Statistics Show Why WordPress is a Popular Hacker Target

Last updated on April 12th, 2019 by Robert Abela. Filed under News

According to statistics From 40,000+ WordPress Websites in Alexa Top 1 Million, more than 70% of WordPress installations are vulnerable to hacker attacks.

Ever wondered why WordPress is such a popular target for malicious hackers? Why in 2012 more than 117,000 WordPress installations were hacked? The statistics in this article explain why.

The statistics are from a research held between the 12th and 15th of September 2013, just 1 day after the release of WordPress 3.6.1, which contained several fixes to critical exploitable vulnerabilities, such as remote code execution. The research was done by Sandro Gauci, CEO and Founder of EnableSecurity. Mr Gauci also built all the tools for this research. We would like to thank Mr Gauci for sharing the results with us and allowing us to come up with such statistics.

WordPress Versions Statistics | The Shocking Truth

The below statistics are are based on 42,106 WordPress websites found in Alexa’s top 1 million websites.

  • 74 different versions of WordPress were identified.
  • 11 of these versions are invalid. For example version 6.6.6.
  • 18 websites had an invalid non existing versions of WordPress.
  • 769 websites (1.82%) are still running a subversion of WordPress 2.0.
  • Only 7,814 websites (18.55%) upgraded to WordPress 3.6.1.
  • 1,785 websites upgraded to version 3.6.1 between the 12th and the 15th of September.
  • 13,034 websites (30.95%) are still running a vulnerable version of WordPress 3.6.

Top 10 Most Popular Installed WordPress Versions

As explained in the above section, we have identified 74 different versions of WordPress running in Alexa’s top 1 million websites, and 1.82% of these are still running a sub version of WordPress 2.0. We could not list all the versions, so below are the top 10 most popular WordPress versions found in 42,106 WordPress installations:

WordPress VersionNo. of InstallationsNo. of Known Vulnerabilities
3.6.1 (latest)7,8140
Total (Excl 3.6.1)30,823

WordPress Installations Vulnerable to Hacker Attacks

From the table above we can determine that at least 30,823 WordPress websites out of 42,106 are vulnerable to exploitable vulnerabilities. Note that the above is just from the top 10 most popular WordPress versions installed.

This means that 73.2% of the most popular WordPress installations are vulnerable to vulnerabilities which can be detected using free automated tools. Considering the number of vulnerable WordPress installations out there, and the popularity of such websites, we are still surprised how come most of them haven’t been hacked yet.

It takes a malicious attacker only a couple of minutes to run automated tools that can discover such vulnerabilities and exploit them. This illustrates the importance choosing a web hosting solution that auto updates both plugins and WordPress.

Keep WordPress Up to Date and Stay Secure

There are several security measures one can take, or tweaks one can implement to improve the security of a WordPress installation, and we recommend you to doing so. But if you don’t use the latest version of WordPress, you will always be vulnerable whatever you do (unless you manually fix the WordPress code).

Note: The tools used for this research are still being developed therefore some statistics might not be accurate.

WordPress Hosting, Firewall and Backup

This Website is:


antiddos 09/10/2013

There always has been and always will be plenty of exploits for WordPress, simply because it’s a very well known open source CMS. The most important thing is to always keep your installation up to date, even though many webmasters don’t seem to follow that advise. If you can’t do that manually, at least automate the process by using a plugin that does that. Furthermore the security can be increased a lot by using “BulletProof Security”, which is a WP plugin which uses .htaccess rules to block most hacking attempts.

Robert Abela 09/10/2013

Hi Alex,

Correct. If only most users keep their WordPress up to date and use very strong passwords they are already safe from most of the automated attacks we see.

Mark Simko 03/03/2014

Wrong. Open source does not make something insecure. Any open source package can be secure if properly written.
Joomla! is much more secure than WordPress. It uses a framework that has security built in to it.
Also of importance is the plugins (WordPress) or extensions (Joomla!) that you use to extend your CMS or blog. Those must be properly maintained as well. Joomla! maintains a list of vulnerablilities and removes extensions that are unpatched.
Customization can introduce problems as well. If the CMS doesn’t do what is needed, a coder can write code to do so. In WordPress, the code gets changed directly, and an upgrade can cause those changes to be overwritten. In Joomla!, the system is written with Model View Controller design priciples. That means that when the system code needs to be changed, you can write those changes to a protected area and upgrades to the core system don’t overwrite that code. This is called over-rides, and it is a benefit of the MVC design.
The important point here is that open source does not make something insecure. Linux is very secure and is open source. Microsoft Windows is notoriously insecure and vulnerable, and that is closed source. The culture of a project development environment will have a significant influence on the security of the system.

Robert Abela 05/03/2014

Hi Mark,

Thank you for visiting our blog.

I think there is some misunderstanding here; we never said that just because a software is open source, it is insecure. The issue about being vulnerable or not is not related to being an open source software or not. Almost every system has security problems and very few are secure in an out of the box installation. I think what previous comments meant, simply because WordPress is very popular then of course it is of a bigger target, hence the chances of finding issues in it are more.

Leave a Reply

Your email address will not be published. Required fields are marked *