VYPR
trendPublished Jul 8, 2026· 1 source

Over 70% of WordPress Sites at Risk Due to Outdated PHP Versions

A significant majority of WordPress websites are running outdated PHP versions, leaving them vulnerable to known exploits and cyberattacks.

A recent study has revealed that more than 70% of publicly accessible WordPress websites are running outdated versions of PHP, significantly increasing their exposure to cyberattacks. The findings highlight a growing security gap in the global web ecosystem, where millions of sites rely on aging backend technologies despite the availability of regular security updates. WordPress, which powers over 40% of the internet, depends heavily on PHP as its core server-side language. While the platform itself continues to release updates, backend PHP versions often remain neglected.

Based on data from over 316,000 WordPress instances with visible version information, only about 30% are running a supported, up-to-date PHP version. The remaining majority are operating on versions that have already reached end-of-life, including PHP 7.4, which stopped receiving security updates in November 2022. This imbalance creates a critical security risk. Even when website owners keep their WordPress core relatively up to date, outdated PHP versions can still expose systems to known vulnerabilities, including remote code execution flaws and authentication bypass issues.

Attackers actively scan the internet for such weaknesses, making unpatched systems easy targets for exploitation. One notable example of this threat landscape is the ongoing “Hacked by MR.GREEN” defacement campaign. Researchers observed more than 900 compromised websites, most of which were running WordPress. These attacks typically replace legitimate site content with attacker messages, demonstrating how easily vulnerable systems can be breached. While the exact attack vector is unclear, many affected sites showed signs of outdated software, exposed configuration files such as xmlrpc.php, and weak access controls.

The widespread use of WordPress plugins further compounds the issue. Plugins extend functionality but also introduce additional attack surfaces. Millions of websites use plugins, but many fail to keep them updated. Even popular plugins have low adoption of the latest versions. Vulnerabilities in plugins, such as authentication bypass or data exposure flaws, can serve as entry points for attackers if left unpatched.

Another key challenge lies in the architecture of CMS platforms. Updating PHP versions is not always straightforward, especially for older websites. Compatibility issues, broken functionality, and fear of downtime often lead administrators to delay or skip updates entirely. However, this short-term convenience comes at the cost of long-term security.

Misconfigurations also play a major role in increasing risk. Exposed SSH services, weak authentication settings, and publicly accessible administrative endpoints can combine with outdated software to create a highly exploitable environment. Attackers often rely on automated scanning tools to identify such weaknesses at scale.

Security experts emphasize that maintaining updated backend infrastructure is just as important as updating visible components like themes and plugins. Regular patching, proper configuration, and proactive monitoring are essential to reducing the attack surface.

The findings serve as a reminder that cybersecurity hygiene remains a persistent challenge. In an environment where threats are constantly evolving, failing to update core technologies like PHP leaves a vast portion of the internet vulnerable to opportunistic attacks.

Synthesized by Vypr AI