Zone-h published a new statistics report about registered attacks. In 2007, Apache websites were defaced 319,439 times whereas IIS sites (IIS 6.0 + IIS 5.0) were attacked only 137,599 times. Of course, one has to take into account that there are (still) more Apache sites out there. So, I used the latest Netcraft data to calculate what I call the Apache/IIS website security ratio.
- Author and member of the year 2019 – Why DevOps still doesn't rule the IT world - Wed, Jan 1 2020
- Results of the 4sysops member and author competition in 2018 - Tue, Jan 8 2019
- Why Microsoft is using Windows customers as guinea pigs - Reply to Tim Warner - Tue, Dec 18 2018
According to Netcraft 76,591,442 sites were running on Apache in December 2007 and IIS hosted 55,502,886 which corresponds to a ratio of 1.38. In January 2007 the ratio was 1.95. Despite the fact that IIS is catching up continuously, it also seems that IIS sites are more secure than those running on Apache.
The average Apache/IIS ratio should be about 1.66. I only used January and December to calculate this number because I was too lazy to add all months. But since Apache is continually losing ground against IIS I think that this number should be the mean value for 2007.
So in 2007, there were 1.66 more Apache sites than IIS sites and there were 2.32 times more Apache sites defaced than IIS sites. The Apache/IIS security ratio is just 2.32/1.66=1.40.
This number tells us that the probability of a certain website getting hacked is 1.4 times higher if it is running on Apache. It does not necessarily mean that Apache is more secure than IIS, though. The number one reason why websites get defaced is because of weak passwords. Shares misconfiguration is second.
So one might be tempted to conclude that Apache admins are just sloppier or don’t care that much about security. This might be due to the fact that Apache hosts mostly private sites where IIS is stronger in corporate environments. It could also be that configuring Apache is more complicated, therefore more prone to errors. I personally find password configuration a bit cumbersome with Apache. So my guess is that Apache admins change their passwords less often. Hmm, this reminds me that I didn’t change my Apache passwords for quite a while. 😉