When a WordPress site is infected with malware or otherwise compromised, it’s a safe bet that an out-of-date plugin, theme, or WordPress installation will be implicated. While zero-day vulnerabilities or configuration errors are responsible for a proportion of attacks, regular updating reduces the risk.

Unfortunately, it seems that the message to update regularly isn’t being heard by a large number of WordPress site owners. A new study from Hacker Target shows that only 54% of WordPress sites use the most recent version.

Hacker Target scanned the top hundred thousand WordPress sites, gathering data about installed versions of WordPress, web servers, plugins and themes, and locations. The study confirmed that the oft-repeated claim that WordPress supports about a quarter of the sites on the web is true.

The good news is that a narrow majority of WordPress sites are running on the most recent version of the WordPress application. Many of the remaining sites run 4.X versions of WordPress. Running older versions of WordPress isn’t safe because newer versions fix vulnerabilities.

Although the numbers are quite small, it’s worrying to see how many sites are running on even older versions of WordPress, with over 800 sites using WordPress 3.X. 56 sites are still running on WordPress 2! If we consider that figure representative of the total number of WordPress sites and extrapolate, we’d expect to see tens of thousands of sites running on very old versions of WordPress.

It’s likely that the methodology of this study skewed the results. The top 100,000 WordPress sites are not a random sample. They’re exactly the high-traffic sites that are most likely to be well maintained. My suspicion is that if we could see the figures from a random sampling of WordPress sites the proportion of sites running on the most recent versions would be lower, and the proportion running on WordPress 3 and 2 higher.

It’s understandable that non-technical owners would neglect to update their WordPress sites, but it’s inexcusable that web hosting providers and WordPress professionals would still support ancient versions of WordPress that rely on even more ancient and unsupported versions of PHP and MySQL.

Hacker Target was also interested in discovering which plugins were used on WordPress sites. Unsurprisingly, the most popular plugin is Jetpack, with RevSlider in the second spot.

WooCommerce is next on the list of popular plugins, suggesting than many of the largest WordPress sites are actually eCommerce stores. Yoast SEO is the most popular SEO plugin, with All In One SEO being the only other contender.

Among caching plugins, Autoptimize has the largest adoption, but that’s somewhat misleading because Autoptimize handles minification and in-browser caching of static assets, but it isn’t a competitor to full featured caching plugins on the list, including WP Rocket, WP Super Cache, and W3 Total Cache.