WordPress runs 20% of all the websites in our database. That's more than 150,000 sites across our 760K+ domain dataset — and roughly 50,000 of those have enough data points for a meaningful security analysis. We spent the past few weeks crunching those numbers, and I've got to say: the results are a mixed bag.
Some WordPress sites are absolute fortresses. Others are basically leaving their front door wide open with a neon sign that says "come on in." The difference usually comes down to a handful of decisions that site owners either made or didn't make.
WordPress remains the dominant CMS across 760,000+ analyzed domains — roughly 1 in 5 websites
The average trust score across all domains we've analyzed is 63 out of 100. WordPress sites? They come in slightly lower at 58. That five-point gap might not sound like much, but when you're dealing with tens of thousands of sites, it tells a story.
Here's what's pulling the average down: it's not WordPress itself. The core software is reasonably well-maintained. The problem is what happens after someone installs it and then... forgets about it. We've seen WordPress sites running versions from 2023. Three-year-old software with known, documented vulnerabilities just sitting there, indexed by Google, accepting traffic.
Compare a well-maintained WordPress site like TechCrunch to a random small-business WordPress site that hasn't been updated in two years. The gap in security posture is enormous. TechCrunch scores well above 70. The abandoned small business site? Often below 40.
If there's one area where WordPress sites consistently underperform, it's security headers. Across our entire dataset, 80% of sites are missing Content-Security-Policy (CSP) headers. For WordPress sites specifically, that number climbs to around 87%.
HSTS — the header that forces browsers to always use HTTPS — is missing from 72% of all sites. On WordPress installations, it's closer to 78%. These aren't exotic or difficult configurations. A decent security plugin can add these headers in minutes. But most WordPress admins don't bother.
The average WordPress site in our dataset runs 15-25 plugins. Each one is a potential attack vector. We've found that sites with more than 30 active plugins have trust scores averaging 12 points lower than those with fewer than 10.
Want to see how a specific WordPress site stacks up? Run any domain through our free analysis tool and we'll show you exactly which headers are present or missing.
Here's some good news. HTTPS adoption among WordPress sites is actually slightly higher than the overall average — about 86% compared to 84% across all sites. I suspect this is because most modern WordPress hosting providers now include free SSL certificates and enable HTTPS by default.
That still leaves 14% of WordPress sites without encryption. If you're running WordPress without HTTPS in 2026, you're not just putting your visitors at risk — you're also getting penalized by Google in search rankings. There's literally no reason not to enable it. We wrote a full deep-dive on HTTPS adoption stats if you want the broader picture.
This is where things get ugly. Only 55% of all websites have SPF records configured. For WordPress sites, it's about the same — 53%. DMARC is even worse: 34% overall, and just 29% for WordPress domains.
What does this mean in practice? It means someone can send emails that appear to come from the majority of WordPress-powered businesses, and there's no technical mechanism to stop them. If you own a WordPress site, this is probably your lowest-hanging fruit for improving security. It takes about 10 minutes to set up SPF and DMARC records through your DNS provider.
We cover this topic in detail in our email security analysis, including step-by-step guidance on what records to add.
We looked at WordPress sites scoring above 70 on our trust scale and compared their technology stacks to those scoring below 50. The differences are striking.
High-scoring WordPress sites are significantly more likely to use:
Low-scoring WordPress sites tend to run outdated jQuery versions, lack a CDN, and often don't even have analytics installed. That last point is telling — if someone doesn't care enough to track their traffic, they probably don't care enough to update their plugins either.
Cloudflare usage among high-trust WordPress sites vs. low-trust WordPress sites
We broke down WordPress security metrics by hosting country, and some interesting patterns emerged. WordPress sites hosted in Germany and the Netherlands tend to have higher trust scores than those hosted in other regions. Canadian and American WordPress sites fall right around the average.
The reasons likely come down to hosting infrastructure. German and Dutch data centers tend to enforce stricter defaults for SSL, security headers, and server configurations. It's not that German WordPress admins are necessarily more security-conscious — their hosting environments just do more of the heavy lifting.
For a full breakdown of how different countries compare on web security, check out our web security by country analysis.
Based on our data, here are the most common security issues on WordPress sites:
None of these are WordPress-specific problems, technically. But WordPress's popularity makes it the biggest target. When an attacker finds a new exploit, they're going to test it against the CMS that powers 20% of the web first.
If you're running WordPress, here's what I'd prioritize based on our data:
First, enable HTTPS. If your host doesn't offer free SSL, switch hosts. It's 2026. This is table stakes.
Second, add security headers. Install a plugin like Headers Security Advanced & HSTS or configure them in your .htaccess file. CSP, HSTS, X-Frame-Options, X-Content-Type-Options — all of them. This alone could bump your trust score by 10-15 points.
Third, set up SPF and DMARC. Go to your DNS provider and add these records. It takes 10 minutes and protects your domain from email spoofing. We explain exactly what records to add in our email security guide.
Fourth, put Cloudflare (or a similar CDN) in front of your site. The free tier is genuinely useful. It adds a WAF, caches your static content, and gives you an extra layer of DDoS protection. Sites using Cloudflare score significantly higher on average.
Fifth, audit your plugins. Remove anything you're not actively using. Update everything that remains. Check each plugin's last update date — if it hasn't been updated in over a year, find an alternative.
Run your WordPress site through Bitverzo right now. You'll see your exact trust score, which security headers you're missing, whether your SSL is properly configured, and your email authentication status. It takes about 10 seconds and it's free.
I want to be fair to WordPress here. When we compare WordPress sites to sites running React (8% of sites), or other modern frameworks, WordPress's lower average isn't entirely its own fault. WordPress powers a much wider range of sites — from Fortune 500 companies to someone's abandoned hobby blog from 2019. That naturally pulls the average down.
Sites built on React or Vue.js tend to be newer, purpose-built applications maintained by development teams. Comparing them to the full spectrum of WordPress sites isn't exactly apples to apples. When you compare enterprise WordPress deployments to enterprise React apps, the security gap largely disappears.
The real issue isn't the platform. It's maintenance. A WordPress site that gets regular updates, has proper security headers, uses a CDN, and has email authentication configured properly will score just as well as any other platform. The problem is that WordPress makes it easy to set up a site and forget about it — and too many people do exactly that.
WordPress isn't inherently insecure. But its popularity and ease of use mean that a lot of WordPress sites are poorly maintained, and that drags down the overall numbers. If you're running WordPress, the good news is that the most impactful security improvements are also the easiest to implement. HTTPS, security headers, SPF/DMARC, and a CDN — those four things alone could take your site from "caution" territory into the "safe" zone.
We'll keep tracking these numbers as our dataset grows. If you want to see how your own site compares, check your trust score on Bitverzo — it's free, instant, and we'll tell you exactly what to fix.
Get an instant trust score, security header analysis, technology detection, and actionable recommendations.
Analyze Your Site Free →Not inherently. Our analysis of 50,000+ WordPress sites shows they score an average trust score of 58/100 compared to the overall average of 63/100. The gap mostly comes from outdated plugins and missing security headers rather than WordPress core vulnerabilities. Well-maintained WordPress sites regularly score above 70.
Based on Bitverzo's analysis of 760,000+ domains, approximately 20% of websites run on WordPress. It remains the most popular CMS by a wide margin, powering everything from personal blogs to enterprise e-commerce sites.
Use Bitverzo's free website analysis tool to get an instant trust score. Key things to look for include HTTPS encryption, security headers (CSP, HSTS), up-to-date WordPress version, SPF/DMARC email authentication, and CDN protection like Cloudflare. Sites missing these basics tend to score below 50 on our trust scale.
Data in this article is based on Bitverzo's analysis of 760,000+ domains as of July 2026. WordPress detection is based on technology fingerprinting of CMS signatures. Trust scores and statistics are updated continuously. View technology trends or see the top-rated websites.