Three Datasets. One Conclusion.
The 'dead internet theory' — the idea that most of the web is bots talking to bots on abandoned infrastructure — has been dismissed as conspiracy thinking. It's not. Cloudflare confirms bots outnumber humans. WebPulse confirms 74% of the crawlable web runs one CMS. The NVD confirms that CMS carries 18,005 known vulnerabilities. Three independent datasets, three independent methodologies, one convergent conclusion: most of the web is unmaintained legacy infrastructure visited primarily by machines.
The Zombie Layer
The web doesn't have a demolition crew. When a business closes, its website stays up. The domain registration lapses, but the shared hosting account might run for years on autopay. The WordPress installation sits there — unpatched, unmonitored, accumulating CVEs. Nobody logs in. Nobody updates plugins. The site serves cached pages to bots that crawl it on schedule, generating the illusion of a living web.
How many of those 7.4 million WordPress detections are actively maintained? We can't measure that directly from a crawl. But we can measure proxy signals: outdated PHP versions, end-of-life WordPress cores, plugins abandoned by their developers. The indicators suggest a significant fraction of the detectable WordPress web is running on autopilot — alive in the technical sense, dead in every meaningful one.
The Convergence
Bot traffic (53%) + WordPress dominance (74%) + vulnerability accumulation (18,005 CVEs) = a web where the majority of traffic is automated, the majority of sites run one framework, and that framework has the largest attack surface in software history. This isn't three separate findings. It's one finding measured three ways: the web's center of gravity is unmaintained legacy infrastructure visited by machines.
The living web — actively maintained sites serving human visitors with modern infrastructure — is the minority on every axis. Minority of traffic (47% human). Minority of frameworks (5% modern). Minority of security posture (sites with current patches). The 'dead internet' isn't a theory. It's what 10 million sites and 81 million requests per second look like when you measure them honestly.
Why This Matters for Owners
If you run a living business on the zombie web, you share infrastructure with the dead. Your WordPress installation is in the same plugin ecosystem, targeted by the same automated exploit tools, indexed by the same bots that visit millions of abandoned sites. The bots don't distinguish between your actively maintained WordPress site and the closed bakery next door. Your attack surface is their attack surface. Your framework is their framework. The zombie web is not someone else's problem — it's the neighborhood your site lives in.
