The Data Set
WebPulse processed Common Crawl WARC segments from June 2026 and identified web frameworks across 10,002,735 unique domains. This is not a survey. It is not a sample. It is a direct analysis of what web servers actually respond with — HTTP headers, HTML meta tags, JavaScript libraries, CSS patterns, and file path structures that identify the underlying framework.
The results contradict the narrative that dominates developer conferences, tech blogs, and framework comparison articles. The modern web — defined as frameworks released after 2015 with component-based architecture, static generation, or edge deployment — accounts for 17.5% of detectable sites. Legacy platforms — WordPress, Drupal, Joomla, Magento — account for 82.5%.
The WordPress Layer
WordPress accounts for 7,427,780 of the 10 million detected sites — 74.3% of the framework-identifiable web. This is not a CMS market share figure (which counts only sites using a CMS). This is the share of all detected frameworks. Nearly three-quarters of the web's detectable infrastructure runs on a single PHP application with 18,247 cumulative CVEs.
The second-largest framework is Shopify at 7.8% — 777,276 sites. Then Drupal at 4.4%, Joomla at 3.5%. The first modern framework in the ranking is Next.js at 2.6% — 263,488 sites. That means WordPress has 28 times as many sites as Next.js. The entire modern stack — Next.js, Angular, Vue, Rails, React, Nuxt, Astro, Hugo, HTMX, Gatsby, Remix, SvelteKit, Eleventy — combined accounts for 856,815 sites, or 8.6%.
The Security Arithmetic
WordPress's 7.4 million sites carry the cumulative weight of 18,247 NVD CVEs. Hugo's 16,743 sites carry zero CVEs. Astro's 20,080 sites carry 60 CVEs. The security exposure is not proportional — it is exponential. Every WordPress site inherits the attack surface of every WordPress plugin, theme, and core vulnerability. A single CVE in a plugin installed on 500,000 sites creates 500,000 potential entry points simultaneously.
The WARC data reveals the scale of this exposure in raw numbers. There are 7.4 million sites that share the same core vulnerability surface. When CISA adds a WordPress plugin to the KEV catalog, when a supply chain attack hits a popular WordPress theme, when a zero-day targets wp-login.php — the blast radius is 7.4 million sites. No other technology in the history of computing has created this concentration of shared vulnerability.
The Geographic Distribution
The WARC data breaks down by TLD. The .com domain accounts for 3.26 million detections. Russia (.ru) follows at 361,543. Germany (.de) at 222,409. Japan (.jp) at 175,103. France (.fr) at 144,324. Brazil (.br) at 143,867. The .gov TLD — government sites — accounts for 14,349 detections. The .edu TLD — educational institutions — accounts for 82,977 detections. These are not personal blogs. They are institutional infrastructure.
What the Developer Echo Chamber Misses
At developer conferences, the conversation is about React Server Components, Astro Islands, SvelteKit runes, and Remix loaders. On Hacker News, the front page features debates between Next.js and Nuxt, comparisons of Bun vs Deno, and announcements of new edge runtimes. This discourse represents the 3.2% — the modern frameworks that account for 320,000 sites out of 10 million.
The other 82.5% — the 8.25 million sites running WordPress, Drupal, Joomla, and Magento — is not represented in developer discourse because the people who maintain those sites do not attend developer conferences. They are small business owners who installed WordPress in 2014. They are government IT teams maintaining Drupal sites from 2011. They are e-commerce operators running Magento installations that were configured by an agency that no longer exists. These are the sites that define the actual security surface of the web.


