30+ WordPress Security Statistics & Facts 2024

WordPress is the most used content management system in the world. If you are not living under a rock for a while then you must be aware of WordPress. It started as a blogging tool. But throughout the years it has evolved a lot and now became a go-to place for website creators.

You would be surprised to know that WordPress powers 42% of all websites present on the internet. The simplicity and flexibility encourage users to make different types of websites using this platform. Cybersecurity is one of the hottest topics these days and how does WordPress stay away from this?

When a platform became so gigantic then it attracts many unwanted evils. When it comes to the security of this platform, a lot of people rise to concern about it because of past security flaws. In this post, we come up with a lot of interesting WordPress security statistics that blow you away.

So let’s get started.

WordPress Security Statistics & Facts 2024

Let’s take a close look at the facts and figures collected from various sources.

  1. On average 30,000 new websites are hacked every day. (Forbes)
  2. WordPress security plugin Wordfence blocked 4.3 billion attempts to exploit vulnerabilities from over 9.7 million unique IP addresses in 2020. (Wordfence)
  3. 61 percent of all infected WordPress websites feature an out-of-date version.
  4. 90% of remote code execution attacks are associated with crypto mining.
  5. With the increase in cyberattacks and data thefts, organizations want to spend more money on security. Some forecast suggests that the market reach $124 billion in 2021 and $170.4 billion in 2022.
  6. 83% of all CMS-based websites, which are hacked, are built on WordPress.
  7. Wordfence found that 2,800 malicious WordPress login attempts attacks per second targeting WordPress websites.
  8. The biggest and worst security breaches to hit WordPress happened back in 2011. Over 18 million users were compromised due to that attack.
  9. 81% of attacks are based on insecure or stolen passwords, being the main tactic used. (Panda Security)
  10. 700,000 WordPress users affected by Zero-Day vulnerability in File Manager plugin in 2020. (Wordfence)
  11. Google’s Safe Browsing service blacklists up to 70,000 websites each day for malware infection or phishing scams. (Google)
  12. Email is responsible for around 94% of all malware.
  13. According to WPMUdev WordPress alone has over 90,978 attacks happening per minute. (WPMUDev)
  14. In 2020, ransomware cases grew by 150%.
  15. 41% of WordPress websites were hacked through a security vulnerability on their selected hosting platform. (Wpwhitesecurity)
  16. 52% of attacks happen because of plugins. (WPScan)
  17. Over 40% of all cyberattacks are affected by cross-site scripting.
  18. 64% of companies worldwide have experienced at least one form of cyber attack.
  19. Over 40% of all cyberattacks are affected by cross-site scripting. (WPexplorer)
  20. Only 38% of WordPress websites are running the latest version of the software (5.8) (WordPress.org)
  21. 81% of WordPress vulnerabilities happen because of weak or stolen passwords.
  22. Online eCommerce sites experienced 22.4% of all successful cyber attacks in 2019-20. (Wphackedhelp)
  23. There were 20M breached records in March 2021.
  24. 43% of cyber attacks are aimed at small businesses.
  25. Only 1.1% of WordPress websites are running the latest version of PHP (8.0).
  26. The top three most hacked plugins are TimThumb, Gravity Forms, and Revslider.
  27. 68% of business leaders felt the risk of a cyberattack increasing. (Accenture)
  28. To date, the WPScan vulnerability database contains 23,441 WordPress core vulnerabilities, plugin vulnerabilities, and theme vulnerabilities.
  29. To date, Akismet has successfully blocked more than 100 billion spam comments. (Akismet)
  30. Mailgun hacked part of massive cross-site scripting (XSS) vulnerability attacks on WordPress sites. The plugin was installed on more than 60,000 sites allowing hackers to inject malicious code into vulnerable sites.
  31. A critical unrestricted file upload bug found in Contact Form 7 affected 5 million websites. The vulnerability allows an attacker to upload malicious scripts. 70 percent of those sites were running version 5.3.1 or an older version of the Contact Form 7 plugin. (SEJ)
  32. WooCommerce SQL Injection Vulnerability affected millions of WordPress sites. Victim sites have been using the old version of the software.
  33. Wordfence discovered (in February 2021) high-severity vulnerabilities within a known plugin named Responsive Menu that was responsible for exposing over 100,000 sites. (WordFence)
  34. Over 600,000 WordPress sites were affected due to a vulnerability in WP Statistics. The vulnerability allowed any site visitor to extract sensitive information from a site’s database.
  35. XSS Vulnerability found in SEOPress affected more than 100,000 sites which could lead to a full site takeover. (WordFence)
  36. [Latest – September 2, 2021] WordPress Gutenberg template library plugin vulnerability affected more than 1 million sites. It was discovered by the WordPress security company WordFence.

Is WordPress Secure?

By seeing all the above stats you might be thinking is WordPress an insecure platform?

The short answer is NO.

The WordPress core is maintained by a team of world-class developers and security experts. To stay on top of vulnerabilities and malware in the software, the team releases frequent security updates to patch their core files.

Think about it, If WordPress is not a secure platform then why more than one-third (42%) of the web is using WordPress?

As long as you take website security seriously your WordPress-based website would be secured. Use premium hosting, safe plugins, and themes, consistently update them along with WordPress core, and monitor your site to stay away from any type of security risk.

Most of the time the flaws are detected in plugins and themes. WordPress library contains 55,000+ plugins and hundreds of themes. The problem is that all the plugins are made by third-party developers. There is no guarantee that they are properly maintained or keep security in the first place. As a result, it opens the door for hackers to enter WordPress-powered websites.

Best Practices To Keep Your WordPress Website Safe

To be honest it is impossible to make a website 100% secure and hacking-proof. As hackers have gotten smarter, they are trying new methods. But a few simple steps can have a great impact on website security.

  • Keep WordPress core, themes, and plugins up-to-date.
  • Choose trusted plugins and themes
  • Use strong login credentials
  • Limit the number of login attempts
  • You can use a 2-step authentication in log in to improve security ten-fold
  • Install an SSL certificate to add an additional layer of protection to your website
  • Install a security and firewall plugin such as Sucuri
  • Disable plugin and theme editors
  • Never install nulled themes and plugins from third-party sources
  • Choose a quality hosting service provider
  • Use Captcha on your login page to prevent bot login attempts
  • Assign correct user roles when giving out permissions to use your website


So these are some of the interesting WordPress security statistics you need to know. Whether you are running a personal blog and publishing posts or a dedicated eCommerce site with thousands of products listed on the WordPress platform, website security should be your priority.

We recommend you have the best WordPress backup plugin for your website. This will help you to restore your valuable website and all the data when disaster strikes. Follow the above steps to protect your WordPress-based website.

Leave a Comment