Skip to content
Security & Trust

WordPress Powers 43% of the Web (W3Techs). It Scores 45 Out of 100.

The most widely deployed framework (W3Techs) is also one of its most vulnerable. Here's what the data says.

· 6 min read
Share on X LinkedIn
WordPress Powers 43% of the Web (W3Techs). It Scores 45 Out of 100.

WordPress runs 43% of the entire web. That number is often cited as a success story. The data suggests it's a risk assessment.

After scoring WordPress across 7 dimensions — security, performance, ecosystem health, AI-readiness, developer experience, market trajectory, and cost of ownership — it lands at 45/100 in our scoring. That puts it at #22 out of 25 frameworks we track.

The Security Problem

WordPress has accumulated over 11,000 CVEs in its lifetime. 387 of those are critical severity. 23 appear in CISA's Known Exploited Vulnerabilities catalog — meaning they're being actively used in attacks right now.

This isn't a bug count from a decade ago. In 2025 alone, Patchstack reported 11,334 new WordPress vulnerabilities, a 42% year-over-year increase. The plugin ecosystem — WordPress's greatest feature — is also its greatest liability.

The AI-Readiness Gap

WordPress scores 35/100 on AI-Readiness — the second-lowest dimension. It was built for humans browsing pages in browsers. Its output is bloated HTML with plugin-injected scripts, unstructured content, and weak API support.

In a world where AI agents are becoming the primary consumers of web content, WordPress sites are increasingly invisible. They produce content that's hard for machines to parse, slow to serve, and expensive to maintain.

What This Means

If your site is primarily content — a blog, marketing site, documentation — Astro (84/100) or Hugo (75/100) will give you better security, better performance, better AI-readiness, and dramatically lower hosting costs.

WordPress isn't dying. But the web it was built for is.

Share this insight