Using the BuiltWith system, we have found that up to 80% of all WordPress installations have not been updated to the latest version. Taking a sample of the 8,434,062 websites listed on BuiltWith, we searched each site's code for signals of which version it is running. Using data from WordPress, we also found that version 3.5 was downloaded 60 million times, but the most recent version has been downloaded only 12.6 million times, meaning that up to 80% are not updated. This makes them very vulnerable to cyber attack.
Older versions of the core system have known vulnerabilities. In the last 9 years, 145 vulnerabilities have been found in older versions of WordPress. For example, WordPress 3.4.2 has a cross-site request forgery (CSRF) vulnerability in wp-admin/index.php that allows remote attackers to hijack the authentication of administrators for requests that modify an RSS URL via a dashboard_incoming_links edit action.
The core system is continually updated by the WordPress community, but individual website owners have to install the updates on their own sites, and many businesses either don’t know how to update their installation or forget to.
The popularity of the system increases the risk that it will be a target for hackers. All web platforms have vulnerabilities and can be attacked by malicious agents, but WordPress has had some specific vulnerabilities that have been exposed by hackers over the last few years. These vulnerabilities have been fixed in new versions of the platform, but older versions are still open to attack.
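
One way to read the kind of version signal the survey describes and flag installations that are behind, as an added example that is not BuiltWith's code: it assumes the signal is the `<meta name="generator">` tag that WordPress emits by default. The host names, sample pages and the `LATEST` value are constructed for illustration.

```python
import re
from html.parser import HTMLParser

class GeneratorParser(HTMLParser):
    """Collects the content of every <meta name="generator"> tag."""
    def __init__(self):
        super().__init__()
        self.generators = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generators.append(a.get("content") or "")

def wp_version(html):
    """Return the WordPress version a page advertises, or None."""
    p = GeneratorParser()
    p.feed(html)
    for g in p.generators:
        m = re.fullmatch(r"WordPress (\d+(?:\.\d+){1,2})", g.strip())
        if m:
            return m.group(1)
    return None

def as_tuple(v):
    """'3.5' -> (3, 5, 0), so '3.5' and '3.5.0' compare equal."""
    parts = [int(x) for x in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(html, latest):
    v = wp_version(html)
    if v is None:
        return "unknown"  # tag stripped, or not a WordPress page
    return "current" if as_tuple(v) >= as_tuple(latest) else "outdated"

def audit(pages, latest):
    return {site: classify(html, latest) for site, html in pages.items()}

def outdated_share(result):
    """Fraction of sites with a readable version that are behind latest."""
    known = [s for s in result.values() if s != "unknown"]
    return sum(s == "outdated" for s in known) / len(known) if known else 0.0

# Constructed sample pages and an assumed "latest" release, for illustration.
LATEST = "3.5.1"
SAMPLE = {
    "a.example": '<head><meta name="generator" content="WordPress 3.4.2" /></head>',
    "b.example": '<head><META NAME="Generator" CONTENT="WordPress 3.5.1"></head>',
    "c.example": "<head><title>generator tag removed</title></head>",
    "d.example": '<head><meta name="generator" content="WordPress 3.5" /></head>',
}
```

Sites that remove the generator tag land in `unknown` and are left out of the share, so a figure produced this way describes only installations whose version is readable.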