According to statistics from 40,000+ WordPress websites in Alexa's Top 1 Million, more than 70% of WordPress installations are vulnerable to hacker attacks.

Ever wondered why WordPress is such a popular target for malicious hackers? Why in 2012 more than 117,000 WordPress installations were hacked? The statistics in this article explain why.

The statistics come from research conducted between the 12th and 15th of September 2013, just 1 day after the release of WordPress 3.6.1, which contained several fixes for critical exploitable vulnerabilities, such as remote code execution. The research was done by Sandro Gauci, CEO and Founder of EnableSecurity. Mr Gauci also built all the tools used for this research. We would like to thank Mr Gauci for sharing the results with us and allowing us to compile these statistics.

WordPress Versions Statistics | The Shocking Truth

The statistics below are based on 42,106 WordPress websites found in Alexa’s top 1 million websites.

  • 74 different versions of WordPress were identified.
  • 11 of these versions are invalid, for example version 6.6.6.
  • 18 websites reported an invalid, non-existent version of WordPress.
  • 769 websites (1.82%) are still running a 2.0.x version of WordPress.
  • Only 7,814 websites (18.55%) upgraded to WordPress 3.6.1.
  • 1,785 websites upgraded to version 3.6.1 between the 12th and the 15th of September.
  • 13,034 websites (30.95%) are still running a vulnerable version of WordPress 3.6.

Top 10 Most Popular Installed WordPress Versions

As explained in the section above, we identified 74 different versions of WordPress running in Alexa’s top 1 million websites, and 1.82% of these websites are still running a 2.0.x version of WordPress. We could not list all the versions, so below are the top 10 most popular WordPress versions found among the 42,106 WordPress installations:

WordPress Version    No. of Installations    No. of Known Vulnerabilities
3.6                  13,034                  5
3.6.1 (latest)       7,814                   0
3.5.1                6,859                   8
3.5.2                4,031                   0
3.4.2                2,204                   12
3.5                  1,655                   10
3.3.1                820                     24
3.2.1                820                     10
3.3.2                732                     14
3.4                  295                     15
Total (Excl 3.6.1)   30,823

WordPress Installations Vulnerable to Hacker Attacks

From the table above we can determine that at least 30,823 WordPress websites out of 42,106 are running versions with known, exploitable vulnerabilities. Note that this figure only covers the top 10 most popular WordPress versions installed.

This means that 73.2% of the most popular WordPress installations are running versions with vulnerabilities that can be detected using free automated tools. Considering the number of vulnerable WordPress installations out there, and the popularity of such websites, we are still surprised that most of them have not been hacked yet.
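The classification behind the figures above (a site is either on the latest release, on an outdated one, or reports an invalid version such as 6.6.6) can be reproduced from the generator tag WordPress emits in the page head. The following is an added example, not part of the original post and not one of Mr Gauci's tools; it assumes that a version newer than the latest release counts as invalid, and it runs over a few constructed sample pages rather than real sites. A site administrator can use the same check to confirm what version their own installation advertises.

```python
"""Classify WordPress installations by the version in their generator tag.

Added example (not the post's or EnableSecurity's code). The generator tag
looks like: <meta name="generator" content="WordPress 3.6" />
"""
import re
from collections import Counter

# WordPress 3.6.1 was the current release when the post was written.
LATEST = (3, 6, 1)

# Matches the generator tag and captures whatever follows "WordPress".
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([^"\']*)["\']',
    re.IGNORECASE,
)


def parse_version(text):
    """Return a tuple of ints for a dotted version such as '3.6.1', with
    trailing zeros dropped so '3.6.0' equals '3.6'. Returns None when the
    string is not purely numeric (e.g. '' or '3.6-beta')."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    parts = [int(part) for part in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def classify(version):
    """Label a parsed version as latest, outdated, invalid or unknown.

    Assumption (not the post's definition): a version newer than LATEST,
    such as 6.6.6, is 'invalid' because no such release exists; anything
    older than LATEST is 'outdated'."""
    if version is None:
        return "unknown"
    if version > LATEST or version[0] == 0:
        return "invalid"
    if version == LATEST:
        return "latest"
    return "outdated"


def version_from_html(html):
    """Extract the WordPress version tuple from a page, or None if the
    generator tag is missing or carries no version number."""
    match = GENERATOR_RE.search(html)
    if not match:
        return None
    return parse_version(match.group(1))


def summarize(pages):
    """Count pages per label and compute the outdated share among pages
    whose version could be identified, mirroring the post's percentages."""
    counts = Counter(classify(version_from_html(html)) for html in pages)
    identified = sum(n for label, n in counts.items() if label != "unknown")
    share = round(100.0 * counts["outdated"] / identified, 1) if identified else 0.0
    return dict(counts), share


# Constructed sample pages; none of these are real sites.
SAMPLE_PAGES = [
    '<html><head><meta name="generator" content="WordPress 3.6.1" /></head></html>',
    '<html><head><meta name="generator" content="WordPress 3.6" /></head></html>',
    '<html><head><meta name="generator" content="WordPress 3.5.1" /></head></html>',
    "<html><head><meta name='generator' content='WordPress 2.0.11'></head></html>",
    '<html><head><META NAME="generator" CONTENT="WordPress 6.6.6"></head></html>',
    '<html><head><meta name="generator" content="WordPress" /></head></html>',
    "<html><head><title>generator tag removed</title></head></html>",
]

if __name__ == "__main__":
    counts, share = summarize(SAMPLE_PAGES)
    print(counts)                 # {'latest': 1, 'outdated': 3, 'invalid': 1, 'unknown': 2}
    print(f"{share}% outdated")   # 60.0% outdated
```

Sites that strip or blank the generator tag end up as "unknown", which is why a survey of this kind can only report on installations whose version could be identified; the post's own percentages are likewise computed over the 42,106 sites that were identified.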

It takes a malicious attacker only a couple of minutes to run automated tools that can discover such vulnerabilities and exploit them.

Keep WordPress Up to Date and Stay Secure

There are several security measures one can take, or tweaks one can implement, to improve the security of a WordPress installation, and we recommend doing so. But if you don’t use the latest version of WordPress, you will always be vulnerable whatever you do (unless you manually fix the WordPress code).

Note: The tools used for this research are still being developed therefore some statistics might not be accurate.

Comments

  1. There always has been and always will be plenty of exploits for WordPress, simply because it’s a very well known open source CMS. The most important thing is to always keep your installation up to date, even though many webmasters don’t seem to follow that advice. If you can’t do that manually, at least automate the process by using a plugin that does that. Furthermore the security can be increased a lot by using “BulletProof Security”, which is a WP plugin which uses .htaccess rules to block most hacking attempts.

    • Hi Alex,

      Correct. If only most users kept their WordPress up to date and used very strong passwords, they would already be safe from most of the automated attacks we see.

    • Wrong. Open source does not make something insecure. Any open source package can be secure if properly written.
      Joomla! is much more secure than WordPress. It uses a framework that has security built in to it.
      Also of importance are the plugins (WordPress) or extensions (Joomla!) that you use to extend your CMS or blog. Those must be properly maintained as well. Joomla! maintains a list of vulnerabilities and removes extensions that are unpatched.
      Customization can introduce problems as well. If the CMS doesn’t do what is needed, a coder can write code to do so. In WordPress, the code gets changed directly, and an upgrade can cause those changes to be overwritten. In Joomla!, the system is written with Model View Controller design principles. That means that when the system code needs to be changed, you can write those changes to a protected area and upgrades to the core system don’t overwrite that code. This is called over-rides, and it is a benefit of the MVC design.
      The important point here is that open source does not make something insecure. Linux is very secure and is open source. Microsoft Windows is notoriously insecure and vulnerable, and that is closed source. The culture of a project development environment will have a significant influence on the security of the system.

      • Hi Mark,

        Thank you for visiting our blog.

        I think there is some misunderstanding here; we never said that just because software is open source, it is insecure. Whether something is vulnerable or not is not related to whether it is open source software or not. Almost every system has security problems and very few are secure in an out-of-the-box installation. I think what the previous comment meant is that, simply because WordPress is very popular, it is of course a bigger target, hence the chances of finding issues in it are higher.

Trackbacks

  1. […] just came across an interesting post on WP White Hat Security, which says that 70% of the top 40,000 ranked WordPress websites are vulnerable to hacking […]

  2. […] nor even whether they are publicly accessible. The WP WhiteSecurity team prepared a somewhat different summary: it analysed over 42 thousand of the most popular (according to Alexa) sites based on […]

  3. […] to the statistics recently published by WP WhiteSecurity, more than 70% of WordPress installations are vulnerable to hackers out of the World’s Top 1 […]

  4. […] Institute of Technology and The Pennsylvania State University. According to statistics proposed by WP WhiteSecurity, from 40,000+ WordPress Websites in Alexa Top 1 Million, more than 70% of WordPress installations […]

  5. […] according to WP WhiteSecurity’s statistics, more than 70% of all WordPress installations among the Top 1 Million websites are vulnerable and […]

  6. […] recent investigation has concluded that 73% of the 40,000 most popular websites that use WordPress software are […]

  7. […] statistics recently presented, out of a total of 42,106 WordPress websites that […]

  8. […] to block all malicious connections. According to statistics recently published by WP WhiteSecurity, more than 70% of WordPress installations are vulnerable to hackers in the top 1 […]

  9. […] 73% of WordPress installs are on a backlevel version due to the website owner not maintaining their system. An unmaintained system can be vulnerable to […]

  10. Comments on the IE 0-day vulnerability and on attacks on and via WordPress blogs

    There is (a little) news on the current 0-day vulnerability in Internet Explorer, and now we also know what the WordPress installations compromised by a botnet in the spring were used for. The 0-day vulnerability in IE. An indication […]

  11. […] of more than 40,000 of the largest WordPress sites on the web, it turned out that over 70% of all WordPress sites are vulnerable. At the same time, WordPress is used for 20% of all websites on […]

  12. […] the wpwhitesecurity site, 117,000 WordPress sites were hacked in 2012. It is difficult to obtain a figure […]

  13. […] 73.2% of the most popular WordPress installations are vulnerable to vulnerabilities which can be det… […]

  14. […] a blog post, Abela reported that of the 42,106 WordPress sites from the Alexa index identified, 19% had already […]

  15. […] are running an outdated version of WordPress with known vulnerabilities. WordPress security expert Robert Abela, who used Gauci’s data further reported that of the 42,106 WordPress sites identified in the […]

  16. […] recent analysis of the 40,000-plus most popular WordPress sites found that 73% of installations run on a version […]

  17. […] study of 42,106 WordPress sites listed in Alexa’s top one million in a three-day period earlier this month, found that an […]

  18. […] the study was conducted on 12 September, just one day after the […]

  19. […] trouble is that it seems a lot of people don't bother. Some researchers believe that as many as 73% of the WordPress sites out there are vulnerable to attack purely because they aren't running the […]

  20. […] an easy target for hackers. According to some statistics recently published on wpwhitesecurity.com, in 2012 alone more than 170,000 websites built with WordPress were hacked and this […]

  21. […] Sandro Gauci, the CEO and Founder of EnableSecurity, published his research regarding WordPress security it opened quite a few eyes. Looking at the 42,106 that […]

  22. […] unfortunate reality is that WordPress sites are heavily targeted by malicious bots and individuals. WP WhiteSecurity states that, “According to statistics From 40,000+ WordPress Websites in Alexa Top 1 Million, more […]
