Skip to content
Security & Trust

Government Sites: Running a Nation's Web on 18,005 CVEs

The White House runs WordPress. So do thousands of government agencies worldwide. Public infrastructure on a legacy foundation.

· 7 min read
Share on X LinkedIn
Government Sites: Running a Nation's Web on 18,005 CVEs

The Public Sector Legacy

Our scan detected WordPress on whitehouse.gov. That's the digital front door of the United States government, running on a framework with 18,005 known vulnerabilities in the National Vulnerability Database.

The White House is not alone. Government agencies worldwide default to WordPress because of procurement processes that prioritize low upfront cost, established vendor ecosystems, and 'nobody gets fired for choosing WordPress.'

The Procurement Trap

Government technology procurement evaluates frameworks on criteria designed 15 years ago: vendor availability, training material availability, hosting flexibility, content editor usability. None of these criteria measure security posture, AI-readiness, or total cost of ownership.

The result: governments consistently choose the cheapest framework to acquire and the most expensive to operate. WordPress wins the procurement. Taxpayers pay the maintenance.

The National Security Dimension

Government websites aren't just information portals. They process citizen data, serve critical public services, and represent national infrastructure. Running these services on a framework with active entries in CISA's Known Exploited Vulnerabilities catalog is a national security decision made by default, not by design.

30-40%
Government sites on WordPress (estimated)
Modeled estimate. Source for whitehouse.gov: our WebPulse scanner detection (verified). Broader percentage is an estimate, not a census.
35+
Average government site plugin count
Modeled estimate. Not verified by government audit. Government sites may have more plugins for compliance, accessibility, and analytics requirements.
45-90 days
Average time to patch a government WordPress site
Modeled estimate based on published federal IT procurement timelines. Not measured directly.

What This Means

The gap between vulnerability disclosure and patch deployment on government sites is measured in months, not hours. During that window, every government WordPress site running the affected plugin or theme is a known, documented target.

The frameworks that score highest on our index — Astro, Hugo, Next.js — have fundamentally smaller attack surfaces. A static site served from a CDN has no PHP execution layer, no database to inject, no plugins to exploit. The attack surface isn't smaller — it's categorically different.

Governments that move to modern frameworks don't just save money. They reduce national infrastructure risk. That's a security decision that should be made consciously, not inherited from a procurement process designed for a different era.

Related industries
Related regions
North America Western Europe
Share this insight