WordPress Hack Statistics (2013)


Written by

Dave Warfel

Reading Time

2 minutes

If you buy something from one of our links, we may earn a commission.

WordPress Hack Statistics

While publishing an article about the new WordPress password generator, I started researching WordPress security. In doing so, I pulled together the following info on WordPress hacks & vulnerabilities.

If you have more stats or resources to add, please let me know in the comments, and I’ll add them to the write-up.

The Ways Hackers Gain Access

There’s an infographic out there that depicts the various ways WordPress sites get hacked. The sources appear to be quite scattered, but let’s assume they are at least somewhat accurate. Here’s what it says about WordPress hacks:

  • 41% were hacked through a security vulnerability on their hosting platform
  • 29% were hacked via a security issue in the WordPress theme they were using
  • 22% were hacked via a security issue in the WordPress plugins they were using
  • 8% were hacked because they had a weak password

I’m not blaming any one group for being more or less responsible for WordPress vulnerabilities, but if these stats are even somewhat accurate, then the bigger security issues lie with third-parties, not WordPress users.

Those numbers add up to 100%, and I don’t see anything on there that cites WordPress core security issues as a culprit. It’s certainly possible that no WordPress hacks have been traced back to bugs in the core code. And WordPress does release security patches very quickly after new releases. Regardless, obviously they are doing a lot of things right in terms of security.

Of those 8% that were hacked because of a weak password, let’s take a look at the data on brute force attacks.

WordPress Bruce Force Attacks

An article from sucuri (April 2013) presents some data on WordPress brute force attacks. By no means does this tell us the entire security story, but it’s a solid start.

  • Top usernames being attacked: admin, Admin, administrator, test, root
  • Top passwords being tried: password, 12345678, 123admin, 123abc, qwerty, and a handful of other common ones

WordPress Vulnerabilities reported by National Vulnerability Database

The government maintains a website that tracks website vulnerabilities. A search for “WordPress Core” over the past 3 months returns 5 results (as of Nov 11, 2013). All 5 were reported on 9/12/2013, after they were fixed with the release of WordPress 3.6.1. Run your own search to view other stats. The reason I cited “WordPress Core” is to eliminate the theme & plugin vulnerabilities, and only look at security issues with the core code.

Props to for the original infographic.

Dave Warfel

LinkedIn  •  X (Twitter)Dave has been working with WordPress since 2011. He's built 100s of client sites and almost a dozen of his own. He's tested almost every plugin you can think of, hosted with at least 10 different companies, and gone down every SEO rabbit hole you can imagine. When's he's not tinkering with new software, you'll find him in the mountains of Colorado, trail running, summiting peaks, and rippin' downhills on his mountain bike. 🏔️🏃🚴🤸

Leave a Comment