Outdated PHP Versions Leave Majority of WordPress Sites Vulnerable to Attacks
A recent analysis by Censys has uncovered a critical security gap in the global web ecosystem, revealing that over 70% of publicly accessible WordPress sites are running outdated, end-of-life (EOL) PHP versions. As of June 2026, WordPress powers more than 40% of all websites over 59 million instances making this a widespread and systemic issue.
The research examined 316,500 WordPress deployments with visible version data and found that only 30% were using supported PHP versions. The majority relied on deprecated releases, including PHP 7.4, which reached EOL in November 2022. While WordPress core updates were more frequently applied with 31% of sites running supported versions (6.9 or higher) and 14% on the latest release (7.0) the underlying PHP runtime remained neglected, creating a significant security blind spot.
Outdated PHP versions expose sites to unpatched vulnerabilities, lack of security support, and compatibility issues with modern defenses. Since PHP underpins WordPress themes and plugins, weaknesses at this level can compromise the entire application stack. Attackers are actively exploiting this gap, targeting legacy environments that are easier to breach at scale.
Operational challenges contribute to the problem, as site owners often delay upgrades due to concerns about breaking functionality, plugin incompatibilities, and complex migration paths. The issue is further exacerbated by inconsistent plugin patching less than 22% of Yoast SEO users, for example, run the latest version. Plugins introduce additional risks, with high-profile tools like UpdraftPlus facing multiple critical vulnerabilities, including authentication bypass and data exposure flaws.
Real-world consequences are evident in ongoing attack campaigns, such as the "Hacked By MR.GREEN" defacement operation, which has compromised over 900 WordPress sites since 2020. These attacks exploit outdated software, misconfigurations, and exposed endpoints like xmlrpc.php, with continuous scanning activity targeting vulnerable sites. While the campaign focuses on defacement rather than financial gain, it demonstrates how low-sophistication threats can achieve widespread impact when basic security hygiene is ignored.
The findings underscore the need for organizations to address both application and infrastructure layers, ensuring regular PHP updates, proactive plugin management, and secure configurations to reduce exposure.
Source: https://gbhackers.com/over-70-of-public-wordpress-sites-running-outdated-php-exposed/
WordPress cybersecurity rating report: https://www.rankiteo.com/company/wordpress
"id": "WOR1783499208",
"linkid": "wordpress",
"type": "Vulnerability",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Various (all industries using WordPress)',
'location': 'Global',
'name': 'WordPress sites globally',
'size': 'Over 59 million instances',
'type': 'Websites'}],
'attack_vector': 'Exploitation of outdated software (PHP versions)',
'date_publicly_disclosed': '2026-06',
'description': 'A recent analysis by Censys revealed that over 70% of '
'publicly accessible WordPress sites are running outdated, '
'end-of-life (EOL) PHP versions, exposing them to unpatched '
'vulnerabilities and active exploitation. The issue stems from '
'neglected PHP runtime updates despite more frequent WordPress '
'core updates, creating a systemic security gap in the global '
'web ecosystem.',
'impact': {'brand_reputation_impact': 'Defacement and potential data exposure '
'risks',
'operational_impact': 'Potential compromise of entire application '
'stack due to PHP vulnerabilities',
'systems_affected': 'Over 59 million WordPress sites (40% of all '
'websites)'},
'investigation_status': 'Ongoing (as of June 2026)',
'lessons_learned': 'Organizations must address both application and '
'infrastructure layers, ensuring regular PHP updates, '
'proactive plugin management, and secure configurations to '
'reduce exposure.',
'motivation': ['Defacement', 'Opportunistic exploitation'],
'post_incident_analysis': {'corrective_actions': ['Regular PHP updates',
'Proactive plugin '
'management',
'Secure configurations'],
'root_causes': ['Neglected PHP runtime updates',
'Concerns about breaking '
'functionality',
'Plugin incompatibilities',
'Complex migration paths',
'Inconsistent plugin patching']},
'recommendations': ['Update PHP to supported versions',
'Regularly patch WordPress core and plugins',
'Implement secure configurations',
'Monitor for exposed endpoints (e.g., xmlrpc.php)',
'Address plugin incompatibilities proactively'],
'references': [{'source': 'Censys'}],
'response': {'remediation_measures': 'Regular PHP updates, proactive plugin '
'management, secure configurations'},
'threat_actor': 'Hacked By MR.GREEN (defacement campaign), other unidentified '
'attackers',
'title': 'Outdated PHP Versions Leave Majority of WordPress Sites Vulnerable '
'to Attacks',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': 'Unpatched vulnerabilities in end-of-life PHP '
'versions (e.g., PHP 7.4)'}