Over 80% of WordPress sites are out of date, and hackers are noticing
Skipping WordPress updates is a widespread epidemic, with many admins afraid that something will break. Most sites are running old plugins, unpatched PHP, and outdated core software, and hackers are plowing through them with automated tools, Censys warns.
- Eighty-six percent of WordPress sites are outdated, with only 14% running the latest WordPress version (7.0)
- Many sites rely on end-of-life PHP versions, a practice previously described as “security suicide.”
- Hackers have deployed automated tools to scan for and exploit outdated sites.
“Whenever I bump PHP to the latest version, something on my site breaks, usually some dusty old plugin,” one of the WordPress (WP) admins vented on Reddit. The feeling is universal.
Censys, the cybersecurity search engine, scanned the visible internet and found that most WordPress sites don’t use the latest software versions.
This content management system (CMS) is the most popular, powering approximately 40% of the web.
Over 59 million WordPress sites are visible, deployed across 1 million unique IP addresses.
“Only 14% of publicly visible WordPress sites were on the latest patch of WordPress,” Censys said in a report.
The latest version is WordPress 7.0. Including the sites running WordPress 6.9, which was discontinued on March 20th, 2026, would bump the total population of actively maintained sites to 31%.
WordPress is built on PHP, one of the most popular server-side programming languages. Over 70% of websites rely on outdated PHP, too. Worse still, the largest share of websites, over 20%, still run PHP 7.4, which was deprecated nearly four years ago in November 2022.
Security researchers at Webhostmost.com previously called this practice a “security suicide.”
The second most popular version is PHP 5.6, which is even older and hasn’t received an update since 2018.
The currently supported PHP 8.4 was found on around 4% of websites, and the latest version, 8.5, didn’t make it onto the chart.
Admins are more likely to be running up-to-date WordPress versions alongside end-of-life PHP, Censys noted.
“PHP upgrades are not optional improvements, but critical security patches,” Censys researchers warn.
“This skew toward outdated versions represents a critical security concern for web servers. Not only are older frameworks less efficient, but they’re also more susceptible to vulnerabilities.”
The analyzed sample comprised 316,300 WP PHP sites that didn’t hide version headers, which represented only 0.5% of the total WP sites.
While WP sites with hidden version information might be more likely to be patched, it can also be argued that many admins obscure the issue to reduce opportunistic risks rather than fix the actual problems.
Plugins are outdated, too. Nearly 7.5 million WordPress sites have a listed plugin. One of the most visible is Yoast, which automates SEO for websites and is found on over 5 million sites. Only 22% of sites had the newest release, Censys found.
Hackers running automated scans and defacing outdated websites
The security researchers also warn about the ongoing defacement campaign targeting WordPress sites.
A threat actor is replacing websites’ content with their own message, “Hacked By MR.GREEN.” At least 900 websites were displaying this message in June 2026, Censys found.
GreyNoise sensors flagged 70 IP addresses actively scanning for xmlrpc.php legacy endpoints – URLs WordPress uses to interact with apps and services remotely, which attackers frequently target with brute-force attempts.
Many other misconfigurations and vulnerabilities also affect the sites, such as exposed SSH ports with no IP restrictions and password authentication enabled. These issues compound quickly, leaving websites vulnerable.
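As an added example, not taken from the Censys or GreyNoise reports, the Python snippet below shows how a site admin could spot the xmlrpc.php brute-force pattern described above in web-server access logs. The log lines are constructed, and the threshold of 5 POSTs is an assumed tuning value.

```python
import re
from collections import Counter

# Combined log format as written by Apache/nginx; the sample lines are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2026:08:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421
203.0.113.7 - - [10/Jun/2026:08:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421
203.0.113.7 - - [10/Jun/2026:08:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421
203.0.113.7 - - [10/Jun/2026:08:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421
203.0.113.7 - - [10/Jun/2026:08:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421
198.51.100.4 - - [10/Jun/2026:08:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 5123
198.51.100.4 - - [10/Jun/2026:08:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [10/Jun/2026:08:00:11 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42
192.0.2.9 - - [10/Jun/2026:08:00:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421
"""

def parse(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def xmlrpc_posts_by_ip(log_text):
    """Count POST requests to xmlrpc.php per client IP (query strings are ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/xmlrpc.php"):
            counts[rec["ip"]] += 1
    return counts

def flag_xmlrpc_bruteforce(log_text, threshold=5):
    """Return IPs whose xmlrpc.php POST volume reaches the threshold.

    The threshold is deliberately low: a single XML-RPC request can carry many
    login attempts, so even modest POST counts are worth reviewing.
    """
    return {ip: n for ip, n in xmlrpc_posts_by_ip(log_text).items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in flag_xmlrpc_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} POSTs to xmlrpc.php")
```

Flagged addresses can then be rate-limited or blocked at the web server, and xmlrpc.php itself disabled if no remote client needs it.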
Censys believes that outdated PHP reflects a core problem with CMS architecture – a web service cannot easily support new patches. Meanwhile, PHP itself assumes users are upgrading from only one patch below, which makes upgrading from old versions extremely difficult.
“CMSes are not being designed with older backend frameworks in mind. Rather, they work under the assumption that users have the ability to maintain the latest versions of underlying backend software with no blockers or inhibitions,” the report reads.
“With new patches being released under the constraints of maintained software, updates can cause sites to become dysfunctional, resulting in users delaying updates.”
Therefore, Censys recommends limiting WordPress auto-updates, as they often break site functionality and cause compatibility issues. Only update WordPress to well-established, trusted major versions manually after testing, and don’t forget plugins.
Still, Censys urges admins to update PHP on the same patch cycle, check for updates every 1-3 months, and apply any critical releases as soon as possible. The next PHP version, 8.6, rolls out in November 2026.