WordPress is a free and open-source CMS based on PHP and MySQL. Features include a plugin architecture and a template system. WordPress was used by more than 29.4% of the top 10 million websites as of January 2018. WordPress is reportedly the most popular website management or blogging system in use on the Web, supporting more than 60 million websites.WordPress has also been used for other application domains such as pervasive display systems (PDS).
WordPress was released on May 27, 2003, by its founders, Matt Mullenweg and Mike Little, as a fork of b2/cafelog. WordPress is released under the GPLv2 (or later) license.
WordPress has a web template system using a template processor. Its architecture is a front controller, routing all requests for non-static URIs to a single PHP file which parses the URI and identifies the target page. This allows support for more human-readable permalinks.
WordPress users may install and switch among different themes. Themes allow users to change the look and functionality of a WordPress website without altering the core code or site content. Every WordPress website requires at least one theme to be present and every theme should be designed using WordPress standards with structured PHP, valid HTML (HyperText Markup Language), and Cascading Style Sheets (CSS). Themes may be directly installed using the WordPress “Appearance” administration tool in the dashboard, or theme folders may be copied directly into the themes directory, for example via FTP. The PHP, HTML and CSS found in themes can be directly modified to alter theme behavior, or a theme can be a “child” theme which inherits settings from another theme and selectively overrides features. WordPress themes are generally classified into two categories: free and premium. Many free themes are listed in the WordPress theme directory, and premium themes are available for purchase from marketplaces and individual WordPress developers. WordPress users may also create and develop their own custom themes. The free theme Underscores created by the WordPress developers has become a popular basis for new themes.
WordPress' plugin architecture allows users to extend the features and functionality of a website or blog. WordPress has over 50,316 plugins available, each of which offers custom functions and features enabling users to tailor their sites to their specific needs. These customizations range from search engine optimization, to client portals used to display private information to logged in users, to content management systems, to content displaying features, such as the addition of widgets and navigation bars. Not all available plugins are always abreast with the upgrades and as a result they may not function properly or may not function at all. Most plugins are available through WordPress themselves, either via downloading them and installing the files manually via FTP or through the WordPress dashboard. However, many third parties offer plugins through their own websites, many of which are paid packages.
WordPress also features integrated link management; a search engine–friendly, clean permalink structure; the ability to assign multiple categories to posts; and support for tagging of posts. Automatic filters are also included, providing standardized formatting and styling of text in posts (for example, converting regular quotes to smart quotes). WordPress also supports the Trackback and Pingback standards for displaying links to other sites that have themselves linked to a post or an article. WordPress posts can be edited in HTML, using the visual editor, or using one of a number of plugins that allow for a variety of customized editing features.
Prior to version 3, WordPress supported one blog per installation, although multiple concurrent copies may be run from different directories if configured to use separate database tables. WordPress Multisites (previously referred to as WordPress Multi-User, WordPress MU, or WPMU) was a fork of WordPress created to allow multiple blogs to exist within one installation but is able to be administered by a centralized maintainer. WordPress MU makes it possible for those with websites to host their own blogging communities, as well as control and moderate all the blogs from a single dashboard. WordPress MS adds eight new data tables for each blog.
As of the release of WordPress 3, WordPress MU has merged with WordPress 
b2/cafelog, more commonly known as b2 or cafelog, was the precursor to WordPress. b2/cafelog was estimated to have been installed on approximately 2,000 blogs as of May 2003. It was written in PHP for use with MySQL by Michel Valdrighi, who is now a contributing developer to WordPress. Although WordPress is the official successor, another project, b2evolution, is also in active development.
WordPress first appeared in 2003 as a joint effort between Matt Mullenweg and Mike Little to create a fork of b2. Christine Selleck Tremoulet, a friend of Mullenweg, suggested the name WordPress.
In 2004 the licensing terms for the competing Movable Type package were changed by Six Apart, resulting in many of its most influential users migrating to WordPress. By October 2009 the Open Source CMS MarketShare Report concluded that WordPress enjoyed the greatest brand strength of any open-source content management system.
As of February 2017, WordPress is used by 58.7% of all the websites whose content management system is known. This is 27.5% of the top 10 million websites.
Most successful WordPress hack attacks are typically the result of human error, be it a configuration error or failing to maintain WordPress, such as keeping core and all plugins up to date, or installing insecure plugins etc.
As per the below pie chart, WordPress plugins are the biggest source of vulnerabilities in WordPress. So far there are 1,305 WordPress plugins vulnerabilities in the WPScan Vulnerability database. That accounts to 54% of the global WordPress vulnerabilities count. Then there are 344 (14.3%) WordPress themes vulnerabilities and 758 (31.5%) WordPress core vulnerabilities.
The most popular vulnerability types in WordPress core, plugins and themes are Cross-site Scripting and SQL Injection. This is not surprising considering these 2 vulnerabilities have been listed in the OWASP Top 10 since its inception.
These statistics are based on the information stored in the WPScan Vulnerability Database, which although it is frequently updated it is by no means complete. There are many other vulnerable WordPress plugins and themes out there which are not listed here, or vulnerabilities which have not been made public yet. But at least this gives us a good overview of the state of WordPress vulnerabilities.