The hesitance to update WordPress has become a pervasive issue among administrators, who often fear the consequences of potential site malfunctions.
This leaves a multitude of websites operating with obsolete plugins, unpatched PHP versions, and outdated core software, rendering them vulnerable to cyber threats, as highlighted by Censys.
Critical insights:
- A staggering eighty-six percent of WordPress sites are running outdated versions, with a mere 14% operating on the latest version (7.0).
- Numerous sites continue to rely on obsolete PHP versions, which have been likened to committing “security suicide.”
- Cybercriminals are utilizing automated tools to identify and exploit outdated sites
“Each time I attempt to upgrade PHP, my site falters, typically due to some neglected plugin,” lamented a WordPress administrator on Reddit. This sentiment resonates widely within the community.
Censys, a cybersecurity search engine, has examined the visible web, revealing that the majority of WordPress installations fail to utilize the most current software versions.
As the leading content management system, WordPress powers around 40% of websites globally.
Currently, over 59 million WordPress sites are active, distributed across approximately one million unique IP addresses.
“Only 14% of publicly accessible WordPress sites have implemented the latest patch,” declared Censys in its findings.
Stay informed with our latest updates and connect with us on social media
Be among the first to discover new insights and developments from our team.
The most recent version of WordPress is 7.0. However, considering those still using WordPress 6.9 (which ceased support in March 2026), the proportion of actively maintained sites rises to 31%.
WordPress relies on PHP, a predominant server-side programming language. Alarmingly, over 70% of websites also utilize deprecated PHP versions.
Even more concerning is that more than 20% continue to operate on PHP 7.4, which became obsolete nearly four years ago, in November 2022.
Furthermore, PHP 5.6 remains in use, a far older version that has not received updates since 2018.
Currently supported PHP 8.4 is found on only about 4% of websites, while the latest version 8.5, is conspicuously absent from these statistics.
Censys indicates that administrators are more likely to run updated WordPress versions alongside end-of-life PHP versions.
“Upgrading PHP is not merely a matter of convenience; it is essential for security,” caution Censys researchers.
“The prevalence of outdated versions presents a significant security risk for web servers. Older frameworks not only exhibit inefficiency but are also increasingly vulnerable to threats.
The study analyzed a sample of 316,300 WP PHP sites that did not conceal version headers, representing a mere 0.5% of total WP installations.
While it is plausible that WP sites concealing version details may exhibit better patching habits, it can also be argued that many administrators obscure issues to mitigate opportunistic threats rather than addressing the root problems.
Plugins are also lagging behind. Nearly 7.5 million WordPress sites have at least one listed plugin. Yoast, a prominent SEO automation tool, is utilized by over 5 million sites, yet only 22% of these have the latest version, according to Censys.
Automated Scans and Website Defacement by Hackers
Security experts have raised alarms regarding an ongoing campaign of website defacement targeting WordPress platforms.
A malicious actor is surreptitiously replacing website content with the phrase “Hacked By MR.GREEN,” affecting at least 900 sites as of June 2026, Censys reports.
GreyNoise sensors have detected 70 IP addresses actively scanning for vulnerable xmlrpc.php legacy endpoints—URLs used by WordPress for remote interactions, which are a frequent target for brute-force attacks.
Additionally, various misconfigurations and vulnerabilities plague websites, including exposed SSH ports without IP restrictions and enabled password authentication. These issues accumulate rapidly, leaving sites susceptible to breaches.
Censys posits that reliance on outdated PHP underscores a fundamental flaw in CMS architecture—specifically, a web service that struggles to accommodate new patches. Concurrently, PHP’s design presumes a straightforward transition from one patch below, complicating upgrades from antiquated versions.
“CMS platforms are not conceived with the limitations of older backend frameworks in mind. They presume users possess the capability to maintain the latest versions of essential backend software without hindrances,” the report states.
“New patches are released under the premise of maintained software, leading to dysfunctional sites if updates are not handled with care, which results in users postponing necessary updates.”
Consequently, Censys suggests limiting automatic updates in WordPress, as they frequently disrupt site functionality and compatibility.

Updates should be performed manually to well-established, trusted major versions post-testing, with a careful examination of plugins.
Nevertheless, Censys urges administrators to prioritize PHP updates in sync with patches, review updates every 1-3 months, and implement critical releases without delay. The forthcoming PHP version, 8.6, is scheduled for release in November 2026.
Source link: Cybernews.com.





