According to the State of the Web March 2015 study published by Menlo Security, that scanned 50,000 unique domains, 21 percent of sites have known vulnerabilities.
“The home page of each of the 750,000 domains in the Alexa 1 Million was visited once,” Kowsik Guruswamy, CTO of Menlo Security told eWEEK. “This was not an active scan against a single site to crawl the various pages, it was a single page load through a browser that also fetched all of the assets from CDNs (Content Delivery Networks), iframes, ad-networks, etc.”
Looking into the data, Guruswamy said that the breakdown of vulnerable software shows that, 10 percent of scanned sites were running a vulnerable version of PHP, where “vulnerable” means the site was running any of the versions of PHP that show at least one outstanding vulnerability in the CVE database. Vulnerable web server software was also common with four percent running a vulnerable version of Apache HTTP and four percent running a vulnerable version of Microsoft Internet Information Server (IIS).