
European web security in 2026: what early observations reveal

HTTPS, security headers, WordPress exposure, GDPR compliance: a baseline before the Orilyt 2026 barometer is published on June 16.

Key takeaways
  • HTTPS is now near-universal on sites worldwide, but HSTS, CSP and the other security headers remain confined to a minority.
  • WordPress powers over 40% of the web and remains the prime target of automated attacks against its plugins and version-revealing files.
  • The Orilyt barometer, published on June 16, 2026, will measure five European panels (.fr, .de, .es, .be, .ch) on these criteria.

For ten years, web security has lived in a paradox. Fundamentals like HTTPS have become near-universal, and GDPR compliance has restructured the entire advertising ecosystem. But as these basics spread, advanced practices like HSTS, CSP, or fine-grained permission control have remained the preserve of a minority of sites.

Meanwhile, attacks have shifted toward the supply chain and the configuration surface: vulnerable plugins, compromised third-party scripts, leaked configuration. WordPress, which now powers a majority share of CMS-based sites worldwide, remains the favorite target of automated botnets.

This article takes stock of major web security indicators worldwide in 2026, based on widely recognized public sources. It sets the context before the publication, on June 16, 2026, of the Orilyt barometer that will measure these same criteria across five distinct European panels.

[Illustration: European web security 2026 indicators (HTTPS, HSTS, CSP, WordPress, GDPR) and the countdown to the Orilyt barometer on June 16]

Why talk about security now?

Three concurrent factors make the state of web security a topical question in 2026: European regulatory pressure, the sophistication of automated attacks, and the persistent audit gap across SMBs and local governments.

The 2026 context: NIS2, DSA and stronger obligations

The NIS2 directive, which member states were required to transpose into national law by October 2024, considerably broadens the perimeter of entities required to maintain a cybersecurity baseline. Beyond the operators of essential services already covered by the first NIS directive, it now reaches digital service providers, hosting providers, and more broadly any medium-sized organization whose activity depends on digital infrastructure.

The Digital Services Act (DSA), fully applicable since February 2024, adds obligations for online platforms, including a ban on deceptive interface design (dark patterns) and content moderation duties. For medium-sized editorial or e-commerce sites, this reinforces the need for regular compliance audits.

This regulatory pressure changes the perception of web security. What was previously a topic for large accounts is becoming a basic requirement for any organization exposed online, including the SMB hosting a blog or the local government with an institutional site.

What we already know from global data

The HTTP Archive Web Almanac, published annually from a crawl of over 16 million sites, is the reference source for measuring annual evolution of web practices. In its 2024 edition, it confirmed that about 93% of pages loaded on mobile and 96% on desktop are served via HTTPS.

The Mozilla Observatory, complemented by BuiltWith and W3Techs data, gives a finer view. HSTS is implemented on only 25 to 30% of major sites depending on the source. Content-Security-Policy in a form that actually restricts script sources stays below 15%. Other headers (Permissions-Policy, X-Content-Type-Options, Referrer-Policy) vary between 30 and 60% depending on measurement method.

This global data is a good reference, but it aggregates sites of all sizes and geographies. The legitimate question becomes: what about European sites specifically, which operate under specific regulatory pressure?

Why a European focus is missing in the current landscape

Existing barometers focus either on the world top (Tranco top 1 million, Alexa before it), or on individual English-speaking countries. There are few studies rigorously comparing technical practices between European countries on a broad sample.

It is precisely this gap that the Orilyt barometer, published on June 16, 2026, intends to fill. Five independent national panels were scanned on 12 homogeneous technical criteria, allowing for the first time a direct comparison on the state of security, performance, and compliance.

Pending this publication, let us look at what global public data already tells us about the main open fronts, and where the blind spots lie for agencies and freelancers auditing sites daily.

HTTPS: a settled basic, really?

HTTPS has become a given in common discourse, but its complete implementation remains imperfect. The padlock presence says nothing about the quality of the underlying configuration.

HTTPS near-universal on active sites

The 2024 HTTP Archive Almanac figures are unambiguous: 93% of mobile pages and 96% of desktop pages are now served over HTTPS. The generalization of Let's Encrypt since 2016 and its native integration by mainstream hosting providers has tipped the web into an era where unencrypted HTTP is a technical anomaly.

This near-universality nonetheless hides fragilities. Expired certificates, renewals that silently fail, and servers that send an incomplete chain (a missing intermediate) remain observable on less-maintained sites. Forgotten HTTP-to-HTTPS redirects, or worse, subdomains not covered by the certificate, create blind spots hard to detect without a dedicated tool.

On the long tail of nonprofit sites, local governments, and SMBs, the coverage rate remains noticeably lower than top-1000 averages. It is precisely this long tail that agencies and freelancers audit daily, where the gap with standards remains most marked.

HSTS, still largely absent from the landscape

HTTP Strict Transport Security (HSTS) is a response header that tells browsers to use HTTPS exclusively for a domain, for a configurable duration (max-age). Once a browser has seen it, it rewrites every http:// request to https:// before sending anything, which closes the door to downgrade attacks toward HTTP. The caveat is that the protection starts only after a first HTTPS visit: the very first plain-HTTP request remains exposed unless the domain is on the browsers' preload list.

Despite being trivial to deploy, HSTS remains implemented on only 25 to 30% of sites according to the HTTP Archive Almanac. On unmaintained WordPress sites it is often forgotten in the deployment chain, and many otherwise secure configurations stop at the HTTPS redirect without ever sending the header.

To go further on this practice and its implications, see our guide on SSL certificates and HTTPS, which details the two most critical tests to run in any professional audit.

Mixed content and expired certificates, the blind spots

Mixed content refers to HTTP resources loaded on an HTTPS page. It is one of the most frequent causes of browser warnings on sites that have nonetheless migrated to HTTPS. Browsers block active mixed content (scripts, stylesheets, iframes) outright, so a single old http:// script reference can break a feature; passive content such as images is upgraded or shown with a downgraded security indicator, depending on the browser. Either way the page no longer presents as fully secure.

The second blind spot is expired certificates, frequent on staging subdomains, forgotten internal APIs, or barely monitored secondary sites. Without automated alerting, these incidents go unnoticed until a visitor reports them.

A professional audit must systematically verify these two points, which are rarely present in free consumer tools. It is one of the reasons a multi-dimensional audit retains its value against a simple PageSpeed test.
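The two blind spots above can be checked with standard-library Python. The block below is an added example, not Orilyt's code and not part of the original article: find_mixed_content() scans an HTML document for http:// subresources and separates the ones browsers block from the ones they merely flag, and cert_days_remaining() turns the dict that Python's ssl module returns for a live connection into days before expiry (fetch_peer_cert() makes that live call and needs network; everything else runs offline). The sample page, the hostnames and the certificate date are constructed.

```python
"""Added example (not Orilyt's code): two HTTPS checks the padlock does not cover,
standard library only. Sample page, hostnames and dates are constructed."""
import socket
import ssl
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose plain-HTTP sources a browser refuses to load on an HTTPS page.
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed"}
URL_ATTRS = ("src", "href", "data")


class _SubresourceCollector(HTMLParser):
    """Collect (tag, absolute URL) for every subresource the page loads."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":  # navigation links are not subresources
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheets are fetched; rel=canonical/alternate are not
        for name in URL_ATTRS:
            value = attrs.get(name)
            if value:
                self.found.append((tag, urljoin(self.page_url, value.strip())))


def find_mixed_content(html, page_url):
    """Return {'active': [...], 'passive': [...]}: http:// subresources of an
    HTTPS page. Protocol-relative (//host/x) and https:// URLs are not mixed."""
    collector = _SubresourceCollector(page_url)
    collector.feed(html)
    result = {"active": [], "passive": []}
    for tag, url in collector.found:
        if urlsplit(url).scheme == "http":
            result["active" if tag in ACTIVE_TAGS else "passive"].append(url)
    return result


def cert_days_remaining(peercert, now=None):
    """Days until notAfter for a getpeercert() dict; negative if already expired.
    `now` is an epoch timestamp, defaulting to the current UTC time."""
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    return int((not_after - now) // 86400)


def fetch_peer_cert(host, port=443, timeout=5):
    """Live check (network): TLS handshake with default verification. An expired
    certificate or an incomplete chain raises ssl.SSLCertVerificationError here,
    which is exactly the finding an audit wants to surface."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample page: a site migrated to HTTPS with leftovers.
SAMPLE_PAGE_URL = "https://example.test/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/theme.css">
<link rel="canonical" href="http://example.test/">
<script src="https://cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/old-analytics.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<img src="//img.example.test/hero.png">
<iframe src="/embed/video"></iframe>
<a href="http://example.test/about">About</a>
</body></html>"""


if __name__ == "__main__":
    mixed = find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL)
    print("blocked (active):", mixed["active"])
    print("flagged (passive):", mixed["passive"])
    # Constructed getpeercert() excerpt; the real dict carries more keys.
    print("days left:", cert_days_remaining({"notAfter": "Jun 16 00:00:00 2026 GMT"}))
```

In an audit, run find_mixed_content() on the HTML returned by the HTTPS URL: a non-empty active list is guaranteed breakage, a non-empty passive list a guaranteed warning. fetch_peer_cert() verifies the chain against the system trust store, so an incomplete chain surfaces as an exception rather than a number, which is the right outcome for the check described above.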

Security headers, still the poor relation

Beyond HTTPS, HTTP security headers form a second line of defense widely underexploited. Their correct configuration has become the marker of a site managed by a serious technical team.

CSP, the poorly implemented puzzle

Content-Security-Policy (CSP) is the most powerful header against injection of malicious scripts. Properly configured, it blocks any JavaScript execution not explicitly authorized, which turns an injected script into a blocked request. Poorly configured, it breaks the site without protecting anything.

This implementation difficulty explains its low adoption rate: less than 15% of sites have a structured CSP according to public sources. Many settle for a policy in report-only mode (which logs violations but blocks nothing), or for a script-src that allows 'unsafe-inline' or a wildcard source, which is precisely what an injected script needs. Such a policy is present but does not reduce real risk.

On WordPress, putting a CSP in place requires inventorying the external sources the site loads (Google Fonts, Google Tag Manager, video platforms), which goes beyond the scope of a standard audit. It is typically the workstream agencies propose as a billable upgrade engagement.
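The failure modes just described can be caught mechanically before a policy goes live. The following block is an added example, not Orilyt's code or a tool from the article: assess_csp() parses a policy and reports report-only mode, 'unsafe-inline' in script-src without a nonce or hash, wildcard or bare-scheme script sources, 'unsafe-eval', an object-src that is not 'none', and a missing base-uri; external_script_hosts() extracts the third-party script origins the policy allows, which is the inventory a WordPress site has to build. The two policies are constructed, and the nonce is a placeholder that a real server must generate fresh for every response.

```python
"""Added example (not Orilyt's code): a small CSP assessor for the failure modes
in the text. Policies below are constructed; the nonce is a placeholder."""
from urllib.parse import urlsplit

NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy):
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}"""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives.setdefault(parts[0].lower(), []).extend(parts[1:])
    return directives


def fetch_sources(directives, name):
    """Fetch directives (script-src, object-src, ...) fall back to default-src;
    base-uri and frame-ancestors do not, so those are read directly."""
    return directives.get(name, directives.get("default-src", []))


def assess_csp(policy, report_only=False):
    """Return a list of findings; an empty list means none of the checked
    weaknesses is present (not a proof that the policy is complete)."""
    findings = []
    if report_only:
        findings.append("report-only: violations are logged, nothing is blocked")
    d = parse_csp(policy)
    scripts = fetch_sources(d, "script-src")
    if "script-src" not in d and "default-src" not in d:
        findings.append("neither script-src nor default-src: scripts are unrestricted")
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in scripts)
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' with no nonce/hash: inline injection is not blocked")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src allows 'unsafe-eval'")
    for src in scripts:
        if src in ("*", "http:", "https:", "data:"):
            findings.append(f"script-src source {src} allows scripts from any origin")
    if fetch_sources(d, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none': <object>/<embed> can load executable content")
    if "base-uri" not in d:
        findings.append("base-uri missing: an injected <base> can redirect relative script URLs")
    return findings


def external_script_hosts(policy):
    """Hostnames (no keywords, no schemes, no wildcard) allowed as script sources."""
    hosts = set()
    for src in fetch_sources(parse_csp(policy), "script-src"):
        if src.startswith("'") or src.endswith(":") or src == "*":
            continue  # keyword ('self', 'nonce-...'), scheme (https:) or wildcard
        hosts.add(urlsplit(src if "://" in src else "//" + src).hostname or src)
    return sorted(hosts)


# Constructed: what a "we set a CSP" checkbox often produces.
PERMISSIVE = "default-src * 'unsafe-inline' 'unsafe-eval'; img-src * data:"

# Constructed: a nonce-based policy for a WordPress site loading Tag Manager,
# Google Fonts and YouTube embeds. 'unsafe-inline' in style-src is a common
# compromise for theme CSS; the checks above concern script execution only.
STRICT = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-PLACEHOLDER' https://www.googletagmanager.com; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
    "font-src 'self' https://fonts.gstatic.com; "
    "img-src 'self' data: https://i.ytimg.com; "
    "frame-src https://www.youtube.com; "
    "object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
)

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("strict", STRICT)):
        print(name, "->", assess_csp(policy) or "no findings")
        print("  third-party script hosts:", external_script_hosts(policy))
```

The usual path is to deploy STRICT-style policies as Content-Security-Policy-Report-Only first, run external_script_hosts() against what the inventory actually found, and only then switch the header name to Content-Security-Policy; assess_csp() is there to stop the report-only stage from becoming permanent.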

Permissions-Policy, X-Frame-Options, Referrer-Policy

Three other less-known but simple-to-activate headers: Permissions-Policy (formerly Feature-Policy) restricts the browser features a page and its embedded frames may use (camera, microphone, geolocation), X-Frame-Options prevents clickjacking by forbidding framing (its modern replacement is the CSP frame-ancestors directive, which takes precedence when both are present), and Referrer-Policy limits how much of the URL leaks to third-party sites. All three take a few lines in the server configuration.

According to HTTP Archive, these headers are present on 30 to 60% of major sites, but their values are often left at whatever a plugin or template shipped, without being adapted to the site. An audit must therefore assess not only presence but also the relevance of the values.
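Assessing values rather than presence, for HSTS as discussed two sections up and for the three headers in this one, is a few comparisons per header. The block below is an added example, not Orilyt's code: audit_headers() takes a response's header dict and grades HSTS max-age against the one-year floor the preload list requires (plus includeSubDomains), X-Content-Type-Options against the exact value nosniff, Referrer-Policy against values that send the full URL cross-origin, Permissions-Policy for presence, and framing protection via either CSP frame-ancestors or X-Frame-Options DENY/SAMEORIGIN. The two header sets are constructed, not measured on any real site.

```python
"""Added example (not Orilyt's code): grade security header values from a
response's header dict. The two header sets are constructed."""

ONE_YEAR = 31536000  # seconds; minimum max-age accepted by hstspreload.org
LEAKY_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}


def parse_hsts(value):
    """'max-age=63072000; includeSubDomains; preload' ->
    {'max-age': 63072000, 'includesubdomains': True, 'preload': True}"""
    out = {"max-age": None, "includesubdomains": False, "preload": False}
    for token in value.split(";"):
        token = token.strip().lower()
        if token.startswith("max-age="):
            digits = token.split("=", 1)[1].strip().strip('"')
            if digits.isdigit():
                out["max-age"] = int(digits)
        elif token in ("includesubdomains", "preload"):
            out[token] = True
    return out


def audit_headers(headers):
    """headers: response header name -> value (any case). Returns a list of
    (header, finding) pairs; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security",
                         "missing: only the redirect protects each first request"))
    else:
        p = parse_hsts(hsts)
        if p["max-age"] is None or p["max-age"] < ONE_YEAR:
            findings.append(("Strict-Transport-Security",
                             f"max-age {p['max-age']} is below one year ({ONE_YEAR})"))
        if not p["includesubdomains"]:
            findings.append(("Strict-Transport-Security",
                             "includeSubDomains absent: subdomains stay reachable over HTTP"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "must be exactly 'nosniff'"))

    rp = h.get("referrer-policy", "").strip().lower()
    if not rp:
        findings.append(("Referrer-Policy", "missing: the browser default applies"))
    elif rp in LEAKY_REFERRER:
        findings.append(("Referrer-Policy", f"'{rp}' sends the full URL to third parties"))

    if not h.get("permissions-policy", "").strip():
        findings.append(("Permissions-Policy",
                         "missing: camera, microphone, geolocation etc. are not restricted"))

    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "").lower()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("X-Frame-Options",
                         "no frame-ancestors and no DENY/SAMEORIGIN: the page can be framed"))
    return findings


# Constructed: a site that "has the headers" but left them at token values.
DEFAULT_VALUES = {
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "X-Frame-Options": "ALLOW-FROM https://partner.example.test",  # obsolete, ignored by browsers
}

# Constructed: the same headers with values an audit would accept.
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Content-Security-Policy": "frame-ancestors 'self'",
}

if __name__ == "__main__":
    for label, hdrs in (("default values", DEFAULT_VALUES), ("hardened", HARDENED)):
        print(label)
        for header, finding in audit_headers(hdrs) or [("-", "no findings")]:
            print(f"  {header}: {finding}")
```

The DEFAULT_VALUES set is the pattern the text describes: every header a scanner counts as "present" is there, and five findings come back anyway. Note that a max-age below one year is also what keeps a domain off the preload list, so the HSTS check doubles as a preload-readiness check.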

Our practical guide to HTTP security headers details recommended values for each case and classic pitfalls to avoid on WordPress sites.

The gap between top 1000 and long tail

All public data shows the same phenomenon: sites in the world top 1000 are significantly better configured than the average site. The presence percentage of advanced headers is often two to three times higher on high-traffic sites.

This dichotomy reveals a concrete imbalance: security technical practices are concentrated in the structured IT teams of large enterprises, while most of the web consists of SMB, nonprofit, or institutional sites that have no access to these skills.

This is precisely the role of freelancers, web agencies, and audit platforms like Orilyt: to bring these security standards to sites that have neither the budget nor the know-how to implement them alone. The June 16 barometer will measure the extent of this gap on European panels.

WordPress: the #1 target and its weak signals

WordPress now powers over 40% of websites worldwide according to W3Techs. This dominance mechanically makes it the prime target of automated botnets that constantly scan for vulnerable versions and exposed plugins.

WordPress market share in 2026

W3Techs figures in early 2026 place WordPress around 43% of websites worldwide and 62% of sites using an identifiable CMS. These shares continue to slowly grow, despite competition from dedicated e-commerce solutions like Shopify and the rise of headless frameworks.

This dominance mechanically concentrates attackers' efforts on the WordPress ecosystem. Automated scans seeking vulnerable versions, compromised plugins, or lax configurations represent a major share of malicious traffic observed by modern WAFs (Web Application Firewall).

For freelancers and agencies maintaining WordPress sites, this reality changes the nature of the work. Maintenance is no longer optional; it has become a condition of survival for sites exposed online.

Readme and install version exposure

Three WordPress artifacts are classic indicators of a poorly maintained site: readme.html, which prints the installed version; wp-admin/install.php, which stays reachable on installed sites (and, on an installation that was never completed, lets anyone finish the setup); and directory listing on wp-content/uploads/. The version is also announced in the generator meta tag WordPress adds to every page by default. Their presence often correlates with an obsolete or rarely watched site.
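These signals are cheap to check from the outside. The block below is an added example, not Orilyt's scanner: check_wordpress_exposure() requests the three artifacts plus the homepage generator tag through an injectable fetch(url) -> (status, body) function, so the logic runs offline against constructed responses (the hostnames are hypothetical and the version numbers arbitrary); urllib_fetch() is the live version.

```python
"""Added example (not Orilyt's code): probe WordPress exposure signals from a
base URL. SAMPLE_RESPONSES are constructed; the hostname is hypothetical."""
import re
import urllib.error
import urllib.request

README_VERSION = re.compile(r"Version\s+(\d+\.\d+(?:\.\d+)?)", re.I)
GENERATOR_META = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+(\d+\.\d+(?:\.\d+)?)', re.I
)


def urllib_fetch(url, timeout=10):
    """Live fetch (network). Redirects are followed; errors become a status."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def check_wordpress_exposure(base_url, fetch=urllib_fetch):
    """Return a dict of signal -> description; an empty dict means none of the
    checked files or markers is exposed."""
    base = base_url.rstrip("/") + "/"
    findings = {}

    status, body = fetch(base)
    m = GENERATOR_META.search(body) if status == 200 else None
    if m:
        findings["generator meta"] = f"homepage announces WordPress {m.group(1)}"

    status, body = fetch(base + "readme.html")
    if status == 200 and "wordpress" in body.lower():
        m = README_VERSION.search(body)
        findings["readme.html"] = ("reachable, reveals version " + m.group(1)) if m else "reachable"

    status, body = fetch(base + "wp-admin/install.php")
    if status == 200:
        if "already installed" in body.lower():
            findings["install.php"] = "reachable (confirms WordPress; should be blocked)"
        else:
            findings["install.php"] = "setup wizard reachable: installation never completed"

    status, body = fetch(base + "wp-content/uploads/")
    if status == 200 and "index of" in body.lower():
        findings["uploads listing"] = "directory listing enabled on wp-content/uploads/"
    return findings


# Constructed responses for an offline run; version numbers are arbitrary.
SAMPLE_RESPONSES = {
    "https://example.test/": (200, '<html><head><meta name="generator" content="WordPress 6.2.2" /></head></html>'),
    "https://example.test/readme.html": (200, '<h1 id="logo"><img alt="WordPress" /><br /> Version 6.2.2</h1>'),
    "https://example.test/wp-admin/install.php": (200, "<p>You appear to have already installed WordPress.</p>"),
    "https://example.test/wp-content/uploads/": (200, "<title>Index of /wp-content/uploads/</title>"),
}


def sample_fetch(url):
    """Offline stand-in for urllib_fetch: anything unknown is a 404."""
    return SAMPLE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    for signal, detail in check_wordpress_exposure("https://example.test", fetch=sample_fetch).items():
        print(f"{signal}: {detail}")
```

Only unauthenticated GET requests to documented paths are sent, which keeps the check within what an external audit may do without permission. The remediation is the same for all four signals: delete readme.html on deploy, deny wp-admin/install.php at the web server, disable autoindex on uploads, and remove the generator tag from wp_head.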

HTTP Archive and public databases do not systematically measure these WordPress-specific indicators, but quarterly reports from Wordfence and Patchstack confirm that a significant share of audited WordPress sites display at least one of these weak signals.

Our operational guide to securing a WordPress site details the verifications to perform and the quick fixes to apply in an audit or maintenance contract.

Vulnerable plugins, the weak link

The WPScan database maintains a catalog of many thousand vulnerabilities affecting WordPress plugins, some with critical CVSS scores. Attackers industrialize exploitation: as soon as a CVE is published, mass scans look for unpatched sites within hours.

The automatic update mechanism for plugins and themes introduced in WordPress 5.5 has reduced the exposure window, but it is opt-in per plugin, and many agencies deliberately keep it off for fear of regressions. The result is an inventory of still-vulnerable sites, audit after audit.
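The monitoring the next paragraph calls for starts with an inventory, and a page's own HTML supplies most of it: WordPress enqueues plugin assets as /wp-content/plugins/<slug>/...?ver=<version>. The block below is an added example, not Orilyt's code: inventory_plugins() collects slug -> version from that HTML and flag_outdated() compares the result with an advisory feed given as {slug: first_fixed_version}. The page excerpt, the plugin slugs and the advisory entries are constructed; they are not real plugins and not real CVEs (a real feed would be built from WPScan or Patchstack data).

```python
"""Added example (not Orilyt's code): plugin inventory from enqueued asset URLs
and comparison with an advisory feed. Slugs, versions and advisories below are
constructed, not real plugins or CVEs."""
import re

PLUGIN_ASSET = re.compile(
    r"/wp-content/plugins/([A-Za-z0-9_-]+)/[^\"'\s>]*?[?&]ver=([0-9][0-9A-Za-z.\-]*)"
)


def version_key(version):
    """'1.10.2' -> (1, 10, 2) so that 1.10 sorts after 1.9. Parsing stops at the
    first non-numeric component, so '2.0-beta' compares as 2.0."""
    nums = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        nums.append(int(piece))
    return tuple(nums)


def inventory_plugins(html, core_version=None):
    """slug -> version seen in ?ver=. When a plugin enqueues assets without its
    own version, WordPress appends the core version instead; those entries are
    dropped when core_version is given, because they say nothing about the plugin."""
    found = {}
    for slug, version in PLUGIN_ASSET.findall(html):
        if core_version and version == core_version:
            continue
        found.setdefault(slug, version)
    return found


def flag_outdated(inventory, advisories):
    """[(slug, installed, fixed_in)] for every plugin below its fix version."""
    flagged = []
    for slug, installed in sorted(inventory.items()):
        fixed_in = advisories.get(slug)
        if fixed_in and version_key(installed) < version_key(fixed_in):
            flagged.append((slug, installed, fixed_in))
    return flagged


# Constructed page excerpt with hypothetical plugin slugs.
SAMPLE_HTML = """
<link rel="stylesheet" href="https://example.test/wp-content/plugins/example-forms/css/front.css?ver=3.4.1">
<script src="https://example.test/wp-content/plugins/example-forms/js/front.min.js?ver=3.4.1"></script>
<script src="https://example.test/wp-content/plugins/example-gallery/assets/gallery.js?ver=1.10"></script>
<script src="https://example.test/wp-content/plugins/example-seo/build/index.js?ver=2.0.0"></script>
<script src="https://example.test/wp-content/plugins/example-unversioned/main.js?ver=6.5.2"></script>
<script src="https://example.test/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
"""

# Constructed advisory feed: slug -> first version that carries the fix.
SAMPLE_ADVISORIES = {"example-forms": "3.5.0", "example-gallery": "1.9", "example-seo": "1.8.3"}

if __name__ == "__main__":
    inventory = inventory_plugins(SAMPLE_HTML, core_version="6.5.2")
    print("installed:", inventory)
    for slug, installed, fixed_in in flag_outdated(inventory, SAMPLE_ADVISORIES):
        print(f"UPDATE {slug}: {installed} installed, fixed in {fixed_in}")
```

Two limits worth keeping in mind: a plugin that enqueues nothing on the front end stays invisible to this method (an authenticated inventory from the dashboard is complete), and the numeric comparison in version_key() is deliberate, since a string comparison would rank 1.9 above 1.10 and miss exactly the update that matters.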

On an agency portfolio, weekly monitoring that detects these flaws before the client does is the concrete difference between a freelancer delivering a one-off engagement and a partner ensuring professional maintenance. The June 16 barometer will measure WordPress exposure by European country.

GDPR and compliance: where do European sites really stand?

GDPR came into force in 2018. Eight years later, its application remains deeply heterogeneous across countries and sectors. Cookie banners have become the most visible terrain of this compliance, but the depth of implementation remains highly variable.

Third-party cookies and consent banners

The ePrivacy directive, read together with GDPR, requires prior consent before any cookie that is not strictly necessary is set. In theory, every European site is concerned. In practice, implementations range from strictly compliant banners to dark patterns that extract consent through fatigue.

Audits by the CNIL and its European counterparts (the national supervisory authorities under GDPR) have regularly led to sanctions against major, poorly configured sites since the end of 2020. But sanctions remain rare on the long tail, which explains the persistence of non-compliant banners on many SMB sites.

Compliant banners versus dark patterns

Three criteria distinguish a compliant banner: refusing must be as easy as accepting, the user's choice must be remembered, and no tracking script or cookie may be loaded before consent. Many banners fail on at least one of the three.

For a detailed view of verification points and acceptable tools (Axeptio, Tarteaucitron, Didomi), see our guide on GDPR and cookies.

The June 16 barometer will measure the apparent compliance rate of each national panel, from a technical signature observable from the outside, without setting a cookie.
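The third criterion above is the one an external scanner can test without accepting anything, from the first response of a page. The block below is an added example, not Orilyt's measurement code: find_pre_consent_trackers() looks for scripts from tracking hosts loaded as ordinary <script> tags rather than held back by the consent tool (CMPs typically neutralise them with a non-JS type such as type="text/plain" until consent), and for tracking cookies set by that same response. The host and cookie-name lists are short illustrative sets, and the sample HTML and Set-Cookie headers are constructed.

```python
"""Added example (not Orilyt's code): detect tracking that starts before consent
from a page's first response. Tracker lists are illustrative; the sample HTML
and headers are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRACKER_HOSTS = {
    "www.google-analytics.com", "www.googletagmanager.com",
    "connect.facebook.net", "static.hotjar.com",
}
TRACKER_COOKIE_PREFIXES = ("_ga", "_gid", "_fbp", "_hj")
# Script types a browser executes; CMPs park gated scripts under another type.
JS_TYPES = {"", "text/javascript", "application/javascript", "module"}


class _ScriptCollector(HTMLParser):
    """Collect (src, type) for every external <script>."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        if attrs.get("src"):
            self.scripts.append((attrs["src"].strip(), (attrs.get("type") or "").strip().lower()))


def find_pre_consent_trackers(html, set_cookie_headers=()):
    """Return {'scripts': [...], 'cookies': [...]}: tracker scripts that would
    execute on load, and tracking cookies set in the response headers."""
    collector = _ScriptCollector()
    collector.feed(html)
    scripts = [
        src for src, script_type in collector.scripts
        if script_type in JS_TYPES and (urlsplit(src).hostname or "") in TRACKER_HOSTS
    ]
    cookies = []
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        if name.startswith(TRACKER_COOKIE_PREFIXES):
            cookies.append(name)
    return {"scripts": scripts, "cookies": cookies}


# Constructed first response: Tag Manager loads unconditionally, Hotjar is
# held back by the CMP, the WordPress jQuery bundle is not a tracker.
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script type="text/plain" data-cookieconsent="statistics" src="https://static.hotjar.com/c/hotjar-0.js"></script>
<script src="https://example.test/wp-includes/js/jquery/jquery.min.js"></script>
</head><body></body></html>"""
SAMPLE_SET_COOKIE = [
    "_ga=GA1.1.123456.789; Path=/; Max-Age=63072000",
    "PHPSESSID=abc123; Path=/; HttpOnly; Secure",
    "wordpress_test_cookie=WP%20Cookie%20check; Path=/",
]

if __name__ == "__main__":
    report = find_pre_consent_trackers(SAMPLE_HTML, SAMPLE_SET_COOKIE)
    print("tracker scripts executing before consent:", report["scripts"])
    print("tracking cookies set by the server:", report["cookies"])
```

Two caveats for reading the result. Most tracking cookies are set client-side by the scripts themselves, which a static check cannot observe; a headless-browser run of the same page catches those. And a Tag Manager container loaded before consent is a point to verify rather than an automatic failure, since its tags may be gated by consent mode inside the container.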

Legal notices and privacy policy

Beyond cookies, the French law for trust in the digital economy (LCEN) and its European equivalents require the presence of accessible legal notices and a clear privacy policy. These obligations are often forgotten on showcase sites or amateur blogs.

A professional audit must verify the presence and completeness of these pages, ensuring they are accessible from every page of the site. It is a simple but often-missing verification in free audit tools.

For agencies, it is also a direct commercial argument: a non-compliant site exposes its editor to administrative sanctions, and raising this topic in a client meeting turns an audit into a billable upgrade engagement.

What the Orilyt barometer of June 16, 2026 will bring

Global figures provide a frame. But for European agencies auditing sites daily, the real question is: how do European sites rank, country by country, on these security criteria?

Five independent national panels scanned

The Orilyt 2026 barometer scanned five independent national panels drawn from public sectoral databases: .fr (France), .de (Germany), .es (Spain), .be (Belgium), and .ch (Switzerland). Each panel was constituted to reflect the real diversity of the national web fabric, not just the top of the most-visited sites.

This multi-country approach is what was missing from the landscape of existing barometers, focused either on the world top or on a single geography. Direct comparison between five national ecosystems opens unprecedented questions: who masters HTTPS best, who dominates advanced security, where is WordPress exposure concentrated?

Twelve homogeneous technical criteria

All panels were measured on the same technical grid: HTTPS presence, certificate strength, HSTS, CSP, other security headers, WordPress version exposure, compression rate (Gzip/Brotli), mobile-friendly, meta description presence, viewport, legal notices presence, and compliant cookie banner.

This homogeneity is what makes comparison rigorous. Where most studies publish absolute figures hardly comparable between themselves, the Orilyt barometer provides a direct ranking on each criterion, with average rank and country podium.

Why it matters for agencies

For a freelancer or agency auditing client sites, knowing the average state of the national market is a concrete discussion argument. Being able to say "your site is below the French average on 4 out of 12 criteria" makes the conversation tangible, where "your site is not optimal" remains vague.

The Orilyt barometer will be published in open access on June 16, 2026, with a press kit, detailed graphics, and an interactive comparison page allowing positioning of a given site against its national panel average.

Pending this publication, launching an Orilyt audit on a site provides immediate access to a complete diagnosis on the twelve barometer criteria, plus over forty other universal tests and over forty-five CMS-specific tests.

The state of web security in 2026 remains a two-speed landscape. On one side, fundamentals like HTTPS have become near-universal, driven by the generalization of Let's Encrypt and native integration by hosting providers. On the other, advanced practices like HSTS, CSP, or fine-grained header mastery remain the preserve of a minority.

WordPress, which powers over 40% of the web, remains the prime target of automated attacks. Vulnerable plugins and lax configurations fuel a constant inventory of at-risk sites, which agencies and freelancers discover with each audit.

The Orilyt barometer published on June 16, 2026 will bring, for the first time, a rigorous comparison between five European national ecosystems on these criteria. In the meantime, launching a free audit on your site or a client's provides immediate access to an objective measurement of its position on the twelve criteria that structure the analysis.


Your most frequent questions

Why talk about security before the barometer is published?

The Orilyt barometer of June 16, 2026 will cover five specific European national panels (.fr, .de, .es, .be, .ch). This article sets the global context from widely recognized public sources (HTTP Archive, W3Techs, Mozilla Observatory) to allow perspective on upcoming European results. Figures presented here are from public studies and do not reveal the barometer's conclusions.

Which HTTP security headers are most important in 2026?

Five headers structure a modern security configuration: Strict-Transport-Security (HSTS) to force HTTPS, Content-Security-Policy (CSP) to prevent script injection, X-Content-Type-Options to block MIME sniffing, Referrer-Policy to manage URL leakage, and Permissions-Policy to restrict browser features. HSTS and CSP are the two most critical; the other three take a few lines of server configuration.

Is WordPress really more exposed than other CMSs?

In absolute terms, yes, because its market share above 40% makes it the natural target of automated botnets. In relative terms, WordPress security depends essentially on the quality of its maintenance: up-to-date version, monitored plugins, hardened configuration. A well-maintained WordPress is safer than a poorly-coded custom site. The real risk is the absence of maintenance, not the CMS itself.

How do I know if a site is GDPR-compliant from the technical side?

Four basic checks largely answer: the presence of a cookie banner with refusal as easy as acceptance, the absence of tracking scripts set before consent, the presence of an accessible privacy policy, and compliant legal notices. A professional automated audit can detect these points in seconds, but their correction remains background work that often exceeds the simple audit.

Will the Orilyt barometer be published in open access?

Yes. The 2026 barometer will be published on June 16 in open access on orilyt.com, with a complete press kit, detailed graphics by country and criterion, plus an interactive page allowing comparison of a given site to its national panel average. Complete methodology will also be documented to allow reproduction of measurements.
