Almost two years ago we published an article on the “state of blog security” (focused on WordPress) where we checked the percentage of blogs that were taking care of their security properly. We checked if they had WordPress updated and a few other things. You can read the whole article here (note, the formatting is very bad).
We decided to re-do this test a few weeks ago and check the current state of WordPress security. How many blogs are following the security guidelines and protecting their sites?
To get started, we scanned the top 36,299 self-hosted WordPress sites (according to Alexa) and checked all their versions. Note that we did this check a few days before 3.1.1 was released, so it is not included here.
These numbers are very good and they impressed us. Almost 82% of the sites were running versions 3.0 or 3.1, and 43% were upgraded to the latest version! I think this is due to the easy and automated installation option available in WordPress that allows everyone to upgrade with one simple click (plus it’s backwards compatible).
By looking at the major version groups, we can see how good these numbers are:
Compared to other web applications (like Joomla and MediaWiki), WordPress is leading the pack in terms of keeping its users updated to the latest versions.
The bad news is that almost 20% of self-hosted WordPress users are still running old and insecure versions of WordPress. We’re talking about sites well ranked on Alexa and with good PR too. We fear that if we started scanning less popular sites, the numbers would be much worse.
If you have any questions, let us know.
This is the full data dump if you want to do further analysis: