Security, Performance and WordPress Analysis of Top 1 Million Sites

Are you interested in learning facts about the top 1 million sites in the world?

In this extensive report, we talk about WordPress usage, security analysis, and performance factors across the most popular websites on the planet.

Did you know that there are more than 1.5 billion hostnames in circulation and roughly 180 million active websites? If you love these types of statistics, check out the monthly Web Server Survey report from Netcraft. The survey focuses on monitoring the Web for all active sites and domain names.

The total number of hostnames and active websites as of January 2019.

With this many sites active at any given time, you know for a fact that there are many winners and many losers. Sites like The Internet Map give a stark perspective on just how dominant certain websites are in comparison to sites that sit in the top 10 million range and beyond.

If you were to start a new website today, how long would it take you to get inside the top 1 million site list? What about top 10,000 or top 1,000? It might take you years before you get even close.

But, it doesn’t have to be a long and hard road.

If you can figure out the major trends across the most popular websites in the world, you can optimize your site in such a way that your growth is steadfast.

This is the premise of our analysis. We are looking at the top 1 million websites as listed by the Alexa directory and trying to understand what technologies are most popular across the board.

Ready to learn all about it? Let’s get to it!

How popular is WordPress?

We know that WordPress has a market share of 60% as a content management system, but how popular is WordPress in the top 1M sites?

To find out, these are the criteria we used during our scan:

  • Check for wp-content, wp-json, and wp-includes in the source of each website.
  • Check for wp-json in the response header.
  • Check for the meta-generator tag in the page source.
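The three checks above can be applied to an already-fetched response, which is also a quick way to see what your own site discloses. This is an added example, not the scan code used for the report; the function name, the evidence labels and the sample response are constructed for illustration.

```python
import re
from html.parser import HTMLParser

WP_PATHS = ("wp-content", "wp-json", "wp-includes")


class GeneratorMeta(HTMLParser):
    """Collects the content of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generators.append(a.get("content") or "")


def detect_wordpress(headers, body):
    """Return (is_wordpress, evidence list, disclosed version or None)."""
    # Criterion 1: WordPress path markers in the page source.
    evidence = [f"source:{p}" for p in WP_PATHS if p in body]
    # Criterion 2: wp-json in a response header (WordPress advertises its
    # REST API root in a Link header).
    for name, value in headers.items():
        if "wp-json" in value:
            evidence.append(f"header:{name.lower()}")
    # Criterion 3: <meta name="generator" content="WordPress x.y.z">.
    parser = GeneratorMeta()
    parser.feed(body)
    version = None
    for gen in parser.generators:
        m = re.match(r"WordPress\s*([\d.]+)?", gen, re.I)
        if m:
            evidence.append("meta:generator")
            version = m.group(1)  # None when the version is stripped
    return bool(evidence), evidence, version


# Constructed sample response, not taken from any real site.
SAMPLE_HEADERS = {"Link": '<https://blog.example/wp-json/>; rel="https://api.w.org/"'}
SAMPLE_BODY = """<html><head>
<meta name="generator" content="WordPress 5.0.3" />
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
</head><body><script src="/wp-includes/js/jquery/jquery.js"></script></body></html>"""
```

A site that strips the generator tag and rewrites its asset paths returns no evidence here, which is the source of the margin of error mentioned below.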

And here are the results:


Our analysis shows that WordPress is used by 26.5% of websites in the top 1M list. The margin for error is roughly 2% as some websites hide information from the public eye.

WordPress has proven time and time again that it is a platform capable of supporting websites of any size and popularity.

Big names like TechCrunch, Marks & Spencer, and Quartz are using WordPress to serve content to millions of monthly visitors.


Are you using WordPress on your website? Getting started is easy, and you can instantly reap the benefits of having access to thousands of themes and plugins.

If you need help configuring your WordPress site, check out our tutorials and articles section where we share actionable tips!

And speaking of which, let’s take a look at the most popular WordPress themes and plugins within the top 1M sites list.

The Most Popular Plugins

WordPress is heavily reliant on its plugin ecosystem to provide truly dynamic website experiences. Where a developer would need to write custom code to add a feature to a site, a WordPress user can use a plugin to do the same thing.

One of the things we learned quite quickly is that getting an accurate list of the most popular plugins is quite hard. The reason is that many WordPress users obfuscate (minify) their CSS and JavaScript files, and in turn block access to certain plugin paths.

Nevertheless, here is an up-to-date chart on the most popular plugins across all WordPress-based sites in the top 1M list:

the most popular WordPress plugins

The results are not unexpected. Contact Form 7 is the most recommended contact plugin out there, included in pretty much every WordPress plugin list ever. Jetpack is great to add numerous social features to WordPress blogs, and Visual Composer helps you design custom websites effortlessly.

We also have Cookie Notice in this top 10 list, which is directly related to GDPR, the new EU data protection legislation that went into effect in early 2018. OneSignal has also made it into the top 10. OneSignal is an exceptional WordPress plugin for adding push notifications to your site.

Alright, now that we have looked at the plugins, let’s take a look at themes!

The Most Popular Themes

We have a similar issue here in the sense that theme paths also get obfuscated whenever WordPress files get minified. But, the data we do have is accurate and very much in line with our expectations.

top WordPress themes

It looks like Divi is leading the way as the most popular WordPress theme in the top 1M sites list. And this sounds about right given how much money ElegantThemes has poured into promoting the theme.

Next up, we have Newspaper and Avada. Since Avada has more than 490,000 sales on ThemeForest, there’s no question in our minds that we would see it on the top 10 themes list.

One of the many demo designs provided by the Avada theme.

For roughly two years now, most WordPress themes have come with multiple demo designs per theme. As a result, a single theme can accumulate hundreds of thousands of users simply because it provides so many different solutions.

What’s surprising is that we don’t see themes like Thrive or Genesis on this list. Both have had enormous growth over the years, but perhaps not as steady as many would have thought.

WordPress 4.x slowly losing its grasp

For the last WordPress metric, we are looking at the different versions still in rotation. Back in December 2018, WordPress finally released its “highly anticipated” 5.0 version, which came prepackaged with the new Gutenberg Editor.

The community has been reluctant to embrace Gutenberg due to its rigid nature and the difficulty it imposes on writers. And while Matt Mullenweg has given reassurances that Gutenberg will improve over time, many have decided not to switch over. As per WordPress: the Classic Editor will be supported until 2021.

Here is the data:


Two months after its release, 60,000 sites in the top 1M list have updated to the latest version.

WordPress 4.x, however, maintains a dominant position, and this likely has to do with the fact that agencies and external developers build many sites. As a result, updating a site from one version to another can cause some major issues.

Now that we know a little bit about WordPress, let’s take a look at other interesting facts we have learned.

What is the most popular Web Server?


We ran a thorough analysis of Server Headers to analyze the most popular web servers and proxies among the top 1M websites. And the findings don’t surprise us one bit.

server header analysis

Apache looks like the clear winner here, doesn’t it? Well, while Apache is definitely popular, you have to keep in mind that Cloudflare, OpenResty, and SUCURI use Nginx. As a result, Nginx manages to come out slightly on top.

Here is the overall market share data for the most popular web servers:

web server market share

As little as a few years ago, this report would have been upside down, in favor of Apache. But, thanks to the rapid evolution of Nginx and the performance benefits that you can reap, we know that Nginx will only continue to dominate.

Also, if you look at the latest report from Netcraft, you are going to see that Microsoft and Apache are at the top of the market share list.

But do remember that our analysis is based on the top 1 million sites. Because Nginx is considered the fastest web server, it doesn’t surprise us that the best websites in the world choose it as their go-to solution.

PHP is in a dominant position

We analyzed the entire sites list for “X-Powered-By” headers, and the results show that PHP is dominantly leading the way.

It’s fair to say that WordPress contributes significantly to this dominance, but it’s also a known fact that PHP has been around for longer than most modern technologies.


“X-Powered-By” is a common non-standard HTTP response header (most headers prefixed with an ‘X-’ are non-standard). It’s often included by default in responses constructed via a particular scripting technology. It’s important to note that it can be disabled and/or manipulated by the server, so the counts below only cover sites that chose to send it.

Windows appears twice with ASP.NET and PleskLin, but we also have Express and Passenger: two extremely robust Node.js web application frameworks.


And we also have got EasyEngine on the list. EasyEngine is a lesser-known Nginx-based script for running and maintaining WordPress websites.

It comes prepackaged with Redis (for caching), Let’s Encrypt (for SSL), Docker and other top-notch software solutions for creating high-performing WordPress websites.

Which version of PHP is on top?

PHP 7 was released in December 2015, but it’s not even remotely close to being as popular as PHP 5.x — surprising to say the least!

After analyzing the top 1 million sites, we found that 207,399 sites publicly state they are powered by PHP.

Wait for it…

146,227 of the sites in the top 1M are still working with PHP 5.x! Dang…


Despite PHP 5 still being so dominant, it’s nice to see that developers are getting more comfortable making the switch to PHP 7.

The fact of the matter is: PHP 7 has better performance than PHP 5.

And given that support for PHP 5.6 (the latest 5.X release) was discontinued in late 2018, now is the best time to make the switch!
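The “X-Powered-By” analysis and the PHP version count described above come down to parsing one header value per site and tallying the result. The sketch below is an added example, not the code behind the report; the function names and the sample header values are constructed for illustration.

```python
import re
from collections import Counter

EOL_PHP_MAJORS = {"5"}  # the page notes PHP 5.6 support ended in late 2018


def parse_powered_by(value):
    """Split one X-Powered-By value into (technology, version) pairs."""
    pairs = []
    for token in (t.strip() for t in value.split(",")):
        if not token:
            continue
        # "PHP/5.6.40" or "Name 1.2.3": the name, a separator, dotted digits.
        m = re.match(r"(.*?)[/ ]v?(\d+(?:\.\d+)*)", token)
        pairs.append((m.group(1).strip(), m.group(2)) if m else (token, None))
    return pairs


def tally(header_values):
    """Count technologies and PHP major versions over many header values."""
    tech, php_major = Counter(), Counter()
    for value in header_values:
        for name, version in parse_powered_by(value):
            tech[name] += 1
            if name.upper() == "PHP":
                # A site may send "PHP" with the version stripped.
                php_major[version.split(".")[0] if version else "hidden"] += 1
    return tech, php_major


def eol_share(php_major):
    """Fraction of version-disclosing PHP sites on an end-of-life major."""
    known = {k: v for k, v in php_major.items() if k != "hidden"}
    total = sum(known.values())
    eol = sum(v for k, v in known.items() if k in EOL_PHP_MAJORS)
    return eol / total if total else 0.0


# Constructed header values, not taken from the survey data.
SAMPLE = [
    "PHP/5.6.40", "PHP/7.2.14", "ASP.NET", "PHP/5.4.16", "Express",
    "PHP/7.1.26, PleskLin", "Phusion Passenger 5.3.7", "PHP",
]
```

On your own servers, the same header is what tells every visitor which unsupported runtime you are still on, so upgrading and suppressing the version string are both worth doing.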

Also, we ran a test to see how many of the WordPress sites in the top 1M are running PHP 7 or higher.


And… out of the 82,000+ sites that showed their PHP version, a whopping 40% have already switched to PHP 7.

Secure HTTP Response Headers

In an age where nobody is safe from large-scale security attacks, it pays to invest in securing your website properly.

As such, we wanted to check how many websites are implementing the OWASP Secure Headers list to prevent common web attacks.


The results are not too shabby…

And if you’re wondering why Feature-Policy is implemented so sparsely, that’s because it’s an entirely new header.

Feature Policy allows web developers to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser. It’s like CSP but instead of controlling security, it controls features!

In short, it helps to prevent the browser from performing actions that could be malicious. In particular, actions related to iFrames, media, and eCommerce.
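A presence check like the one described in this section can be extended to flag headers that are sent but set weakly. This is an added example, not the report's scan code: the header list is an assumed subset of the OWASP Secure Headers Project list (the page does not enumerate which headers it checked), and the HSTS threshold and sample responses are constructed.

```python
import re

# Assumed subset of the OWASP Secure Headers Project list.
EXPECTED = (
    "Strict-Transport-Security", "X-Frame-Options", "X-Content-Type-Options",
    "Content-Security-Policy", "Referrer-Policy", "Feature-Policy",
)
MIN_HSTS_AGE = 15552000  # 180 days, an assumed threshold for this example


def audit_headers(headers):
    """Return {header: finding} for missing or weakly set security headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = {n: "missing" for n in EXPECTED if n.lower() not in h}
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings["Strict-Transport-Security"] = "max-age too short"
    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings["X-Content-Type-Options"] = "value is not nosniff"
    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.lower() not in ("deny", "sameorigin"):
        findings["X-Frame-Options"] = "value is not DENY or SAMEORIGIN"
    csp = h.get("content-security-policy")
    if csp is not None and "'unsafe-inline'" in csp:
        findings["Content-Security-Policy"] = "allows 'unsafe-inline'"
    return findings


# Constructed response headers, not taken from any real site.
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "Referrer-Policy": "no-referrer",
    "Feature-Policy": "camera 'none'; microphone 'none'",
}
WEAK = {
    "strict-transport-security": "max-age=300",
    "X-Content-Type-Options": "sniff",
    "X-Powered-By": "PHP/5.6.40",
}
```

A survey that only counts presence would record the second response as implementing two of the headers, even though neither is set to a protective value.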

HTTP/2 On The Rise

Image credit: coolicehost

HTTP/2 was first introduced in 2015, but the adoption has been rather slow, to say the least.

Our report shows that out of all the sites in the top 1M, at least 260,000 have already adopted HTTP/2. That’s almost 1/3 of all the sites in the list.


There are many reasons why this is so. Many sites are still using old hosting and servers that simply haven’t been upgraded to support HTTP/2.

If you use Apache or NGINX then enabling HTTP/2 for your site is actually really easy.

Most modern web hosting companies, including CDN providers, support HTTP/2 by default. So, if you haven’t made the switch yet, perhaps now is the perfect time to do it!

People Are Still Catching Up to Enable SSL

Google wants publishers to use HTTPS (which now affects SEO rankings as well), and Chrome is marking HTTP sites as non-secure.

If that isn’t a big enough reason to switch over, then what is?

Nevertheless, from our analysis, only 50% of the sites in the top 1M list have enabled HTTPS. Kinda crazy if you ask me…


Check this vid out to see what HTTPS is all about and why you should care:

YouTube video

Also… you can get an SSL certificate for your site completely for free using the Let’s Encrypt service.

You can also read our piece on how to set up Let’s Encrypt for your website.

TTFB: Time to First Byte

For all you performance nerds out there, here is an analysis of TTFB.

  • 343,328 sites were found to have a time to first byte of less than 300ms.
  • 284,070 were found to be between 301 and 600ms.
  • 261,629 were found to be between 601 and 1000ms.
  • 110,973 sites were above 1000ms.

The industry recommendation is to aim for a server response time that’s less than 200ms.

Most modern sites range from 200-500ms which is considered the “norm”.

However, if your site fluctuates above 600ms, you might want to look into your server configuration.

Concluding notes

  • Data source – Alexa Top 1 Million sites as of 23rd Dec 2018
  • The test was conducted in the 2nd week of Jan 2019.
  • As you may guess, tests were done using Python.
  • Security was respected for the sites that didn’t allow a bot to connect.