Is WordPress really safe? That’s probably a question on the minds of many new users, especially when they hear that it’s an open source project. So, are there any statistics about WordPress security that can provide an answer?
As a matter of fact, there are, and in this post, we have tried to compile as many meaningful numbers on this topic as possible. Below, we’ll examine industry reports and statistics regarding the security of WordPress core, themes and plugins, login information, and hosting environments.
In the end, we want you to not only have a good idea about the safety situation of WordPress but also know exactly where the risks lie so you can address them.
Statistically, WordPress Is the Most Popular Target for Hackers
The first data point that matters when talking about WordPress security is 43%. According to W3Techs, that’s the worldwide share of websites running on WordPress. Note that this is not its market share among content management systems (which is higher) but its share of all websites on the Internet.
That’s a pretty big number. And it matters because, while as WordPress fans this is something to be proud of, it also comes with a downside – exposure.
The sheer number of websites running on WordPress means that the platform is a prime target for hackers. In fact, in Sucuri’s 2022 threat research report, WordPress sites accounted for 96.2% of all infected websites.
Doesn’t Really Sound Safe, Does It?
When you see statistics like that in isolation, your first thought might be that WordPress indeed has a security problem. Why else would it account for such a huge majority of successful hacks?
That’s why we started with the first number. WordPress is simply a much more prominent and lucrative target. Going for a system that allows you to try and attack literally hundreds of millions of websites rather than one with a much smaller user base is much more economical and efficient. That’s apparently also what hackers think.
The bad news is, they often succeed. Every year hundreds of thousands of WordPress websites are hacked successfully. The good news is, as you will see below, that’s not because WordPress is inherently unsafe. In fact, a lot of these successful hacks are entirely avoidable. You just need to know how to protect yourself.
WordPress Core Vulnerability Statistics
In the quest of answering whether WordPress is safe or not, let’s start off with statistics about the security of the WordPress core software.
Most Hacked Websites Haven’t Been Updated
According to the Sucuri report, most hacked WordPress websites are out of date. In 2022 more than half of those infected with malware weren’t running on the latest version of WordPress.
That’s not a surprise. Some older versions of the CMS have well-known security problems that have been publicly disclosed. So, if you continue to run your website on one of them, you are practically inviting someone to take advantage of that.
In fact, the WordPress releases with the most security problems are all version 4.0 or earlier. Since then, the number of vulnerabilities has steadily decreased.
The Sucuri report also reflects that. In comparison to earlier numbers, the share of WordPress sites hacked due to not being updated has gone down.
In fact, WordPress had the lowest share of infections due to outdated versions among all the CMS they came across.
This has been the case for two years in a row and WordPress’ share has fallen slightly during that time. Here is 2021 for comparison.
This is a User Problem, Not a WordPress Problem
So, how is the state of WordPress users keeping their websites updated? Well, many don’t. Here are the WordPress versions running on websites in the wild as tracked by WordPress.org.
As you can see, only around 60% are on the very latest version. Yet, the good news is that at least the vast majority is on WordPress 4.0 or above, where the vulnerability situation gets much better. Plus, three quarters have updated to the latest major version, which is an improvement over earlier years. In 2016, that share was only at about 50%.
One likely reason for that is the automatic updates introduced in version 5.6. You no longer have to rely on users to manually click the Update button. Instead, websites can automatically install new WordPress versions, which has apparently contributed to this positive trend.
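Automatic updates can be opted into site-wide rather than left to each user clicking Update. The following must-use plugin is an added example (not code from the original post or from WordPress itself) that enables unattended core, plugin and theme updates through WordPress’ own filters while keeping a small exclusion list for extensions that need manual testing first; the excluded slugs are assumed placeholders.

```php
<?php
/**
 * Plugin Name: Auto-Update Policy (added example)
 * Description: Opts the site into automatic core, plugin and theme updates.
 *              Save as wp-content/mu-plugins/auto-update-policy.php.
 */

// Assumed placeholders: extensions that must NOT update unattended because
// they need a manual test after each release.
const AUP_EXCLUDED_PLUGINS = array( 'example-custom-plugin/example-custom-plugin.php' );
const AUP_EXCLUDED_THEMES  = array( 'example-child-theme' );

// Core: allow both minor (security/maintenance) and major releases to install
// in the background. Equivalent to define( 'WP_AUTO_UPDATE_CORE', true ).
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins: auto-update everything except the exclusion list.
// $item->plugin is the "directory/file.php" identifier of the plugin.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, AUP_EXCLUDED_PLUGINS, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// Themes: same policy, keyed by the theme's directory slug.
add_filter( 'auto_update_theme', function ( $update, $item ) {
    if ( isset( $item->theme ) && in_array( $item->theme, AUP_EXCLUDED_THEMES, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// Leave a trace in the PHP error log whenever a background update run finishes,
// so that failed or skipped updates are noticed instead of silently piling up.
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( $results as $type => $items ) {
        foreach ( $items as $item ) {
            $name   = isset( $item->name ) ? $item->name : $type;
            $status = ( isset( $item->result ) && ! is_wp_error( $item->result ) ) ? 'ok' : 'FAILED';
            error_log( sprintf( 'auto-update: %s %s %s', $type, $name, $status ) );
        }
    }
} );
```

Background updates are triggered by the scheduled `wp_version_check` event, so the site’s WP-Cron (or a real system cron calling `wp-cron.php`) has to be running for this policy to take effect.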
The WordPress Security Infrastructure Works
Despite the reluctance of users to update their websites, the safety system for WordPress core does its job very well. The WordPress security team quickly finds and patches issues in every new WordPress release.
In 2023, we already had three security releases that patched 20-30 potential vulnerabilities. WordPress 6.0.3 alone contained 16 security fixes. There were also four security releases in the project in 2022, which addressed 26 security bugs in total.
Plus, this vigilance extends to other parts of the ecosystem. Elementor encountered a critical vulnerability that was quickly patched, Ninja Forms received a forced update from WordPress.org, and BackupBuddy patched a high-severity security flaw as well and pushed the updated version to its users.
So, while WordPress has security issues just like every other software, it has failsafes in place that quickly respond to them. One of the biggest hurdles that remains is getting users to apply the solutions.
Statistics on WordPress Theme and Plugin Security
As the most popular CMS, WordPress comes with a huge number of extensions, many of them for free. At the time of this writing, there are almost 60,000 plugins in the WordPress directory alone, as well as more than 11,000 themes.
That’s not even counting the thousands of other plugins that are available in other parts of the web, often as premium solutions. That’s the cool thing about WordPress, whatever you are looking for, there is most likely already a solution for it out there.
At the same time, each extension that you install on your site is a potential entry point for an attacker. Themes and plugins are the responsibility of individual developers. They are not tested as rigorously as WordPress core and, therefore, are more likely to contain security flaws. In addition, sometimes developers simply stop supporting their work and it becomes outdated.
Therefore, it’s not a surprise that they play a big role in WordPress security statistics, especially plugins. In fact, according to WPScan.com, they contain the vast majority of WordPress vulnerabilities.
Patchstack arrived at similar numbers.
Free plugins in particular appear to be a problem. Sucuri reports that premium themes and plugins make up 8.62% of all third-party vulnerabilities, while free extensions account for 91.38%.
Here, too, a common problem is that website owners use outdated versions with known security issues. Sucuri further reports that 36% of all compromised websites had at least one vulnerable plugin or theme present while being fixed.
Popular Extensions Account for the Majority of Hacks
The distribution of which plugins and themes cause issues is also interesting. According to Sucuri, the most commonly detected vulnerable components included out-of-date versions of Contact Form 7 (27.44%), Freemius Library (20.85%), and WooCommerce (14.51%). There are a few others.
So, why do we still allow these plugins to exist if they are doing such a shoddy job at security? Here, the same thing applies as for WordPress in general. It’s not necessarily that these plugins are more insecure, they are simply very popular. Contact Form 7 alone has over five million installs.
Plus, these developers actually do a good job at fixing security issues once they become known. The problem only occurs when users don’t apply the fixes. In addition, there are efforts well underway to address the shortcomings of plugins. There was a recent proposal for a Plugin Checker, similar to the theme check plugin, that is in the works.
So, what do we learn from that? Keep your themes and plugins updated just like the rest of your WordPress site.
Login credentials are another factor in websites that experience a successful hack. Weak usernames and passwords pose a serious security risk. They are easily compromised via brute force attacks and credential stuffing.
When something like that happens, it doesn’t really matter how up-to-date your site is or the security of your plugins and themes. Once someone has full access to your site, there are few limits to what they can do.
Case in point, Sucuri found malicious WordPress admin users in 32.69% of infected websites. Just for funsies, here are the usernames and emails they most used.
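Because rogue administrator accounts show up in roughly a third of infected sites, it pays to check for them automatically instead of noticing by chance. The must-use plugin below is an added example (not from the original post or from Sucuri) that compares the site’s current administrators against an allow-list, reports unknown ones daily and reacts immediately when an account is promoted to administrator; the expected logins are assumed placeholders.

```php
<?php
/**
 * Plugin Name: Administrator Audit (added example)
 * Description: Reports administrator accounts that are not on the expected list.
 *              Save as wp-content/mu-plugins/admin-audit.php.
 */

// Assumed placeholders: the only logins that should hold the administrator role.
const ADMIN_AUDIT_EXPECTED = array( 'site-owner', 'deploy-bot' );

/**
 * Return the administrator logins that are not on the expected list.
 * Kept free of WordPress calls so the comparison can be tested on its own.
 *
 * @param string[] $actual   Logins currently holding the administrator role.
 * @param string[] $expected Logins allowed to hold it.
 * @return string[]
 */
function admin_audit_unexpected( array $actual, array $expected ) {
    return array_values( array_diff( $actual, $expected ) );
}

/** Fetch the logins of all current administrators from the database. */
function admin_audit_current_admins() {
    // With a single column name in 'fields', get_users() returns plain strings.
    return get_users( array( 'role' => 'administrator', 'fields' => 'user_login' ) );
}

/** Report unexpected administrators by e-mail and in the PHP error log. */
function admin_audit_run() {
    $unexpected = admin_audit_unexpected( admin_audit_current_admins(), ADMIN_AUDIT_EXPECTED );
    if ( empty( $unexpected ) ) {
        return;
    }
    $message = "Unexpected administrator accounts found:\n- " . implode( "\n- ", $unexpected )
             . "\n\nReview them under Users > All Users and remove any you did not create.";
    wp_mail( get_option( 'admin_email' ), 'Administrator audit alert', $message );
    error_log( 'admin-audit: unexpected administrators: ' . implode( ', ', $unexpected ) );
}
add_action( 'admin_audit_daily', 'admin_audit_run' );

// Schedule the daily check once; WP-Cron fires the 'admin_audit_daily' hook.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'admin_audit_daily' ) ) {
        wp_schedule_event( time(), 'daily', 'admin_audit_daily' );
    }
} );

// Real-time check: fires whenever any account's role changes, including
// administrators created through a compromised plugin or a stolen session.
add_action( 'set_user_role', function ( $user_id, $role ) {
    if ( 'administrator' === $role ) {
        admin_audit_run();
    }
}, 10, 2 );
```

The e-mail goes to the address stored in the `admin_email` option; if an attacker already controls that mailbox the alert is lost, so the error-log line is written as a second, independent trace.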
On the other hand, this is one of the parts most under the direct control of users. For example, WordPress comes with an automatic safe password generator. Why not take advantage of it?
You also need to do the same for other accounts related to your website, like hosting and FTP credentials. Plus, there are additional measures to protect your login page, like limiting login attempts and two-factor authentication.
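Limiting login attempts is the countermeasure against the brute-force and credential-stuffing attacks mentioned above. The must-use plugin below is an added example (not code from the original post or from any plugin it names) that counts failed logins per client address in a transient and refuses authentication once the limit is reached; the limit of 5 failures per 15 minutes is an assumed policy.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 * Description: Locks out a client address after too many failed logins.
 *              Save as wp-content/mu-plugins/login-limiter.php.
 */

const LAL_MAX_FAILURES   = 5;                       // assumed policy
const LAL_WINDOW_SECONDS = 15 * MINUTE_IN_SECONDS;  // counting window and lockout length

/**
 * Client address used as the lockout key. Assumes REMOTE_ADDR is the real
 * client; behind a proxy or CDN substitute the address the proxy forwards,
 * and only after verifying the request really came from that proxy.
 */
function lal_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient key for an address (hashed so the key length stays fixed). */
function lal_key( $ip ) {
    return 'lal_fail_' . md5( $ip );
}

/** Record one failed attempt and return the new count for the window. */
function lal_record_failure( $ip ) {
    $key   = lal_key( $ip );
    $count = (int) get_transient( $key ) + 1;
    // Every failure restarts the window, so a persistent attacker stays locked.
    set_transient( $key, $count, LAL_WINDOW_SECONDS );
    return $count;
}

/** True once the address has used up its allowed failures. */
function lal_is_locked( $ip ) {
    return (int) get_transient( lal_key( $ip ) ) >= LAL_MAX_FAILURES;
}

// Count failures. The username is truncated in the log line so that a
// mistyped password never ends up in the error log next to the login.
add_action( 'wp_login_failed', function ( $username ) {
    $ip    = lal_client_ip();
    $count = lal_record_failure( $ip );
    error_log( sprintf( 'login-limiter: failure %d from %s for user %s...', $count, $ip, substr( (string) $username, 0, 3 ) ) );
} );

// Refuse authentication while locked. Priority 100 runs AFTER the built-in
// username/password and e-mail handlers (priority 20), so a correct password
// cannot slip through while the address is locked out.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( lal_is_locked( lal_client_ip() ) ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 100, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( lal_key( lal_client_ip() ) );
} );
```

Transients live in the options table (or the object cache when one is configured), so the counter is shared across all PHP workers of the site; keying on the address alone means a large shared NAT can be locked out by one misbehaving client, which is the usual trade-off of this approach.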
Hosting Security Stats
The hosting environment and the technologies present in it also play a role in security, especially the PHP version that WordPress is running on. For example, PHP 7 introduced better security features than its predecessor PHP 5.
Plus, the PHP developers have a pretty strict end-of-life policy for their older versions. At the time of this writing, anything before 8.0 no longer receives support or security fixes and is therefore best avoided in the long term.
Here, WordPress doesn’t look that great. While the vast majority of WordPress websites run on at least PHP 7.0 with almost half on 7.4, only a little more than a quarter use the actively supported versions.
There are even some 6% that still run on PHP 5.x versions, which haven’t seen any support in years. So, if you haven’t yet, update your PHP version.
WordPress Security Statistics in a Nutshell
No CMS is 100% secure, in fact nothing connected to the web is. Yet, despite what you might hear elsewhere, WordPress’ security statistics are overall very good. Yes, there are issues that need fixing but most of them are actively being addressed.
If you want to help improve the numbers even further, you can do so by following these best practices:
- Keep WordPress and its plugins and themes updated
- Only use extensions from reputable sources
- Use strong passwords and credentials for everything related to your website
- Consider using a firewall and/or CDN
- Limit login attempts
- Use an SSL certificate to encrypt traffic on your website, including your dashboard
- Pick a host that allows you to keep your PHP version up-to-date
If you follow these, you should have positive security stats at least for your own WordPress site.
What statistics about the state of WordPress security do you find most interesting? Let us know in the comments below!