53 WordPress Security & Hacking Statistics in 2023

What are the most common ways WordPress websites are hacked? Check out these interesting WordPress hacking statistics.

While WordPress is popular, it is one of the most targeted CMSs on the internet.

WordPress appears on more websites than any other CMS on the planet.

Here are 2023 stats on WordPress security that will help you understand how secure WordPress is at the moment.

WordPress Security Statistics (Editor’s Choice)

  • At least 13,000 WordPress websites are hacked per day
  • 4.7 million WordPress websites are hacked per year
  • Almost 1 in every 25 WordPress sites has been hacked
  • 8% of WordPress sites get hacked by weak or stolen passwords
  • The best way of protecting WordPress content is by using a content protection plugin
  • Outdated WordPress sites cause 61% of attacks
  • WordPress gets attacked on average 90,000 times a minute.
  • WordPress is the most hacked CMS
  • 97% of WordPress attacks are automated
  • In 81% of WordPress sites, there is at least one firewall plugin
  • 65% of surveyed WordPress admins use activity log plugins
  • 4.3 billion vulnerability exploit attempts targeting WordPress were reported in 2020
  • 99.42% of all security vulnerabilities within the WordPress ecosystem were found in themes and plugins in 2021
  • It costs $50 to $4,800 to clean up a hacked WordPress site

Important Note: One of the most important tasks for securing WordPress is using a security plugin. You can use our handpicked list of WordPress security plugins to choose a plugin for protecting your site from getting hacked.

1. WordPress Security Statistics

The following are the most notable statistics about WordPress that will shock you.

Note that the statistics are not listed in any particular order.

How many WordPress websites are hacked?

Nobody knows exactly how many WordPress websites get hacked, but our best estimate is at least 13,000 per day. That’s around 9 per minute, 390,000 per month, and 4.7 million per year.

What percentage of WordPress websites get hacked?

4.3% of WordPress sites were hacked. Almost 1 in every 25 WordPress sites has been hacked.

How many websites are hacked every day?

Every day, more than 30,000 websites are hacked.

What percentage of WordPress websites were at risk of getting hacked?

10.4% of WordPress sites were at risk of getting hacked because of using outdated plugins, themes or WordPress version.

How many WordPress attacks per minute are reported?

Thanks to its popularity and widespread use, almost 90,000 attacks come through WordPress every minute.

How many WordPress sites are hacked due to weak passwords?

It’s estimated that 8% of WordPress sites get hacked by weak or stolen passwords.

Website owners should choose a password that they can remember, but that is difficult enough that hackers can’t guess it.

Source: WPManageNinja

What percentage of attacks occur due to outdated sites?

When WordPress sites aren’t updated regularly enough, they’re especially vulnerable. Outdated sites cause 61% of attacks.


Source: WP Clipboard

WordPress gets attacked on average 90,000 times a minute.

It may seem fake, but WordPress is getting attacked all the time.

Source: Arishi

What was the most commonly hacked CMS?

According to Sucuri’s annual hacked website report, WordPress was the most commonly hacked CMS in 2021.

95.6% of infections Sucuri detected were on WordPress sites.

1- WordPress – 95.6%

2- Joomla – 2.03%

3- Drupal – 0.83%

4- Magento – 0.71%

5- OpenCart – 0.35%

It’s worth noting that just because Sucuri detected most infections on WordPress-powered sites doesn’t mean that WordPress itself is inherently vulnerable.


Why is WordPress the most hacked CMS?


Because WordPress is the most popular CMS, hackers are more likely to target it.

Source: BetterStudio

How many attempts were blocked by Wordfence to exploit vulnerabilities?

Over 9.7 million unique IP addresses attempted to exploit vulnerabilities in 2020.

The statistics are impressive, in my opinion, but what’s even more impressive is that 99.6% of all exploits were prevented from succeeding by Wordfence, and the remaining ones were stopped by other security measures on the website.

Source: Wordfence

What is the main tactic for hacking WordPress websites?

Insecure or stolen passwords cause 81% of WordPress hacks.

Almost all the attacks targeted websites for defacing, then tried to inject malicious scripts.

Passwords are most commonly stolen through brute-force attacks, where hackers use software to log in to websites with random usernames and passwords automatically.

Source: Sucuri

What is the worst attack on WordPress?

Over 18 million WordPress sites were compromised in 2011 because of a vulnerability found in a plugin called TimThumb.

The TimThumb thumbnail creation plugin for WordPress had an SQL injection vulnerability.

Source: BetterStudio

What is the most common method hackers use to hack WordPress?

It’s estimated that 97% of WordPress attacks are automated.

Why? Because they’re efficient and effective.

It’s easy for attackers to use automatic attacks to find flaws in a website before their owners can fix them. Automated attacks are also cheap.

Hackers don’t need to pay for humans, just applications that scan for vulnerabilities for hours or days at a time.

Source: MediaTemple

What is the best way to protect WordPress websites from being hacked?

The top WordPress hardening recommendation comes from Sucuri, who found that 84% of websites don’t have a Website Application Firewall.

Using a WordPress security plugin is also essential to protect websites from hacking.

Source: Sucuri

What are the five most common hardening recommendations?

These are the top 5 hardening recommendations Sucuri found:

1- Missing WAF – 84%

2- X-Frame options – 83%

3- No CSP – 82%

4- Strict Transport Security – 72%

5- No Redirect to HTTPS – 17%

Source: Sucuri
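
The header-level items in the list above can be checked from a site's own responses. The following is an added example, not code from Sucuri or from this article: the function names, the HSTS threshold and the sample responses are assumptions made for illustration, and WAF presence is not covered because it cannot be judged from these headers alone.

```python
import re

MIN_HSTS_MAX_AGE = 15552000  # 180 days; threshold chosen for this example (assumption)


def _normalize(headers):
    """HTTP header names are case-insensitive; fold them to lowercase."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def audit_https_response(headers):
    """Return hardening findings for the HTTPS response headers of a page."""
    h = _normalize(headers)
    findings = []
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("No CSP")
    # Clickjacking defence: X-Frame-Options, or the CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").upper()
    directives = [d.strip().lower() for d in csp.split(";")]
    has_frame_ancestors = any(d.startswith("frame-ancestors ") for d in directives)
    if xfo not in ("DENY", "SAMEORIGIN") and not has_frame_ancestors:
        findings.append("X-Frame options")
    # HSTS only counts when max-age is present and long enough to be useful.
    match = re.search(r'max-age\s*=\s*"?(\d+)', h.get("strict-transport-security", ""), re.I)
    if not match or int(match.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("Strict Transport Security")
    return findings


def audit_http_redirect(status, headers):
    """Check that a plain-HTTP request is answered with a redirect to HTTPS."""
    location = _normalize(headers).get("location", "")
    if status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        return []
    return ["No Redirect to HTTPS"]


# Constructed sample responses (not captured from any real site).
WEAK = {"Server": "nginx", "X-Frame-Options": "ALLOWALL",
        "Strict-Transport-Security": "max-age=0"}
HARDENED = {"content-security-policy": "default-src 'self'; frame-ancestors 'none'",
            "strict-transport-security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    print(audit_https_response(WEAK))
    print(audit_https_response(HARDENED))
    print(audit_http_redirect(200, {}))
```

An invalid `X-Frame-Options` value or an HSTS `max-age` of zero is reported the same way as a missing header, since neither provides the protection.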

How many WordPress admins have a firewall plugin?

At least one firewall plugin is installed by 81% of WordPress sites.


96% of WordPress administrators and website owners viewed WordPress security as very important, and 4% viewed it as somewhat important.

43% of admins spend 1-3 hours per month on WordPress security

35% of admins spend over 3 hours per month on WordPress security

22% of admins spend less than 1 hour on WordPress security.

What are the top security tasks web professionals perform?

Almost three-quarters of all survey respondents said that updating the WordPress core and plugins is their most common security task.

The top tasks web security professionals perform for their clients are listed here:

1- 75% update CMS and plugins

2- 67% backup sites

3- 57% install SSL certificates

4- 56% monitor or scan websites for malware

5- 38% fix sites related to security issues

6- 34% patch vulnerabilities

Source: Sucuri

How often should you update your WordPress site?

It’s recommended to enable auto-updates on WordPress, and updating all plugins and themes at least monthly is strongly recommended.

Statistics about updating WordPress:

1- 35 percent of site managers update their websites weekly

2- 20 percent do it every day

3- 18 percent do it every month

4- 21 percent use an automatic updating system so they are not required to update their sites manually

What is the testing statistic for WordPress?

Key statistics about WordPress updates and testing:

→ 52% of surveyed WP owners and admins have auto-updates enabled for WP software, plugins, and themes.

→ 25% always test updates in a test or staging environment first

→ 32% sometimes test updates

→ 17% never test updates

→ 26% only test major updates

How many emails were exposed by The Panama Papers leak?

It may surprise you that The Panama Papers leak exposed 4.8 million emails due to a vulnerability in a WordPress plugin.

How much time are WordPress site owners spending on security tasks?

More than 35% of respondents spend less than one hour per month on security tasks, while 22% spend more than three hours.

A total of 4.3 billion vulnerability exploit attempts targeting WordPress were reported in 2020

Without counting successful exploits, Wordfence’s software prevented over 4 billion exploit attempts and over 90 billion malicious login attempts in 2020.

Which version of WordPress is the most secure?

Next version.

The latest version of WordPress is always recommended. At the time of this writing, WordPress 6.1.0 is available.

Source: BetterStudio

Is WordPress releasing security updates regularly?

Several updates to WordPress are released each year for security and maintenance.

Source: BetterStudio

Are older WordPress versions easy to hack?

There were a majority of out-of-date WordPress sites infected, showing that running out-of-date WordPress is only somewhat associated with infection.

Using the latest version of WordPress will minimize the risk of hackers attacking your site.

2. WordPress Hacking Statistics

What are the most common WordPress hacks?

Malware is the most common type of WordPress hack seen by Sucuri during incident response.

Top WordPress hacks found by Sucuri

1- Malware 61.65%

2- Backdoor – 60.04%

3- SEO Spam – 52.60%

4- Hacktool – 20.27%

5- Phishing – 7.39%

6- Defacements – 6.63%

7- Mailer – 5.92%

8- Dropper – 0.63%


How many Websites are being hacked due to themes?

About 29% of hacked sites were hacked through a vulnerability in their WordPress theme, according to a survey of about 10,000 sites.

Source: Malcare

How many Websites are being hacked due to hosting?

According to estimates, 41% of all websites hosted by their provider have had vulnerabilities exploited.

Since hosting companies can hold thousands of domains at once, hundreds of websites could be impacted if a mistake is found.

Source: Godaddy

3. WordPress Security Vulnerability Stats

Let’s take a look at some WordPress statistics to better understand what we can do about security vulnerabilities that hackers most commonly exploit.

Count of WP vulnerabilities in 2022?

What’s the biggest WordPress security vulnerability?

99.42% of all security vulnerabilities within the WordPress ecosystem were found in themes and plugins in 2021. That’s an increase from 96.22% in 2020.

Further, 92.81% of vulnerabilities were due to plugins, while 6.61% were due to themes.


42% of WordPress sites have at least one vulnerable component installed.

It is estimated that 91.38% of plugins are available for free through the WordPress.org repository, while only 8.62% are available through third-party marketplaces.

What is the top WordPress vulnerability?

Almost half (50%) of the vulnerabilities in Patchstack’s database in 2021 are cross-site scripting vulnerabilities.

Source: Patchstack

What are the most common WordPress vulnerabilities?

The most common WordPress vulnerabilities:

1- Cross Site Scripting (XSS) – 49.82.3%

2- Other vulnerability types combined – 13.3%

3- Cross-site Request Forgery (CSRF) – 11.2%

4- SQL Injection (SQLi) – 6.8%

5- Arbitrary File Upload – 6.8%

6- Broken Authentication – 2.8%

8- 7- Information disclosure – 2.4%

9- Bypass Vulnerability – 1.1%

10- Privilege Escalation – 1.1%

What percentage of all security vulnerabilities on the internet is due to cross-site scripting?

In total, 84% of all security vulnerabilities on the internet are caused by cross-site scripting or XSS attacks.

Source: Sucuri

39% of WordPress vulnerabilities are because of cross-site scripting (XSS)

Source: Sucuri

4. WordPress Plugin Hacking Statistics

WordPress plugins are known for having the highest proportion of security vulnerabilities, making your website susceptible to hacking.

Let’s look at some hacking statistics related to WordPress plugins and themes:

How many of all WordPress vulnerabilities are caused by out-of-date plugins?

52% of all WordPress vulnerabilities are due to outdated plugins.

This means that you can solve more than half of your WordPress problems by updating your plugins.

Just because they haven’t been hacked in the past doesn’t mean they won’t be hacked in the future, so you should always keep your plugins up to date if you want to keep them safe.

Source: Verisign

How many WordPress sites are infected by fake SEO plugins?

Fake SEO plugins infect over 4,000 WordPress websites.

Source: WP Clipboard

What is the biggest source of security vulnerabilities to WordPress?

WordPress’ biggest security vulnerability comes from plugins.

WPScan reported that 52% of the 4,000 known WordPress vulnerabilities are caused by plugins, compared to 37% by WordPress core and 11% by themes.

What are the most vulnerable WordPress plugins?

Contact Form 7 was the most commonly-identified vulnerable WordPress plugin. It was found in 36.3% of all infected websites at the point of infection.

However, it’s important to point out that this doesn’t necessarily mean Contact Form 7 was the attack vector that the hackers exploited in these instances, only that it contributed to the overall insecure environment.

TimThumb was the second most commonly-identified vulnerable WordPress plugin at the point of infection and was found in 8.2% of all infected websites.

Source: BetterStudio

Top 10 Vulnerable WordPress Plugins

In order of the number of vulnerable WordPress plugins identified, here are the top ten:

1- Contact Form 7 (36.3%)

2- TimThumb (8.2%)

3- WooCommerce (7.8%)

4- Ninja Forms (6.1%)

5- Yoast SEO (3.7%)

6- Elementor (3.7%)

7- Freemius Library (3.7%)

8- PageBuilder (2.7%)

9- File Manager (2.5%)

10- WooCommerce Block (2.5%)

Source: Jetpack

5. The Costs of WordPress Hacking

Having a WordPress website hacked can be very expensive for businesses, as it can affect revenue and cause reputational damage on top of the direct financial losses.

Let’s look at some WordPress hacking costs statistics:

What is the cost of fixing a WordPress site that has been hacked?

Individual prices have ranged from $50 to $4,800 for WordPress malware removal, but there is no standard fee.

Generally, protecting your website from malware costs just $8 per site/month, making it an easy decision.


What are the costs of data breaches for businesses?

The world’s largest data breach occurs due to hacking 45% of the time

Approximately $3.86 million is the average price of a data breach, but of course, this can vary according to the size of the organization, industry, etc.

When WordPress is hacked, what are the biggest impacts?

Web professionals surveyed think these are the most important impacts of a WordPress hack:

▶ Loss of time – 59.2%

▶ Loss of revenue – 27.2%

▶ Loss in client confidence – 26.4%

▶ Loss in brand reputation – 25.6%

▶ No disruption – 17.6%


WordPress is one of the best and most popular platforms available today, but it’s also one of the most targeted by hackers.

Your website will remain secure if you regularly update your plugins and themes. Do not use unreliable plugins that can be used to hack your website.

I hope this list was helpful to you.

I would appreciate it if you shared any other WordPress security statistics in the comments section.
