Skip to content
Business Efficiency

We Scanned 10 Million Websites. 82.5% Run on Legacy Frameworks.

WebPulse's Common Crawl analysis detected frameworks across 10,002,735 sites. WordPress powers 7.4 million of them. The entire 'modern web' — Next.js, Astro, SvelteKit, Remix, Hugo combined — accounts for 3.2%. The web you read about is not the web that exists.

· 7 min read
Share on X LinkedIn
We Scanned 10 Million Websites. 82.5% Run on Legacy Frameworks.

The Data Set

WebPulse processed Common Crawl WARC segments from June 2026 and identified web frameworks across 10,002,735 unique domains. This is not a survey. It is not a sample. It is a direct analysis of what web servers actually respond with — HTTP headers, HTML meta tags, JavaScript libraries, CSS patterns, and file path structures that identify the underlying framework.

The results contradict the narrative that dominates developer conferences, tech blogs, and framework comparison articles. The modern web — defined as frameworks released after 2015 with component-based architecture, static generation, or edge deployment — accounts for 17.5% of detectable sites. Legacy platforms — WordPress, Drupal, Joomla, Magento — account for 82.5%.

10,002,735
Total sites analyzed
Common Crawl WARC segments, June 2026. Source: WebPulse WARC Scanner.
82.5%
Legacy framework share
WordPress + Drupal + Joomla + Magento + legacy others. Source: WebPulse, June 2026.
17.5%
Modern framework share
Next.js + Astro + SvelteKit + Remix + Hugo + all others. Source: WebPulse, June 2026.

The WordPress Layer

WordPress accounts for 7,427,780 of the 10 million detected sites — 74.3% of the framework-identifiable web. This is not a CMS market share figure (which counts only sites using a CMS). This is the share of all detected frameworks. Nearly three-quarters of the web's detectable infrastructure runs on a single PHP application with 18,247 cumulative CVEs.

The second-largest framework is Shopify at 7.8% — 777,276 sites. Then Drupal at 4.4%, Joomla at 3.5%. The first modern framework in the ranking is Next.js at 2.6% — 263,488 sites. That means WordPress has 28 times as many sites as Next.js. The entire modern stack — Next.js, Angular, Vue, Rails, React, Nuxt, Astro, Hugo, HTMX, Gatsby, Remix, SvelteKit, Eleventy — combined accounts for 856,815 sites, or 8.6%.

7,427,780 sites (74.3%)
WordPress
28× larger than Next.js. Source: WebPulse WARC, June 2026.
263,488 sites (2.6%)
Next.js (largest modern framework)
First modern framework in the ranking. Source: WebPulse WARC, June 2026.
856,815 sites (8.6%)
All modern frameworks combined
Next.js + Angular + Vue + Rails + React + Nuxt + Astro + Hugo + HTMX + Gatsby + Remix + SvelteKit + Eleventy. Source: WebPulse.

The Security Arithmetic

WordPress's 7.4 million sites carry the cumulative weight of 18,247 NVD CVEs. Hugo's 16,743 sites carry zero CVEs. Astro's 20,080 sites carry 60 CVEs. The security exposure is not proportional — it is exponential. Every WordPress site inherits the attack surface of every WordPress plugin, theme, and core vulnerability. A single CVE in a plugin installed on 500,000 sites creates 500,000 potential entry points simultaneously.

The WARC data reveals the scale of this exposure in raw numbers. There are 7.4 million sites that share the same core vulnerability surface. When CISA adds a WordPress plugin to the KEV catalog, when a supply chain attack hits a popular WordPress theme, when a zero-day targets wp-login.php — the blast radius is 7.4 million sites. No other technology in the history of computing has created this concentration of shared vulnerability.

The Geographic Distribution

The WARC data breaks down by TLD. The .com domain accounts for 3.26 million detections. Russia (.ru) follows at 361,543. Germany (.de) at 222,409. Japan (.jp) at 175,103. France (.fr) at 144,324. Brazil (.br) at 143,867. The .gov TLD — government sites — accounts for 14,349 detections. The .edu TLD — educational institutions — accounts for 82,977 detections. These are not personal blogs. They are institutional infrastructure.

14,349
.gov sites detected
Government infrastructure on detectable frameworks. Source: WebPulse WARC, June 2026.
82,977
.edu sites detected
Educational institution infrastructure. Source: WebPulse WARC, June 2026.

What the Developer Echo Chamber Misses

At developer conferences, the conversation is about React Server Components, Astro Islands, SvelteKit runes, and Remix loaders. On Hacker News, the front page features debates between Next.js and Nuxt, comparisons of Bun vs Deno, and announcements of new edge runtimes. This discourse represents the 3.2% — the modern frameworks that account for 320,000 sites out of 10 million.

The other 82.5% — the 8.25 million sites running WordPress, Drupal, Joomla, and Magento — is not represented in developer discourse because the people who maintain those sites do not attend developer conferences. They are small business owners who installed WordPress in 2014. They are government IT teams maintaining Drupal sites from 2011. They are e-commerce operators running Magento installations that were configured by an agency that no longer exists. These are the sites that define the actual security surface of the web.

Share this insight