Blog Viewer

Global Website Hacking Statistics 2020 - Rising Concerns

By lissa coffeey posted Mon November 30, 2020 11:13 AM


The state of website hacking statistics should be an alarm to every developer, agency or website owner. This insight from the statistics can give points to be focused on all of the above stakeholders as almost every software can be “hacked” in some way.

While cyber attacks are nothing new, thanks to COVID-19, the threat is more real than ever.

The global impact of coronavirus, as well as its implications, such as quarantine measures, a remote workforce, and the length of the pandemic, have led to attacks that are more aggressive than ever.

According to Forbes, the largest cyber attack in history is predicted to occur in the next six months. Over 1 million WordPress websites were already hacked in 2020 (source : WP Hacked Help)

cyber security threat projection 2023
cyber security hacking stats 2020 IBM

For  companies, cybersecurity is now an every-day issue. Everyday websites get hacked and some of it can be fatal to the businesses getting attacked.

“Cybercrime is the greatest threat to every company in the world.” IBM’s chairman, president and CEO

Following the compilation of must-know website hacking statistics can give a better idea of current statistics. Take a look. Before that I have made an infographic showing top cyber security breaches of 2020 below.

Website hacking statistics

A study was made that stated that there is an attack every 39 seconds on average on the web and the non-secure usernames and passwords that are being used give attackers more chance of success.  (Source: Security Magazine)

Not all attacks are successful in hacking. We see thousands of attacks targeted at the websites they protect every day. Their firewall system logs and monitors these attacks and the web application firewall makes sure the attacks won’t be successful.

Hackers steal 75 records every second.   (Source: Breach Level Index)

The average number of records stolen per second shown by the facts. In general, breaches are actually rare, but a lot of records are stolen at once when they happen, as seen previously.

73% of black hat hackers said traditional firewall and antivirus security is irrelevant or obsolete.  (Source:

Only when we talk about targeted attacks, this is true. A targeted attack means that a hacker has specifically chosen a site and is trying to find an entry point. 

Bots are used to implement attacks targeted at websites or web applications. Usually meaning that a specific vulnerability is being searched through an automated tool in software with vulnerability or the website. 

Vulnerabilities in popular plugins of WordPress sites are often targets of hackers. A firewall with virtual patches is needed in such cases for protection.

Hackers create 300,000 new pieces of malware daily. (Source: McAfee)

In 2017 alone, there were more than 317 million new pieces of malware – computer viruses or other malicious software, created (Source: CNN)We do not yet know the statistics for how many were created daily in 2019 unfortunately.

On average 30,000 new websites are hacked every day. (Source: Forbes)

Unwittingly, these 30000 sites, are largely legitimate small business sites, based on WordPress and are distributing malware in various forms, it can be Wordpress ransomware or other kind of widespread hacks such as redirect hack (where, a wordpress site redirects to another site infected with malicious code), pharma hack, DDOS attack etc. 

Website Hacking Statistics for WordPress

Because of the massive user-base of WordPress, it is one of the main targets of hackers. The wide range of third-party plugins used by users are mainly threatened, rather than the WordPress itself. 

Since WordPress allows users to extend the basic functionalities of the platform using different kinds of components/plugins, the effectiveness of the security tactics used for the WordPress core is not extended.

Most common vulnerabilities found in WordPress plugins can range from the disclosure of sensitive information to SQL injection, and remote code execution.

Not surprisingly, the highest number of vulnerabilities (542) in 2018 were registered in WordPress since WordPress is used by over 35% of all websites which is a 30% increase from 2017 (Figure 5).

The current number of plugins is 54,971 and the number of plugins has actually decreased since the end of 2018, according to the WordPress official site.

The number of WordPress vulnerabilities is still increasing, despite the slow growth or decrease of new plugins. The code quality of plugins, or the popularity of WordPress as CMS is an explanation that motivates more attackers to develop attack tools and try luck in searching for security holes in the code.

A very worrisome fact about website hacking statistics: 98% of WordPress vulnerabilities are related to plugins. (See Figure 7 below.)

The most popular vulnerability types in WordPress plugins are Cross-site Scripting and SQL Injection.

XSS attacks are the biggest threats to WordPress sites according to CVE Details. The second most popular type of attack is code execution and third are different bypass vulnerabilities.

What is even the most worrisome is that in the best WordPress Security Plugins To Secure Your Website , they have around 21 million downloads and many of these plugins have a security vulnerability which can lead to injection of malicious code on your site. (Source: WP Hacked Help)

As WordPress is open source and anyone can create a plugin and publish it, code analysis is not performed before it is sent out for the world. Since there are no serious security standards for these plugins, WordPress plugins are prone to vulnerabilities unfortunately. 

Website Hacking Statistics: Web Application Vulnerabilities

Web applications have become the #1 target for the exploitation of vulnerabilities and unfortunately, all kinds of software are prone to security breaches according to statistics.

Around 70 types of weaknesses in web applications researchers found in 2018. As always, cross-site scripting (XSS) vulnerabilities are present in many web applications. (Source: PT Security)

46% of web applications have critical vulnerabilities. - Acunetix’s report “Web Application Vulnerability 2019”

Four out of five web applications contained configuration errors such as default settings, standard passwords, error reporting, full path disclosure, and other information leaks that might have value for potential intruders. (Source: PT Security)

30% of web applications are vulnerable to XSS. - Acunetix’s report “Web Application Vulnerability 2019”

The attackers goal usually is to make the victim involuntarily run a maliciously injected script, which is executed by a trusted web application. This way, the cybercriminal can steal the user’s data, or even modify the applications to send sensitive data to any recipient.

87% of websites have mid-level weaknesses. - Acunetix’s report “Web Application Vulnerability 2019”

There is variation in information from different sources for website hacking statistics. According to ENISA Threat Landscape Report made in 2018 the most popular type of attacks were SQL injections which were leading with 51%. Local File Inclusion comes in second place with 34% and cross-site scripting comes in third with 8%.

People Are More Worried About Cyber Attack Than Real-Life Attack

According to a study, Americans are more worried about cybercrime than violent crimes (including terrorism, being murdered, and being sexually assaulted). Not only are Americans more worried about cybercrime than other crimes, but their worries about cybercrimes has been consistent for about a decade now. (Source:

Out of 13 crimes measured in the study, Americans continue to worry most about cybercrimes. 71% worry about the hacking of personal data while 67% about identity theft which can be seen from the picture above.

Only 24% of people participating in the study were worried about being a victim of terrorism, 22% were worried about being attacked while driving, 20% about being sexually assaulted, and 17% about being murdered, to put in perspective.

The study of more than 4,000 organizations across the US, UK, Germany, Spain, and the Netherlands found that most organizations are unprepared and would be seriously impacted by a cyber-attack. It states that a whopping 73 percent of companies are not ready for a cyber-attack. (Source:

Countries with the most visits to pirated websites

By country, the United States was the most prolific in visits to pirate websites: 17 billion in 2018. Russia came in second, with 14 billion visits, followed by Brazil, with 10.2 billion. In Europe, France is the first to appear on the list, with 7.339 million visits. The other two European countries in the Top 10 are the United Kingdom (5.75 billion) and Germany (5.156 million). 

India (in fourth position, with 9.589 million visits), Turkey (sixth position, with 7.335 million visits, just behind France), also appears on the list of the ten countries with the most visits to pirated websites. Ukraine (seventh position, with 6.126 million visits) and Indonesia (eighth position, with 6.075 million visits and just ahead of the United Kingdom and Germany).

There are multiple readings for this data, as analyzed by Andy Chatterley, CEO and co-founder of MUSO. One is that the success of pirated television lies in the abundance of platforms, which leads many users to find a way to consume without paying any of the alternatives, although it is likely that they are paying to legally access others. 

A frequent cause is hacking a specific series from a particular platform: many users prefer to access content irregularly to avoid subscribing to a service in which they are not really interested.

According to data from this London company, in 2018 pirate websites received almost 190,000 million visits. 49.38% of the visits were looking for content related to television to see if they could pay for pay channels. Another 17.9% of the visits were looking to see free premiere movies.

Despite the success of Spotify and the huge number of platforms for streaming music, music was the third most pirated content in 2018, with 15.87% of visits to pirated websites. Access to the news was responsible for 11.49% of these visits, while pirated software barely accounted for 6.16%.

The visits to pirate websites 60% of these impacts were taken, while access to torrents just assumed 13%. All this despite the fact that most European countries, as well as the United States, are more proactive when it comes to blocking pirated websites. However, after the closure of one, the birth of another is practically imminent.

How many websites are hacked every day?

On average 30 000 new websites are hacked every day. These 30 000 sites are usually legitimate small businesses sites that are unwittingly distributing malware. 

How much does cyber crime cost?

Cybercrime will cost the world $6 trillion by 2021

How many people use WordPress sites?

WordPress is used by over 35% of all websites and it is unsurprisingly also registered as the one with the highest number of vulnerabilities. About 98% of WordPress vulnerabilities are related to plugins. 

How often do web hacks take place?

Hackers attack every 39 seconds, on average 2,244 times a day.   


How important it is to be on top of what happens with the company, the people and software being used is highlighted by these statistics.

Cyber Security Checklist To Follow At Your Workplace

Here are some of the checklist points which can be implemented at to secure your remote workforce during COVID -19 and beyond.

  • Ensure that antivirus software is in place on any device used for business purposes, including laptops, mobile phones and tablets.
  • Make sure employees know exactly what social engineering attacks are, and why they are so dangerous.
  • Instruct employees on how to spot phishing emails, designed to manipulate employees by impersonating company executives.
  • Alert employees to vishing (phone) scams which may target business or personal cell phone number.
  • Remind the dangers of sharing personal information on any channels, including social media.
  • Implement an action plan that includes alerting the IT department when phishing or vishing threats are identified.
  • Have a VPN in place for employees to log into when working on a public network.
  • Remind employees to install updates on all devices to with latest software patches.
  • Encourage the use of separate computers for personal and work-related data.
  • Create strong password policies to be used on any device, whether company-issued or personal.
  • Utilize password management software to generate secure passwords and ensure policies are followed.
  • Implement Single Sign-On (SSO) software to provide a higher level of security.
  • Activate multi-factor authentication (MFA) whenever it is available

For Website Owners

In case of website owners, especially those using wordpress as a CMS, Keeping the website, updated and monitored are important steps for being alert and secure.

Always being aware of the components used on web applications and removing the ones not being used will also ensure security. 

Choose a trustworthy hosting provider. Periodically scan your website for malware (there are number of free wordpress security scanners available online) so that you can fix hacked wordpress site by yourself . If not, then, Choosing the right security provider for the WordPress site of any web application is also very important.

It is recommended to understand the WordPress security plugin ecosystem and how they all work. Find one that can offer virtual patching and before enabling a firewall on your web app, take a look at the code. 

When it comes to security, research before buying. Be critical and be smart.