Press TechRound interviews Secure.com CEO on the future of AI security
Read

86% of WordPress Sites Are Running Old Code. Attackers Already Noticed.

New Censys data shows only 14% of WordPress sites run the latest patch. Outdated WordPress sites are a soft target, and hackers already know.

Dateline: July 8, 2026

The WordPress Patch Gap: Why Most Sites Are Running on Borrowed Time

WordPress runs a huge slice of the web. That is exactly why a new scan of live sites should worry anyone who owns one. Almost none of them are current.

What Happened?

Researchers at Censys scanned the public web and found that only 14% of visible WordPress sites were running the latest patch of WordPress. Fold in sites on the previous version, which was already discontinued in March 2026, and the share that counts as actively maintained still only reaches about a third.

The plugin picture is no better. Yoast, the SEO plugin found on over five million sites, was on its newest release on only 22% of the sites running it, per Censys.

Then there is the layer underneath. WordPress runs on PHP, and over 70% of sites are on an outdated version of it. More than 20% still run PHP 7.4, which was deprecated back in November 2022. One security firm has called that practice security suicide, and it is hard to argue.

Attackers are already circling. Censys tracked a defacement campaign that replaced site content with a “Hacked By MR.GREEN” message across at least 900 sites in June 2026. Separately, GreyNoise flagged 70 IP addresses actively scanning for the legacy xmlrpc.php endpoint, a favorite target for brute-force login attempts.

The Impact

Here is the part people miss. WordPress core itself is not the weak spot. Independent research consistently pins the vast majority of new WordPress vulnerabilities on plugins, not the core software. So a stack of outdated plugins on an old PHP build is where real risk piles up.

The math is brutal too. A typical production site runs dozens of plugins, and every one is another door. When patches lag by months, and public exploits often land within hours of disclosure, that gap between a fix shipping and a site applying it becomes the whole ballgame.

For anyone running client sites at scale, agencies especially, one unpatched plugin on shared infrastructure can put every site on that box in reach.

How to Avoid This

  • Updating everything blindly is not the answer either. Censys notes that auto-updates can break sites and cause compatibility headaches, which is part of why admins delay them.
  • A saner approach: trim plugins down to what you actually use, since fewer plugins means a smaller target.
  • Update WordPress manually to well-established major versions after testing on staging.
  • Keep PHP on its patch cycle and move off deprecated builds like 7.4.
  • Check for updates every one to three months, and push critical security releases as fast as you can test them.
  • Turn on two-factor login and limit login attempts to blunt the brute-force noise hitting xmlrpc.php and wp-login.php.

You Can’t Patch What You Can’t See

Most breached sites weren’t targeted for being interesting. They were found by a scanner looking for old code. Secure.com helps you spot that exposure before an attacker’s scanner does.

  • Continuous external discovery of your web properties, including the forgotten sites and subdomains that quietly run old versions
  • Fast flagging of outdated CMS core, plugins, and PHP builds across everything you own
  • Risk-based prioritization so publicly exploitable, unauthenticated flaws jump to the top of the list
  • Guided remediation that confirms the fix actually landed, not just that an update was queued
  • Ongoing monitoring for defacement and mass-scanning activity aimed at legacy endpoints