Statistics Show Why WordPress is a Popular Hacker Target

Last updated on June 25th, 2020 by Robert Abela. Filed under News

According to statistics From 40,000+ WordPress Websites in Alexa Top 1 Million, more than 70% of WordPress installations are vulnerable to hacker attacks.

Ever wondered why WordPress is such a popular target for malicious hackers? Do you know why every year hundreds of thousands of WordPress installations are hacked, even though WordPress users have many WordPress security plugins that they can use? This article uses statistics to explain why.

The statistics are from a research held between the 12th and 15th of September 2013, just 1 day after the release of WordPress 3.6.1. This update addressed several critical exploitable vulnerabilities, such as a remote code execution. The research was headed by Sandro Gauci, CEO and Founder of EnableSecurity. Mr Gauci also built all the tools for this research.

WordPress versions statistics | The shocking truth

The below statistics are are based on 42,106 WordPress websites found in Alexa’s top 1 million websites.

  • 74 different versions WordPress identified.
  • 11 of these versions are invalid. For example version 6.6.6.
  • 18 websites had an invalid non existing versions of WordPress.
  • 769 websites (1.82%) are still running a subversion of WordPress 2.0.
  • Only 7,814 websites (18.55%) upgraded to WordPress 3.6.1.
  • 1,785 websites upgraded to version 3.6.1 between the 12th and the 15th of September.
  • 13,034 websites (30.95%) are still running a vulnerable version of WordPress 3.6.

Top 10 most popular WordPress versions

We have identified 74 different WordPress versions running in Alexa’s top 1 million websites. 1.82% of these are still running a sub version of WordPress 2.0. The below table lists the top 10 most popular WordPress versions used.

WordPress VersionNo. of InstallationsNo. of Known Vulnerabilities
3.6.1 (latest)7,8140
Total (Excl 3.6.1)30,823

WordPress Installations Vulnerable to Hacker Attacks

Data shows that at least 30,823 out of 42,106 identified WordPress websites have exploitable vulnerabilities.

This means that 73.2% of the most popular WordPress installations are vulnerable. They are vulnerable to exploitable vulnerabilities that can be detected with free automated tools, within seconds. It is surprising how most of them haven’t been hacked yet.

It only takes a couple of minutes for a malicious attacker to run an automated tool that can discover these vulnerabilities and exploit them. This highlights the importance choosing the right WordPress web host that auto updates both plugins and WordPress.

Keep WordPress up to date and stay secure

There are several security measures one can take to improve the security of a WordPress installation, such as:

We recommend doing all of the above. However, if you do not keep up to date WordPress core, all the plugins, themes and other software that you use, you will always be vulnerable.

Note: Some statistics might not be accurate. The tools used in this research are beta tools.


antiddos 09/10/2013

There always has been and always will be plenty of exploits for WordPress, simply because it’s a very well known open source CMS. The most important thing is to always keep your installation up to date, even though many webmasters don’t seem to follow that advise. If you can’t do that manually, at least automate the process by using a plugin that does that. Furthermore the security can be increased a lot by using “BulletProof Security”, which is a WP plugin which uses .htaccess rules to block most hacking attempts.

Robert Abela 09/10/2013

Hi Alex,

Correct. If only most users keep their WordPress up to date and use very strong passwords they are already safe from most of the automated attacks we see.

Mark Simko 03/03/2014

Wrong. Open source does not make something insecure. Any open source package can be secure if properly written.
Joomla! is much more secure than WordPress. It uses a framework that has security built in to it.
Also of importance is the plugins (WordPress) or extensions (Joomla!) that you use to extend your CMS or blog. Those must be properly maintained as well. Joomla! maintains a list of vulnerablilities and removes extensions that are unpatched.
Customization can introduce problems as well. If the CMS doesn’t do what is needed, a coder can write code to do so. In WordPress, the code gets changed directly, and an upgrade can cause those changes to be overwritten. In Joomla!, the system is written with Model View Controller design priciples. That means that when the system code needs to be changed, you can write those changes to a protected area and upgrades to the core system don’t overwrite that code. This is called over-rides, and it is a benefit of the MVC design.
The important point here is that open source does not make something insecure. Linux is very secure and is open source. Microsoft Windows is notoriously insecure and vulnerable, and that is closed source. The culture of a project development environment will have a significant influence on the security of the system.

Robert Abela 05/03/2014

Hi Mark,

Thank you for visiting our blog.

I think there is some misunderstanding here; we never said that just because a software is open source, it is insecure. The issue about being vulnerable or not is not related to being an open source software or not. Almost every system has security problems and very few are secure in an out of the box installation. I think what previous comments meant, simply because WordPress is very popular then of course it is of a bigger target, hence the chances of finding issues in it are more.

Simon 16/12/2019

Last updated on August 15th, 2019?

This data is over 6 years old. The update timestamp right under the title is highly deceiving! This article is made to seem up to date while in fact the information should be considered dangerously outdated.

Robert Abela 07/01/2020

Thank you for your comment Simon. I am sorry if this seems misleading to you. In the article we clearly specify the dates of when the study was done in the second paragraph. The date at the top reflects the last time the article was updated. By the way, we are working on some new statistics and we should publish them shortly.

Leave a Reply

Your email address will not be published.

Our other plugins