Analysis of the 100K Top WordPress Sites provides us with insight into the technology and the security posture of these Internet properties. While WordPress Powered sites number in the millions around the world, the focus here are sites that have significant Internet traffic.
The methodology used to determine a WordPress powered site is to search for specific strings within the
HTML or the
HTTP Headers provided by the web server. It was a matter of downloading the headers and page source from the Alexa top 1 million sites and then searching for
The number of WordPress powered sites gets thrown aroundf quite often. It is nice to see that the often quoted 25% figure is close even when counting high traffic sites.
Web Servers of the Top WordPress Powered Sites
These statistics are based on the front end web server that is delivering the WordPress site to the browser. The results are based on the initial HTTP header (
Server:). In the following chart the total number for the web server technology is the focus.
Nginx has a solid lead with just under 50% (49460) of the websites. Keep in mind that since our methodology only looked at the initial Server: HTTP Header, there are likely nginx sites that are acting as a reverse proxy in front of other web servers.
In addition sites that are being delivered by CloudFlare or other content delivery networks are included in the server numbers. See the following chart for a break down of the CloudFlare numbers.
More than a handful of sites are running on Microsoft based IIS servers (1788), included in this number is Microsoft Corporate properties such as Visual Studio.
A closer look at the Nginx statistics
In this breakdown of the nginx powered sites, we can see that CloudFlare is a significant part of that number.
With 19826 of the sites, CloudFlare is close to delivering 20% of the Top 100000 WordPress websites.
See the web hosting and IP address block analysis for more detail on other content delivery networks that are serving up the WordPress sites.
Examination of the WordPress Version
Looking into the WordPress version goes hand in hand with understanding the security posture of a site. Since WordPress 3.7 automatic updates are available for WordPress installations to ensure that sites are kept up to date. WordPress Security recommendations outline the need for always running that latest version of WordPress core to ensure that that security fixes are applied.
There are different ways to determine the version of a WordPress installation; for simplicity only sites with the default
Meta Generator banner are included in this break down of versions found. The default
generator tag was found on 52515 of the WordPress sites.
Quite a spread of versions can be seen, those WordPress 2.x sites really do exist. There are currently 56 sites running 2.x and 821 sites running WordPress 3.x.
Just over half of all the sites are running the latest version 4.8.1 (this was latest version at time of analysis).
Having only 53.8% of these high traffic sites running the latest version, shows an absence of standard maintenance procedures on the remaining sites. Owners still need to make improvements in adopting best practice security maintenance processes.
WordPress Hosting Providers
Digging into the hosting providers of WordPress sites, meant resolving the IP address of the site. From the IP address the network owner was determined by running a simple ASN lookup. The result revealed the owner of the hosting net block which is often the hosting provider. Please note that some hosting companies may not own the IP block, in these cases large networks such as Amazon may actually include smaller hosting companies.
Everyone loves a good map. So utilizing the Maxmind GeoLite data the IP address locations were plotted against the list of 100'000 top WordPress powered sites. As you can see there are either a few sites running on submarines or the IP Geo data is not 100% accurate. The general distribution of sites around the world is interesting, with expected clusters in the USA and Europe.
WordPress SEO Plugin Showdown
When it comes to improving the SEO of a WordPress site, there are two plugins that come to mind; 1. WordPress SEO by Yoast and 2. All in One SEO. The nice thing about these plugins is they put a comment in the HTML source allowing it to be identified.
Using the default comment it was possible to quickly determine the number of sites (that have the default comment enabled). Of course it is possible that some sites have removed the comment.
And the winner is Yoast!.
WordPress Caching Plugin Showdown
Fast sites make users happy and recently has made Google happy with an update to the search algorithm that provides search weighting based on site speed. Understandably these factor make WordPress Caching Plugins essential for most serious sites.
The most popular caching plugins include comments in the HTML (by default) identifying the plugin in use. By searching for these comments it was possible to gather numbers for the most popular caching plugins.
Of course it is possible some have been missed, but like all of the data on this page the sample size is pretty good.
And the winner is Autoptimize!.
Top 25 WordPress Plugins
The numbers become a bit rougher when determining the plugins in use. Unless the plugin has a default comment in the code such as the SEO plugins or caching plugins, it gets a bit harder to determine plugins in use.
Many plugins load resources from the plugin folder (
js), and this is the best way to identify plugins used passively. A more aggressive way to find plugins in use is to brute force the path, obviously when doing a survey such as this that is not an option.
So to determine the Top 25 plugins listed below the HTML was searched for
/wp-content/plugins/$plugin/ and the plugin names were extracted simply using the path. An additional caveat is that it is now common for
css to be minified, to improve site performance. If minified code is in use this method of identifying plugins no longer works.
Top 25 WordPress Themes
Using similar methodology as the above plugin identification we were able to identify the WordPress theme in use. Searching for the path
/wp-content/themes/$theme/ in HTML and counting the most common occurrences. Many sites will use custom plugins, and have changed the path, however identification of the most common should be fairly accurate using the large sample size.
Article first published in 2012. This a complete 2017 update.
Test WordPress and Server side with Security Vulnerability Scanners.
Trusted tools. Hosted for easy access.
Need and expert? Professional WordPress Assessments.
Validated Security Report. Fast turn around.