The Underestimated Risk: Why Website Owners Often Neglect Security Updates in WordPress
Cybercriminals exploit security vulnerabilities in websites to steal data, use servers running outdated WordPress installations for spam campaigns or DDoS attacks, or take over other people’s websites to host fake online shops. To close vulnerabilities and minimize risks, content management system (CMS) providers regularly offer security updates to their customers. “Unfortunately, many website owners don’t do these updates, or not on a regular basis”, explains Maria Hellenthal. The researchers explored the reasons for this avoidable risk based on outdated WordPress sites and interviews with their owners. The team also spoke with web developers and hosting providers to include their professional perspectives. “We chose WordPress because with over 60% market share worldwide, it is currently the most widespread CMS”, says Hellenthal.
Missing Updates: Causes and Obstacles
The issue of missing security updates is not limited to WordPress. “We see this phenomenon across the entire online ecosystem”, Hellenthal explains. A frequently mentioned reason, which also appears in Hellenthal’s study, is a lack of risk awareness. “Many website owners do not realize that cyberattacks not only harm them but the entire network community. When a site is hacked, not only can its visitors be harmed, but also other website owners and hosting providers – in other words, the entire online community”, says the researcher. Additional obstacles to regular updates include the fear that updates might cause problems, such as compatibility issues with plugins, or that additional costs might arise due to updates.
Two of the reasons identified in Hellenthal’s study were not explicitly mentioned in previous literature on the lack of updating: “An important factor in update behavior seems to be what the website means to its owners. A business owner running an online store, for example, and relying on the site as their main source of income, values it differently than a small business owner who only provides information and relies more on word of mouth. In both cases, updates can be neglected, but website owners who care more about their site are more likely to be persuaded to update by targeted, clear warnings about potential vulnerabilities”, the researcher explains.
According to the study, another problem arises when website management is outsourced to external parties. “Delegating website management to a more experienced person should bring advantages, but it can also bring disadvantages. For example, we have seen in several cases that there can be a diffusion of responsibility when the maintenance tasks are not clearly defined, compensated, and described in the contract. Nobody really feels responsible”, Hellenthal says. One interviewee also mentioned feeling overwhelmed when an external person added plugins with which they were not familiar, causing the system to become more complex. “And of course, money plays a role. Many cannot afford an agency to handle these tasks, and tech-savvy friends are only asked when there is no other option”, Hellenthal explains.
Security Warnings Are Often Ignored
Security experts have long tried to push website owners to update by sending vulnerability notifications – often with moderate success. “There are studies that examine why notifications are so often ignored and how they should be designed to have a greater impact. Our study, which investigates why system security is neglected in the first place, can help us better understand whom we can still reach with notifications”, says Hellenthal. However, according to her, relying solely on security warnings is not enough to sustainably improve the security of WordPress-based websites.
How Can Risks Be Minimized?
Hellenthal also sees responsibility with CMS providers. “They could make security solutions like static site generators, which do not contain unnecessary security-relevant components, much more user-friendly. They should also better educate their customers, in a way that is more understandable for non-experts, about the risks they take when they disable automatic security updates”, Hellenthal suggests. She also thinks that public recognition programs for secure websites could be helpful.
Qualitative Research Provides New Insights
The study was based on 19 interviews. How representative is this? “In qualitative research, it’s not about generalizability, but rather about identifying behavioral patterns”, explains Hellenthal. “On this basis, we can develop theories and test them in further quantitative studies or – as in this case – develop initial improvement strategies, taking into account the reasons for missing updates.” The interdisciplinary project grew out of a shared research idea by IT security researcher and CISPA faculty member Dr. Ben Stock and Dr. Michael Schilling, psychologist and Head of Empirical Research Support at CISPA. The research is based on the master’s theses of Lena Gotsche and Sarah Kugel, both of whom are psychologists. Sociologist Dr. Rafael Mrowczynski contributed his expertise in qualitative research methodology. “We complemented each other perfectly on a methodological and technical level”, concludes Hellenthal, who works in the CISPA Empirical Research Support team, assisting IT security researchers with methodology and study design. “I come from experimental cognitive psychology and have always done more applied research. For a long time, I was a bit of an outsider at my former university. At CISPA, I can contribute my skills to a highly interesting field.”