Updated: 22-02-21

Website Hacking Statistics You Should Know in 2021

Agnes Talalaev
from patchstack

In this article, you can read about the latest website hacking statistics from 2021.

These updated statistics on website hacking should give you an idea of just how difficult it is to ensure website security each passing year. Any software can be hacked if you do not deploy security measures and follow best practices.

Cybersecurity is now a frequent issue for companies. Websites get hacked every day and some of those hacks are fatal to the business.

“Cybercrime is the greatest threat to every company in the world.”

IBM’s chairman, president, and CEO

In order to give you a better idea of the current state of threats, we’ve compiled a list of must-know statistics on website hacking.

How often do hackers attack?

A study made in 2003 (remember, it's 2021 right now) found that there is an attack every 39 seconds on average on the web. Insecure usernames and passwords give attackers greater chances of success. Unfortunately, the web has grown so much that such studies are not accurate anymore.

Does every hacker attack always result in a hacked website?

An attack does not always mean a hacked website. For example, we at Patchstack see thousands of attacks targeted at the websites we protect every day.

These attacks are logged and monitored by our firewall system, and the web application firewall on the website makes sure the attacks aren’t successful.

It’s not any easier to answer how many websites are hacked every day or every year, especially because not all hacks or attacks are publicly disclosed.


Are security breaches increasing or decreasing?

A 2019 report found that security breaches had increased by 67% over the last five years.

(Source: Accenture)

However, when they do happen, a lot of records get stolen all at once.

73% of black hat hackers said traditional firewall and antivirus security is irrelevant or obsolete.

(Source: Thycotic.com)

This is true, but only when we’re talking about targeted attacks. A targeted attack is when a hacker has specifically chosen your website and is trying to find an entry point.

Attacks that are more broadly targeted at websites or web applications, in general, are implemented using automated tools. This means that an automated tool has been programmed to search for a specific vulnerability or software that has a vulnerability.

How many websites get hacked every day? 

On average 30,000 new websites are hacked every day.

(Source: Forbes)

How are website hacks done?

The most common way websites get hacked is by automated tools. Hacking websites with automatic tools is popular because hackers can cast a wide net with little effort.

This is what happens with WordPress sites, hackers try to exploit vulnerabilities in popular plugins and search for websites using specific plugins that have vulnerabilities. This is when a firewall with virtual patches can protect you.

Hackers created over 65 million new malware in the first quarter of 2019 alone.

(Source: McAfee)

A Kaspersky report says that its platform identified 24,610,126 “unique malicious objects” in 2019, a 14% increase over 2018.

(Sources: CSO)

website hacking statistics

These sites are usually legitimate small business websites that are unwittingly distributing malware. You can read about why anyone would hack a small business website here.

How many days does it take to identify a security breach?

A 2020 report found that it took an average of 280 days to even identify a breach.

(Source: IBM)

2020 was an unusual year due to COVID-19 and the global pandemic. The disturbances to regular life were reflected in website security statistics as well.

How has COVID-19 affected cybersecurity?

Online threats have increased by as much as six times their usual levels.

(Source: Info Security Magazine)

website hacking statistics

The FBI reported a 300% increase in the number of cybercrimes, from about 1,000 cases to between 3,000 and 4,000 cases each day.

(Source: The Hill)

What do the stats have to say about how hacks happen?

Well, a 2019 Sucuri report found that 47% of all hacked websites contained at least one backdoor. A backdoor is a vulnerability that allowed hackers access to the website.

Such vulnerabilities happen because of issues with a CMS, like WordPress, or with the other applications used to build and maintain a website. These vulnerabilities are usually found and fixed. However, not all website owners update the software frequently.

Do you want to set up auto-update for vulnerable WordPress plugins? Learn more on how to do that here.

In 2019, over 56% of all CMS applications were out of date when hacks happened.

(Source: Sucuri)

How much time does it take to crack a password?

The password "123456" takes less than a second to crack. The password "picture1" takes about 3 hours to crack. Look for more examples from the table below. 

Not updating software is among the many poor practices many site owners are guilty of. Another is falling back on default passwords.

website hacking statistics

Are poor passwords the reason why websites get hacked?

Yes, one of the reasons websites get hacked can be poor passwords.

Read more: Everything you should know about passwords and password management.

Website hacking statistics for WordPress

Why are WordPress sites targeted by hackers?

WordPress websites are a top target for hackers because of their massive user base. BuiltWith tracks over 27 million websites live WordPress sites.

What is the main threat to WordPress sites?

The threat is not with WordPress itself, but the wide range of third-party plugins that are used by WordPress users. A lot of developers or WordPress website owners have experienced attacks and hacks because of plugin vulnerabilities.

But WordPress gets constant updates...?

While WordPress is constantly updating its core, improved security does not extend to its plugins. This is because WordPress is an open-source ecosystem that is reliant on third-party developers, and without plugins, users cannot extend the basic functionalities of the platform.

What kind of vulnerabilities are in WordPress plugins?

The vulnerabilities found in WordPress plugins can range from the disclosure of sensitive information to SQL injection, and remote code execution.

Since WordPress is used by over 40% of all websites in the world, it unsurprisingly also registered the most number of vulnerabilities among the most commonly used content management systems.

WordPress had 542 vulnerabilities reported in 2018, a 30% increase from 2017.

According to the official WordPress site, the current number of plugins is 57,994. In fact, the number of plugins has decreased since the end of 2018.

Have WordPress vulnerabilities increased or decreased?

Despite fewer new plugins in the ecosystem, the number of WordPress vulnerabilities has increased. One explanation could be that the code quality of the plugins has gone down. Other is that there is an active security community - Patchstack Red Team that looking for vulnerabilities on a daily basis. 

It can also be that attackers are more motivated to take advantage of WordPress’s growing user base and have developed more tools for hacking websites.

website hacking statistics

Where are WordPress vulnerabilities found?

A worrisome website hacking statistic is that well over 90% of WordPress vulnerabilities are related to plugins or themes. One report found that as much as 98% of WordPress vulnerabilities are due to plugins while another study reported that 95% of vulnerabilities were because of plugins and themes.

What is the most popular vulnerability type in WordPress plugins?

The most popular vulnerability types in WordPress plugins are Cross-site Scripting and SQL Injection.

According to CVE Details, WordPress sites are most vulnerable to XSS attacks. This is followed by code execution and the different bypass vulnerabilities.

What is even the most worrisome is that in the top 10 WordPress plugins with the most vulnerabilities, there is an e-commerce plugin and two security plugins. These are also very popular, with over 10 million combined active installs.

website hacking statistics

So, never forget that anyone can create a WordPress plugin and publish it. WordPress is open source and no one's performing an extensive code analysis before it is sent out into the real world.

website hacking statistics

The security standards for these plugins are not as high as they should and so they are prone to vulnerabilities.

Website hacking statistics: web application vulnerabilities

Web applications have become the #1 target for the exploitation of vulnerabilities and, unfortunately, all kinds of software are prone to security breaches.

How many types of weaknesses are in web applications?

In 2018 researchers found around 70 types of weaknesses in web applications. As always, cross-site scripting (XSS) vulnerabilities are present in many web applications. (Source: PT Security)

Are all web applications vulnerable?

A 2019 study found that hackers could attack users in 9 out of 10 web applications they analyzed. In addition, breach of sensitive data was a threat in 68% of web applications. (Source: PT Security) It's also important to remember that there is no 100% security. 

How many web applications have critical vulnerabilities?

Another 2019 study found that 46% of web applications have critical vulnerabilities, and a whopping 87% had “medium” security vulnerabilities. 

(Source: Acunetix)

Four out of five web applications contained configuration errors such as default settings, standard passwords, error reporting, full path disclosure, and other information leaks that might have value for potential intruders. (Source: PT Security)

How many web applications are vulnerable to XSS?

30% of web applications are vulnerable to XSS according to Acunetix’s report “Web Application Vulnerability 2019”

What is the attackers' goal when attacking web applications?

Usually, the attacker’s goal is to get the victim to run a maliciously injected script, which is executed by a trusted web application. In this way, the cybercriminal can steal the user’s data, or even modify applications to send sensitive data to a recipient.

There are different sources for statistics on website security, and some information varies based on the scope of each study.

According to the latest ENISA Threat Landscape Report, two-thirds of web application attacks included SQL injection attacks.

Are web application attacks increasing?

There was a 52% increase in the number of web application attacks in 2019 compared with 2018.

And 84% of observed vulnerabilities in web applications were security misconfiguration. (Source: ENISA)

Web professionals worry about website security

In the second quarter of 2020, we surveyed over 300 web developers, freelancers, and digital agencies. The aim was to understand if they are worried about website security, which makes them worry, and what are challenges they want to overcome.

Are people worried about website security?

The responses to the Patchstack study done with digital agencies and developers were shocking. Two hundred forty-three (243) respondents stated that they were increasingly worried about website security.

This means over 70% of digital agencies and freelancers are worried about website security. This number was slightly higher (75%) among WordPress users.

website hacking statistics
Source: Website security survey 2020

The data also revealed that while agencies and web professionals are both increasingly worried and have challenges with regard to website security, only a little less than half (45%) take proper measures to protect the sites they’re responsible for.

During the first half of the year, we at Patchstack also noticed an increased number of attacks targeted at websites.

Since COVID-19 demanded that we move to remote work arrangements, we also used the internet much more. This resulted in increased cyber-attacks and attacks targeted at websites, which meant more work for us.

website hacking statistics


Source: Website security survey 2020

The survey backs this up as well. Almost 45% of the respondents have seen an increase in attacks targeted at websites they’re managing. We also discovered that 25% of the responders had to deal with a hacked website in the month prior to participating in the survey.

Want to read more about our findings? Download the free PDF report here.

People are more worried about a cyber-attack than a real-life attack

According to a 2018 study, Americans are more worried about cybercrime than violent crimes — including terrorism, being murdered, and being sexually assaulted.

Not only are Americans more worried about cybercrime than other crimes, but their worries about cyber crimes have been consistent for a decade now. (Source: news.gallup.com)


Source: news.gallup.com

As you can see, the study states that of the 13 crimes measured, Americans continue to worry most about cybercrimes. 71% worry about the hacking of personal data while 67% about identity theft.

To put it in perspective, only 24% were worried about being a victim of terrorism, 22% about being attacked while driving, 20% about being sexually assaulted, and 17% about being murdered.

Of course, organizations are just as likely to be attacked as individuals.

A study of more than 4,000 organizations across the US, UK, Germany, Spain, and the Netherlands found that 61% reported a cybersecurity incident in 2019. In addition, 47% of small enterprises reported an incident; it was 33% in 2018.

password management

Ironically, most organizations were unprepared and would be seriously impacted by a cyber attack. The study found that a whopping 73% of companies were not ready for a cyber attack. (Source: Hiscox)

The 2020 update of the study had a bit of a surprise. The good news — the total number of respondents who reported a cyber incident fell from 61% to 39%.

But the bad news — the median cost of an attack went up from $10,000 to $57,000. (Source: Hiscox)

Conclusion about website hacking statistics

These website hacking statistics have highlighted how important it is to always be on top of what happens with your company, the people, and the software you are using.

To be secure, you should always keep the software you use updated and monitored. Make sure you are always aware of the components/plugins you’re using on your web applications and always remove the ones that you are not using.

Choose a trustworthy hosting provider. You can learn about how to choose a hosting provider here.

It is also important to choose the right security provider for your WordPress site or any web application. When it comes to WordPress security plugins, we first recommend you get a better understanding of the WordPress security ecosystem and how they work.

Find one that can offer virtual patching. Before enabling a firewall on your web app, take a look at the code.

If you haven’t got the technical skills to evaluate the chosen firewall code, let a professional help you out. Always remember that when it comes to security, do your research before buying a fancy bucket of hope. Be critical and be smart.

Share This Article
Related Articles
🎁 Take 2 min survey
NO Credit card required

Protect your WordPress sites against plugin, theme and core vulnerabilities