Websites belonging to small- to midsized (SMB) businesses experienced an astonishing 63 attacks per day in the second quarter of this year, a study by SiteLock showed.

That number, which extrapolates to some 23,000 attacks annually, represented an increase of 186% over the 22 attacks per day that websites averaged during the same period last year. Automated bots were responsible for more than 85% of these attacks.

Despite the steep increase in attacks, many websites were inadequately protected and site owners instead relied heavily on search engines and third parties, such as Web hosting providers, to alert them about potential security issues and breaches. Four in 10 site owners continued to erroneously believe their hosting provider was responsible for website security, SiteLock found.

SiteLock's report is based on an analysis of data from more than 6 million websites and from a survey of over 20,000 website owners.

"Many website owners are unaware that website security is their responsibility and rely too heavily on popular search engines and other third parties to notify them when they’ve been compromised," says Logan Kipp, Wordpress evangelist at SiteLock. That sort of alerting typically only happens after a breach has occurred - when it is too late, he says. "Bottom line; website owners need to take proactive secure measures."

The tendency by website owners to rely on search engines and browser-makers to warn about security issues had another downside as well. Browsers correctly flagged only 23% of infected websites in SiteLock's study as being dangerous for visitors. The remaining 77% of infected websites provided no warning to users at all because search engine and browser makers tend to be overly cautious about marking sites as being potentially unsafe, SiteLock said.

For purposes of the study, SiteLock described a website attack as any activity prohibited by administrator-configured security preferences or prohibited by SiteLock's global security rules. Some common examples of activities that were considered a website attack included SQL injection and cross-site scripting attacks, cross-site request forgery (CSRF), and local and remote file inclusion and other common attacks such as those outlined by the Open Web Application Security Project (OWASP).

As has been the case for several years now, many website compromises in Q2 resulted from common, well-known Web application vulnerabilities. SQL injection (SQLi) and cross site scripting (XSS) errors once again topped the list of most commonly occurring Web application vulnerabilities.

Over 300,000 of the six million-plus websites that SiteLock considered for the survey had either a high-risk SQL injection bug or a high-risk XSS issue. On average, a website with an SQLi vulnerability had 20 vulnerable URLs each across their site, while those with XSS flaws averaged 74 vulnerable URLs site-wide. The survey's results suggest that there may be as many as 90 million websites worldwide that have similar issues.

The numbers are especially significant because they pertain only to high-risk SQLi and XSS flaws of the sort that can be detected quickly, SiteLock said.

CMS Mess

SiteLock's analysis also showed that a website's content management system had an impact on overall security. Websites running Joomla, for instance, tended to be more than twice as vulnerable to attacks compared to websites running WordPress or Drupal. Nearly one in five of the sites running Joomla had a version that stopped receiving security updates as many as five years ago.

"One of the reasons that Joomla websites demonstrated an elevated risk profile in our analysis was the low adoption rate for updates we observed in the sample," Kipp says. "The largest single version subgroup for Joomla was those running v1.5, which has not been supported since September of 2012, and demonstrated an infection rate of 6.31%," he says.

Interestingly, even when a CMS had the latest security updates, it often ended up being vulnerable because of buggy plug-ins. This was especially true in the case of WordPress, which supports the ability to integrate a wide variety of third-party plugins, SiteLock said in its report. Some 44% of those plugins had not been updated for over a year at the time that SiteLock was doing its report. Not surprisingly, nearly 7 in 10 infected WordPress websites had the latest security patches installed, but were compromised because of vulnerable plugins.

The SiteLock analysis also showed that websites infected with spam generally tend to have a lot more infected files compared to other websites. In Q2 2017, spam-infested websites averaged some 1, 967 malware infested files: 62% of which consisted of spam; 23%, backdoors; and 8%, malicious redirects.

"Spam infections are notorious for dumping a lot of files into websites," Kipp says. Only eight percent of the total infected website sites in the SiteLock study contained spam. Even so, spam accounted for 62% of all the infected files that SiteLock discovered.

"This means that spam infections are characteristically much more disruptive in terms of their scope of impact with regard to file structure," he says. "For example, your average infected website may only have a handful of files directly impacted by malware, but spam infections may create hundreds or thousands of files and directories, making them a very one of the noisier infection types."

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.