Originally released as a blogging platform in 2003, WordPress has evolved into a multi-purpose content management system with tens of thousands of plugins and themes.
As WordPress continues to evolve so does its user base. Once used primarily by bloggers, WordPress is now used by ecommerce businesses, news organizations, and many others. In fact, two out of every five websites on the internet use WordPress.
To better understand the most popular open-source CMS in the world and its community, let’s look at important statistics related to WordPress usage, plugins, themes, and security below.
WordPress Usage Statistics
1. WordPress is used by 43.2% of all websites on the internet. (W3Techs, 2022)
According to data from W3Techs, WordPress is used by 43.2% of all websites on the internet in 2022. This is an increase from 39.5% in 2021. That means that two out of every five websites use WordPress.
2. WordPress usage has increased an average of 12% per year since 2011. (W3Techs, 2022)
W3Techs has tracked the usage of WordPress and other content management systems since January 2011. In 2011, WordPress was used by 13.1% of websites. Since then, WordPress usage has increased 12% per year on average, bringing its total to 43.2% in 2022.
3. WordPress is used by 65.2% of all websites using a content management system. (W3Techs, 2022)
WordPress is used by 65.2% of all websites using a CMS, which is a huge market share. The second most popular CMS — Shopify — has a market share of 6.6%. Wix, Squarespace, and Joomla are next, with 2.8%, 2.7%, and 2.6% market shares, respectively.
4. WordPress powers 36.28% of the top 1 million websites. (BuiltWith, 2022)
According to data from BuiltWith, WordPress powers over 36% of the top 1 million websites, including Bloomberg, Nike, and The New York Times. The “top” sites are based on traffic.
5. Roughly every two minutes, another top 10 million site starts using WordPress. (W3Techs, 2021)
In 2021, it was estimated that a top 10 million website started using WordPress every two minutes. That means more than 1000 WordPress sites within the top 10 million sites were created every day of the year.
6. WordPress has been the fastest growing content management system for 12 years in a row. (W3Techs, 2022)
WordPress has been the fastest growing content management system since 2010, according to data from W3Techs. In 2021, WordPress gained the most websites, adding 9.3% to its already impressive user base.
7. 20.4% of WordPress websites use WooCommerce. (W3Techs, 2022)
Many WordPress websites also use various subcategories of WordPress. The majority — 20.4% — use WooCommerce. The next most popular subcategories are Elementor and WPBakery, with 15.9% and 15.3% of WordPress websites using the respective page builders.
WordPress Plugin Statistics
8. There are almost 60,000 free plugins in the official WordPress plugin directory. (WordPress, 2022)
The official WordPress plugin directory currently features 59,825 free plugins. Some of the most popular are Elementor, Askimet, and Jetpack.
9. Yoast SEO has the most active installations and five-star ratings in the WordPress plugin directory. (WordPress 2022)
Yoast SEO has over five million active installations and 26 thousand five-star ratings in the WordPress plugin directory, making it the most downloaded and well-rated free plugin in the directory.
WordPress Theme Statistics
10. There are over 9,000 free themes in the official WordPress theme repository. (WordPress, 2022)
The official WordPress theme repository currently features 9,124 free themes. Some of the most popular are Astra, OceanWP, and Neve.
11. There are over 31,000 WordPress themes in total, including premium options. (Scepter, 2020)
According to research from Scepter, there are approximately 31,010 WordPress themes available for download or purchase. Included in this count are themes that are known or likely to be up-to-date and child themes. Themes that have both a free and paid version are only counted once.
12. The average price of a premium WordPress theme is $77.57. (Scepter, 2020)
On average, a premium WordPress theme costs $77.57. While this price tag may seem high, premium themes typically offer more functionality, flexibility, and security features than their free counterparts and therefore can be worth the investment.
13. Divi and Astra are the two most popular active WordPress themes used by the top 1 million sites. (BuiltWith, 2022)
Among the top 1 million WordPress sites, Divi and Astra are the most widely-used themes that are still active.
WordPress Security Statistics
14. Wordfence blocked 18.5 billion password attack requests on WordPress websites in the first half of 2021. (Wordfence, 2021)
Wordfence, a popular firewall service, blocked over 86 billion password attack requests in the first six months of 2021. The number of password attacks is expected to continue to increase.
In January 2021, Wordfence blocked 8,227,887,615 brute force attempts (a type of password attack that involves randomly guessing a password using a mix of characters, letters, and numbers). In June 2021, it blocked more than double that, at 18,552,519,601 brute force attempts.
15. The Wordfence Web Application Firewall blocked 4 billion requests coming from blocklisted IPs and attackers attempting to exploit vulnerabilities in the first half of 2021. (Wordfence, 2021)
WordPress plugin and theme vulnerabilities remained one of the top targets for threat actors targeting WordPress sites in 2021. In the first six months of the year, the Wordfence Web Application Firewall blocked over 4 billion requests coming from blocklisted IPs and attackers attempting to exploit vulnerabilities.
16. WPScan recorded 602 new vulnerabilities across WordPress plugins, themes, and core in the first half of 2021. (Wordfence, 2021)
Between January to June 2021, WPScan recorded 602 new vulnerabilities across WordPress plugins, themes, and core. This surpassed the number of reported vulnerabilities in all of 2020.
However, the upward trend does not indicate that WordPress is becoming less secure over time. Instead, it indicates that people are spending more time finding and reporting vulnerabilities in WordPress software, which will ultimately result in fewer vulnerable plugins and themes in the WordPress repository and other marketplaces.
17. WPScan recorded over 550 plugin vulnerabilities in the first half of 2021. (Wordfence, 2021)
In the first six months of 2021, WPScan catalogued 552 plugin vulnerabilities in their WordPress vulnerability database. This is much higher than the number of core and theme vulnerabilities reported, which makes sense considering the vast number of plugins and complex functionality, which means there’s a higher attack surface.
18. WPScan recorded 47 theme vulnerabilities in the first half of 2021. (Wordfence, 2021)
In the first six months of 2021, WPScan catalogued 47 theme vulnerabilities in their WordPress vulnerability database. This is much lower than the 552 plugin vulnerabilities reported, which is typical since there are fewer themes and their more basic functionality means there’s a lower attack surface.
19. Approximately 90% of WordPress vulnerabilities are plugin vulnerabilities. 6% are theme vulnerabilities and 4% are core software vulnerabilities.
Plugin vulnerabilities pose a huge risk to WordPress websites, accounting for 90% of all WordPress vulnerabilities while theme and core vulnerabilities make up 10%. One of the best and easiest solutions is to always keep your WordPress plugins, theme, and core running their latest versions.
20. Cross-Site Scripting (XSS) vulnerabilities accounted for 52% of plugin vulnerabilities in the first half of 2021. (Wordfence, 2021)
Cross-Site Scripting (XSS) is the most commonly discovered vulnerability affecting WordPress plugins. With 216 XSS vulnerabilities cataloged by WPScan, it accounted for 52% of plugin vulnerabilities in the first half of 2021. The next most commonly discovered vulnerability — Cross-Site Request Forgery (CSRF) — accounted for 16% of plugin vulnerabilities.
Understanding the Current State of WordPress