
What We Learned About WordPress Security From Crawling 24,000 Websites

Director of Marketing, The SSL Store

Half of websites use outdated WordPress versions; Only 1/4 of small websites use HTTPS

Concerned about protecting the security of your WordPress website? You should be! Thousands of websites are hacked every day, and because WordPress is used by about 30% of the web, it’s a favorite target for hackers. Perhaps the most dramatic illustration of this was the 2017 vulnerability that led to over 1.5 million websites being hacked, but less dramatic, though no less harmful, hacks occur constantly.

That’s not to say that WordPress can’t be a secure, reliable platform for your website to run on. It definitely can, if proper security measures are taken. As this study shows, though, far too many site owners are not taking even the most basic security steps. Today we’re discussing the importance of keeping your WordPress site updated.

WordPress isn’t inherently less secure than any other platform, but with the volume of WP sites out there, coupled with far too many site owners neglecting their WP sites, well…there’s a lot of low-hanging fruit out there for hackers to exploit. –Ken Dawes @ The Web Mechanic

Why Are WordPress Updates So Important?

One of the simplest ways to avoid becoming a victim of hacking is to install the latest WordPress updates, plugins, and themes. These WordPress security updates often contain patches for security vulnerabilities found by hackers or researchers. (One popular vulnerability database lists over 11,000 known vulnerabilities that have been found in older versions of WordPress and its themes and plugins.) The quicker you install the updates, the more likely you’ll protect your site before a hacker gets around to targeting you.

About 1/2 Of Websites Use An Outdated Version Of WordPress

We analyzed the Quantcast top 10,000 WordPress sites on April 5, 2018 to determine which version of WordPress the sites were running. The latest version, 4.9.5, had been released 2 days earlier, on April 3. We found that 49% of the sites were running an outdated version of WordPress:

  • 51% were using the latest version (4.9.5)
  • 15% were using the previous version (4.9.4)
  • 34% were using older versions (4.9.3 or before)


Many Sites Are Very Slow To Update

Since our first analysis was run just 2 days after the new WordPress security version came out, we reran the analysis on April 13th, 10 days after the release of version 4.9.5. We only found a small improvement, with 44% of the top 10,000 sites running an outdated version (down from 49% the previous week). Because many hackers run automated crawlers that find and exploit vulnerable websites, 10 days is a very long window of opportunity for hackers to find and damage your website.

Smaller Sites Are 27% More Likely To Be Outdated

We also analyzed less popular websites (specifically, 14,000 websites with a traffic rank lower than 500,000) to see how practices differ at smaller sites. Here’s what WordPress version the two groups of sites were using:

WordPress version    Top 10,000 Sites    Lower Traffic Sites
Current Version      56%                 44%
Previous Version     11%                  8%
Older Versions       33%                 48%

This data shows that low traffic websites are 27% more likely to use an outdated version of WordPress. This seems to make sense, because lower traffic websites typically represent individuals and small organizations that may not have full time technical staff or developers to keep their website updated and secured.

Staying up to date with WordPress versions prevents you from being a victim of a low hanging fruit attack. When a vulnerability is found in a version of WordPress, hackers will create an exploit for that vulnerability and then cast a wide net, usually in an automated fashion, looking to see who is not up to date. –Greg Kelley @ Vestige Digital Investigations

25% To 67% Of Websites Have Implemented HTTPS

Over the past few years, HTTPS has moved from something mostly used by ecommerce and financial websites to a best practice for all websites. In July 2018, Google plans to begin explicitly marking all HTTP sites as “Not Secure”, which will further motivate websites to start using HTTPS.

During our analysis, we checked the WordPress sites to determine whether they are using HTTPS as their default protocol. We found that 67% of top WordPress sites have implemented HTTPS as default, while only 25% of low-trafficked sites have.
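The two checks described in this study, reading the WordPress version and testing whether a site lands on HTTPS by default, can be reproduced for your own sites with a short script. The following Python helper is an added example, not the study's own crawler (which is not published here). It assumes the version is read from the `<meta name="generator" content="WordPress X.Y.Z">` tag that WordPress emits by default, and that the HTTPS check is made by starting at an `http://` URL and looking at the scheme of the URL reached after redirects. The pages and URLs in `SAMPLE_CRAWL` are constructed for illustration; plug in your own fetched pages to get the same "current / previous / older" buckets and HTTPS share used in the tables above.

```python
"""Offline helper for auditing a crawl like the one in the article: for each
fetched page, read the WordPress version and note whether the site lands on
HTTPS. Sample pages below are constructed for illustration, not crawl data."""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re


class _GeneratorTagParser(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() == "generator":
            self.generators.append(attr.get("content", ""))


# WordPress emits <meta name="generator" content="WordPress X.Y.Z" /> by default.
_WP_VERSION_RE = re.compile(r"^WordPress\s+(\d+(?:\.\d+)*)", re.IGNORECASE)


def wordpress_version(html):
    """Return the WordPress version advertised in the page, or None if absent.
    A missing tag only means the site hid it (a theme or plugin can remove it);
    it says nothing about whether the site is actually patched."""
    parser = _GeneratorTagParser()
    parser.feed(html)
    for generator in parser.generators:
        match = _WP_VERSION_RE.match(generator.strip())
        if match:
            return match.group(1)
    return None


def _as_tuple(version):
    """'4.9' and '4.9.0' compare equal; missing components count as zero."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def classify_version(version, latest, previous):
    """Bucket a site the way the article's tables do: current (the latest
    release or newer), previous (the one release before it), older, or unknown."""
    if version is None:
        return "unknown"
    v = _as_tuple(version)
    if v >= _as_tuple(latest):
        return "current"
    if v == _as_tuple(previous):
        return "previous"
    return "older"


def https_is_default(final_url):
    """True when a request that began at http:// ended, after redirects, on https://."""
    return urlsplit(final_url).scheme.lower() == "https"


def summarize(crawl_results, latest, previous):
    """crawl_results: iterable of (final_url, html) pairs, one per site.
    Returns percentages (one decimal) for each version bucket, for 'outdated'
    (previous + older), and for sites landing on HTTPS."""
    buckets = Counter()
    https_sites = 0
    sites = 0
    for final_url, html in crawl_results:
        sites += 1
        buckets[classify_version(wordpress_version(html), latest, previous)] += 1
        if https_is_default(final_url):
            https_sites += 1

    def pct(count):
        return round(100.0 * count / sites, 1) if sites else 0.0

    return {
        "sites": sites,
        "current": pct(buckets["current"]),
        "previous": pct(buckets["previous"]),
        "older": pct(buckets["older"]),
        "unknown": pct(buckets["unknown"]),
        "outdated": pct(buckets["previous"] + buckets["older"]),
        "https": pct(https_sites),
    }


# Constructed sample of (final URL after redirects, fetched HTML); not real sites.
SAMPLE_CRAWL = [
    ("https://site-a.example/", '<head><meta name="generator" content="WordPress 4.9.5" /></head>'),
    ("http://site-b.example/", '<head><meta content="WordPress 4.9.4" name="generator"></head>'),
    ("https://site-c.example/", '<head><meta name="generator" content="WordPress 4.7.2" /></head>'),
    ("http://site-d.example/", "<head><title>No generator tag here</title></head>"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_CRAWL, latest="4.9.5", previous="4.9.4"))
```

Sites that strip the generator tag land in the "unknown" bucket rather than being counted as current; hiding the tag does not patch anything, so treat such sites as needing a manual check rather than as up to date.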


Adam Thompson, SEO/PPC Manager