816013 sites analysed

EU Web Technology Landscape

CMS, hosting providers, and consent platforms across 816013 EU websites

WordPress

Top CMS (61.7%)

80407

Sites with CMS

Apache

Top Server (32.1%)

55%

EU-hosted providers

In this report

CMS Distribution Server Technology Hosting Landscape

CMS Distribution

80407 sites with detected CMS

CMS choice directly affects security posture — outdated CMS versions are a leading attack vector. Plugin ecosystems, update frequency, and default security configurations vary significantly between platforms, impacting vulnerability exposure and patch cycles.

WordPress

61.7% (49578)

Wix

7.8% (6287)

TYPO3

4.6% (3688)

Joomla

3.9% (3165)

Magento

3.2% (2609)

Next.js

2.5% (2049)

Shopify

2.5% (2028)

Jimdo Creator

2.4% (1902)

Squarespace

2.2% (1780)

Drupal

1.8% (1423)

Contao Open Source CMS

1.6% (1284)

IONOS MyWebsite

1.4% (1126)

All in One SEO (AIOSEO) 4.9.6.2

0.8% (629)

PrestaShop

0.7% (575)

MyWebsite NOW

0.7% (562)

Server Technology

119432 sites with detected server

Web server software and runtime frameworks. Server version disclosure can aid attackers — but also helps identify outdated, vulnerable infrastructure. End-of-life PHP versions receive no security patches.

Web Servers

Apache

32.1%

nginx

23.9%

Cloudflare

14.9%

Apache 2.4

7.8%

Pepyaka

5.2%

LiteSpeed

5.0%

OVHcloud

2.4%

Squarespace

1.6%

Microsoft-IIS 10.0

1.3%

openresty

1.3%

aruba-proxy

1.2%

IONOS Webserver

1.0%

Apache 2

0.9%

o2switch-PowerBoost-v3

0.8%

Vercel

0.6%

Frameworks & PHP Versions

PHP 7.4 ⚠

17.5%

PHP 8.3

16.8%

PHP 8.2

16.5%

PHP 8.4

11.3%

PHP 8.1

10.2%

ASP.NET

7.8%

PHP 8.0 ⚠

5.2%

PHP 5.6 ⚠

3.1%

PHP 7.3 ⚠

2.9%

PHP 8.5

2.7%

PHP 7.2 ⚠

2.1%

Express (Node.js)

1.5%

PHP 7.0 ⚠

1.2%

PHP 5.3 ⚠

0.7%

PHP 5.4 ⚠

0.6%

Hosting Provider Landscape

855847 sites with hosting data

GDPR Art. 28 requires data processing agreements specifying where data is stored. Art. 44-49 regulate international transfers — hosting with US-headquartered providers triggers Schrems II (CJEU C-311/18) and CLOUD Act considerations, requiring SCCs with supplementary measures.

55%

EU-headquartered provider

45%

Non-EU provider (CLOUD Act / Schrems II)

Top hosting providers

Cloudflare (US · non-EU) 85062 9.9%

IONOS (1&1) (DE · EU) 65088 7.6%

Amazon Web Services (US · non-EU) 55268 6.5%

Hetzner (DE · EU) 50058 5.8%

OVHcloud (FR · EU) 45061 5.3%

Google Cloud (US · non-EU) 37622 4.4%

Strato (DE · EU) 28540 3.3%

Wix (IL · non-EU) 26547 3.1%

Aruba S.p.A. (IT · EU) 14326 1.7%

GoDaddy (US · non-EU) 12780 1.5%

Top hosting countries

29.6%

20.6%

9.8%

6.3%

4.5%

3.7%

2.3%

2.2%

Server location via IP geolocation (MaxMind GeoLite2). Company HQ from ASN registry. A site may be physically hosted in the EU but use a US-headquartered provider subject to the CLOUD Act — per Schrems II (CJEU C-311/18), this requires SCCs with supplementary measures. · GDPR Art. 44–49

Methodology

How this data was collected and what it represents.

CMS detection uses multiple signals: HTTP response headers (X-Powered-By, X-Generator), HTML meta generator tags, characteristic URL patterns, CSS class naming conventions, and JavaScript global variables. Detection covers WordPress, Joomla, Drupal, Typo3, Shopify, Wix, Squarespace, and 40+ other platforms.

CMP detection identifies consent management platforms via script sources, cookie names, DOM elements, and IAB TCF API presence (window.__tcfapi). Over 33 CMP vendors are tracked including Cookiebot, OneTrust, Usercentrics, Borlabs Cookie, and Complianz.

Hosting provider identification combines IP geolocation (MaxMind GeoLite2) for server location with ASN/WHOIS data for provider identification and company headquarters mapping.

No individual sites are named. All statistics are aggregated and anonymised. The data represents a snapshot and is updated continuously as new scans complete.

Where does your website stand?

Run a free security scan and see how you compare — TLS, headers, email, DNS, accessibility, cookies — in 30 seconds, no account needed.

Scan your website now Security report Accessibility report

Based on automated scans of 816013 European websites. Updated continuously.