How easy is a WordPress site to be hacked really? We would like to examine these numbers and probabilities and consider how easy it is for a WordPress site to be hacked.

How many WordPress sites are there in Japan?

WordPress is the most popular CMS (Content Management System) in the world and is said to account for 30% of all websites.


At https://wordpress.org/about/stats/, it is estimated that 5.8% of WordPress sites are in the Japanese language environment.
Then, how many WordPress sites are there worldwide?

According to https://digital.com/best-web-hosting/wordpress/statistics/, 450 million sites are using WordPress, which means that in Japan, 5.8% or 26.1 million sites are WordPress. In Japan, 5.8%, or 26.1 million sites are using WordPress.

According to https://ascii.jp/elem/000/001/855/1855707/, GMO Internet, which boasts 90% of the market share, has more than 20 million domain registrations, so this number is probably too high.

If we assume that WordPress is used by about 30% of the total number of sites, 20 million x 30%, which means that 6 million sites are WordPress sites.

How many WordPress sites in Japan are defaced annually?

The number of hacked WordPress sites inspected by users with the WordPress tamper detection plugin released by WordPress Doctor is about 1,000 sites per year in Japan (including re-tampering).
In reality, there are many sites that do not use our plug-ins, so we believe that about three times that number of sites are originally tampered with.
Assuming that around 30,000 WordPress sites are hacked in Japan each year

30000 ÷ 6000000 = 0.005 = 0.5

This means that 0.5% of WordPress sites in Japan are hacked at least once a year.

0.5% of WordPress sites are tampered with annually

Whether 0.5% per year is a lot or a little depends on how you look at it.
However, since this figure includes sites that are neglected and not updated, WordPress Doctor believes that the probability of the following sites being tampered with is as close to zero as possible.

Sites that are constantly updated to the latest versions of plug-ins and WordPress itself every few months.
Sites that use a password automatically generated by WordPress for the administrator user.

These two points will prevent vulnerability attacks and brute force attacks, which account for the majority of WordPress hacks.
Even if the above is not possible, you can further reduce the probability of being hacked by performing vulnerability checks and malware checks on a regular basis so that you can respond immediately if your site is defaced, and by installing security plug-ins.

Free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].