{"id":221,"slug":"sucuri-2023-39pct-cms-outdated-at-infection","title":"Sucuri 2023: 39.1% of CMS apps outdated at point of infection (down from 50.58% in 2022)","kind":"reference","scope":"business","status":"current","audiences":["claude-code","candid-team"],"topics":["wordpress","security-vulnerabilities"],"reference_body":"**Quote (Sucuri 2023 Hacked Website & Malware Threat Report, June 12, 2024):**\n\n> \"**39.1% of all CMS applications were outdated** at the point of infection.\"\n\nCompanion findings (same report):\n- 13.97% of compromised sites had at least one vulnerable plugin or theme present\n- **49.21%** had at least one backdoor at remediation\n- **42.22%** had SEO spam (Japanese SEO spam .htaccess: 10.07% — the most common single infection)\n- **55.2%** of infected databases had malicious WordPress admin users\n\nYear-over-year context: Sucuri's 2022 report (April 2023) reported **50.58%** of compromised CMS apps were outdated. The 39.1% → 50.58% improvement reflects real progress, but **outdated CMS is still the most common environment for a compromise**.\n\n**Source:** <https://blog.sucuri.net/2024/06/2023-hacked-website-malware-threat-report.html>\n\n**Confidence:** Verified.","rationale_body":null,"metadata":null,"links":{"outgoing":[{"slug":"wordfence-2024-attack-volume-54b-requests","title":"Wordfence 2024: 54 billion malicious requests blocked, ~325-350k sites infected on any given day","kind":"reference","scope":"business","link_type":"relates-to"}],"incoming":[{"slug":"verizon-dbir-2025-88pct-smb-ransomware","title":"Verizon DBIR 2025: 88% of SMB breaches involved ransomware vs 39% of enterprise; median ransom $115k","kind":"reference","scope":"business","link_type":"relates-to"},{"slug":"decay-vs-compound-matrix","title":"Reference framework: which website dimensions decay vs compound over 10 years (12-dimension matrix)","kind":"reference","scope":"business","link_type":"depends-on"},{"slug":"rule-reduce-plugin-count-as-security-discipline","title":"RULE: Plugin count is the WordPress security surface. Audit quarterly; one-in, one-out rule.","kind":"rule","scope":"business","link_type":"depends-on"},{"slug":"research-brief-built-to-last","title":"Research brief: Built to Last — why most SMB sites rebuild every 3-4 years (piece 5 of 15)","kind":"reference","scope":"business","link_type":"relates-to"}]},"created_at":"2026-05-22T19:58:12.819Z","updated_at":"2026-05-22T19:58:12.819Z"}