WordPress Hacking Statistics (How Many WordPress Websites Get Hacked?)

Need to learn how many WordPress web sites get hacked? Then you definitely gained’t wish to miss these WordPress hacking statistics!

WordPress is the preferred CMS on the planet. It powers extra web sites than some other software program. However sadly, that reputation additionally makes it one of the frequent targets for hackers.

Yearly, hundreds of thousands of WordPress web sites fall sufferer to cyberattacks. In the event you don’t wish to be a part of that group, it helps to remain knowledgeable.

With that in thoughts, we’re going to be sharing over 50 WordPress hacking statistics that web site house owners and admins must know this 12 months. 

The stats beneath will provide help to to study extra in regards to the present state of WordPress safety in 2022. They’ll reveal the commonest web site vulnerabilities that hackers exploit, and spotlight some greatest practices that may provide help to preserve your web site protected and safe.

Prepared? Let’s get began!

What number of WordPress web sites get hacked?

No person is aware of precisely what number of WordPress web sites get hacked, however our greatest estimate is at the very least 13,000 per day. That’s round 9 per minute, 390,000 monthly, and 4.7 million per 12 months.

We arrived at this estimation primarily based on the truth that Sophos experiences that over 30,000 web sites are hacked each day, and 43% of all web sites are constructed on WordPress.

What proportion of WordPress web sites get hacked?

In accordance with Sucuri, 4.3% of WordPress web sites that have been scanned with SiteCheck (a preferred web site safety scanner) in 2021 had been hacked (contaminated). That’s round 1 in each 25 web sites.

Whereas not each WordPress web site will use SiteCheck, that is nonetheless in all probability a great indication of the proportion of whole WordPress web sites that get hacked.

Sucuri additionally discovered that 10.4% of WordPress web sites have been susceptible to getting hacked as they have been operating out-of-date software program.

What’s probably the most commonly-hacked CMS platform?

WordPress was probably the most commonly-hacked CMS (content material administration system) in 2021, in response to Sucuri’s annual hacked web site report. Over 95.6% of infections detected by Sucuri have been on web sites operating WordPress. 

High 5 most-hacked CMS:

  1. WordPress – 95.6%
  2. Joomla – 2.03%
  3. Drupal – 0.83 %
  4. Magento – 0.71%
  5. OpenCart – 0.35%

Nonetheless, it’s value noting that the truth that most infections detected by Sucuri have been on web sites that run WordPress doesn’t essentially imply there’s one thing inherently weak in regards to the WordPress core software program. 

Quite the opposite, it’s extra more likely to merely be a mirrored image of the truth that WordPress is by far probably the most generally used CMS, and that WordPress customers are extra probably to make use of plugins like Sucuri than customers of different CMS software program.

Sources: Sophos, Colorlib, Sucuri1

What are the commonest WordPress hacks?

Malware is the commonest kind of WordPress hack seen by Sucuri throughout incident response. In whole, 61.65% of the infections discovered by Sucuri have been categorized as malware. Different frequent infections included backdoor hacks, website positioning spam, hacktools, and phishing hacks.

High WordPress hacks discovered by Sucuri

  1. Malware 61.65%
  2. Backdoor – 60.04%
  3. website positioning Spam – 52.60%
  4. Hacktool – 20.27%
  5. Phishing – 7.39%
  6. Defacements – 6.63%
  7. Mailer – 5.92%
  8. Dropper – 0.63%


Malware is the commonest kind of WordPress hack discovered by Sucuri. It is a broad, catch-all time period that refers to any sort of malicious software program utilized by cybercriminals to hurt or exploit your WordPress web site. The most typical kind of malware is PHP malware.

Malware is without doubt one of the most damaging forms of safety infections as, not like backdoors and website positioning spam, it typically places your website guests susceptible to some type of malicious motion. 

For instance, one frequent instance of malware is a SiteURL/HomeURL an infection, which includes infecting your website with code that redirects your guests to malicious or rip-off domains with a purpose to steal their login particulars.  

One other instance is bank card skimming: a web-based assault wherein hackers inject malicious code onto ecommerce web sites with a purpose to steal guests’ credit score and debit card data. Curiously, stats present that 34.5% of internet sites contaminated with a bank card skimmer run on WordPress.


Backdoors are the second most typical kind of WordPress hack discovered by Sucuri. Because the identify suggests, a majority of these infections enable hackers to bypass the same old login channels with a purpose to entry the backend of your web site through a secret ‘backdoor’ and compromise the atmosphere.

website positioning spam

website positioning spam is the third most typical hack discovered by Sucuri and is current in over half of all infections.

Such a hack includes infecting websites with a purpose to enhance the SEO of and direct visitors to third-party web sites by organising redirects, publishing spam posts, and inserting hyperlinks. 

In the meantime, this damages your personal area’s website positioning rating and may negatively affect your natural rating place in search engines like google like Google.

Key statistics:

  • 32.2% of website positioning spam infections relate to spam injectors, which pepper the compromised atmosphere with hidden spam hyperlinks for website positioning functions. 
  • Different sorts submit a ton of blogs for website positioning functions, often on spammy matters.
  • 28% of website positioning Spam infections relate to prescription drugs (Viagra, Cialis, and many others.)
  • 22% have been associated to Japanese website positioning Spam (these campaigns pollute the sufferer’s web site search outcomes with knock-off designer items and seem within the SERPs in Japanese textual content.
  • Redirect campaigns most frequently level to .ga and .ta top-level domains

Sources: Sucuri1

WordPress safety vulnerabilities

Subsequent, let’s have a look at some WordPress statistics that inform us extra in regards to the safety vulnerabilities hackers most frequently exploit.

What’s the most important WordPress safety vulnerability?

Themes and plugins are the most important WordPress safety vulnerabilities. 99.42% of all safety vulnerabilities within the WordPress ecosystem got here from these parts in 2021. That’s up from 96.22% in 2020.

To interrupt that down a bit additional, 92.81% of vulnerabilities got here from plugins, and 6.61% from themes. 

Amongst weak WordPress plugins, 91.38% have been free plugins obtainable by way of the repository, and simply 8.62% have been premium plugins bought by way of third-party marketplaces like Envato.

Key statistics:

  • 42% of WordPress websites have at the very least one weak element put in.
  • Curiously, solely 0.58% of safety vulnerabilities discovered by Patchstack originated from the core WordPress software program.

High WordPress vulnerabilities by kind

Cross-site scripting vulnerabilities (CSS) make up virtually half (~50%) of all of the vulnerabilities added to Patchstack’s database in 2021. That is up from 36% in 2020.

Different frequent vulnerabilities within the database embrace:

  • Different vulnerability sorts mixed – 13.3%
  • Cross-site Request Forgery (CSRF) – 11.2%
  • SQL Injection (SQLi) – 6.8%
  • Arbitrary File Add – 6.8%
  • Damaged Authentication – 2.8%
  • Data disclosure – 2.4%
  • Bypass Vulnerability – 1.1%
  • Privilege Escalation – 1.1%
  • Distant Code Execution (RCE) – 0.9%

High WordPress vulnerabilities by severity

Patchstack ranks every vulnerability in its database in response to its severity. It makes use of the CVSS system (Widespread Vulnerability Scoring System) to take action, which assigns a numerical worth between 0 and 10 to every vulnerability primarily based on its severity.

A lot of the WordPress vulnerabilities recognized by Patchstack final 12 months obtained a CVSS rating between 4 and 6.9, which makes them ‘Medium’ severity.

  • 3.4% of recognized vulnerabilities have been Crucial severity (9-10 CVSS rating)
  • 17.9% of recognized vulnerabilities have been Excessive severity (7-8.9 CVSS rating)
  • 76.8% of recognized vulnerabilities have been Medium severity (4-6.9 CVSS rating)
  • 1.9% of recognized vulnerabilities have been Low severity (0.1-3.9 CVSS rating)

High attacked vulnerabilities

The highest 4 ‘attacked’ vulnerabilities in Patchstack’s database have been:

  • OptinMonster (model 2.7.4 and earlier) – Unprotected REST-API to Delicate Data Disclosure and Unauthorized API entry
  • PublishPress Capabilities (model 2.3 and earlier) – Unauthenticated Settings Change
  • Booster for WooCommerce (model 5.4.3 and earlier) – Authentication Bypass
  • Picture Hover Results Final (model 9.6.1 and earlier) – Unauthenticated Arbitrary Choices Replace

Supply: Sucuri1, Patchstack

WordPress plugin hacking statistics

As we talked about earlier, WordPress plugins are the commonest supply of safety vulnerabilities that enable hackers to infiltrate or compromise your web site. Subsequent, we’ll have a look at some WordPress hacking statistics that relate to WordPress plugins.

In case you didn’t already know, plugins are small third-party software program purposes which you can set up and energetic in your WordPress website to increase its performance.

What number of WordPress plugin vulnerabilities are there?

There have been 35 important vulnerabilities present in WordPress plugins in 2021. Worryingly, two of those have been in plugins that had over 1 million installations: All in One website positioning and WP Quickest Cache.

The excellent news is that each of the above vulnerabilities have been promptly patched by the plugin builders. Nonetheless, 29% of the overall variety of WordPress plugins discovered to have important vulnerabilities didn’t obtain a patch.

What are probably the most weak WordPress plugins?

Contact Type 7 was probably the most commonly-identified weak WordPress plugin. It was present in 36.3% of all contaminated web sites on the level of an infection. 

Nonetheless, it’s vital to level out that this doesn’t essentially imply Contact Type 7 was the assault vector that the hackers exploited in these cases, solely that it contributed to the general insecure atmosphere.

TimThumb was the second most commonly-identified weak WordPress plugin on the level of an infection and was present in 8.2% of all contaminated web sites. That is particularly stunning on condition that the TimThumb vulnerability is over a decade outdated. 

High 10 recognized weak WordPress plugins:

High Susceptible WordPress Parts Proportion
1. Contact Type 7 36.3%
2. TimThumb (picture resizing script utilized by themes and plugins) 8.2%
3. WooCommerce 7.8%
4. Ninja Varieties 6.1%
5. Yoast website positioning 3.7%
6. Elementor 3.7%
7. Freemius Library 3.7%
8. PageBuilder 2.7%
9. File Supervisor 2.5%
10. WooCommerce Block 2.5%
Supply: Sucuri

What number of WordPress plugins ought to you might have?

Greatest practices recommend that web site house owners and admins ought to have as few WordPress plugins as attainable. The less plugins you might have, the decrease your threat of encountering a vulnerability.

The typical WordPress website has 18 totally different plugins and themes put in. That is 5 lower than final 12 months and on the floor, appears to be a transfer in the fitting path.

Nonetheless, extra of these plugins and themes have been discovered to be outdated this 12 months in comparison with final 12 months. On common, 6 out of 18 of the plugins put in on web sites have been outdated, in comparison with simply 4 out of 23 final 12 months.

Jetpack is the preferred WordPress safety plugin on the WordPress plugin listing, with over 5 million downloads. Nonetheless, it’s debatable whether or not or not Jetpack might be classed as a real safety plugin. 

Though it contains safety features like 2FA, malware detection, and Brute Power safety, it additionally contains different options for issues like pace optimization, analytics, and design instruments. This makes it extra of an all-in-one plugin than a safety plugin.

So far as devoted safety plugins go, Wordfence is the preferred, with 4 million downloads on the WordPress plugin database.

WordPress theme vulnerabilities

12.4% of WordPress theme vulnerabilities recognized by Patchstack had a important CVSS rating (9.0 – 10.0). And worryingly, 10 themes had a CVSS 10.0 safety threat that compromises the person’s complete website through an unauthenticated arbitrary file add and choice deletion.

Sources: Patchstack, WordPress1, WordPress2

How will you shield your WordPress web site from being hacked?

You possibly can shield your WordPress web site from being hacked by lowering your use of plugins and themes, ensuring you replace all software program incessantly and patch recognized vulnerabilities, and thru WordPress hardening.

Listed below are some statistics that reveal extra about rising the safety of your WordPress web site.

Commonest WordPress hardening suggestions

In accordance with knowledge from Sucuri, over 84% of internet sites didn’t have a web site software firewall (WAF), making this the highest WordPress hardening advice. 

WAFs assist just about patch identified vulnerabilities and safeguard your website in opposition to DDoS assaults, remark spam, and dangerous bots.

83% of internet sites have been additionally discovered to be lacking X-Body-Choices—a safety header that helps enhance your safety by defending you from clickjacking and stopping hackers from embedding your web site onto one other by way of an iframe. This makes X-Body-Choices the second most typical hardening advice.

High 5 most typical hardening suggestions detected by Sucuri:

  1. Lacking WAF – 84%
  2. X-Body choices – 83%
  3. No CSP – 82%
  4. Strict Transport Safety – 72%
  5. No Redirect to HTTPS – 17%

How do web site admins shield their websites?

In accordance with a survey of web site admins and house owners, 82% have undertaken safety hardening, a apply that includes taking steps to make your WordPress website harder to hack.

Of these, 27% used a plugin to harden their website, 25% undertook guide hardening, and 30% did a mix of each. Solely 18% didn’t do any hardening in any respect.

Key statistics:

  • 81% of surveyed WordPress admins have at the very least one firewall plugin put in
  • 64% of surveyed WordPress admins use 2FA (Two-factor authentication), whereas 36% don’t
  • 65% of surveyed WordPress admins use exercise log plugins.
  • 96% of surveyed WordPress directors and web site house owners view WordPress safety as essential.  And 4% view it as considerably vital
  • 43% of admins spend 1-3 hours monthly on WordPress safety
  • 35% of admins spend over 3 hours monthly on WordPress safety
  • 22% of admins spend lower than 1 hour on WordPress safety.

How do net professionals safe their purchasers’ websites?

In accordance with a current survey, virtually half of all net professionals that work with purchasers depend on premium safety plugins to safe their purchasers’ web sites:

High strategies net professionals use to safe consumer websites: 

  • 45.6% pay for premium safety plugins
  • 42.4% use free safety plugins
  • 31.2% pay knowledgeable safety supplier
  • 28.8% deal with safety points in-house
  • 24.8% refer their purchasers to knowledgeable safety supplier
  • 10.4% use different strategies
  • 6.4% inform their purchasers to make use of free plugins
  • 5.6% don’t have a plan for web site safety

High safety duties net professionals carry out

Updating WordPress (or no matter CMS the consumer makes use of) and plugins is the commonest safety job carried out by net professionals, with three-quarters of all survey respondents saying that is one thing they do. 

High duties net safety professionals perform for his or her purchasers:

  • 75% replace CMS and plugins
  • 67% backup websites
  • 57% set up SSL certificates
  • 56% monitor or scan web sites for malware
  • 38% repair websites associated to safety points
  • 34% patch vulnerabilities

How typically must you replace your WordPress website?

As we talked about earlier, conserving your WordPress web site is up to date is extremely vital from a safety standpoint. 

Most website managers replace their web site on a weekly foundation (35%), however 20% run updates each day, and 18% achieve this month-to-month. 21% of website managers have some sort of automated updates configured so that they don’t should do it manually.

Key statistics: 

  • 52% of surveyed WP house owners and admins have auto-updates enabled for WP software program, plugins, and themes.
  • 25% at all times check updates in a check or staging atmosphere first
  • 32% generally check updates
  • 17% by no means check updates 
  • 26% solely check main updates

Sources: Sucuri2, Sucuri3, WP White Security

The prices of WordPress hacking

Getting hacked can value companies a small fortune. Getting malware professionally eliminated prices $613 on common, however it could value 1000’s—and even hundreds of thousands—of {dollars} extra to recuperate from a critical knowledge breach.

Other than financial prices, WordPress hacking can even not directly have an effect on value companies cash by impacting revenues and damaging model popularity.

How a lot does it value to repair a hacked WordPress web site?

The typical value of WordPress malware elimination is $613, however that may range considerably from case to case. Individually, costs ranged from $50 all the best way as much as $4,800.

As compared, paying for web site safety to guard your website from malware prices simply $8 per website/month, on common—making it a no brainer for many website house owners.

How a lot do knowledge breaches value companies?

Hacking is chargeable for 45% of information breaches worldwide. And on common, the common value of an information breach is $3.86 million. However in fact, this varies primarily based on the dimensions of the group, business, and many others.

What are the most important impacts of WordPress hacking?

In accordance with surveyed net professionals, the best affect of a hack on their consumer’s enterprise was a lack of time (59.2%). Different damaging impacts embrace:

  • Lack of income – 27.2%
  • Loss in consumer confidence – 26.4%
  • Loss in model popularity – 25.6%
  • No disruption – 17.6%

Sources: Patchstack, Statista, Sucuri3

What’s probably the most safe model of WordPress?

Essentially the most safe model of WordPress is at all times the newest model. On the time of writing, that is WordPress 6.0.2.

How typically does WordPress launch safety updates?

WordPress sometimes releases a number of safety and upkeep updates yearly. There have been 4 in 2021. The most recent safety launch (on the time of writing) was WordPress 6.0.2, which fastened three safety points: an XSS vulnerability, an output escaping difficulty, and a attainable SQL injection.

Are outdated variations of WordPress simply hacked?

Solely 50.3% of WordPress web sites have been discovered to be old-fashioned when contaminated, which suggests operating an out-of-date model of the WordPress software program solely roughly correlates with an infection. Nonetheless, greatest practices recommend you need to at all times use the newest model of WordPress to attenuate your threat of getting hacked.

Sources: Sucuri1, WordPress3

Ultimate ideas

That concludes our roundup of crucial WordPress hacking statistics for 2022. We hope you discovered this knowledge helpful!

If you wish to study much more about WordPress, try our roundup of WordPress statistics.

You may also study extra about how you can shield your website from hackers by studying our in-depth information on how to improve WordPress security in 2022.

Good luck!

Tell us if you happen to favored the submit.

Related Articles

Back to top button