As the most widely used content management system (CMS), WordPress powers over 43% of all websites on the internet. However, its popularity also makes it a prime target for hackers and cybercriminals seeking to exploit vulnerabilities in WordPress security.

WordPress Used By 43% Of Websites

In order to protect your website and ensure its integrity, it’s crucial to stay informed about the current state of WordPress security and the potential threats you may face.

To help keep your WordPress website safe, it’s important to know about these security risks. I’ve made a list of 45 interesting stats about WordPress security. These statistics show how important it is to make your website strong and secure.

So, without further ado, let’s get started!


WordPress Security and Hacking Attempts

Since its inception, WordPress has become one of the most popular content management systems (CMS) in the world. Its popularity is both a blessing and a curse. 

On the one hand, it’s great that so many people use WordPress because it means there’s a large community of developers constantly improving the software. However, this popularity makes WordPress a prime target for hackers and other malicious individuals.

There have been numerous hacking attempts on WordPress over the years, and unfortunately, not all of them have been unsuccessful. In fact, some high-profile sites like The Guardian and Forbes have fallen victim to WordPress hacks in recent years.

Since it’s one of the most commonly used CMSs, it’s more prone to being attacked. According to Sucuri, in 2018, a whopping 90% of the hacked websites across all platforms used WordPress. Let that figure sink in.

Sucuri 2018 Hacked Report

None of the other platforms even reached the 5% mark. It shows how many people use and rely on WordPress.

Top 45 WordPress Security Statistics

Here are some of the most widely known WordPress security statistics.

45 WordPress Security Statistics

1. WordPress is the most attacked CMS

(Source: Sucuri)

Just like I said before, WordPress is the most attacked platform out of all the others. According to Sucuri, in 2018, WordPress was the target of 90% of all hacking attempts on content management systems (CMS). Other CMSs didn’t even reach the 5% mark.

2. WordPress remains the most lucrative target for hackers

(Source: SearchEngineJournal)

According to SearchEngineJournal, WordPress is used by over 35% of all websites on the internet. Because it holds such a large share of all websites, the attacks on it are also more intense.

3. 90,000 attacks per minute on WordPress

(Source: Arishi)

According to Arishi, WordPress faces an average of 90,000 attacks per minute. The figure may look fake, but the truth is that WordPress is the target of many hackers.

4. Number of sites attacked due to weak password

(Source: WPManageNinja)

Website owners often choose the simplest possible password so that they won’t forget it. However, according to WPManageNinja, 8% of WordPress sites are hacked due to weak or stolen passwords. The best countermeasure is to choose a difficult password that you can still remember easily.

5. Number of WordPress sites hacked every day

(Source: Kinsta)

Suppose we go by the daily count. According to Kinsta, more than 500 WordPress websites are hacked every day. It means that in a week, over 4,500 websites are hacked and exploited for the hackers’ own purposes.

6. WordPress vulnerabilities caused due to out-of-date plugins

(Source: Verisign)

According to the State of the Internet report from Verisign, 52% of all WordPress vulnerabilities are caused by out-of-date plugins. That means that more than half of all WordPress problems can be solved with a single solution: keep your plugins updated.

For security purposes, it’s best to keep your plugins updated no matter what—even if they’re not an older plugin that’s been known to cause trouble. Just because they haven’t been hacked before doesn’t mean they can’t be hacked now.

7. Automated attacks on WordPress sites

(Source: MediaTemple)

Automated attacks on WordPress sites have become increasingly popular over the past few years. According to MediaTemple, an estimated 97% of WordPress attacks are automated. The reason: they work.

Attackers are able to use automated attacks to quickly identify vulnerabilities in a website and exploit them before the owners can fix them. Automated attacks also have the benefit of being cheap to run. 

An attacker does not need to pay for a human hacker, just an application that can run for hours or days at a time, scanning for vulnerabilities.

8. WordPress is the most vulnerable CMS

(Source: Webo Degital)

According to Webo Degital, WordPress is the most popular CMS implementation and benefits from an enthusiastic and knowledgeable community, but it also suffers from a large number of security vulnerabilities. 

These flaws expose WordPress users to attacks that allow attackers to take over their sites and use them for spam, phishing, and other malicious purposes.

9. Number of sites hacked due to fake plugins

(Source: Malwarebytes)

According to a recent report from Malwarebytes, over 4,000 WordPress websites have been infected by fake SEO plugins. 

These plugins are advertised as legitimate SEO tools, but they actually serve as a backdoor for attackers to compromise users’ sites and install malicious scripts, which will likely infect other visitors of the site in the process.

10. Wordfence blocking exploitation attempts

(Source: Wordfence)

Wordfence is a WordPress security plugin that continues to be a must-have for anyone using the platform. 

In 2020 alone, Wordfence blocked 4.3 billion attempts to exploit vulnerabilities from over 9.7 million unique IP addresses. Exploiting vulnerabilities is one of the most common methods of penetrating a website and stealing data.

The stats are impressive, but even more impressive is that 99.6% of all attempted exploits were stopped by Wordfence before they could be successful, while the rest were neutralized by other security measures in place on websites running the plugin.

11. Wordfence finding malicious login attempts

(Source: Wordfence)

Wordfence, a cloud-based security service for WordPress, reported that 2,800 malicious login attempts were made per second against WordPress websites in March. This is an increase of 400% over February. 

Wordfence has detected more than 5 million attacks on WordPress websites since the beginning of 2015, which are targeting the WordPress core update to version 4.2.

12. Worst attack on WordPress

(Source: Kinsta)

According to Kinsta, the worst security breach to hit WordPress happened back in 2011. Over 18 million users were compromised due to that attack.

The vulnerability was found in a common plugin named TimThumb, a thumbnail creation plugin for WordPress, which had an SQL injection vulnerability.

13. Growth of ransomware over the years

(Source: Parablu)

According to Parablu, in 2020, ransomware cases grew by 150%. Although it is a very common occurrence today, in 2020, ransomware took the internet by storm. Ransomware is a type of malware that doesn’t allow access to a computer system until a sum of money is paid. 

In 2020, the growth in ransomware was caused by two major factors: increased security attacks on individuals and companies alike and an increase in online crime. 

The end result is an increase in cyber attacks that have left millions of computers/users at risk of losing important information as well as money.

14. Main tactic for hacking WordPress websites

(Source: Sucuri)

According to a study by Sucuri, 81% of attacks on WordPress sites are based on insecure or stolen passwords, which lead to the site being hacked. Most of the attacks were aimed at defacement, followed by attempts to inject malicious scripts into websites.

The most popular way of stealing credentials is through brute-force attacks, where the hackers use software to automatically log in to web pages using random username and password combinations.

15. Average time needed to hack a website

(Source: Komando)

The average time needed to hack a WordPress site is less than 1 hour. That’s the conclusion of a study from Sucuri, an online security company that specializes in protecting websites. In other words: if you’re running WordPress, you’re at risk of being hacked.

16. Cyber attacks caused due to cross-site scripting 

(Source: Potswinger)

Cyber-attacks have been on the rise in recent years, and cross-site scripting is one of the major culprits, according to a report from Potswinger. Cross-site scripting allows hackers to embed malicious code into a legitimate website.

If a user enters sensitive information (such as a password) when visiting a page that has been tampered with, the attacker can use that information to gain access to other accounts on the site or even on other websites. 

Over 40% of all cyberattacks involve cross-site scripting, so it’s important to understand how to prevent it.

17. Cyber attacks on eCommerce stores

(Source: Ponemon Institution)

According to the 2019-20 Global Application & Network Security Report from the Ponemon Institute and IBM, eCommerce stores experienced 22.4% of all successful cyber attacks in 2019-20.

It’s a staggering number, considering how much more common it is for cyber attackers to go after banks. The report also noted that 40.6% of the organizations that experienced a cyber attack spent $10 million or less on protecting their data in 2018-19.

18. Breaches recorded in the last year

(Source: iapp)

In March 2021, there were 20 million breached records that affected around 600,000 different people. This is an increase of 1 million breached records from the month before, and it was also the first time since January that the number of breaches had risen.

19. Latest versions of WordPress are being used by websites


Only 38% of WordPress websites are running the latest version of the software (WordPress 5.8). And that number is down from the previous year when 41% of sites were using WordPress 5.6 or later.

20. Most hacked plugins on WordPress

(Source: Blogvault)

The top three most hacked WordPress plugins—those with the highest number of vulnerabilities or potential security holes—are TimThumb, Gravity Forms, and Revslider. 

These three plugins are also among the most popular on WordPress, so it’s no surprise that they’re such a target for hackers to take over WordPress sites.

21. WPScan Database containing WordPress core vulnerabilities

(Source: WPScan)

WPScan is a free, open-source, and cross-platform tool for security auditing of WordPress-powered websites.

To date, the vulnerability database contains 23,441 WordPress core vulnerabilities, plugin vulnerabilities, and theme vulnerabilities. It can also identify outdated versions of 53 popular plugins and themes.

22. Number of spam comments blocked by Akismet

(Source: Akismet)

Over the past nine years, Akismet has blocked more than 100 billion spam comments. These are comments that would have been lost to the Internet ether otherwise.

23. Gutenberg template vulnerabilities detected by Wordfence

(Source: Wordfence)

WordPress vulnerabilities are a regular occurrence. On January 2nd, 2019, one of the most popular WordPress plugins was updated, and it contained a vulnerability that allowed any user with author access to a post to execute malicious code on any website using the plugin. 

The bug affected more than 1 million sites. It was discovered by WordPress security company Wordfence.

24. Small businesses being targeted by hackers

(Source: Verizon)

According to the latest report from Verizon, 43% of cyber-attacks target small businesses. As a primary tool for conducting business, technology in the small business environment is more vulnerable than in larger companies.

25. Companies going out of business due to cyber-attacks

(Source: IBM)

According to a study of US companies released by IBM, 60% of companies that suffer a cyber-attack are out of business within six months. The main causes of failure are the cost of recovery (31%) and the cost of cleaning up after the attack (22%).

26. Average cost of a data breach

(Source: IBM)

A study by IBM says that the average cost of a data breach is $3.6 million. While this may seem like an astronomical figure, it can be reduced by taking preventative measures and ensuring that your company’s data is secure.

27. Small business cost for data breach

(Source: imsm)

The average cost of a data breach for small businesses is $2.2 million, but this cost may be significantly reduced through the implementation of consumer protections in the form of strong identity theft legislation. That’s according to a recent survey from the Ponemon Institute, which found that, across all industries and all sizes of companies, the average cost per breached record was $1.3 million, so the cost is higher for small businesses, which have less in-house expertise to help alleviate these costs.

28. Small businesses experiencing a cyber attack


1 in 4 small businesses has experienced a cyber-attack. The impacts of a cyber-attack go far beyond the loss of valuable data or equipment. 

A cyber-attack can also be a source of loss in reputation, which can affect a company’s access to capital, impair its ability to hire and retain employees, and negatively impact its value in the marketplace. 

That’s why it’s so important for small businesses to have an incident response plan in place.

29. Percentage of cyber attacks on small businesses

(Source: National Cyber Security Alliance)

More than half (51%) of all cyber-attacks target small businesses, according to a report by the National Cyber Security Alliance. This is because smaller firms generally don’t have the same security and backup systems in place as larger corporations. 

The fact that there’s a lack of transparency in business transactions also makes it easier for cybercriminals to take advantage of smaller businesses through scams, fraud, and theft.

30. Small businesses being impacted by cyber attacks

(Source: Forbes)

Of those who have experienced a cyber-attack, 43% said it had a moderate or major impact on their business. The survey also revealed that 61% of the SMEs targeted did not have cyber insurance and that 60% felt they did not need it.

31. Most common type of attacks against small businesses

(Source: Expertinsights)

The most common type of cyber-attack against small businesses is phishing (30%), followed by viruses and malware (23%).

The most popular way to deliver these attacks is through email, with over half of respondents (52%) reporting that their business was targeted this way. Other methods include spam (27%) and instant messages (16%).

32. Time needed for resolving a ransomware attack

(Source: Cyber Threat Alliance)

The average time needed to resolve a ransomware attack is 12 days. This is according to the Cyber Threat Alliance. 

The Alliance does not include China in its analysis of this metric because “the majority of threat activity involving ransomware originates in China, and researchers are unable to gain full visibility into these attacks.”

33. Small businesses going out of business due to ransomware

(Source: PNAS)

Small businesses that experience a ransomware attack are 2.5 times more likely to go out of business than those that don’t. 

While this is the most extreme example, even for companies that don’t end up suffering major losses, it can take months to recover from an attack, and those months can be a huge blow to their bottom line.

34. Average cost of downtime for small business

(Source: the20)

To put that in perspective, you’d make that much if you worked non-stop for 52 hours at the federal minimum wage of $7.25 per hour. Most businesses would need to lose 20% of their revenue in sales to cover the cost.

In other words, you can’t afford to have downtime because it can cost up to $12,500 per hour.

35. Malware being made every day

(Source: Dataprot)

One statistic sometimes cited by security companies is that 300,000 new pieces of malware are created every single day. It means that for every malware program in existence today, there are approximately 300 more being written.

36. Websites being hacked due to hosting

(Source: Godaddy)

Hosting providers can be a repository of thousands of domains at any given time, which means that if a security breach is discovered and exploited, it can affect a large number of sites. In fact, 41% of all websites were hacked due to vulnerabilities in their hosting provider.

37. Websites being hacked due to themes

(Source: malcare)

Bloggers of all kinds have been noting for years that blogging platforms are the most commonly exploited entry point for hacks. It’s especially true for WordPress-based websites, which are used to run over 20% of the internet. 

In a survey of about 10,000 hackers, it was found that 29% were hacked via a vulnerability in the WordPress theme they were using.

38. Impact of Multi-Factor Authentication on WordPress Security

(Source: Sucuri)

The introduction of Multi-Factor Authentication (MFA) has notably enhanced security measures for WordPress websites. MFA, a security mechanism requiring users to provide two or more independent credentials for identity verification, has proven crucial in preventing unauthorized access. 

According to Sucuri, a prominent cybersecurity firm, the implementation of MFA on WordPress websites has resulted in a substantial reduction in unauthorized login attempts, quantified at approximately 73%. This reduction signifies the efficacy of MFA in fortifying WordPress sites against security breaches. It underscores the need for a robust security framework in today’s cyber landscape, where cyber threats are increasingly prevalent and sophisticated.

39. Growth of Brute Force Attacks on WordPress Sites

(Source: Wordfence)

The threat intelligence team at Wordfence, a leading cybersecurity firm, has noted a considerable escalation in brute force attacks on WordPress sites. Over the previous year, incidents of such attacks have alarmingly surged by 60%. Brute force attacks are a method employed by hackers where they systematically check all possible username and password combinations until the correct one is identified. 

This technique of exploiting security weaknesses poses a substantial risk to WordPress site owners, emphasizing the urgent need for robust security measures and practices. The noted increase in brute force attacks underlines the persistent and evolving nature of cyber threats in today’s digital landscape.
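The brute-force pattern described here (and under statistic 14) leaves a recognizable trace in web server access logs: many login POSTs from one address in a short time. The following Python code is an added example, not taken from Wordfence or from this article's sources; it assumes Combined Log Format, an arbitrary threshold of 5 attempts per 60 seconds, and the heuristic that a `302` response from `/wp-login.php` is a successful login. The log lines are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Endpoints that accept WordPress credentials.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]  # ignore the query string
    return m["ip"], ts, m["method"], path, int(m["status"])


def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each offending IP to its peak count of login POSTs in one window.

    Assumes each IP's lines appear in chronological order.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path not in LOGIN_PATHS:
            continue
        # Heuristic (assumption): a 302 from wp-login.php is a successful
        # login redirect, so it is not counted as a guessing attempt.
        if path == "/wp-login.php" and status == 302:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def _sample(ip, sec, method, path, status):
    """Build one constructed log line (documentation-range IP addresses)."""
    return (f'{ip} - - [12/Mar/2024:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "constructed-sample"')


# Constructed sample: one noisy client, one normal user, one low-volume client.
SAMPLE_LOG = (
    [_sample("203.0.113.7", s, "POST", "/wp-login.php", 200)
     for s in range(0, 30, 5)]
    + [_sample("198.51.100.20", 3, "GET", "/wp-login.php", 200),
       _sample("198.51.100.20", 8, "POST", "/wp-login.php", 200),
       _sample("198.51.100.20", 15, "POST", "/wp-login.php", 302)]
    + [_sample("192.0.2.44", s, "POST", "/xmlrpc.php", 200) for s in (1, 2, 3)]
)

if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {peak} login POSTs within 60s")
```

Flagged addresses are candidates for rate limiting or blocking at the firewall; the threshold should be tuned against a site's normal login traffic.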

40. Effectiveness of Regularly Updating WordPress Core, Plugins, and Themes

(Source: WPBeginner)

Maintaining up-to-date versions of WordPress core, plugins, and themes is a pivotal aspect of ensuring website security. As per the reports from WPBeginner, a reputable WordPress resource site, there exists a significant correlation between regular updates and enhanced security. 

WordPress sites that consistently update their software components demonstrated a 42% lower likelihood of being compromised compared to those operating on outdated versions. This compelling statistic highlights the role of timely updates in fortifying a site’s security infrastructure, providing effective protection against vulnerabilities exploited by cybercriminals. 

In the evolving landscape of cybersecurity, vigilance in software updates stands as a cornerstone of website security.

41. Statistics on SSL/TLS Encryption for WordPress Sites

(Source: Let’s Encrypt)

SSL/TLS encryption has become increasingly adopted among WordPress websites, as evidenced by the growth in the usage of free SSL certificates provided by Let’s Encrypt. 

This non-profit certificate authority has reported that over 3.5 million WordPress sites utilized their SSL certificates in the previous year. SSL/TLS encryption serves a dual function – it primarily secures the data exchange between the website and the user, preventing potential interception or alteration by malicious entities. 

Concurrently, it also enhances the website’s search engine optimization (SEO) ranking, making the website more discoverable and thus augmenting its online presence. The growing trend of SSL/TLS encryption underscores its importance in contemporary web development and management.

42. Role of Secure WordPress Hosting in Reducing Hack Attempts

(Source: SiteGround)

Opting for a secure hosting service is a critical measure in mitigating the risk of compromise for WordPress sites. As revealed by a study conducted by SiteGround, a leading web hosting company, the choice of hosting platform can directly impact the security of a website. 

Sites hosted on secure and reliable platforms witnessed 50% fewer hacking attempts compared to those hosted on less secure, economical alternatives. These findings highlight the importance of prioritizing security over cost when selecting a hosting service. The role of a secure hosting platform, thus, extends beyond providing a server space, contributing significantly to the site’s overall cyber resilience.

43. Number of Sites Secured by WordPress Security Plugins


The implementation of security plugins is paramount in safeguarding WordPress websites from malicious intrusions. According to statistics from, the official WordPress platform, security plugins such as Wordfence, Sucuri, and iThemes Security collectively boast over 15 million downloads. 

This data suggests a wide-scale acceptance and reliance on such plugins by WordPress users. These plugins provide a range of security features, including firewall protection, malware scanning, and spam filtering, that fortify websites against various forms of cyber threats. 

Thus, the pervasive use of security plugins underlines their integral role in maintaining the robustness and integrity of WordPress websites in an increasingly hazardous cyber environment.

44. Use of Firewall Solutions for WordPress Site Protection

(Source: Cloudflare)

Cloudflare, a leading web infrastructure and website security company, has reported that over the past year, more than 2 million WordPress websites have utilized their firewall solutions for bolstered security. 

A firewall serves as a formidable line of defense between a website and potential cyber threats. It scrutinizes incoming traffic, thereby averting malicious actors from exploiting vulnerabilities and accessing the site unauthorized. 

By integrating firewall solutions, websites significantly reduce the risk of cyberattacks, preserving their integrity and the safety of user data. The substantial uptake of Cloudflare’s firewall solutions by WordPress users indicates an acute awareness of and response to the pervasive threat of cyber intrusions.

45. Impact of Cybersecurity Awareness Training on WordPress Security

(Source: Cybint)

Cybint, a global cyber education company, has reported a significant decrease in successful attacks on WordPress sites managed by users who have undertaken cybersecurity awareness training. 

According to their study, these sites witnessed 70% fewer successful attacks compared to their counterparts managed by users without such training. This data underscores the importance of cybersecurity education in ensuring the security and integrity of WordPress sites. 

Such training equips users with the knowledge and skills needed to identify and defend against cyber threats, enabling proactive security measures. Therefore, cybersecurity awareness training stands as a pivotal component in the comprehensive defense strategy for WordPress site security.


Overall, WordPress is one of the best platforms out there, but it is also one of the most targeted. It comes down to the website owner to make the website secure for both themselves and their visitors.

Make sure to keep your website secure by keeping the website, plugins, and themes up-to-date. Additionally, stay away from any unreliable plugins that can be used to hack your site.

Frequently Asked Questions

What percentage of WordPress sites are hacked?

In 2023, it was estimated that approximately 4.3% of WordPress sites had been hacked, translating to almost 1 in every 25 WordPress sites. This means that at least 13,000 WordPress websites were hacked daily, or roughly 4.7 million sites per year.

Is WordPress good for security?

While WordPress is the most popular content management system (CMS) and thus a common target for hackers, its security is not inherently poor. It’s estimated that 97% of WordPress attacks are automated, and insecure or stolen passwords cause an overwhelming 81% of WordPress hacks.  

Additionally, sites that aren’t updated regularly enough are particularly vulnerable, with outdated sites being the root cause of 61% of attacks. This indicates that while WordPress can be secure, the security largely depends on good practices by the users, including regular updates, secure passwords, and the use of security plugins.

How many WordPress sites are hacked daily?

On a daily basis, an alarming number of over 30,000 websites fall victim to hacking incidents. Shockingly, a significant portion of this staggering figure, at least 13,000 websites, are WordPress websites. These statistics underscore the pressing need for heightened cybersecurity measures and diligent website management practices to safeguard against such threats.

Is WordPress still relevant in 2023?

Yes, WordPress is still very much relevant in 2023. Over the years, it has grown from a simple blogging tool to a powerful platform that powers over 40% of the web. Its open-source nature, combined with a vast array of plugins and themes, has made it the go-to choice for millions of websites.  

The WordPress ecosystem, which includes many developers, designers, and marketers, helps keep the platform relevant by offering innovative solutions and continuous improvements. As technology evolves, WordPress is expected to adapt and grow along with it, demonstrating its commitment to staying relevant through updates and new features, such as the Gutenberg editor and improved security measures.
