2019 Website Threat Research Report

An analysis of the latest trends in malware and hacked websites detected (or remediated) by Sucuri.

Our 2019 Threat Research Report is a deep dive into our logs, experiences, and collected analysis. It summarizes and identifies the latest tactics, techniques, and procedures seen by the Malware Research, Vulnerability Research and Threat Intelligence teams, and Remediation Groups at Sucuri/GoDaddy.

Download Report (PDF)

Editorial Commentary

Given the ever-changing nature of the threat landscape, remaining aware of trends is critical. After all, how do you protect yourself from emerging threats when you don’t know they exist. That’s why resources like this report are so important. When we share information as a community, it becomes a safer place for all of us. Consider that when discussions about internet security surface, they’re usually one of two perspectives: website security is really important, or it’s never gonna happen to me.

Website attacks usually derive from a lack of knowledge or complete denial about the threat landscape and the common mindset is: Attackers only target large corporations or famous websites. “I’m only a small website, so there’s no way I’m going to be a target. There’s nothing to worry about.”

In reality, these assumptions couldn’t be farther from the truth. We analyze hundreds of emerging security incidents every day. One of the most common factors is the exploitation of known vulnerabilities in software applications and extensible components, which are typically identified and abused using automated attacks — and can impact a website regardless of its size, traffic volume, or the amount of monthly revenue it generates.

This year’s analysis revealed that, compared with past years, threats are becoming increasingly more complex — and attackers are leveraging known vulnerabilities in massive, automated campaigns to take advantage of websites big and small.

In order to address this complexity of attacks, it is essential that both website owners and the information security community join forces to make the internet a safer place. To accomplish this, we regularly update our technologies and solutions to scale with emerging threats by handling every single security incident with a well-defined process: identify the attack and its derivations, analyze its behavior, create rules to protect our client base, and write about our discoveries to help educate researchers and website owners.

As part of our contributions to the community, we’ve been regularly releasing data and analysis for the security landscape. These reports include insights and data about emerging threats and website compromises, along with practical takeaways for you and your website.

If you’re a researcher or part of the infosec community and want to collaborate with us on research or get involved with upcoming reports, we want to hear from you. Find us on Twitter @sucurilabs or email us at labs@sucuri.net.

When it comes to security, it’s important to remember that there is no shame in being a little too paranoid. Be safe.

Estevao Avillez

Senior Director of Security Engineering


Our 2019 Threat Research Report is a deep dive into our logs, experiences, and collected analysis. It summarizes and identifies the latest tactics, techniques, and procedures seen by the Malware Research team, Vulnerability Research team, Threat Intel Research team and Remediation Groups at Sucuri/GoDaddy.

We examined trends in our user base to identify the most common malware families and threats facing our customers. Our data revealed that a large majority of compromised environments were linked to SEO spam (62%) and website reinfections from backdoors (47%).

During 2019, we saw that over 60% of websites were vulnerable at the point of infection — a 4% increase from 2018. This trend indicates that website owners continue to fall behind on patching and maintaining core CMS files and extensible components.

Our research team tracked a massive ongoing campaign which leveraged over 54 vulnerable plugins, themes and components during the 2019 calendar year. This campaign was responsible for redirecting site visitors to fake tech support and push notification scams.

Credit card stealers and ecommerce related website infections were also on the rise in 2019, with over 1700 client-side and 600 server-side credit card stealers removed from infected websites in 2019 by the Sucuri remediation team.