehicle, 20% about assault, and 17% about murder.

Perhaps this is because the median cost of fixing the damage after a cyberattack has gone up from $10,000 to $57,000 from 2018 to 2020, according to Hiscox.

What You Should Know About WordPress Site Security

The website security stats we’ve shared with you today have shown how incredibly important it is to stay on top of what’s happening with your website, your business, the people who help you run it, and the software applications you use on your site.

To keep your site secure, always keep the software you’re running updated. Monitor it on a regular basis to ensure that you’re running a current version.

Beyond that, it’s important to remove components from your site that you’re no longer using. If you have old, unused plugins that you haven’t removed, make sure to remove them. Also be sure that your hosting provider is one that you trust.
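The update-and-cleanup advice above, turned into a repeatable check. This is an added example, not code from SolidWP or iThemes Security Pro. It assumes the plugin inventory comes from WP-CLI's `wp plugin list --format=json`; the sample data and plugin names are constructed, and `audit_plugins` is a hypothetical helper name.

```python
import json

# Constructed sample shaped like `wp plugin list --format=json` output.
# Plugin names and versions are hypothetical, not from a real site.
SAMPLE_WP_CLI_JSON = """
[
  {"name": "contact-form-x", "status": "active", "update": "available",
   "version": "2.1.0", "update_version": "2.3.4"},
  {"name": "old-slider", "status": "inactive", "update": "available",
   "version": "1.0.2", "update_version": "1.4.0"},
  {"name": "seo-helper", "status": "active", "update": "none",
   "version": "5.6.1", "update_version": ""},
  {"name": "unused-gallery", "status": "inactive", "update": "none",
   "version": "3.0.0", "update_version": ""}
]
"""


def audit_plugins(wp_cli_json):
    """Return (priority, plugin, action) findings, most urgent first.

    Priority 1: running code with a pending update (exposed right now).
    Priority 2: inactive and outdated (files still sit on disk, unpatched).
    Priority 3: inactive but current (unused component, remove it).
    """
    findings = []
    for plugin in json.loads(wp_cli_json):
        name = plugin["name"]
        outdated = plugin.get("update") == "available"
        inactive = plugin.get("status") == "inactive"
        # update_version may be empty or absent; fall back to a generic label.
        target = plugin.get("update_version") or "latest"
        if inactive:
            priority = 2 if outdated else 3
            reason = "inactive and outdated" if outdated else "inactive"
            findings.append((priority, name, f"remove ({reason})"))
        elif outdated:
            current = plugin.get("version", "?")
            findings.append((1, name, f"update {current} -> {target}"))
    return sorted(findings)


if __name__ == "__main__":
    for priority, name, action in audit_plugins(SAMPLE_WP_CLI_JSON):
        print(f"P{priority} {name}: {action}")
```

Run on a schedule against each managed site, the non-empty result is the to-do list: update what is running, delete what is not.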

And most importantly, choose a WordPress security plugin like iThemes Security Pro that will monitor your site in real time and keep it locked down and protected from malicious cyberattacks.

And remember that when it comes to the security of your website, make sure to do some research before settling on an ultimate solution. Choose critically, and go with the one with a proven track record of security success.

In this current world of attackers looking to exploit you and your work, the future of your website and business will depend on it.

Don’t Become One of These Website Security Stats!

If you’re not already running the best WordPress security plugin to keep your site safe from hackers and malicious attacks, it’s a great time to start doing so. iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.
