Website Hacking Statistics You Should Know in 2021

Updated: February 1, 2021 by Agnes Talalaev

Is this article you can read about the latest website hacking statistics from 2021.

How many people get hacked a year? How many websites are hacked every day? Which are the most hacked websites? How often do hackers attack?

Unfortunately, cyber-attacks have become so rampant that it’s impossible to nail down these numbers. You’d need a global study that reached out to millions of people and organizations.

But that doesn’t mean we don’t have the numbers to be prepared for cyber attacks. We know a lot about cyberattacks and the statistics on website hacking offer valuable insights.

These updated statistics on website hacking should give you an idea of just how difficult it is to ensure website security each passing year. Any software can be hacked if you do not deploy security measures and follow best practices.

Website Hacking Statistics

Cybersecurity is now a frequent issue for companies. Websites get hacked every day and some of those hacks are fatal to the business.

“Cybercrime is the greatest threat to every company in the world.”

IBM’s chairman, president and CEO

In order to give you a better idea of the current state of threats, we’ve compiled a list of must-know statistics on website hacking.

Let’s dig in.

Website hacking statistics

How often do hackers attack? It’s an incredibly tough question to answer, but you can get some idea from the reports the cybersecurity experts produce every year.

A 2003 study found that there is an attack every 39 seconds on average on the web. Insecure usernames and passwords give attackers greater chances of success. Unfortunately, the web has grown so much that such studies are not realistic any more.

Website Hacking Statistics

However, you should know that an attack does not always mean a hacked website. For example, we at WebARX see thousands of attacks targeted at the websites we protect every day.

These attacks are logged and monitored by our firewall system, and the web application firewall on the website makes sure the attacks aren’t successful.

It’s not any easier to answer how many websites are hacked every day or every year, especially because not all hacks or attacks are publicly disclosed.

A 2019 report found that security breaches had increased by 67% over the last five years.

(Source: Accenture)
Website Hacking Statistics

However, a study that compiled publicly disclosed breaches found that 18.5 million records were compromised every day in 2018. This amounts to 214 records every second. (Source: Breach Level Index)

This, though, is an average. In general, breaches are actually rare.

Accenture’s 2019 survey showed a 11% increase in breaches from 130 in 2018 to 145 in 2019.

(Source: Accenture)

However, when they do happen, a lot of records get stolen all at once.

73% of black hat hackers said traditional firewall and antivirus security is irrelevant or obsolete.

(Source: Thycotic.com)

This is true, but only when we’re talking about targeted attacks. A targeted attack is when a hacker has specifically chosen your website and is trying to find an entry point.

Attacks that are more broadly targeted at websites or web applications, in general, are implemented using automated tools. This means that an automated tool has been programmed to search for a specific vulnerability or software that has a vulnerability.

Hacking websites with automatic tools are popular because hackers can cast a wide net with little effort.

This is what happens with WordPress sites, hackers try to exploit vulnerabilities in popular plugins and search for websites using specific plugins that have vulnerabilities. This is when a firewall with virtual patches can protect you.

Hackers created over 65 million new malware in the first quarter of 2019 alone.

(Source: McAfee)

A Kaspersky report says that its platform identified 24,610,126 “unique malicious objects” in 2019, a 14% increase over 2018.

(Sources: CSO)

On average 30,000 new websites are hacked every day.

(Source: Forbes)
Website Hacking Statistics

These sites are usually legitimate small business websites that are unwittingly distributing malware. You can read about why anyone would hack a small business website here.

In fact, a 2020 report found that it took an average of 280 days to even identify a breach.

(Source: IBM)

2020 was an unusual year due to COVID-19 and the global pandemic. The disturbances to regular life were reflected in website security statistics as well.

Online threats have increased by as much as six times their usual levels.

(Source: Info Security Magazine)
Website Hacking Statistics

The FBI reported a 300% increase in the number of cybercrimes, from about 1,000 cases to between 3,000 and 4,000 cases each day.

(Source: The Hill)

What do the stats have to say about how hacks happen?

Well, a 2019 Sucuri report found that 47% of all hacked websites contained at least one backdoor. A backdoor is a vulnerability that allowed hackers access to the website.

Website Hacking Statistics

Such vulnerabilities happen because of issues with a CMS, like WordPress, or with the other applications used to build and maintain a website. These vulnerabilities are usually found and fixed. However, not all website owners update the software frequently.

Do you want to set up auto-update for vulnerable WordPress plugins? Learn more on how to do that here.

In 2019, over 56% of all CMS applications were out of date when hacks happened.

(Source: Sucuri)

Not updating software is among the many poor practices many site owners are guilty of. Another is falling back on default passwords.

Most common passwords used

PositionPasswordUsersTime to Crack PasswordNo. of Times Exposed
11234562,543,285Less than a second23,597,311
2123456789961,435Less than a second7,870,694
3picture1371,6123 Hours11,190
4password360,467Less than a second3,759,315
512345678322,187Less than a second2,944,615
6111111230,507Less than a second3,124,368
7123123189,327Less than a second2,238,694
812345188,268Less than a second2,389,787
91234567890171,724Less than a second2,264,884
10senha167,72810 Seconds8,213
(Source: Nordpass)

While this does not represent passwords website managers use, poor passwords is one reason for hacked websites.

Website hacking statistics for WordPress

WordPress websites are a top target for hackers because of their massive user base. BuiltWith tracks over 27 million websites live WordPress sites.

The threat is not with WordPress itself, but the wide range of third-party plugins that are used by WordPress users. A lot of developers or WordPress website owners have experienced attacks and hacks because of plugin vulnerabilities or poor security practices.

While WordPress is constantly updating its core, improved security does not extend to its plugins. This is because WordPress is an open-source ecosystem that is reliant on third-party developers, and without plugins, users cannot extend the basic functionalities of the platform.

The vulnerabilities found in WordPress plugins can range from the disclosure of sensitive information to SQL injection, and remote code execution.

Since WordPress is used by over 40% of all websites in the world, it unsurprisingly also registered the most number of vulnerabilities among the most commonly used content management systems.

WordPress had 542 vulnerabilities reported in 2018, a 30% increase from 2017.

According to the official WordPress site, the current number of plugins is 57,994. In fact, the number of plugins has decreased since the end of 2018.

Despite fewer new plugins in the ecosystem, the number of WordPress vulnerabilities has increased. One explanation could be that the code quality of the plugins has gone down.

Or, attackers are more motivated to take advantage of WordPress’ growing user base, and have developed more tools for hacking websites.

Website Hacking Statistics

A worrisome website hacking statistic is that well over 90% of WordPress vulnerabilities are related to plugins or themes.

One report found that as much as 98% of WordPress vulnerabilities are due to plugins while another study reported that 95% of vulnerabilities were because of plugins and themes.

Protect your websites from plugin vulnerabilities.

Try WebARX for free

The most popular vulnerability types in WordPress plugins are Cross-site Scripting and SQL Injection.

According to CVE Details, WordPress sites are most vulnerable to XSS attacks. This is followed by code execution, and the different bypass vulnerabilities.

What is even the most worrisome is that in the top 10 WordPress plugins with the most vulnerabilities, there is an e-commerce plugin and two security plugins. These are also very popular, with over 10 million combined active installs.

Sources: WPScan, Imperva

So, never forget that anyone can create a WordPress plugin and publish it. WordPress is open source and no one’s performing an extensive code analysis before it is sent out into the real world.

The security standards for these plugins are not as high as it should and so they are prone to vulnerabilities.

Website hacking statistics: web application vulnerabilities

Web applications have become the #1 target for the exploitation of vulnerabilities and, unfortunately, all kinds of software are prone to security breaches.

In 2018 researchers found around 70 types of weaknesses in web applications. As always, cross-site scripting (XSS) vulnerabilities are present in many web applications. (Source: PT Security)

A 2019 study found that hackers could attack users in 9 out of 10 web applications they analyzed. In addition, breach of sensitive data was a threat in 68% of web applications. (Source: PT Security)

Another 2019 study found that 46% of web applications have critical vulnerabilities, and a whopping 87% had “medium” security vulnerabilities. 

(Source: Acunetix)
Website Hacking Statistics

Four out of five web applications contained configuration errors such as default settings, standard passwords, error reporting, full path disclosure, and other information leaks that might have value for potential intruders. (Source: PT Security)

30% of web applications are vulnerable to XSS.

Acunetix’s report “Web Application Vulnerability 2019”

Usually, the attacker’s goal is to get the victim to run a maliciously-injected script, which is executed by a trusted web application. In this way, the cybercriminal can steal the user’s data, or even modify applications to send sensitive data to a recipient.

Do you have any vulnerable plugins on your site?

Scan to find out!

Try WebARX for free

There are different sources for statistics on website security, and some information varies based on the scope of each study. According to the latest ENISA Threat Landscape Report, two-thirds of web application attacks included SQL injection attacks.

There was a 52% increase in the number of web application attacks in 2019 compared with 2018. And 84% of observed vulnerabilities in web applications were security misconfiguration. (Source: ENISA)

Web professionals worry about website security

In the second quarter of 2020, we surveyed over 300 web developers, freelancers, and digital agencies. The aim was to understand if they are worried about website security, which makes them worry, and what are the challenges they want to overcome.

The responses were shocking. Two hundred forty-three (243) respondents stated that they were increasingly worried about website security.

This means over 70% of digital agencies and freelancers are worried about website security. This number was slightly higher (75%) among WordPress users.

website security survey report

Source: WebARX website security survey 2020

The data also revealed that while agencies and web professionals are both increasingly worried and have challenges with regards to website security, only a little less than half (45%) take proper measures to protect the sites they’re responsible for.

During the first half of the year, we at WebARX also noticed an increased number of attacks targeted at websites. Since COVID-19 demanded that we move to remote work arrangements, we also used the internet much more. This resulted in increased cyber-attacks and attacks targeted at websites, which meant more work for us.

Have you seen a change in the number of attacks targeted against your websites?

The survey backs this up as well. Almost 45% of the respondents have seen an increase in attacks targeted at websites they’re managing. We also discovered that 25% of the responders had to deal with a hacked website in the month prior to participating in the survey.

Want to read more about our findings? Download the free PDF report here.

People are more worried about a cyber-attack than real-life attack

According to a 2018 study, Americans are more worried about cybercrime than violent crimes — including terrorism, being murdered, and being sexually assaulted. Not only are Americans more worried about cybercrime than other crimes, but their worries about cyber crimes have been consistent for a decade now. (Source: news.gallup.com)

Website Hacking Statistics
Source: news.gallup.com

As you can see, the study states that of the 13 crimes measured, Americans continue to worry most about cybercrimes. 71% worry about the hacking of personal data while 67% about identity theft.

To put it in perspective, only 24% were worried about being a victim of terrorism, 22% about being attacked while driving, 20% about being sexually assaulted, and 17% about being murdered.

Of course, organisations are just as likely to be attacked as individuals.

A study of more than 4,000 organizations across the US, UK, Germany, Spain, and the Netherlands found that 61% reported a cybersecurity incident in 2019. In addition, 47% of small enterprises reported an incident; it was 33% in 2018.

Ironically, most organizations were unprepared and would be seriously impacted by a cyber attack. The study found that a whopping 73% of companies were not ready for a cyber attack. (Source: Hiscox)

The 2020 update of the study had a bit of a surprise. The good news — the total number of respondents who reported a cyber incident fell from 61% to 39%. But the bad news — the median cost of an attack went up from $10,000 to $57,000. (Source: Hiscox)

Conclusion about website hacking statistics

These website hacking statistics have highlighted how important it is to always be on top of what happens with your company, the people, and the software you are using.

To be secure, you should always keep the software you use updated and monitored. Make sure you are always aware of the components/plugins you’re using on your web applications and always remove the ones that you are not using.

Choose a trustworthy hosting provider. You can learn about how to choose a hosting provider here.

It is also important to choose the right security provider for your WordPress site or any web application. When it comes to WordPress security plugins, we first recommend you get a better understanding of the WordPress security plugins ecosystem and how they work.

Find one that can offer virtual patching. Before enabling a firewall on your web app, take a look at the code.

If you haven’t got the technical skills to evaluate the chosen firewall code, let a professional help you out. Always remember that when it comes to security, do your research before buying a fancy bucket of hope. Be critical and be smart.

How many websites are hacked every day?

On average 30 000 new websites are hacked every day. These 30 000 sites are usually legitimate small businesses sites, that are unwittingly distributing malware.

How many people use WordPress sites?

WordPress is used by over 35% of all websites and it is unsurprisingly also registered as the one with the highest number of vulnerabilities. About 98% of WordPress vulnerabilities are related to plugins.

How often do web hacks take place?

Hackers attack every 39 seconds, on average 2,244 times a day.

What are the most hacked websites?

It’s hard to say which are the most hacked websites. Statistically, WordPress sites are the most targeted. is the main target It is because it has a massive user base and WordPress developers use a lot of unprotected and untested third-party code (plugins and themes) on their sites. So the main problem is not WordPress core itself, but the third-party plugins and themes that are used by WordPress developers.

Resources used in the article:


Start your free 7-day trial now

Protect your websites from malicious traffic - set-up in under 3 minutes.

Try it now

WebARX is compatible with the following platforms: