In February of 2015 I began a project to investigate the number of prominent vulnerable WordPress sites on the Internet. Because WordPress is the most prolific CMS in the world, and diligence in keeping software up to date is a good indicator of security awareness, I thought that tracking WordPress sites with outdated software would be indicative of the Internet’s general state of security health.
To that end I wrote a Python program to scan the first 250,000 of Alexa’s top million list, and had run it monthly ever since. Although there are obvious inaccuracies introduced by my methodology, the intent here was not to produce an exact tally of vulnerable sites, but to hopefully reveal a trend indicating their diminishing numbers, and I must say that I was quite pleased with the progress throughout.
I was posting the results of the scans in a blog at this site until its most recent incarnation, when I thought it best to consolidate the information into a single page with a single table of results. That table is shown below, listing the date and number of WordPress sites among the sample that were running versions less than 4.0.
Thank you for your interest and I hope to provide many more such projects. And without further ado, here are the results:
Number of sites running WordPress versions < 4.0