The Ghost Web
A business closes. The owner cancels the credit card, stops answering the phone, moves on. But the website? The shared hosting account is on annual billing — paid through September. The domain auto-renewed last month. The WordPress installation sits there, serving cached pages to bots, running plugins last updated in 2021, accumulating vulnerabilities nobody will ever patch.
The Math of Abandonment
If half of all businesses fail within five years, and most businesses built a website at some point, the web is accumulating abandoned sites faster than active ones replace them. Shared hosting plans are cheap enough that cancellation isn't urgent. Domain registrars auto-renew unless you opt out. The default is persistence — the default is a ghost site.
These ghost sites don't disappear from the crawlable web. Common Crawl finds them. Google indexes them. Bots visit them. They appear in our scan as valid WordPress detections. They have the same CVE exposure as actively maintained sites. But nobody is watching, nobody is patching, and nobody is responding to incidents.
The Security Externality
Ghost sites become vectors. Unmaintained WordPress installations get compromised and used for malware distribution, SEO spam injection, phishing pages, and botnet command-and-control. The business is dead. The website is alive — and hostile. The web's biggest security problem isn't poorly maintained active sites. It's the vast layer of sites with no owner at all.
Nobody's Responsibility
Hosting providers don't proactively patch abandoned accounts. Registrars don't check if the business behind a domain still exists. WordPress.org doesn't deactivate dormant installations. The entire infrastructure assumes someone is responsible. For ghost sites, nobody is. The result is a growing layer of unmanaged, vulnerable, exploitable web infrastructure that nobody owns, nobody monitors, and nobody will ever fix.
