According to statistics From 40,000+ WordPress Websites in Alexa Top 1 Million, more than 70% of WordPress installations are vulnerable to hacker attacks.
Ever wondered why WordPress is such a popular target for malicious hackers? Why in 2012 more than 117,000 WordPress installations were hacked? The statistics in this article explain why.
The statistics are from a research held between the 12th and 15th of September 2013, just 1 day after the release of WordPress 3.6.1, which contained several fixes to critical exploitable vulnerabilities, such as remote code execution. The research was done by Sandro Gauci, CEO and Founder of EnableSecurity. Mr Gauci also built all the tools for this research. We would like to thank Mr Gauci for sharing the results with us and allowing us to come up with such statistics.
WordPress Versions Statistics | The Shocking Truth
The below statistics are are based on 42,106 WordPress websites found in Alexa’s top 1 million websites.
- 74 different versions of WordPress were identified.
- 11 of these versions are invalid. For example version 6.6.6.
- 18 websites had an invalid non existing versions of WordPress.
- 769 websites (1.82%) are still running a subversion of WordPress 2.0.
- Only 7,814 websites (18.55%) upgraded to WordPress 3.6.1.
- 1,785 websites upgraded to version 3.6.1 between the 12th and the 15th of September.
- 13,034 websites (30.95%) are still running a vulnerable version of WordPress 3.6.
Top 10 Most Popular Installed WordPress Versions
As explained in the above section, we have identified 74 different versions of WordPress running in Alexa’s top 1 million websites, and 1.82% of these are still running a sub version of WordPress 2.0. We could not list all the versions, so below are the top 10 most popular WordPress versions found in 42,106 WordPress installations:
|WordPress Version||No. of Installations||No. of Known Vulnerabilities|
|Total (Excl 3.6.1)||30,823|
WordPress Installations Vulnerable to Hacker Attacks
From the table above we can determine that at least 30,823 WordPress websites out of 42,106 are vulnerable to exploitable vulnerabilities. Note that the above is just from the top 10 most popular WordPress versions installed.
This means that 73.2% of the most popular WordPress installations are vulnerable to vulnerabilities which can be detected using free automated tools. Considering the number of vulnerable WordPress installations out there, and the popularity of such websites, we are still surprised how come most of them haven’t been hacked yet.
It takes a malicious attacker only a couple of minutes to run automated tools that can discover such vulnerabilities and exploit them.
Keep WordPress Up to Date and Stay Secure
There are several security measures one can take, or tweaks one can implement to improve the security of a WordPress installation, and we recommend you to doing so. But if you don’t use the latest version of WordPress, you will always be vulnerable whatever you do (unless you manually fix the WordPress code).
Note: The tools used for this research are still being developed therefore some statistics might not be accurate.