CISPA

The (Un)usual Suspects – Studying Reasons for Lacking Updates in WordPress

conference contribution
posted on 2024-09-16, 09:00 authored by Maria Hellenthal, Lena Gotsche, Rafael Mrowczynski, Sarah Kugel, Michael Schilling, Ben Stock
The widespread use of Content Management Systems (CMS) like WordPress has made these systems attractive targets for adversaries, with the vulnerabilities in the code posing serious risks to website visitors, hosters, operators, and the wider online public. Despite being the most effective way to reduce these risks, more than half of all CMS installations lack the latest security patches. Researchers have tried to notify website operators about vulnerabilities using vulnerability notifications, which often exhibit limited impact. In this paper, we use a qualitative inductive approach to investigate the reasons why website owners do not update their CMS. To gain a holistic view on lacking update behavior, we interviewed website owners with outdated WordPress-based systems as well as individuals involved in website creation and hosting. On the one hand, we could confirm issues known from other ecosystems, such as lack of risk awareness, perceived risks of updates, and update costs, as factors for lacking CMS updates. More importantly, though, we identified previously unaccounted factors: (1) the subjective value of a website to its owner and (2) the delegation of website operations, which influence updating behavior far more decisively. Furthermore, we showed that website owners perceive a potential compromise of their CMS only as a risk to themselves and not as a threat to the wider online community. These findings may partly explain the limited success of previous efforts to notify operators about vulnerabilities in their systems. Our study not only offers valuable insights for future research, testing the effectiveness of vulnerability notifications and studying updating behavior in general, but it also offers practical suggestions on how to reduce the number of outdated systems on the web.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

Network and Distributed System Security Symposium (NDSS)

Journal

NDSS

Open Access Type

  • Gold

BibTeX

@conference{Hellenthal:Gotsche:Mrowczynski:Kugel:Schilling:Stock:2025,
  title = "The (Un)usual Suspects – Studying Reasons for Lacking Updates in WordPress",
  author = "Hellenthal, Maria and Gotsche, Lena and Mrowczynski, Rafael and Kugel, Sarah and Schilling, Michael and Stock, Ben",
  year = 2025,
  month = 2,
  journal = "NDSS"
}
