18 Mar 2019

No, 90 Percent of Hacked Websites in 2018 Were Not Running WordPress

Back in January we noted that a good rule of thumb is that security statistics are probably not accurate, and we were quickly proved right about the particular stat that prompted that observation. Here is another stat that you are likely to see repeated a lot despite it not being accurate:

But it’s also the most hacked, with a report from security firm Sucuri earlier this month revealing that 90% of compromised sites in 2018 were powered by the platform.

That comes from an article in The Daily Swig, which we were notified of through a Google Alert we have set up to keep track of WordPress plugin vulnerabilities.

If you follow the link there to the Sucuri Website Hack Trend Report 2018 and read what is actually written, you find a different story.

First, it is actually a claim about hacked websites that Sucuri cleaned:

WordPress continues to be the leading infected website CMS (90% of all websites cleaned by Sucuri in 2018).

Unless they get a perfect sample of all hacked websites, that percentage will be somewhat, and maybe far, off from the overall percentage (due to things like the moderators of the WordPress Support Forum violating the guidelines they are supposed to be enforcing in order to promote Sucuri), but that isn’t the only issue.

By “websites” they apparently mean counting a WordPress installation whenever one is present in the hosting account that contains a hacked website:

Note: The data in this graph exceeds 100% due to the fact that some websites may have multiple CMS installations. For example, it’s common to see both WordPress and Joomla! installed on the same server account.

Considering that an account could contain numerous websites, and that WordPress is very popular, that counting method could make the percentage significantly less accurate.

What seems even more important to note is what is missing from the linked report: any actual data on how the websites were hacked. That is a huge red flag for a company cleaning up hacked websites, since determining how a website was hacked is a basic part of a proper hack cleanup. There is a good reason why that data is missing: Sucuri doesn’t properly clean up hacked websites. You don’t have to take our word for that, as they admit that they don’t try to figure out how websites are hacked.

That isn’t a small issue. Over at our main business we are repeatedly brought in to re-clean hacked websites previously cleaned by Sucuri, and what we find again and again is that if they had tried to figure out why the website had been hacked, they would have seen that they had missed malicious files on the website. They didn’t, so the website remained hacked.

The other big problem with that is that if you don’t know how websites are being hacked, you are going to have a hard time protecting websites from being hacked, which is the other part of Sucuri’s service, and one they don’t seem to do a good job of (which might explain why they make such a big deal of including “unlimited” cleanups with a service that is supposed to be protecting websites from being hacked in the first place).
