Note: WordPress is Used by Everyone


You may have heard that "most websites are made with WordPress." Turns out they are not! Nevertheless, a significant number of websites do use WordPress in some way or form.

In 2021, WordPress was used by 40% of the top 10 million websites in the world.[1]

"Most" means, at the very least, more than 50%. Actually, according to a study of the English language, "most" typically means even more than that!

When people use the word "most," the study found, they don't usually mean the whole range of 51-99%. The common interpretation is much narrower, understood as a measurement of 80 to 95% of a sample -- whether that sample is of people in a room, cookies in a jar, or witnesses to an accident.

https://www.sciencedaily.com/releases/2009/11/091119121302.htm (accessed 2024-11-08)

Naturally, 40% isn't over 50%, so we can't say "most" are made with WordPress.

In fact, we can't even say "made with" WordPress.

The cited statistic explicitly explains that it avoids the term "made with WordPress" and chooses "uses WordPress" because there are many websites that use WordPress for a blog in a subdomain (e.g. blog.thunderbird.net), while the main www website is made with something else.

Nevertheless, 40% is nothing to scoff at, and while the study is from 2021 and usage may have changed somewhat since then, it's unlikely that a drastic change has occurred. The front page of W3Techs.com even features a table that says this:

| CMS | Usage |
|---|---|
| WordPress | 43.7% |
| Shopify | 4.6% |
| Wix | 3.1% |
| Squarespace | 2.2% |
| Joomla | 1.6% |

Comparison of CMS Usage Percentage According to W3Techs.com, circa October 2024.

I don't see Drupal there. Most importantly, I don't see Django, Rails, or Node there, either. It could be that some technologies are harder to discover since they don't automatically output a generator declaration in HTML or HTTP, which means researchers can't easily tell something is powered by these other frameworks. Or it could simply be that everybody uses PHP, and statistics about these other frameworks that almost nobody uses are hidden somewhere within the W3Techs.com website.

Anyway, as we can see, WordPress remains used by most, err, a significant number of websites, which means that features that WordPress provides, such as RSS, are also available in most, err, a significant number of websites by default. If you're wondering whether or not WordPress is good enough for you, just remember that most, err, a significant number of websites use it, and they're doing just fine.

Except for all the spam, hacking attempts, and vulnerabilities and exploits found in WordPress plugins.

But those problems only happen with WordPress because WordPress is used by most, err, a significant number of websites. Bad actors operate a business of abuse, and like any business, there are costs, profit margins, and returns on investment (ROIs). The ROI for exploiting a technology used by most, err, a significant number of websites is much greater than the ROI of exploiting a technology used by 1.6% of the websites like Joomla.

That's why WordPress gets more spam and hacking attempts than other technologies: because everybody uses it.

There are only two kinds of [content management frameworks]: the ones people complain about and the ones nobody uses

A snowclone of a famous saying by Bjarne Stroustrup (accessed 2024-11-08).

If a hacker figures out how to spam a WordPress website, they figure out how to spam 40% of the websites on the entire web. By default, this is trivial to do.

To post a comment on WordPress, an HTTP client (e.g. a web browser) needs to send a POST HTTP request to the /wp-comments.php endpoint. This works on any WordPress website by default. Which means if you can craft this request with a bot, it WILL work on most websites made with WordPress because they will be on the default settings unless they have enabled a plugin to deal with spam comments.

Similarly, /wp-login.php is the endpoint for logging in that all WordPress websites have by default. Most of the automated hacking attempts I personally get on my WordPress website are bots trying to log in using the username admin. These bots aren't trying to hack MY website, which is made with WordPress; they're trying to hack ANY website that is made with WordPress.

If any WordPress website has the credentials admin for username and admin or 123456 for password, it will probably get hacked, because bots are constantly trying to hack into every single website on the Internet using these credentials and the WordPress login endpoint.

To be clear: the bots aren't smart. They don't even check if a website is made with WordPress or not. They don't need to. When 40% of the websites use WordPress, it's easier to just assume every single website is made with WordPress and get it right 40% of the time than to waste time checking. In practice, it's going to be less than 40%, because some websites only "use" WordPress in a subdomain and aren't "made" entirely with WordPress. But the point stands. Websites that aren't made with WordPress get hit with WordPress-based hacking attempts too.

Because everybody uses WordPress.
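One way to see this traffic in your own access logs, as an added example that is not part of the original article: the Python below counts failed login POSTs to /wp-login.php per client and lists clients that probe that path on a site without WordPress. The log lines are constructed, and the rule that a failed login returns 200 while a success returns 302, as well as the threshold of 3, are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in "combined" access-log format (not real traffic).
WP_SITE_LOG = """\
203.0.113.7 - - [08/Nov/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "bot"
203.0.113.7 - - [08/Nov/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "bot"
203.0.113.7 - - [08/Nov/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "bot"
198.51.100.4 - - [08/Nov/2024:10:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.4 - - [08/Nov/2024:10:01:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [08/Nov/2024:10:02:00 +0000] "GET /about/ HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""
OTHER_SITE_LOG = """\
203.0.113.7 - - [08/Nov/2024:11:00:01 +0000] "POST /wp-login.php HTTP/1.1" 404 153 "-" "bot"
192.0.2.55 - - [08/Nov/2024:11:00:09 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def login_requests(log_text):
    """Yield (ip, method, status) for every request to /wp-login.php."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Strip the query string so /wp-login.php?action=... also counts.
        if m and m["path"].split("?", 1)[0] == "/wp-login.php":
            yield m["ip"], m["method"], int(m["status"])

def failed_logins(log_text):
    """Count login POSTs per client that did not end in a redirect.
    Assumption: a failed login re-renders the form (200), a success redirects (302)."""
    return Counter(ip for ip, method, status in login_requests(log_text)
                   if method == "POST" and status != 302)

def brute_force_suspects(log_text, threshold=3):
    """Clients with at least `threshold` failed login POSTs (threshold is illustrative)."""
    return sorted(ip for ip, n in failed_logins(log_text).items() if n >= threshold)

def blind_scanners(log_text):
    """Clients probing /wp-login.php on a site that has no such file (404)."""
    return sorted({ip for ip, _, status in login_requests(log_text) if status == 404})

if __name__ == "__main__":
    print("brute-force suspects:", brute_force_suspects(WP_SITE_LOG))
    print("blind scanners:", blind_scanners(OTHER_SITE_LOG))
```

The same client address appears in both constructed logs to mirror the point above: the bot sends the login request whether or not the site runs WordPress.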

References

Written by Noel Santos.

About the Author

I'm a self-taught Brazilian programmer who graduated in IT from a FATEC. In a world of increasingly complex and essential computers, I decided to use my technical expertise in hardware, desktop applications, and web technologies to create an informative resource to make PCs easier to understand.
