The WordPress Security Project

In February of 2015 I began a project to investigate the number of prominent vulnerable WordPress sites on the Internet. Because WordPress is the most prolific CMS in the world, and diligence in keeping software up to date is a good indicator of security awareness, I thought that tracking WordPress sites with outdated software would be indicative of the Internet’s general state of security health.

To that end I wrote a Python program to scan the first 250,000 of Alexa’s top million list, and had run it monthly ever since. Although there are obvious inaccuracies introduced by my methodology, the intent here was not to produce an exact tally of vulnerable sites, but to hopefully reveal a trend indicating their diminishing numbers, and I must say that I was quite pleased with the progress throughout.

I was posting the results of the scans in a blog at this site until its most recent incarnation, when I thought it best to consolidate the information into a single page with a single table of results. That table is shown below, listing the date and number of WordPress sites among the sample that were running versions less than 4.0.

Thank you for your interest and I hope to provide many more such projects. And without further ado, here are the results:

Number of sites running WordPress versions < 4.0

Date     Count
2017-04  530
2017-03  621
2017-02  666
2017-01  711
2016-12  588
2016-11  800
2016-10  824
2016-09  859
2016-08  1041
2016-07  1123
2016-06  1144
2016-05  1185
2016-04  1266
2016-03  1381
2016-02  1600
2016-01  1776
2015-12  1849
2015-11  1920
2015-10  2070
2015-09  2318
2015-08  3885
2015-07  4232
2015-06  4751
2015-05  5462
2015-04  6337
2015-03  7122
2015-02  7590