50 WordPress Security Statistics Over the Years (2021-2024)

Published on August 22, 2024 by Kaan Güner

In the fast-evolving world of security, where threats can change in the blink of an eye, information is key. As we stride into 2024, the pulse of digital threats is as dynamic as the opportunities opening up for businesses, individuals, and governments alike. Keeping abreast of the most recent WordPress security statistics not only gives you a sense of the magnitude of the problems faced but also offers important insights into trends and strategies for countering the threats.

This is a collection of more than 50 key WordPress security statistics to help businesses, assist IT professionals, and inform people about the general risks of using WordPress and how to mitigate security threats. Feel free to scroll all the way down to look at the data presented for an outlook on WordPress security this year!

Key Takeaways

- Weak Passwords and Outdated Plugins: 8% of hacks are due to weak passwords, and 52% of vulnerabilities come from outdated plugins.
- High Attack Rate: WordPress faces around 90,000 attacks per minute due to its popularity.
- Prevalence of Plugin Vulnerabilities: 90% of known WordPress vulnerabilities target plugins, with significant issues like Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF).
- Widespread Malware: 75% of malicious files found on WordPress sites are generic malware, with SEO spamware being a significant threat.

WordPress Security Statistics in 2024

- 8% of hacked WordPress websites are attacked because of weak passwords. (Astra)
- 52% of WordPress vulnerabilities come from outdated plugins. (Astra)
- Nearly 61% of the attacked websites were outdated across all domains. (Astra)
- Over 20% of the security vulnerabilities needed no authentication to access. (Jetpack)
- Because of its popularity, WordPress faces 90,000 attacks per minute. (Astra)
- In its scans, Jetpack Scan (utilizing the WPScan database) found 70,000 sites with at least one malicious file. Most causes can be tracked down to either (you guessed it!) leaked/weak credentials or nulled software. (Jetpack)
- Malware injected into WordPress sites ranks second, accounting for 34.14%. (AIOSEO)
- 75% of the malicious files found on WordPress sites (600,000 files) were generic malware. (Jetpack)
- SEO spamware accounts for 55.40% of the malware attack types used. (AIOSEO)
- Almost 42% of WordPress sites have at least one part left susceptible. (Astra)
- Close to 90% of known vulnerabilities in WordPress were targeted at plugins. The other 6% are themes, and core software takes up another 4%. (AIOSEO)
- WordPress sites face a high probability of falling to vulnerabilities if not updated on time. (Astra)
- WordPress faces 95.6% of the attacks, while OpenCart faces only 0.35% of the cyber attacks. (Astra)
- Over 280,000 WordPress sites were attacked using the zero-day vulnerability in the WPGateway plugin. (Astra)
- Cross-Site Scripting (XSS) bugs account for half of the plugin vulnerabilities, close to 50% of overall vulnerabilities. Cross-Site Request Forgery takes second place, at 15% of the plugin vulnerabilities. (AIOSEO)

WordPress Security Statistics in 2023

- Across the WordPress ecosystem, 53.3% of all new security vulnerabilities detected were due to Cross-Site Scripting (XSS). (Patchstack)
- The large user base of WordPress makes it one of the favorite platforms for hackers. However, most of the attacks occur on third-party plugins rather than the platform itself. (AIOSEO)
- 15.7% of the plugins flagged as risks in 2023 were ultimately removed from the WordPress plugin repository. (Patchstack)
- 48.64% of new vulnerabilities earned a high or medium Patchstack Priority score. (Patchstack)
- 42.9% of all new WordPress vulnerabilities were of high or critical CVSS severity. (Patchstack)
- In 2023 alone, plugins were the source of 96.77% of all new WordPress vulnerabilities. (Patchstack)
- 58.84% of all new WordPress vulnerabilities needed no authentication to exploit. (Patchstack)
- Wordfence's Web Application Firewall (WAF) blocked 3 million attacks from about 14,000 IPs that were trying to exploit vulnerabilities in the first half of 2023. (AIOSEO)
- Cross-Site Request Forgery (CSRF) vulnerabilities followed, accounting for 16.9%, and Broken Access Control accounted for 12.9%. (Patchstack)

WordPress Security Statistics in 2022

- An average week in 2022 recorded 1,361 plugins and 64 theme vulnerabilities. (Wcanvas)
- Out of a pool of the most popular WordPress sites, 26 had plugins with critical security risks. (Bright Plugins)
- In 2022, iThemes Security found that most known vulnerabilities were medium (50%), followed by high (25%), low (21%), and critical (4%). (Wcanvas)
- iThemes discovered 20-50 new vulnerabilities in plugins and themes every week in 2022. (Wcanvas)
- Wordfence reports that in 2022 it defended against 159 billion credential-stuffing attacks. (AIOSEO)
- Between August and September 2022, Wordfence blocked more than 4 million attacks targeting 280,000 sites that had downloaded the WPGateway plugin. (Wcanvas)
- iThemes published 90-199 vulnerabilities a month in 2022. This adds up to 121 vulnerabilities available to users per month in 2022. (Wcanvas)
- The 1,425 plugins and themes that suffered from new vulnerabilities week by week make up some 2% of the 70,000+ pool of themes and plugins examined in the WordPress.org ecosystem. (Wcanvas)
- In 2022, Wordfence blocked over 159 billion password attack requests across all WordPress websites that used the tool. (AIOSEO)
- iThemes Security published 1,779 WordPress vulnerabilities across 2022. Of these, 1,659 (or 93.25%) came from plugins. The rest were in themes (97 or 5.45%) and WordPress core files (23 or 1.29%). This further confirms that WordPress is very secure, but the components you add to the software may not always be. (Wcanvas)
- 74% of all compromised WordPress websites had an available but outdated plugin at the time of the attack. (Bright Plugins)
- 4,528 security-related bugs were reported in 2022. This is 328 more than in 2021. (Bright Plugins)
- Developers update 69% of plugins when vulnerabilities are disclosed. 26% of reported vulnerabilities have no known fix. In 5% of cases, the plugin is even closed. (Wcanvas)

Further reading: 9 Best WordPress Security Plugins to Protect Your Website

WordPress Security Statistics in 2021

- Approximately 97% of the vulnerabilities in their database are in plugins and themes, and only 4% are in core software. (HubSpot)
- In 2021, 61.65% of remediated websites in the Sucuri database were infected with malware. (HubSpot)
- 3% of over 55k plugins in the WordPress directory have never been updated. (Prevent Direct Access)
- Weak passwords contribute to 8% of WordPress website hacking. (Prevent Direct Access)
- 44% of hacking was caused by outdated WordPress sites. (Prevent Direct Access)
- Hosting platforms are responsible for 41% of all WordPress attacks. (Prevent Direct Access)
- Google blacklisted 70,000 websites due to security issues every week in 2021. (Prevent Direct Access)
- 84% of all security vulnerabilities on the internet are the result of XSS attacks. (Prevent Direct Access)
- WPScan has tracked 22,113 core software vulnerabilities in total. (Prevent Direct Access)
- Approximately 4.3% of WordPress websites scanned with the security scanner SiteCheck in 2021 suffered infection (hacks). That's a little over 1 out of every 25 WordPress sites. (Wcanvas)
- In 2021, 48% of SiteCheck (a security plugin) users had outdated CMS installations, making them more vulnerable to exploits. About 95% of SiteCheck's users use WordPress as their CMS. (Wcanvas)
- 61% of infected WordPress websites were out of date. (Prevent Direct Access)
- 52% of WordPress vulnerabilities relate to plugins, while themes account for 11%. (Prevent Direct Access)

Further reading: What to Do After a Data Breach: Steps to Secure Your Company

Summary

The key statistics and trends in this post underline why it is so critical to stay informed and proactive in the ever-evolving WordPress security threat landscape. As 2024 unfolds, the figures describe an extremely fraught and complex terrain, but one on which the right knowledge and tools can help people and organizations build strong defenses and lessen their exposure.

To protect your website from such threats, contact Polar Mass WordPress Maintenance Services to prevent cyber threats with comprehensive WordPress maintenance services, including support, hosting, daily backups, updates, uptime monitoring, malware removal, and security scans!

Article by Kaan Güner

I am Kaan Güner, the founder of Polar Mass. Since 2011, I have specialized in WordPress Development, SEO, and business consulting, dedicated to helping businesses thrive. I've built a reputation for driving results and delivering exceptional value to clients across various industries.