CMS Detection Methodology

The methodology used to determine the underlying technology of web sites is to search for specific strings within the HTML, or the HTTP Headers provided by the web server. For WordPress, our process is a simple matter of downloading the headers and page source from all sites in the Alexa top 1 million sites. The resulting content was then searched for /wp-json/, /wp-includes/ or /wp-content/ indicating a WordPress powered site.

No guarantee is made to the accuracy of this data. The accuracy comes down to what we found in the source.

CMS Usage in the Top 1 Million Sites

Here, we compare WordPress against its rival content management systems. It is clear to see WordPress is well out in front in 2019.

The popularity of WordPress gets quoted in everything from marketing materials to security incident reports. It is nice to see that the often quoted 30% figure is close even when counting the worlds highest traffic sites.

Web Servers of the Top 100K WordPress Sites

These statistics are based on the front-end web server delivering the WordPress site to the browser. The results are based on the initial HTTP header (Server:).

In the following chart, the total number for the web server technology is the focus.

Keep in mind the front-end servers powering Cloudflare are Nginx based, and the growing openresty is also built on Nginx. Putting Nginx well out in front as the technology of choice serving the page to the browser. No doubt one of the reasons it was recently acquired by F5 Networks.

More than a handful of sites are running on Microsoft based IIS servers (1275). Included in this number are WordPress powered Microsoft Corporation properties such as Visual Studio.

A closer look at the Cloudflare statistics

Cloudflare continues to be very popular among WordPress administrators. 21.6% of the world's top 100K WordPress sites being served by Cloudflare on front end.

In this breakdown of the WordPress sites being served by cloudflare sites, we can see Cloudflare has grown by a couple of percent since our last analysis performed in 2017.

Don't forget your PHP Upgrades

The latest update to WordPress Core checks the PHP version and will fail if the minimum PHP 5.6.20 is not running. This is interesting when we look at the PHP version within use in the top WordPress sites.

In the HTTP Header responses, we found the PHP version leaking in 28729 sites (28.7%) of the top 100'000. This was found in the X-Powered-By header or in the extended Apache Server Header. The end of life chart shows the percentage of sites within the 28.7% where the version was leaked.

Keep in mind that anything before PHP/7.1 is End of Life and not supported at all from the PHP project - even for critical security patches.

Analysis of installed WordPress Core Version

Looking into the WordPress version goes hand in hand with understanding the security posture of a site. Since the release of WordPress 3.7, automatic updates have been available for WordPress installations.

WordPress Security recommends always run the latest version of WordPress core to ensure security fixes are applied.

There are different ways to determine the version Check out our guide on Attacking WordPress Sitestest of a WordPress installation. For simplicity, only sites with the default Meta Generator banner are included in this break down of versions found. The default generator tag was found on 60009 of the top 100K WordPress sites.

Quite a spread of versions can be seen! Those WordPress 2.x sites really do exist (WordPress 3.0 was released June 2010). There are currently 527 sites running 2.x and 616 sites running WordPress 3.x. This is about 15% less than 2017, so thankfully there are no new 2.x or 3.x installations!

Just over a third of all the sites are running the latest version 5.2.1 (this was the latest version at time of analysis - 3rd June 2019). Version 5.2.1 had been out for 2 weeks at this time.

Only 37.2% of these high traffic sites are running the latest version (2 weeks after release).

All this indicates a lack of standard maintenance procedures on the majority of sites. Administrators still need to improve the adoption of best practice security maintenance processes.

WordPress Hosting Providers

Crunching the numbers for the hosting of the WordPress sites, we simply resolved the IP address of the site. From the IP address, the network block owner was determined by running a simple ASN lookup.

The results show the owner of the hosting net block which is often the hosting provider. Note: some hosting companies may not own the IP block. In these cases, large networks such as Amazon (AWS) and Google (GCP) will include smaller hosting companies.

Managed WordPress Hosting

While the ASN's listed above show the locations of the sites within network blocks, there are also managed WordPress hosting providers whose services sit within some of these ASN's.

For example, the statistics for the Google ASN include the managed hosting provider Kinsta who utilizes Google Cloud for their services.

The data for these managed hosting providers has been pulled from HTTP headers, where clues exist in the server header or other custom headers.

Hosting Locations

Everyone loves a good map. Utilizing the Maxmind GeoLite data the IP address locations were plotted against the list of 100'000 top WordPress sites.

As you can see, either a few sites are running on submarines in the Indian Ocean or, the IP Geolocation data is not 100% accurate. The general distribution of sites around the world is interesting, with expected clusters in the data centres within the USA and Europe.

Network Services

Using passive scan data from Internet wide scanning data sets, we can correlate with our list of WordPress sites and determine common network services.

Interesting to see that nearly 10% of the top sites are running SSH on port 2222 or 22222.

It seems server owners do not like SSH password bots smashing away all day and night and filling their log files.

Are 36% of the top 100000 WordPress sites updating files using the unencrypted FTP protocol? Let's hope not. It is, of course, possible to use FTP over TLS/SSL, and this can be configured to work over port 21. Let's hope all those high value sites are using encrypted communication.

IPv6 Adoption in the Top WordPress Sites

The rollout of IPv6 continues to crawl at a slow pace in most parts of the world. This is evident by the fact only 23.6% of the world's highest traffic WordPress installation have IPv6 enabled on server.

Google has statistics indicating they are seeing 29% of traffic being IPv6 globally. Maybe its time that web site owners jumped on the IPv6 wagon.

WordPress Plugin and Theme Analysis

Analysis of WordPress plugins is limited to those that are detectable through passive analysis. In this instance, passive analysis is through examination of a regular web request and parsing the HTML and HTTP headers. More aggressive plugin detection can be achieved through brute-forcing plugin paths. Check out our guide on Attacking WordPress Sites However, this generates thousands of web requests and is only used by malicious actors and vulnerability scanning tools.

SEO Plugins

When it comes to improving the SEO of a WordPress site, there are two plugins that come to mind;

1. WordPress SEO by Yoast
2. All in One SEO.

The nice thing about these plugins is they put a comment in the HTML source, allowing it to be identified. Recently, a new contender has entered the scene - SEO Framework. According to the stats, it has plenty of ground to cover to catch up.

Compared to 2017, Yoast SEO has really hit the accelerator now with 82% of the install base (of sites running an SEO plugin).

Identification was performed by checking for the plugins default comment. Of course it is possible that some sites have removed the comment.

WordPress Caching Plugin Showdown

Fast sites make users happy. They also make Google happy following the update to the search algorithm that takes site speed into account. Understandably these factors make WordPress Caching Plugins a popular choice for most serious sites.

The most popular caching plugins include comments in the HTML (by default) identifying the plugin in use. By searching for these comments, it was possible to gather numbers for the most popular caching plugins.

Top 25 WordPress Plugins

The numbers become a bit rougher when determining the plugins in use. Unless the plugin has a default comment in the code, such as the SEO plugins and caching plugins, it gets a bit harder to determine plugins in use.

Many plugins load resources from the plugin folder (css or js), and this is the best way to identify plugins used passively.

So to determine the Top 25 plugins listed below, the HTML was searched for /wp-content/plugins/$plugin/. Then the plugin names were extracted simply using the path. An additional caveat: it is now common for javascript and css to be minified to improve site performance. If minified code is in use, this method of identifying plugins no longer works.

Top 25 WordPress Themes

Using a similar methodology as the above plugin identification, we were able to identify the WordPress theme in use. Searching for the path /wp-content/themes/$theme/ in HTML and counting the most common occurrences. Many sites will use custom themes and have changed the path, however, identification of the most common should be fairly accurate using the large sample size.

It is interesting to note that even the default themes (twentysixteen, twentyseventeen) that ship with WordPress make an appearance in the list. Showing that a flashy theme does not make the site, content matters.

 Article first published in 2012. Most recently updated June 2019.

The post Analysis of Top 100K WordPress Sites appeared first on HackerTarget.com.

In March 2012 we conducted a similar survey, that was presented in an info-graphic. Since March 2012 there has been an awareness campaign and much press around World IPv6 day on June 6th 2012. These latest results are a good indication of how much progress has been made.

Total IPv6 Enabled Sites in the Top 1 Million

In August 2012 there were 26776 IPv6 enabled websites in the Alexa Top 1 million. This compares with 11237 in March 2012.

Websites that enable IPv6 by Netblock owner

In this chart we start to get a picture of where the increase in IPv6 enabled websites has come from. Google has played a major part in this increase. In fact digging deeper into the results reveals that apart from some relatively small increases the only major change since March has been due to the adoption of IPv6 by Google based properties.

Top Hosting Providers and Netblock Owners of IPv6 enabled websites in Top 1 million

Websites that enable IPv6 by Country

Earlier in the year, we saw Germany, Russia and other European nations were well ahead of the USA in the adoption of IPv6 as a percentage of the sites in the country. Now it is clear that the move by Google to enable IPv6 across its web sites has given the United States a given a major boost.

Dark blue are the numbers from March, with the lighter blue the latest August 2012 numbers.

IPv6 enabled web servers

Finally we see again the huge difference that Google has made in the statistics. The GSE server is Blogger / Blogspot powered web sites. Google Front End and GWS are the servers of other sites within the Google web site property base.

In the event that you have not caught on yet, the primary reason why the move by Google to enable IPv6 has caused such an impact on the results is that Blogger and Blogspot make up around 15'000 sites in the Alexa top 1 million. In fact a simple search shows 14914 sites with .blogspot. or .blogger. in the web site host name. Hence when these Google owned properties enabled IPv6, the number of sites in the Alexa top million with IPv6 addressing more than doubled overnight.

The post Leading websites that enable IPv6 now at 2.68% appeared first on HackerTarget.com.

Methodology

To determine themes in use by the world's most popular WordPress based websites, a search of the source html from the primary page was analysed for wp-content/themes/. This is a good indication of a WordPress installation, and also reveals the theme in use.

As expected from a free open source content management system, of the 160438 sites we found with WordPress themes, many are running free themes, but many are also running premium commercial themes.

Top 5 Premium WordPress Theme Providers

To determine the commercial themes in use, the 100 most popular themes have been counted (35930 total wordpress sites). Of the 100 most popular themes, 51% were premium or commercial themes. This clearly shows how significant the WordPress "economy" is in the world of web development.

Of the commercial themes, Thesis Theme Framework, StudioPress, Woothemes, OptimizePress and Elegant themes were the top 5 providers in the 100 most popular themes.

It is interesting to note the high number for the OptimizePress theme. This is a single purpose theme, whereas the others in the Top 5 are all theme frameworks. OptimizePress is very much a sales-focused theme, using techniques such as "funnels" and "squeeze pages" to push users into a sales pitch. It shows that WordPress is much more than just a blogging platform.

Woothemes has the most popular general purpose commercial theme with its "canvas" theme coming in at number 16.

Free themes are of course very popular with the top 2 themes come bundled with WordPress default installations (twentyten and twentyeleven).

Summary of the Top 20 WordPress Themes

1.		Twentyten The default WordPress theme for 2010, it just so happens to be the most popular wordpress theme in the top 1 million websites. Total Sites: 3096
2.		Twentyeleven The default WordPress theme for 2011, and hot on the heels of 2010, this theme is the second most popular. Total Sites: 2793
3.		Thesis 18 This version of the Thesis theme framework comes in as the highest commercial listing. This entry is a theme framework, and not an individual theme. Total Sites: 1706
4.		Optimize Press This commercial theme is a very popular theme that is dedicated towards driving a visitor towards the sale of a product or sign-up. Total Sites: 1457
5.		Thesis 182 This is a later version of the Thesis theme framework and comes in as the third highest commercial listing. Note this is a theme framework, and not an individual theme. Total Sites: 1144
6.		Default This was the default theme for WordPress versions 1.5 up until 2.9. When browsing the web sometimes this old timer still pops up and these stats confirm that it is still kicking strong. Total Sites: 918
7.		Mystique First release was back in 2009, this theme has recently been moved into a Framework like core called Atom. Total Sites: 916
8.		Arras A clean magazine style theme that comes in multiple color variations. While the Arras theme is a Free download commercial child themes are being developed. Total Sites: 868
9.		Atahualpa Bytes for All have a handful of Free wordpress themes, Atahualpha being the most popular. Total Sites: 795
10.		Suffusion A versatile Free theme with a 5 star rating at the WordPress theme directory. Total Sites: 766
11.		Inove A popular theme that was last updated back in 2009. Are the sites running this getting no updates or do people just love this theme? Total Sites: 758
12.		Thesis 184 This commercial Framework makes another appearance with version 184. Note this is a theme framework, and not an individual theme. Total Sites: 726
13.		Graphene Another popular free theme, the developer actively offers paid customisation and support. Total Sites: 654
14.		Article Directory A popular example of a custom purpose theme. This turns your WordPress installation into a feature packed article directory. It is a commercial offering. Total Sites: 604
15.		Lifestyle A commercial theme from Studio Press. Works with the Genesis Framework. Total Sites: 581
16.		Canvas A commercial theme from Woothemes. Uses the Wooframework, this theme is designed to be highly customisable. Total Sites: 562
17.		News Another commercial theme from Studio Press makes an entry into the list. Uses the Genesis Framework. Total Sites: 500
18.		Magazine Basic A free theme from a now commercial theme house. Total Sites: 465
19.		Arthemia A commercial theme available from Colorlabs. Total Sites: 418
20.		Headway 2013 A commercial theme available from Headway themes. Total Sites: 409

Premium vs Free Themes in the Top 20

This shows a very different result to the statistic for the top 100. In the Top 20, only 35% are premium themes. This appears due to the large number of twentyten and twentyeleven themes in use.

WordPress.com Hosting in the Top 1 Million

Over at wordpress.com, you can get free hosting for a wordpress installation. They also offer a VIP hosting option for commercial-grade hosting. Looking at the theme paths we can see that 2.8% (4492) of the 160k wordpress sites are running on wordpress.com path /wp-content/themes/pub/ and 147 are running on wordpress.com in a paid for capacity /wp-content/themes/vip/.

Related Articles

• Infographic detailing various statistics of the Top 100K WordPress sites (March 2011)
• Analysis of Top 100K WordPress Sites
• Woothemes Framework Updates - Security Analysis (June 2012)

The post WordPress themes in top 1 million websites appeared first on HackerTarget.com.