The State of WordPress Security in 2026: Lessons from 10,000 Audits
Aggregated, anonymized data — the numbers every freelancer and agency should know before talking security with their clients.
- 72% of WordPress sites publicly expose their version number — a trivial fix that eliminates a key targeting signal for attackers
- Plugin vulnerabilities account for 52% of all WordPress security issues identified in audits
- Most fixes take less than 30 minutes — the problem is not technical complexity, it's visibility
When you audit thousands of WordPress sites, patterns emerge. Not theories — numbers. Real URLs, real configurations, real mistakes that repeat in a predictable way from one site to the next.
This article presents aggregated, anonymized data from the analysis of WordPress sites in 2026. The goal is not to point fingers at site owners, but to document the real state of WordPress security in practice — far from marketing narratives and generic check-lists.
For freelancers and web agencies, these numbers are gold. They transform an abstract conversation about "security" into factual, concrete arguments that are hard for a potential client to ignore.
The big picture: WordPress, the web's primary target
WordPress represents 62.8% of the CMS market in 2026. That's both its strength and its weakness: WordPress's ubiquity makes it the number one target of automated malicious actors.
WordPress core auto-updates have significantly improved core security since WordPress 5.5. The vast majority of core installations are now up to date. The problem has shifted — to plugins, themes, and configurations.
The reality of audited sites: most are "secure enough" in the sense that they haven't been compromised yet. But "not yet compromised" is not the same as "secure." Attack vectors are open, simply waiting for an automated bot to find them.
Hosting plays a major role. Sites on low-end shared hosting consistently show more configuration issues than those on managed hosting or dedicated VPS. The correlation is strong and consistent.
The top 5 most common security issues
Among all the security tests run in our audits, five issues recur in statistically dominant ways. Here are the numbers, with what they mean in practice.
1. WordPress version exposed — 72% of sites
The meta generator tag and the readme.html file reveal the exact installed WordPress version, and the X-Powered-By header often reveals the PHP version alongside it. For an attacker, this is the first filter: "this site runs WP 6.4.2, here are the known CVEs for that version." Fix: remove the generator tag via functions.php, rename or block readme.html and install.php.
2. Outdated plugins with known CVEs — 48% of sites
Nearly half of audited sites have at least one plugin with a known, documented vulnerability in CVE databases. Median time since the available patch was released: 47 days. In other words: the fix had existed for an average of 47 days, and no one had applied it.
3. Missing security headers — 65% of sites
Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy — these HTTP headers are missing from two-thirds of audited WordPress sites. Yet setting them up only requires a few lines in .htaccess or nginx config. The effort-to-protection ratio is exceptionally favorable.
4. XML-RPC enabled — 78% of sites
XML-RPC is a legacy WordPress remote-procedure-call API, originally built for pingbacks and remote publishing. It's enabled by default and rarely disabled. The result: 78% of sites expose a brute-force attack vector, because the system.multicall method lets a single HTTP request carry thousands of login attempts.
5. Directory listing enabled — 23% of sites
On one in four WordPress sites, directory browsing is enabled on the server. This allows anyone to list the contents of /wp-content/uploads/, /wp-content/plugins/ and other sensitive folders. It's one line in .htaccess: Options -Indexes.
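As an added illustration of how an audit turns these five signals into findings (example code written for this article, not Orilyt's audit engine), the function below takes captured HTTP responses for a few paths of one site and flags issues 1, 3, 4 and 5. Issue 2 (plugins with known CVEs) needs a vulnerability database and is left out. The `$site` data at the bottom is constructed, not a real site; the X-Pingback header and the "POST requests only" reply from xmlrpc.php are real WordPress behaviours used as indicators.

```php
<?php
/**
 * Example audit logic (added here; not Orilyt's code). Each response is
 * array( 'status' => int, 'headers' => array, 'body' => string ), keyed by path.
 */
function audit_wordpress_site( array $responses ): array {
    $findings = array();
    // Fetch one captured response, with header names lower-cased so lookups
    // don't depend on the server's casing. Missing paths count as "no response".
    $get = function ( string $path ) use ( $responses ) {
        $r = $responses[ $path ] ?? array( 'status' => 0, 'headers' => array(), 'body' => '' );
        $r['headers'] = array_change_key_case( $r['headers'], CASE_LOWER );
        return $r;
    };
    $home = $get( '/' );

    // 1. Version exposure: generator meta tag, readable readme.html, X-Powered-By.
    if ( preg_match( '/<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"/i', $home['body'], $m ) ) {
        $findings[] = 'version exposed: meta generator says WordPress ' . $m[1];
    }
    $readme = $get( '/readme.html' );
    if ( 200 === $readme['status'] && stripos( $readme['body'], 'Version' ) !== false ) {
        $findings[] = 'version exposed: readme.html is readable';
    }
    if ( isset( $home['headers']['x-powered-by'] ) ) {
        $findings[] = 'stack exposed: X-Powered-By: ' . $home['headers']['x-powered-by'];
    }

    // 3. Security headers missing on the front page. CSP is not checked here:
    //    whether its absence is a finding needs a site-specific judgement.
    foreach ( array( 'x-frame-options', 'x-content-type-options', 'referrer-policy' ) as $name ) {
        if ( ! isset( $home['headers'][ $name ] ) ) {
            $findings[] = "missing security header: $name";
        }
    }

    // 4. XML-RPC: a live endpoint answers GET with 405, and the front page
    //    usually advertises it through the X-Pingback header.
    $xmlrpc = $get( '/xmlrpc.php' );
    if ( 405 === $xmlrpc['status'] || isset( $home['headers']['x-pingback'] ) ) {
        $findings[] = 'XML-RPC enabled';
    }

    // 5. Directory listing: an autoindex page for uploads/ carries an "Index of" title.
    $uploads = $get( '/wp-content/uploads/' );
    if ( 200 === $uploads['status'] && stripos( $uploads['body'], '<title>Index of' ) !== false ) {
        $findings[] = 'directory listing enabled on /wp-content/uploads/';
    }
    return $findings;
}

// Constructed sample: one unhardened site as an audit would see it.
$site = array(
    '/' => array(
        'status'  => 200,
        'headers' => array(
            'Content-Type' => 'text/html',
            'X-Powered-By' => 'PHP/8.2.12',
            'X-Pingback'   => 'https://example.test/xmlrpc.php',
        ),
        'body'    => '<html><head><meta name="generator" content="WordPress 6.4.2" /></head></html>',
    ),
    '/readme.html'         => array( 'status' => 200, 'headers' => array(), 'body' => '<h1>WordPress</h1><p>Version 6.4.2</p>' ),
    '/xmlrpc.php'          => array( 'status' => 405, 'headers' => array(), 'body' => 'XML-RPC server accepts POST requests only.' ),
    '/wp-content/uploads/' => array( 'status' => 200, 'headers' => array(), 'body' => '<html><head><title>Index of /wp-content/uploads</title></head></html>' ),
);

foreach ( audit_wordpress_site( $site ) as $finding ) {
    echo "- $finding\n";
}
```

Run against the constructed sample, the function returns eight findings: two version exposures, the PHP version leak, three missing headers, XML-RPC enabled, and the open uploads listing. On a hardened site every check falls through and the array comes back empty, which is the state the checklist at the end of this article aims for.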
SSL & HTTPS: almost there, but not quite
Performance and security: two sides of the same problem
An often-overlooked angle: slow sites and insecure sites tend to be the same sites. This isn't coincidental: the two share underlying causes, in the hosting and in the level of maintenance.
High TTFB (Time To First Byte above 1 second) typically indicates overloaded low-end shared hosting. These hosts also tend to have default PHP and server configurations that don't enforce security best practices: expose_php enabled, overly permissive open_basedir, no ModSecurity.
Heavy pages (over 4 MB) are often a sign of minimally maintained sites. And a site not maintained for 6 months is, on average, three times as likely to have plugins with known CVEs as a regularly updated site.
In short: when you audit a site's performance, you also get signals about its maintenance level — and therefore its security level. That's why Orilyt combines performance and security tests in a unified audit.
The maintenance gap: the real problem
Among audited sites, a significant proportion had not been updated for more than 6 months. Plugins, themes, WordPress core — no updates for at least 180 days.
The correlation between the absence of a maintenance contract and low security scores is strong and consistent. Sites with an active provider have significantly better security scores — not because the provider works miracles, but because regular updates mechanically eliminate the vast majority of known vulnerabilities.
For freelancers, this data is a direct business argument: "Without a maintenance contract, your site has X% probability of having an unpatched known vulnerability within 6 months." This isn't a hypothesis — it's a figure from real data.
Clients who have suffered an attack or hack are almost universally receptive. Clients who have never had a problem are harder to convince. Aggregated data makes the risk tangible before it materializes.
What this means for freelancers and agencies
Every statistic in this article is a conversation starter with a client. The difference between a freelancer who says "your site isn't secure" and one who says "72% of WordPress sites expose their version, and yours is one of them — here's what that means in practice" is enormous.
Data transforms an opinion into a factual finding. And factual findings, documented and ready to present, close contracts. That's exactly what Orilyt produces for every audit: not a generic score, but individual tests with FIA recommendations (Fact, Impact, Action) ready to paste into a client report.
The concrete opportunity: recurring maintenance. An audit reveals problems. Problems require maintenance. Maintenance generates recurring revenue. The cycle is simple, but it needs to be kick-started with data that gives the client a reason to act.
The numbers in this article aren't meant to scare — they're meant to educate. An educated client understands the value of your expertise. And a client who understands the value of your expertise becomes a client who pays for it.
The 5 top-priority fixes checklist
If you need to prioritize, here are the 5 actions with the highest security impact relative to the time invested.
- Hide WordPress version: remove the meta generator tag, block readme.html and install.php via .htaccess
- Disable XML-RPC: one line in functions.php (or a must-use plugin): add_filter('xmlrpc_enabled', '__return_false');
- Add security headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy in .htaccess or wp-config
- Update plugins and themes: enable auto-updates for minor releases, schedule major ones
- Disable directory listing: add Options -Indexes in root .htaccess
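The three checklist items that live in PHP (hiding the version, disabling XML-RPC, sending security headers) can be applied together as a single must-use plugin, so they survive theme switches. The file below is an added example, not Orilyt's code or part of WordPress; the hook names (`wp_head`, `the_generator`, `xmlrpc_enabled`, `wp_headers`, `send_headers`) are the real WordPress ones. The other two items (blocking readme.html and install.php, and Options -Indexes) are server configuration and stay in .htaccess.

```php
<?php
/**
 * Plugin Name: Hardening checklist (example mu-plugin)
 * Description: Example from the article, not Orilyt code. Place this file in
 * wp-content/mu-plugins/ and WordPress loads it automatically on every request.
 */

// 1. Hide the WordPress version: drop the <meta name="generator"> tag from
//    wp_head, and blank the version string WordPress otherwise prints in feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 2. Disable XML-RPC (system.multicall included) and stop advertising the
//    endpoint through the X-Pingback header WordPress adds to responses.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Send the security headers on every front-end response. A Content-Security-Policy
//    is deliberately not set here: it has to be written for the site's own scripts
//    and embeds, or it breaks the front end.
add_action( 'send_headers', function (): void {
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'X-Content-Type-Options: nosniff' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
} );
```

After deploying it, re-run the audit: the generator tag and X-Pingback header should be gone from the front page, xmlrpc.php should answer that XML-RPC services are disabled on the site, and the three headers should appear in every response. If a page builder or a mobile app still needs XML-RPC, the `xmlrpc_enabled` filter is the one line to remove; the rest stays.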
WordPress security in 2026: an opportunity, not a fatality
The state of WordPress security in 2026 is not catastrophic — but it is far from satisfying. The vast majority of issues identified in audits are known, documented problems with simple, quick fixes.
The real problem is not technical. It's a visibility and prioritization problem. Site owners don't know their version is exposed. They've never heard of XML-RPC. They don't know their headers are missing.
That's where freelancers and agencies have a crucial role. Not as fear merchants, but as translators — turning technical risk into business language. And to translate, you need data. Orilyt provides the data.