Worldwide footprint of publicly visible WordPress instances | Image: Censys
Hundreds of WordPress sites remain easy targets year after year. The cause is rarely a rare zero-day vulnerability. Instead, it is outdated PHP versions, forgotten plugins, and default configurations that site owners never revisited. A detailed Censys analysis of WordPress exposure puts the scale of the problem in sharp relief.
Most WordPress Sites Run End-of-Life PHP
Researchers at Censys examined publicly visible WordPress installations. They found that more than 70 percent of the sites run on an end-of-life PHP version. Those sites exposed their PHP version information publicly. Only 14 percent of publicly accessible WordPress sites run the latest patched release of the CMS itself.
Including WordPress 6.9, which reached end-of-life on March 20, 2026, pushes that share up. Even then, relatively current installations account for only 31 percent.
The Scale: 59 Million WordPress Assets Online
WordPress remains one of the most popular platforms for running websites without writing code directly. According to Censys data from June 2026, more than 59 million WordPress web assets are visible on the internet. They span more than one million distinct IP addresses.
The core system may receive updates. However, the server environment beneath it can go unchanged for years.
PHP 7.4: The Most Common End-of-Life Version
The most common PHP version found across the surveyed sites is PHP 7.4. More than 20 percent of sites still run it, even though PHP 7.4 reached end-of-life in November 2022. For a site owner, an old version often feels like a non-issue. For attackers, however, that server becomes a predictable target with well-documented vulnerabilities.
Plugin Updates Are Just as Neglected
Plugins create a separate risk surface. As of June 2026, nearly 7.5 million sites publicly exposed at least one installed plugin. Even for the widely used Yoast SEO, the picture is bleak. Fewer than 22 percent of sites with a visible version ran the latest release, version 27.7 from May 27, 2026. Including version 27.6 raises the share to 40 percent. Still, the majority of installations remain outdated.
Plugins carry their own category of risk. They receive less rigorous scrutiny than the WordPress core. Popular plugins have accumulated many known vulnerabilities over the years. Outdated versions can expose user data, allow authentication bypass, or enable malicious file uploads. Additionally, attackers may impersonate well-known plugins, purchase abandoned projects, or embed hidden backdoors.
The MR.GREEN Defacement Campaign
Censys highlights the MR.GREEN campaign as a concrete example. In this campaign, unknown actors compromise WordPress sites and replace their content with the message “Hacked By MR.GREEN.” As of June 2026, researchers identified more than 900 defaced sites. Nearly all affected properties ran content management systems, with WordPress being the most common target.
Evidence of this campaign dates back to 2020. However, it remains active today. The exact intrusion method is unknown. Nevertheless, many affected sites share the same weaknesses. These include outdated software, an exposed WordPress install page, an accessible xmlrpc.php file, and SSH access without strict restrictions.
The xmlrpc.php Risk and Active Scanning
The xmlrpc.php file belongs to a legacy WordPress remote management mechanism. Leaving it exposed allows attackers to conduct brute-force password attacks and enumerate installed plugins. GreyNoise data from the past 90 days shows 70 IP addresses actively scanning for these entry points.
Based on Censys observations, MR.GREEN does not always pursue complex objectives. The attackers often simply deface a site and leave it with a default WordPress theme. Yet even this scenario demonstrates how minor oversights compound into serious risk. Together, these gaps give attackers far too many opportunities. An old PHP version, a neglected plugin, and an exposed utility file each add to the risk.
What Site Owners Should Do
Censys recommends that site owners update not only WordPress itself but also PHP, plugins, themes, and server configurations. PHP support has a limited lifespan. Therefore, owners should check for updates every one to three months and apply critical patches as quickly as possible.
Blindly enabling automatic updates for everything in WordPress carries its own risks. However, deferring patches for years is far more dangerous. A site may look perfectly functional while the server beneath it quietly becomes an open door.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.