WordPress installations are vulnerable to hacker attacks

According to statistics from 40,000+ WordPress websites in Alexa's top 1 million, more than 70% of WordPress installations are vulnerable to hacker attacks.
Ever wondered why WordPress is such a popular target for malicious hackers? Why were more than 117,000 WordPress installations hacked in 2012? The statistics in this article explain why.
The statistics come from research conducted between the 12th and 15th of September 2013, just one day after the release of WordPress 3.6.1, which contained fixes for several critical exploitable vulnerabilities, including remote code execution. The research was done by Sandro Gauci, CEO and Founder of EnableSecurity, who also built all the tools used for it. We would like to thank Mr Gauci for sharing the results with us and allowing us to compile these statistics.
WordPress Versions Statistics | The Shocking Truth
The statistics below are based on 42,106 WordPress websites found in Alexa's top 1 million websites.
- 74 different versions of WordPress were identified.
- 11 of these versions are invalid, for example version 6.6.6.
- 18 websites reported an invalid, non-existent WordPress version.
- 769 websites (1.82%) are still running a sub-version of WordPress 2.0.
- Only 7,814 websites (18.55%) upgraded to WordPress 3.6.1.
- 1,785 websites upgraded to version 3.6.1 between the 12th and the 15th of September.
- 13,034 websites (30.95%) are still running a vulnerable version of WordPress 3.6.
Top 10 Most Popular Installed WordPress Versions
As explained in the section above, we identified 74 different versions of WordPress running on Alexa's top 1 million websites, and 1.82% of these installations are still running a sub-version of WordPress 2.0. We could not list all the versions, so below are the 10 most popular WordPress versions found among the 42,106 WordPress installations:
| WordPress Version | No. of Installations | No. of Known Vulnerabilities |
|---|---|---|
| 3.6 | 13,034 | 5 |
| 3.6.1 (latest) | 7,814 | 0 |
| 3.5.1 | 6,859 | 8 |
| 3.5.2 | 4,031 | 0 |
| 3.4.2 | 2,204 | 12 |
| 3.5 | 1,655 | 10 |
| 3.3.1 | 820 | 24 |
| 3.2.1 | 820 | 10 |
| 3.3.2 | 732 | 14 |
| 3.4 | 295 | 15 |
| Total (excl. 3.6.1) | 30,823 | |
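To make the counting behind the table concrete, here is an added Python example (not from the article and not EnableSecurity's tooling) that classifies the version strings reported by a fleet of sites into the same buckets the article uses: invalid versions such as 6.6.6, the latest release, releases with known vulnerabilities, and patched releases. The fleet list is constructed; the per-version vulnerability counts are copied from the table above.

```python
"""Classify reported WordPress versions into inventory buckets."""
import re
from collections import Counter

LATEST = "3.6.1"
# Known vulnerability counts per release, copied from the article's table.
KNOWN_VULNS = {
    "3.6": 5, "3.6.1": 0, "3.5.1": 8, "3.5.2": 0, "3.4.2": 12,
    "3.5": 10, "3.3.1": 24, "3.2.1": 10, "3.3.2": 14, "3.4": 15,
}
VERSION_RE = re.compile(r"^\d+(\.\d+){1,2}$")


def parse_version(text):
    """Return a comparable tuple such as (3, 6, 1), or None if malformed."""
    text = text.strip()
    if not VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(version):
    """Map one reported version string to a bucket.

    invalid    - not a version number, or newer than any shipped release
                 (this is how a fake banner like "6.6.6" shows up)
    latest     - the current release
    vulnerable - a listed release with known vulnerabilities
    patched    - a listed release with no known vulnerabilities
    unlisted   - a plausible older release not in the table (e.g. 2.0.x)
    """
    parsed = parse_version(version)
    if parsed is None or parsed > parse_version(LATEST):
        return "invalid"
    if parsed == parse_version(LATEST):
        return "latest"
    known = KNOWN_VULNS.get(version.strip())
    if known is None:
        return "unlisted"
    return "vulnerable" if known > 0 else "patched"


def summarize(fleet):
    """Count each bucket over a fleet and attach its percentage share."""
    counts = Counter(classify(v) for v in fleet)
    total = len(fleet)
    return {b: (n, round(100.0 * n / total, 2)) for b, n in counts.items()}


# Constructed sample fleet: version strings as a scanner might report them.
SAMPLE_FLEET = ["3.6.1", "3.6.1", "3.6", "3.6", "3.6", "3.5.1", "3.5.2",
                "2.0.4", "6.6.6", "3.4.2", "abc"]

if __name__ == "__main__":
    for bucket, (count, share) in sorted(summarize(SAMPLE_FLEET).items()):
        print(f"{bucket:<10} {count:>3} ({share}%)")
```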
WordPress Installations Vulnerable to Hacker Attacks
From the table above we can determine that at least 30,823 of the 42,106 WordPress websites are running versions with known exploitable vulnerabilities. Note that this figure covers only the 10 most popular installed WordPress versions.
This means that 73.2% of the most popular WordPress installations have vulnerabilities that can be detected using free automated tools. Considering the number of vulnerable WordPress installations out there, and the popularity of such websites, we are still surprised that most of them have not been hacked yet.
It takes a malicious attacker only a couple of minutes to run automated tools that can discover such vulnerabilities and exploit them.