Skip to content

86 Percent of WordPress Sites Running Outdated Software

The gist: Around 70 percent of globally monitored WordPress sites run on unsupported software and are increasingly targeted by automated attacks.

A worldwide study by Censys shows that the vast majority of WordPress installations are not running current software versions. Cybercriminals are already actively exploiting these security gaps through automated attacks.

Of over 59 million tracked WordPress sites, only 14 percent use the current version 7.0. Combined with version 6.9, whose support ends in March 2026, only about 31 percent run on an actively maintained version. This means that 69 percent of WordPress installations are operated outside the regular maintenance window.

A critical risk lies in the programming language used: PHP. Over 70 percent of the analyzed systems run on outdated PHP versions. More than 20 percent still rely on PHP 7.4, whose support ended in November 2022. The unsupported PHP 5.6 (support ended 2018) is the second most common version in use. The currently supported version PHP 8.4 is used by only four percent of the examined sites. With plugins like Yoast SEO, only 22 percent of administrators update to the latest version.

In June 2026, Censys documented a defacement campaign in which at least 900 WordPress sites were overwritten with the message “Hacked By MR.GREEN.” GreyNoise sensors identified 70 unique IP addresses actively scanning for outdated xmlrpc.php interfaces—a common entry point for brute-force attacks. Additionally, there are further configuration gaps: open SSH ports without IP restrictions and enabled password authentication on the affected servers.

The main cause of delayed updates lies in compatibility issues. PHP upgrades frequently cause malfunctions with older plugins, which is why administrators postpone updates. Censys recommends rolling out WordPress updates manually and incrementally after testing, rather than using automated rollouts that can jeopardize functionality. PHP versions should be reviewed in cycles of one to three months. PHP 8.6 is expected in November 2026.


Source: www.it-daily.net · Published July 4, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.

Share on: