Sucuri 2023: 39.1% of CMS apps outdated at point of infection (down from 50.58% in 2022)
Created 2026-05-22
Quote (Sucuri 2023 Hacked Website & Malware Threat Report, June 12, 2024):
"39.1% of all CMS applications were outdated at the point of infection."
Companion findings (same report):
- 13.97% of compromised sites had at least one vulnerable plugin or theme present
- 49.21% had at least one backdoor at remediation
- 42.22% had SEO spam (Japanese SEO spam .htaccess: 10.07% — the most common single infection)
- 55.2% of infected databases had malicious WordPress admin users
Year-over-year context: Sucuri's 2022 report (April 2023) reported 50.58% of compromised CMS apps were outdated. The 39.1% → 50.58% improvement reflects real progress, but outdated CMS is still the most common environment for a compromise.
Source: https://blog.sucuri.net/2024/06/2023-hacked-website-malware-threat-report.html
Confidence: Verified.
Referenced by (4)
- reference Verizon DBIR 2025: 88% of SMB breaches involved ransomware vs 39% of enterprise; median ransom $115k relates-to
- reference Reference framework: which website dimensions decay vs compound over 10 years (12-dimension matrix) depends-on
- rule RULE: Plugin count is the WordPress security surface. Audit quarterly; one-in, one-out rule. depends-on
- reference Research brief: Built to Last — why most SMB sites rebuild every 3-4 years (piece 5 of 15) relates-to