53 WordPress Security & Hacking Statistics in 2023

Nobody knows exactly how many WordPress websites get hacked, but our best estimate is at least 13,000 per day. That’s around 9 per minute, 390,000 per month, and 4.7 million per year.

There were 4.3% of WordPress sites that were hacked. Almost 1 in every 25 WordPress sites has been hacked.

Every day, more than 30,000 websites are hacked.

10.4% of WordPress sites were at risk of getting hacked because of using outdated plugins, themes or WordPress version.

Thanks to its popularity and widespread use, almost 90,000 attacks come through WordPress every minute.

It’s estimated that 8% of WordPress sites get hacked by weak or stolen passwords.

Website owners should choose a simple password so that they won’t forget it, but make sure that it’s difficult enough that you can remember it and that hackers can’t guess it.

When WordPress sites aren’t updated regularly enough, they’re especially vulnerable. Outdated sites cause 61% of attacks.

It may seem fake, but WordPress is getting attacked all the time.

According to Sucuri’s annual hacked website report, WordPress was the most commonly hacked CMS in 2021.

95.6% of infections Sucuri detected were on WordPress sites.

1- WordPress – 95.6%

2- Joomla – 2.03%

3- Drupal – 0.83%

4- Magento – 0.71%

5- OpenCart – 0.35%

It’s worth noting that just because Sucuri detected most infections on WordPress-powered sites doesn’t mean that WordPress itself is inherently vulnerable.

WordPress.

Because WordPress is the most popular CMS, hackers are more likely to target it.

Over 9.7 million unique IP addresses attempted to exploit vulnerabilities in 2020.

The statistics are impressive, in my opinion, but what’s even more impressive is that 99.6% of all exploits were prevented from succeeding by Wordfence, and the remaining ones were stopped by other security measures on the website.

Insecure or stolen passwords cause 81% of WordPress hacks. 

Almost all the attacks targeted websites for defacing, then tried to inject malicious scripts. 

Passwords are most commonly stolen through brute-force attacks, where hackers use software to log in to websites with random usernames and passwords automatically.

Over 18 million WordPress sites were compromised in 2011 because of a vulnerability found in a plugin called TimThumb.

The TimThumb thumbnail creation plugin for WordPress had an SQL injection vulnerability.

It’s estimated that 97% of WordPress attacks are automated.

Why? Because they’re efficient and effective.

It’s easy for attackers to use automatic attacks to find flaws in a website before their owners can fix them. Automated attacks are also cheap. 

Hackers don’t need to pay for humans, just applications that scan for vulnerabilities for hours or days at a time.

The top WordPress hardening recommendation comes from Sucuri, who found that 84% of websites don’t have a Website Application Firewall.

Using a WordPress security plugin is also essential to protect websites from hacking.

These are the top 5 hardening recommendations Sucuri found:

1- Missing WAF – 84%

2- X-Frame options – 83%

3- No CSP – 82%

4- Strict Transport Security – 72%

5- No Redirect to HTTPS – 17%

At least one firewall plugin is installed by 81% of WordPress sites.

There were 96% of WordPress administrators and website owners who viewed WordPress security as very important and 4% who viewed it as somewhat important.

43% of admins spend 1-3 hours per month on WordPress security

35% of admins spend over 3 hours per month on WordPress security

22% of admins spend less than 1 hour on WordPress security.

Almost three-quarters of all survey respondents said that updating the WordPress core and plugins is their most common security task.

The top tasks web security professionals perform for their clients are listed here:

1- 75% update CMS and plugins

2- 67% backup sites

3- 57% install SSL certificates

4- 56% monitor or scan websites for malware

5- 38% fix sites related to security issues

6- 34% patch vulnerabilities

It’s recommended to use auto updating on WordPress to be updated automatically, but updating all plugins and themes monthly at least is very recommended.

It’s statistics about updating WordPress:

1- 35 percent of site managers who update their websites weekly

2- 20 percent who do it every day

3- 18 percent who do it every month

4- 21% use an automatic updating system so they are not required to update their sites manually

Key statistics about WordPress updates and testing: 

→ 52% of surveyed WP owners and admins have auto-updates enabled for WP software, plugins, and themes.

→ 25% always test updates in a test or staging environment first

→ 32% sometimes test updates

→ 17% never test updates 

→26% only test major updates

It may surprise you that The Panama Papers leak exposed 4.8 million emails due to a vulnerability in a WordPress plugin.

More than 35% of respondents spend less than one hour per month on security tasks, while 22% spend more than three hours.

Without counting successful exploits, Wordfence’s software prevented over 4 billion exploit attempts and over 90 billion malicious login attempts in 2020.

Next version.

The latest version of WordPress is always recommended. At the time of this writing, WordPress 6.1.0 is available.

Several updates to WordPress are released each year for security and maintenance.

There were a majority of out-of-date WordPress sites infected, showing that running out-of-date WordPress is only somewhat associated with infection

Using the latest version of WordPress will minimize the risk of hackers attacking your site.

Malware is the most common type of WordPress hack seen by Sucuri during incident response. 

Top WordPress hacks found by Sucuri

1- Malware 61.65%

2- Backdoor – 60.04%

3- SEO Spam – 52.60%

4- Hacktool – 20.27%

5- Phishing – 7.39%

6- Defacements – 6.63%

7- Mailer – 5.92%

8- Dropper – 0.63%

About 29% of hackers were hacked by a vulnerability in their WordPress theme, according to a survey of about 10,000 sites.

According to estimates, 41% of all websites hosted by their provider have had vulnerabilities exploited. 

Since hosting companies can hold thousands of domains at once, hundreds of websites could be impacted if a mistake is found.

99.42% of all security vulnerabilities within the WordPress ecosystem were found in themes and plugins in 2021. That’s an increase from 96.22% in 2020.

Further, 92.81% of vulnerabilities were due to plugins, while 6.61% were due to themes.

42% of WordPress sites have at least one vulnerable component installed.

It is estimated that 91.38% of plugins are available for free through the WordPress.org repository, while only 8.62% are available through third-party marketplaces.

Almost half (50%) of the vulnerabilities in Patchstack’s database in 2021 are cross-site scripting vulnerabilities.

The most common WordPress vulnerabilities:

1- Cross Site Scripting (XSS) – 49.82.3%

2- Other vulnerability types combined – 13.3%

3- Cross-site Request Forgery (CSRF) – 11.2%

4- SQL Injection (SQLi) – 6.8%

5- Arbitrary File Upload – 6.8%

6- Broken Authentication – 2.8%

8- 7- Information disclosure – 2.4%

9- Bypass Vulnerability – 1.1%

10 -Privilege Escalation – 1.1%

In total, 84% of all security vulnerabilities on the internet are caused by cross-site scripting or XSS attacks.

39% of WordPress vulnerabilities are because of cross-site scripting (XSS)

52% of all WordPress vulnerabilities are due to outdated plugins.

This means that you can solve more than half of your WordPress problems by updating your plugins.

Just because they haven’t been hacked in the past doesn’t mean they won’t be hacked in the future, so you should always keep your plugins up to date if you want to keep them safe.

Fake SEO plugins infect over 4,000 WordPress websites.

WordPress’ biggest security vulnerability comes from plugins.

WPScan reported that 52% of the 4,000 known WordPress vulnerabilities are caused by plugins, compared to 37% by WordPress core and 11% by themes. 

Contact Form 7 was the most commonly-identified vulnerable WordPress plugin. It was found in 36.3% of all infected websites at the point of infection.

However, it’s important to point out that this doesn’t necessarily mean Contact Form 7 was the attack vector that the hackers exploited in these instances, only that it contributed to the overall insecure environment.

TimThumb was the second most commonly-identified vulnerable WordPress plugin at the point of infection and was found in 8.2% of all infected websites. 

In order of the number of vulnerable WordPress plugins identified, here are the top ten:

1- Contact Form 7  (36.3%)

2- TimThumb (8.2%)

3- WooCommerce (7.8%)

4- Ninja Forms (6.1%)

5- Yoast SEO (3.7%)

6- Elementor (3.7%)

7- Freemius Library (3.7%)

8- PageBuilder (2.7%)

9- File Manager (2.5%)

10- WooCommerce Block (2.5%)

Individual prices have ranged from $50 to $4,800 for WordPress malware removal, but there is no standard fee.

Generally, protecting your website from malware costs just $8 per site/month, making it an easy decision.

The world’s largest data breach occurs due to hacking 45% of the time

Approximately $3.86 million is the average price of a data breach, but of course, this can vary according to the size of the organization, industry, etc.

Web professionals surveyed think these are the most important impact of a WordPress hack:

▶︎ Loss of time – 59.2%

▶︎ Loss of revenue – 27.2%

▶︎ Loss in client confidence – 26.4%

▶︎ Loss in brand reputation – 25.6%

▶︎ No disruption – 17.6%