Hacking is not random: a case-control study of webserver-compromise risk

We describe a case-control study to identify risk factors that are associated with higher rates of webserver compromise. We inspect a random sample of around 200 000 webservers and automatically identify attributes hypothesized to affect the susceptibility to compromise, notably content management system (CMS) and webserver type. We then cross-list this information with data on webservers hacked to serve phishing pages or redirect to unlicensed online pharmacies. We find that webservers running WordPress and Joomla are more likely to be hacked than those not running any CMS, and that servers running Apache and Nginx are more likely to be hacked than those running Microsoft IIS. We also identify several WordPress plugins and Joomla extensions that associated with compromise. Furthermore, using a series of logistic regressions, we find that a CMS’s market share is positively correlated with website compromise. Surprisingly, we find that webservers running outdated software are less likely to be compromised than those running up-to date software. We present evidence that this is true for core WordPress software (the most popular CMS platform) and many associated plugins. Finally, we examine what happens to webservers following compromise. We find that under 5% of hacked WordPress websites are subsequently updated, but those that do are recompromised about half as often as those that do not update.