Google Records Over 750,000 'Hijacking' Breaches In One Year

An anonymous reader writes: A new study by Google and the University of California, Berkeley, claims over 700,000 websites were breached between June 2014 and June 2015. The research shows that "miscreants" had routinely hijacked thousands of vulnerable web servers for "cheap hosting and traffic acquisition." The exact number of recorded "hijacking incidents" within the period was 760,935 but google has been said they were able to curb the amount of breaches through direct communication with webmasters. Google's Safe Browsing Alerts sends notifications to network admins when potentially dangerous URLs are detected on their networks. These have reportedly increased the likelihood of a "cleanup" by more than 50 percent and reduced "infection lengths" by at least 62 percent. According to The Next Web, WordPress topped the chart of platforms that experienced the most breaches (almost half of all attacks). English websites experienced the most attacks, with Chinese, German, Japanese and Russian language websites following closely behind.

but google has been said

[thebes]

umm, wut?

Context, correlation, etc etc

[wbr1]

According to The Next Web, WordPress topped the chart of platforms that experienced the most breaches (almost half of all attacks). English websites experienced the most attacks, with Chinese, German, Japanese and Russian language websites following closely behind.

Uh... http://trends.builtwith.com/cm... [builtwith.com]
https://en.wikipedia.org/wiki/Languages_used_on_the_Internet [wikipedia.org]

Wordpress is the single most used CMS on the web and English is the most used language. The hijack rate corresponds closely to that. So Wordpress haters, go away before you open your mouth. I see more computers with Norton also have viruses. This stands to reason due to its market share. Does this mean norton doesn't suck, no. But raw numbers are misleading. WordPress may suck, but the primary thing is not updating, using poorly written and unmaintained modules/plugins and crossing your fingers. This is a recipe for disaster on any system.

What we need is people to take ownership of their systems, be it a PC or a website or anything else. This however takes time, thought and money. People want cheap and now, so they hire a cheap designer, pay for a cheap hosting platform, then wonder why the iranian datacoders league defaced their site with militant Islamic messages, or elitehackers.ru is delivering cryptolocker with theit webserver.

Professionalism has costs in dollars and other resources. Do not be surprised when you skimp.

Re:

[RabidReindeer]

Actually, I like WordPress. But it's not the only web application in the world. There are many others, some quite popular.

So I'm thinking that the percentage of WordPress sites that have been pwned is probably much higher than most of the other platforms.

That may be in part because WordPress is one of those platforms geared start-to-finish for non-technical people - which is to say people who use the product without any understanding of things like industry best practices for security.

Re:Context, correlation, etc etc

[KGIII]

Having played, a lot, with WordPress lately, I've noticed a few things...

It's easy if you just point and click. It's good for that. However, if you start digging into the framework then it's no longer easy and it really isn't designed that well. You can keep it reasonably secure but it takes some effort and you need to start the whole process with security in mind. I've installed a number of plugins but I've actually been really careful about it and have stopped to actually read each of them - and to at least skim their code, to make sure I know what I'm doing and what they are doing.

The thing is, I don't think people do that. I went through the list of the most popular stuff and I made it a few pages into the list. As I was reading them, I was thinking "WTF?" So, I looked at some of the code for some of them. I remained thinking, "WTF?" At one point, I was reading about some of the footer instances and I played with that for a bit. One of the pages I was reading had the advice, "If you get an error, just CHMOD the whole themes folder and the files in it to 777 and it should go away." Or something like that. That's not verbatim, I don't think.

So, there are a variety of problems. This is JUST a guess but it looks like someone originally wrote it just to do a few things. Then, someone decided to add plugins so they added that feature. Then, they added the next feature, then they added another feature, and now it is on 4.5.x and somewhere along the lines, it got popular. So, it looks like things have just been bolted on as they went.

Read through the WordPress Developer Resources site. Take a look at the functions list. Look at the things they do and how they're called. It's also capable of being a hell of a resource hog. I mean a whole lot of resources... It happily eats any RAM it can find and, best of all, they've got a plugin that will help you find and use all the RAM. You know, in case your hosting company limits RAM use per script or something and you don't want to live with those paltry resources - why not find a way to bypass that and push it to the limits? It's only shared hosting so that 500 error you see will get blamed on someone else unless the hosting company's admins actually look deep enough to see who was figuring out how to use more RAM than they were allotted. I mean, it's not like the hosting company had a good reason when they put those limits in there...

So, there are some issues and I really think WP would do well with a complete rewrite. I've actually read a whole lot of the code for WordPress. All in the past few months. I'm now well over 200 hours into it and that 200 hours is not including a whole bunch of hours spent on just researching. It probably would have been less time but I've not poked or played with much of anything since about 2007. I had a lot to relearn and a lot of new stuff to catch up on - I still do. It has changed, a lot.