Almost two years ago we published an article on the “state of blog security” (focused on WordPress) where we checked the percentage of blogs that were taking care of their security properly. We checked if they had WordPress updated and a few other things. You can read the whole article here (note, the formatting is very bad).
We decided to re-do this test a few weeks ago and check the current state of WordPress security. How many blogs are following the security guidelines and protecting their sites?
To get started, we scanned the top 36,299 self-hosted WordPress sites (according to Alexa) and checked all their versions. Note that we did this check a few days before 3.1.1 was released, so it is not included here.
| Version | # | % |
|---|---|---|
| v2.7.1 | 453 | 1.5% |
| v2.8.6 | 545 | 1.5% |
| v2.9.1 | 581 | 1.5% |
| v2.8.4 | 733 | 2% |
| v3.0 | 1,253 | 3% |
| v3.0.3 | 1,945 | 5% |
| v2.9.2 | 2,437 | 6% |
| v3.0.5 | 2,661 | 7% |
| v3.0.4 | 3,392 | 9% |
| v3.0.1 | 4,181 | 11% |
| v3.1 | 15,893 | 43% |
These numbers are very good and they impressed us. Almost 82% of the sites were running versions 3.0 or 3.1, and 43% were upgraded to the latest version! I think this is due to the easy and automated installation option available in WordPress that allows everyone to upgrade with one simple click (plus it’s backwards compatible).
By looking at the major version groups, we can see how good these numbers are:
| Version | # | % |
|---|---|---|
| v2.7 | 711 | 1% |
| v2.8 | 1,663 | 4% |
| v2.9 | 3,018 | 8% |
| v3.0 | 13,858 | 38% |
| v3.1 | 15,893 | 43% |
Compared to other web applications (like Joomla, Mediawiki), WordPress is leading the pack in terms of keeping their users updated with their latest versions.
The bad news is that almost 20% of self hosted WordPress users are still running old and unsecure versions of WordPress. We’re talking about sites well ranked on Alexa and with good PR too. We fear that if we started scanning less popular sites, the numbers would be much worse.
If you have any question, let us know.
This is the full data dump if you want to do further analysis:
19 WordPress2.1.3
21 WordPress2.3.2
24 WordPress2.0.4
30 WordPress2.2.2
30 WordPress2.3.1
31 WordPress2.2
35 WordPress2.3.3
39 WordPress2.2.1
44 WordPress2.8.1
52 WordPress2.6.1
57 WordPress2.5
59 WordPress2.6.3
61 WordPress2.8.3
67 WordPress2.6.5
84 WordPress2.6
95 WordPress2.8.2
103 WordPress2.6.2
139 WordPress2.5.1
145 WordPress2.8
160 WordPress2.9
246 WordPress2.8.5
258 WordPress2.7
426 WordPress3.0.2
453 WordPress2.7.1
545 WordPress2.8.6
581 WordPress2.9.1
733 WordPress2.8.4
1253 WordPress3.0
1945 WordPress3.0.3
2437 WordPress2.9.2
2661 WordPress3.0.5
3392 WordPress3.0.4
4181 WordPress3.0.1
15893 WordPress3.1
Denis Sinegubko
Puja Srivastava
Luke Leal
Ahmad Azizan Idris
Kaushal Bhavsar
Pilar Garcia
Marc-Alexandre Montpas
John Castro
1 comment
See this report for breakdown of the full Top 1 Million – http://hackertarget.com/2011/03/web-tech-2011-report/
Finds 11-15% of the Alexa Top 1 Million running WordPress.
Has a breakdown of WordPress, Joomla and Vbulletin Versions plus other data on the Alexa Top 1 Million.
Comments are closed.