According to statistics From 40,000+ WordPress Websites in Alexa Top 1 Million, more than 70% of WordPress installations are vulnerable to hacker attacks.
Ever wondered why WordPress is such a popular target for malicious hackers? Do you know why every year hundreds of thousands of WordPress installations are hacked, even though WordPress users have many WordPress security plugins that they can use? This article uses statistics to explain why.
The statistics are from a research held between the 12th and 15th of September 2013, just 1 day after the release of WordPress 3.6.1. This update addressed several critical exploitable vulnerabilities, such as a remote code execution. The research was headed by Sandro Gauci, CEO and Founder of EnableSecurity. Mr Gauci also built all the tools for this research.
WordPress versions statistics | The shocking truth
The below statistics are are based on 42,106 WordPress websites found in Alexa’s top 1 million websites.
- 74 different versions WordPress identified.
- 11 of these versions are invalid. For example version 6.6.6.
- 18 websites had an invalid non existing versions of WordPress.
- 769 websites (1.82%) are still running a subversion of WordPress 2.0.
- Only 7,814 websites (18.55%) upgraded to WordPress 3.6.1.
- 1,785 websites upgraded to version 3.6.1 between the 12th and the 15th of September.
- 13,034 websites (30.95%) are still running a vulnerable version of WordPress 3.6.
Top 10 most popular WordPress versions
We have identified 74 different WordPress versions running in Alexa’s top 1 million websites. 1.82% of these are still running a sub version of WordPress 2.0. The below table lists the top 10 most popular WordPress versions used.
|WordPress Version||No. of Installations||No. of Known Vulnerabilities|
|Total (Excl 3.6.1)||30,823|
WordPress Installations Vulnerable to Hacker Attacks
Data shows that at least 30,823 out of 42,106 identified WordPress websites have exploitable vulnerabilities.
This means that 73.2% of the most popular WordPress installations are vulnerable. They are vulnerable to exploitable vulnerabilities that can be detected with free automated tools, within seconds. It is surprising how most of them haven’t been hacked yet.
It only takes a couple of minutes for a malicious attacker to run an automated tool that can discover these vulnerabilities and exploit them. This highlights the importance choosing the right WordPress web host that auto updates both plugins and WordPress.
Keep WordPress up to date and stay secure
There are several security measures one can take to improve the security of a WordPress installation, such as:
- Configure strong WordPress password policies,
- Keep a WordPress audit log,
- Configure a WordPress intrusion detection system (IDS),
- Install a WordPress firewall,
- Run file integrity monitoring checks on WordPress,
- and much more!
We recommend doing all of the above. However, if you do not keep up to date WordPress core, all the plugins, themes and other software that you use, you will always be vulnerable.
Note: Some statistics might not be accurate. The tools used in this research are beta tools.