Dharmendra Asimi
Founder, Aapta™ Solutions · Published January 26, 2025

WordPress Usage & Security 2025: The Numbers That Matter

How many WordPress sites exist, how many get hacked daily, and what the real attack patterns look like — backed by W3Techs, Wordfence and Sucuri data.

Security · 9 min read

The two questions every WordPress owner asks

I get asked two versions of the same question every week: "How big is WordPress really?" and "How dangerous is it to run a site on it?"

Both deserve honest answers, not the marketing version. So here's what the actual data says about WordPress usage and the real attack picture in 2025.

WordPress in 2025: the headline numbers

WordPress turned 22 this year. It started as a fork of b2/cafelog in 2003 and has grown into the dominant CMS for the open web.

Source: W3Techs, 2025 data.

Metric                      Value
Share of all websites       43.4%
Share of CMS market         62.5%
Estimated active sites      95-110 million
Plugins in official repo    59,000+
Themes in official repo     11,000+
Languages supported         200+

Two things to know about that 43% number. First, it counts sites that respond to a basic crawl. Many are dormant. Second, the "62.5% of CMS sites" stat is more useful for comparison: when someone picks a CMS, two out of three pick WordPress.

Active vs dormant: the sites that matter

Not every WordPress install is alive. Based on Sucuri's 2024 web malware report and Wordfence telemetry:

  • Active sites with regular traffic: about 65-70% of installs (roughly 65-75 million)
  • Dormant or low-activity: 30-35% (test installs, abandoned blogs, expired domains still serving WP)

This matters for security because dormant sites are the most dangerous. Nobody updates them. They become reservoirs of exploitable vulnerabilities that attackers harvest for botnets, spam relays, and lateral attacks.

If you have an old WordPress site you haven't touched in two years, it's almost certainly compromised. Either rebuild or delete it.

Where WordPress runs

WordPress isn't evenly distributed. It skews heavily toward markets where small businesses run their own sites.

Region                      Share of WordPress sites
North America               30-35%
Europe                      22-25%
Asia                        22-25%
Latin America + Africa      15-18%

India sits inside that Asia number and is one of the fastest-growing WordPress markets globally. WooCommerce alone has thousands of new Indian merchant signups every month, driven by GST-compliant invoicing and Razorpay integration.

The security picture, without the panic

This is where most articles either downplay or sensationalise. Both are wrong.

The Wordfence 2024 threat report and Sucuri's annual hacked website report paint a consistent picture:

Metric                                          2024-2025 estimate
Attack attempts per hour (monitored sites)      90,000-100,000
Daily automated probes globally                 Tens of millions
Successful breaches per day                     5,000-10,000
Successful breaches per month                   ~200,000-300,000

Two things to take from this. The attempt numbers are huge but mostly meaningless: bots probe everything, all the time. The successful breach number is what matters, and it's drastically smaller. Out of 100 million WordPress sites, maybe 0.3% get successfully hacked in a given month.

Most of that 0.3% is preventable.

Why the breaches happen

Wordfence's data on the actual cause of confirmed breaches is more useful than counting attempts:

Cause                                 Share of confirmed breaches
Outdated plugin                       56%
Weak or stolen password               22%
Compromised hosting environment       11%
Stolen session token or API key       7%
Zero-day or insider threat            4%

The real attack surface is shockingly mundane. Outdated plugins and weak passwords drive 78% of breaches between them. Almost nothing is exotic.

What attackers actually do once they're in

The motive matters because it shapes what to monitor for. From Sucuri's incident data:

  1. SEO spam injection (44% of compromised sites) — hidden links and pages pushing pharma, casino, or replica goods. Often invisible to the site owner until traffic tanks.
  2. Malicious redirects (24%) — visitors get bounced to phishing or malware sites.
  3. Backdoors (62% of cleanups, often combined with the above) — attacker installs hidden access for return visits.
  4. Cryptojacking (8%) — your server mines cryptocurrency for someone else.
  5. Credit card skimming (6%, mostly WooCommerce) — payment form gets a malicious script that captures card data.

The first three are about scale: hit thousands of sites, monetise through volume. The last two target sites with valuable resources or transactions.

The common attack vectors, ranked

Most WordPress attacks fall into a small number of patterns. Knowing them helps you prioritise defences.

Brute-force credential attacks (30-40% of all attempts). Bots try lists of common usernames and leaked passwords against the login form. Stopped almost completely by 2FA plus a real WAF.

Plugin exploits (40%+ of successful breaches). The attacker scans for known vulnerable versions of popular plugins and uses the published exploit. The fix is patch-day discipline, not an exotic firewall.

Cross-site scripting (XSS) (15-25% of intrusions). Malicious script gets stored in a comment, form field, or theme option and runs in visitors' or admins' browsers. The escaping and sanitisation functions in WordPress core prevent most of this, provided plugin and theme developers actually use them on every input and output.

SQL injection (15-20% of major vulnerabilities reported). The attacker manipulates database queries through inputs that are concatenated into SQL instead of going through prepared statements. Almost always a plugin issue, not core WP.

File inclusion attacks (5-10%). Bad path handling lets attackers make the site load remote or local files it should never touch.
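Brute-force attempts of the kind described above leave an obvious trail in the web server access log. The script below is an added example, not code from the post or from any of the vendors it mentions: it counts POSTs to the WordPress login endpoints per source IP inside a sliding window and reports the IPs that exceed a threshold. The log lines, window and threshold are constructed assumptions to tune for a real site.

```python
# Added example (not from the original post): flag brute-force login bursts by
# counting POSTs to WordPress login endpoints per source IP in a sliding window.
# Sample log lines are constructed (combined-log format); thresholds are assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime

LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")   # form login plus the XML-RPC login path bots also hit
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]          # drop any query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))

def find_bruteforce(lines, max_attempts=5, window_seconds=60):
    """Return {ip: peak_count} for IPs exceeding max_attempts login POSTs in any window."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, _ = parsed
        if method != "POST" or path not in LOGIN_PATHS:
            continue                      # GETs only render the form; POSTs carry credentials
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                   # expire attempts that fell out of the window
        if len(q) > max_attempts:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample: 203.0.113.9 fires six POSTs in 25 s and one more minutes later;
# 198.51.100.4 loads the form and logs in once (WordPress answers a successful login with 302).
SAMPLE_LOG = [
    f'203.0.113.9 - - [26/Jan/2025:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "curl/8.0"'
    for s in range(0, 30, 5)
] + [
    '198.51.100.4 - - [26/Jan/2025:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 4012 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [26/Jan/2025:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Jan/2025:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "curl/8.0"',
]
```

Running find_bruteforce(SAMPLE_LOG) returns {'203.0.113.9': 6}; the legitimate user never trips the threshold because GETs are ignored and a single POST stays under the limit.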

For deep coverage of each, see our 2025 guide to WordPress hacking techniques.

Why WordPress is targeted

Two reasons. First, scale: 100+ million sites means even a 1% success rate is a million victims. Second, the long tail of poorly maintained sites running old code creates a permanent attack surface.

This isn't unique to WordPress. Drupal, Joomla, Magento all face the same dynamic. WordPress just shows up more in the data because it powers more sites.

High-profile incidents and what they taught us

A few patterns repeat across major WordPress security incidents:

  • Reuters, 2014: Site defacement traced to a vulnerable plugin. Lesson: even big publishers run plugins they haven't audited.
  • Panama Papers connection, 2016: The leak began with an outdated WordPress install on Mossack Fonseca's email portal. Lesson: a forgotten subdomain can sink the whole company.
  • WooCommerce skimmer attacks, 2022-2024: Hundreds of stores hit by Magecart-style card skimmers via compromised payment plugins. Lesson: e-commerce security needs a layered approach beyond a generic security plugin.

The common thread: nobody was paying attention to the boring infrastructure until it failed.

Where the platform itself is heading

Three trends matter for 2025-2026:

Auto-updates expanding. WordPress 6.5+ pushed auto-update controls deeper into core. More plugin authors now ship signed auto-update channels.

Tighter plugin repo controls. The .org plugin team has tightened submission and update review. Vulnerable plugins get pulled from the repo faster than they used to.

AI-powered detection. Cloudflare, Sucuri and Wordfence all now use ML models to identify malicious request patterns rather than just signature matching. This catches novel attack variants the rule-based engines miss.

None of this matters if site owners don't apply updates. The platform is doing its part. The weak link is operations.

The honest take

WordPress isn't insecure. WordPress sites that nobody maintains are insecure. There's a meaningful difference.

A current WordPress install, on a good host, with a real WAF and 2FA, is as secure as anything else on the open internet. A two-year-old install with 40 plugins and the password "Welcome123" is a guaranteed breach waiting to happen.

The platform gets blamed for both.

Practical roadmap if you're starting now

  1. Pick managed WordPress hosting. Kinsta, WP Engine, RunCloud, or a serious Indian provider. Rules out the worst hosting-level breaches.
  2. Install only what you need. Aim for under 20 plugins. Audit quarterly.
  3. Enforce 2FA on every admin account. No exceptions for "the founder doesn't like clicking codes."
  4. Set up a real WAF. Cloudflare or Sucuri. Plugin-only firewalls aren't the same thing.
  5. Daily off-site backups, monthly restore drill. Backups you've never tested don't work.
  6. Activity logging with alerts. WP Activity Log plus email or Slack notifications.

If you'd prefer to outsource this, our WordPress maintenance service handles security setup, patching, and incident response for sites in India, the US and UK. See also our 7 key WordPress security strategies for the deeper how-to.

FAQ

How many WordPress sites get hacked per day? Between 5,000 and 10,000 successful breaches per day globally, based on Sucuri and Wordfence telemetry. That's a small fraction of the 100+ million active sites, but the absolute number is large because the install base is huge.

Is WordPress more dangerous than other CMSes? Per site, no. The breach rate per site is similar to Drupal, Joomla, and Magento when normalised for plugin usage. WordPress shows up more in headlines because it has more sites running it. The main risk factor is unmaintained installs.

What's the cheapest secure WordPress setup? Managed host (₹400-800/month or $5-10), free Cloudflare WAF, free Let's Encrypt SSL, free WP 2FA plugin, and Solid Backups free tier. Total ongoing cost: under ₹1,000/month or $12. The work isn't expensive. The discipline is the hard part.

Do I need a security plugin if I use Cloudflare? Yes, but a different one. Cloudflare blocks attacks at the edge. You still want a plugin for activity logging, malware scanning, and 2FA. Wordfence or Solid Security pairs well with Cloudflare.

How do I check if my WordPress site is already hacked? Run a scan with Sucuri SiteCheck or WPScan, search Google for site:yoursite.com viagra or site:yoursite.com casino (common SEO spam markers), and check Search Console for unexpected indexed pages. If anything shows up, assume compromise and start a clean restore from a known-good backup.
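The checks above work from the outside. As an added local triage that is not part of the original post, the script below walks a WordPress directory for three well-known indicators the article's incident data points at: hidden-link SEO spam, PHP files dropped into wp-content/uploads, and the eval-of-base64 obfuscation typical of backdoors. The patterns and the fixture site are constructed; a hit is a lead for a full scan and a clean restore, not proof of compromise on its own.

```python
# Added example (not from the original post): local triage for three common signs of
# compromise: hidden-link SEO spam, PHP inside wp-content/uploads, and eval-of-base64
# obfuscation typical of backdoors. Patterns and the fixture site are constructed.
import re, tempfile, pathlib

SPAM_WORDS = ("viagra", "cialis", "casino", "replica")
# An element hidden with display:none that soon contains a link whose URL carries a spam keyword.
HIDDEN_LINK = re.compile(r'<[^>]*display\s*:\s*none[^>]*>.{0,400}?<a\s[^>]*href=["\']https?://[^"\']*(?:'
                         + "|".join(SPAM_WORDS) + ")", re.I | re.S)
# eval()/assert() wrapped around a decoder: legitimate plugins almost never need this.
OBFUSCATED_PHP = re.compile(r'\b(?:eval|assert)\s*\(\s*(?:gzinflate|base64_decode|str_rot13)\s*\(', re.I)

def scan_file(path):
    """Return the list of indicator names found in one file (empty list if clean)."""
    hits = []
    if path.suffix.lower() in (".php", ".phtml") and "/wp-content/uploads/" in path.as_posix():
        hits.append("php_in_uploads")     # uploads should hold media only, never executable code
    text = path.read_text(errors="ignore")
    if HIDDEN_LINK.search(text):
        hits.append("hidden_spam_link")
    if OBFUSCATED_PHP.search(text):
        hits.append("obfuscated_php")
    return hits

def scan_site(root):
    """Walk a WordPress install; return {relative path: [indicators]} for files with hits."""
    root = pathlib.Path(root)
    findings = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in (".php", ".phtml", ".html", ".htm", ".js"):
            hits = scan_file(p)
            if hits:
                findings[p.relative_to(root).as_posix()] = hits
    return findings

def build_sample_site():
    """Constructed fixture: a tiny fake install with one clean file and three suspicious ones."""
    root = pathlib.Path(tempfile.mkdtemp())
    files = {
        "wp-content/themes/demo/footer.php": "<?php wp_footer(); ?></body></html>",
        "wp-content/themes/demo/header.php":
            '<div style="display:none"><a href="http://example.invalid/cheap-viagra">buy</a></div>',
        "wp-content/uploads/2025/01/image.php": "<?php echo 'not an image'; ?>",
        "wp-content/plugins/cache/helper.php": '<?php eval(base64_decode("ZWNobyAxOw==")); ?>',
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root
```

Calling scan_site(build_sample_site()) reports the three planted files with their indicator names and leaves footer.php out; point scan_site at a real install root to run the same checks there.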

Need help with your WordPress site?

We've shipped and maintained 200+ WordPress sites since 2007. If you want a security audit, ongoing maintenance, or help recovering from a breach, get in touch. We do honest assessments, not sales pitches.
