Are WordPress users taking care of their security? State of Blog Security – Part I

Almost two years ago we published an article on the “state of blog security” (focused on WordPress), where we checked what percentage of blogs were taking care of their security properly: whether they were running an up-to-date WordPress, and a few other things. You can read the whole article here (note that the formatting is very bad).

We decided to redo this test a few weeks ago and check the current state of WordPress security. How many blogs are following the security guidelines and protecting their sites?

To get started, we scanned the top 36,299 self-hosted WordPress sites (according to Alexa) and checked all their versions. Note that we did this check a few days before 3.1.1 was released, so it is not included here.

Table 1: WordPress Version Usage

  Version    Sites   Share
  v2.7.1       453    1.5%
  v2.8.6       545    1.5%
  v2.9.1       581    1.5%
  v2.8.4       733      2%
  v3.0       1,253      3%
  v3.0.3     1,945      5%
  v2.9.2     2,437      6%
  v3.0.5     2,661      7%
  v3.0.4     3,392      9%
  v3.0.1     4,181     11%
  v3.1      15,893     43%

These numbers are very good and they impressed us. Almost 82% of the sites were running version 3.0 or 3.1, and 43% had upgraded to the latest version! I think this is due to the easy, automated upgrade option built into WordPress, which lets anyone update with a single click (and upgrades are backwards compatible).

Grouping the sites by major version makes it clear how good these numbers are:

Table 2: WordPress Major Version Usage

  Version    Sites   Share
  v2.7         711      1%
  v2.8       1,663      4%
  v2.9       3,018      8%
  v3.0      13,858     38%
  v3.1      15,893     43%

Compared to other web applications (such as Joomla and MediaWiki), WordPress is leading the pack when it comes to keeping its users on the latest version.

The bad news is that almost 20% of self-hosted WordPress users are still running old, insecure versions of WordPress. These are sites that rank well on Alexa and have good PageRank too. We fear that if we started scanning less popular sites, the numbers would be much worse.

If you have any question, let us know.

This is the full data dump if you want to do further analysis:

  Sites   Version
     19   WordPress 2.1.3
     21   WordPress 2.3.2
     24   WordPress 2.0.4
     30   WordPress 2.2.2
     30   WordPress 2.3.1
     31   WordPress 2.2
     35   WordPress 2.3.3
     39   WordPress 2.2.1
     44   WordPress 2.8.1
     52   WordPress 2.6.1
     57   WordPress 2.5
     59   WordPress 2.6.3
     61   WordPress 2.8.3
     67   WordPress 2.6.5
     84   WordPress 2.6
     95   WordPress 2.8.2
    103   WordPress 2.6.2
    139   WordPress 2.5.1
    145   WordPress 2.8
    160   WordPress 2.9
    246   WordPress 2.8.5
    258   WordPress 2.7
    426   WordPress 3.0.2
    453   WordPress 2.7.1
    545   WordPress 2.8.6
    581   WordPress 2.9.1
    733   WordPress 2.8.4
  1,253   WordPress 3.0
  1,945   WordPress 3.0.3
  2,437   WordPress 2.9.2
  2,661   WordPress 3.0.5
  3,392   WordPress 3.0.4
  4,181   WordPress 3.0.1
 15,893   WordPress 3.1
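As an added example (not code from the original post), the following Python parses the dump above, recomputes the totals per major branch and the share of sites on a branch older than a chosen one, so the grouped figures can be checked against the tables. It assumes the dump's "count WordPressX.Y.Z" entry layout and treats versions as numeric tuples so that 3.0.5 sorts below 3.1.

```python
import re
from collections import Counter

# The post's full data dump, copied verbatim (site count, then "WordPress" + version).
# Entries are packed several per line here; the regex below ignores line breaks.
DUMP = """
19 WordPress2.1.3   21 WordPress2.3.2   24 WordPress2.0.4   30 WordPress2.2.2
30 WordPress2.3.1   31 WordPress2.2     35 WordPress2.3.3   39 WordPress2.2.1
44 WordPress2.8.1   52 WordPress2.6.1   57 WordPress2.5     59 WordPress2.6.3
61 WordPress2.8.3   67 WordPress2.6.5   84 WordPress2.6     95 WordPress2.8.2
103 WordPress2.6.2  139 WordPress2.5.1  145 WordPress2.8    160 WordPress2.9
246 WordPress2.8.5  258 WordPress2.7    426 WordPress3.0.2  453 WordPress2.7.1
545 WordPress2.8.6  581 WordPress2.9.1  733 WordPress2.8.4  1253 WordPress3.0
1945 WordPress3.0.3 2437 WordPress2.9.2 2661 WordPress3.0.5 3392 WordPress3.0.4
4181 WordPress3.0.1 15893 WordPress3.1
"""

# Also tolerates a space between "WordPress" and the version number.
ENTRY = re.compile(r"(\d+)\s+WordPress\s*(\d+(?:\.\d+)*)")


def parse_version(v):
    """'3.0.1' -> (3, 0, 1); tuples compare numerically, so (3, 0, 5) < (3, 1)."""
    return tuple(int(p) for p in v.split("."))


def parse_dump(text):
    """Return {version_string: site_count} from the dump, whatever its line layout."""
    return {ver: int(n) for n, ver in ENTRY.findall(text)}


def major_groups(counts):
    """Collapse point releases into major.minor branches, e.g. 3.0.4 -> '3.0'."""
    groups = Counter()
    for ver, n in counts.items():
        major, minor = parse_version(ver)[:2]
        groups[f"{major}.{minor}"] += n
    return dict(groups)


def outdated(counts, branch):
    """(count, share) of sites running anything older than the given branch."""
    floor = parse_version(branch)
    total = sum(counts.values())
    old = sum(n for v, n in counts.items() if parse_version(v) < floor)
    return old, old / total


if __name__ == "__main__":
    counts = parse_dump(DUMP)
    for branch, n in sorted(major_groups(counts).items(), key=lambda kv: parse_version(kv[0])):
        print(f"v{branch:<5} {n:>6}")
    print("older than 3.0: %d sites (%.1f%%)" % outdated(counts, "3.0"))
```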

About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.