Skip to content
Original research

2,245,592 sites scanned. Two very different webs.

Tranco top-100K (the elite). Common Crawl (the broad web). The picture changes completely depending on where you look.

51.5% modern

For the first time, more than half of detected frameworks on the world's top websites are modern. The tipping point has arrived.

The pattern

The higher the rank, the more modern the infrastructure.

The elite moved first. The long tail hasn't.

Top 100
0%
19 detected Angular, Next.js, Drupal
Top 500
0%
91 detected Next.js, WordPress, Drupal
Top 1,000
0%
152 detected Next.js, WordPress, Drupal
Top 5,000
0%
1214 detected Next.js, WordPress, Drupal
Top 10,000
0%
1621 detected Drupal, WordPress, Next.js
Modern
Legacy
Framework distribution

What the world's top websites run

WordPress
30.4%
30.4%
Drupal
27.0%
27.0%
Next.js
17.0%
17.0%
Angular
4.2%
Nuxt.js
3.5%
Shopify
2.6%
Spring
2.4%
Rails
2.4%
Astro
1.9%
Vue.js
1.8%
Modern
Legacy
41.7%
Modern
14,837 sites
58.3%
Legacy
20,705 sites

At the top 100: 79% modern. At the top 10,000: the split is nearly even. Across the full web: legacy still leads.

The Two Webs

The top and the broad web are two different planets.

Tranco top-100K shows the elite. Common Crawl shows the rest. The gap is the finding.

Top 10,000 sites
51.5%
modern

The tipping point exists — but only at the top. Next.js leads. Venture-funded, engineering-led companies migrated.

Broad web (2,144,827 scanned)
11.9%
modern

WordPress at 62.5%. The web that most businesses actually run is overwhelmingly legacy.

Read: The 6% Reality →
Broad web — 2,144,827 detections

What the real web runs

wordpress
62.5%
62.5%
drupal
22.5%
22.5%
nextjs
3.0%
joomla
2.9%
spring
1.7%
rails
1.6%
angular
1.0%
nuxtjs
0.8%
shopify
0.7%
laravel
0.6%
vue
0.6%
astro
0.4%
Modern
Legacy

Source: WebPulse Common Crawl WARC scan. 2,144,827 framework detections. Among detected frameworks only.

Active threat exposure

CISA Known Exploited Vulnerabilities by framework

Vulnerabilities confirmed to be actively exploited in the wild. Federal agencies are required to remediate these. 1642 total entries in the catalog.

WordPress
4
4
Drupal
5
5
Spring
5
5
Magento
3
3
Joomla
3
3
Laravel
3
3
Rails
3
3
React
2
2
Django
0
Next.js
0
Astro
0
Hugo
0
Vue.js
0
Angular
0

Source: CISA Known Exploited Vulnerabilities catalog. Updated 2026-07-15. Count reflects entries where the framework or its ecosystem is the affected product.

Methodology

How we did this

Domain list: Research-grade domain rankings used in academic security papers, aggregating multiple ranking sources and filtering for manipulation.

Detection: Our open-source framework detector analyzes HTML content, HTTP headers, cookies, JavaScript references, and meta tags. 25 framework signatures with multi-signal confidence scoring.

Detection rate: 31.1% — many top sites use custom frameworks, heavy CDN obfuscation, or server-side rendering that strips framework signatures. Our detection is conservative by design: we'd rather miss a framework than misidentify one.

Generation classification: "Modern" = frameworks designed for static generation, edge rendering, or API-first architecture (post-2016). "Legacy" = traditional server-rendered CMS and monolithic frameworks.