Skip to main content
809955 sites analysed

EU Web Technology Landscape

CMS, hosting providers, and consent platforms across 809955 EU websites

WordPress

Top CMS (61.1%)

149883

Sites with CMS

Apache

Top Server (34.3%)

56%

EU-hosted providers

In this report

CMS Distribution Server Technology Hosting Landscape

CMS Distribution

149883 sites with detected CMS

CMS choice directly affects security posture — outdated CMS versions are a leading attack vector. Plugin ecosystems, update frequency, and default security configurations vary significantly between platforms, impacting vulnerability exposure and patch cycles.

WordPress
61.1% (91561)
Wix
7.3% (10954)
TYPO3
5.5% (8194)
Joomla
4.3% (6420)
Magento
3.3% (5012)
Jimdo Creator
2.4% (3626)
Next.js
2.2% (3366)
Shopify
2.1% (3158)
Drupal
2.0% (2928)
Contao Open Source CMS
1.8% (2757)
Squarespace
1.8% (2662)
IONOS MyWebsite
1.6% (2466)
All in One SEO (AIOSEO) 4.9.5.1
1.3% (1933)
MyWebsite NOW
0.8% (1171)
PrestaShop
0.7% (1030)

Server Technology

224429 sites with detected server

Web server software and runtime frameworks. Server version disclosure can aid attackers — but also helps identify outdated, vulnerable infrastructure. End-of-life PHP versions receive no security patches.

Web Servers

Apache
34.3%
nginx
24.0%
Cloudflare
13.4%
Apache 2.4
8.6%
Pepyaka
4.9%
LiteSpeed
4.2%
OVHcloud
2.8%
Squarespace
1.4%
IONOS Webserver
1.1%
Microsoft-IIS 10.0
1.1%
aruba-proxy
1.0%
openresty
1.0%
o2switch-PowerBoost-v3
1.0%
Apache 2
0.7%
Vercel
0.5%

Frameworks & PHP Versions

PHP 8.2
17.6%
PHP 7.4 ⚠
17.4%
PHP 8.3
16.5%
PHP 8.4
11.5%
PHP 8.1
10.5%
ASP.NET
6.5%
PHP 8.0 ⚠
5.5%
PHP 5.6 ⚠
3.1%
PHP 7.3 ⚠
3.1%
PHP 7.2 ⚠
2.2%
PHP 8.5
1.9%
PHP 7.0 ⚠
1.3%
Express (Node.js)
1.2%
PleskLin
0.9%
PHP 5.3 ⚠
0.7%

Hosting Provider Landscape

421407 sites with hosting data

GDPR Art. 28 requires data processing agreements specifying where data is stored. Art. 44-49 regulate international transfers — hosting with US-headquartered providers triggers Schrems II (CJEU C-311/18) and CLOUD Act considerations, requiring SCCs with supplementary measures.

56%

EU-headquartered provider

44%

Non-EU provider (CLOUD Act / Schrems II)

Top hosting providers

Cloudflare (US · non-EU) 43166 10.2%
IONOS (1&1) (DE · EU) 41881 9.9%
Hetzner (DE · EU) 29098 6.9%
Amazon Web Services (US · non-EU) 27105 6.4%
OVHcloud (FR · EU) 24023 5.7%
Strato (DE · EU) 21427 5.1%
Google Cloud (US · non-EU) 18000 4.3%
Wix (IL · non-EU) 13607 3.2%
GoDaddy (US · non-EU) 8697 2.1%
Mittwald (DE · EU) 7662 1.8%

Top hosting countries

DE
41.1%
US
21.2%
FR
11.5%
GB
4.9%
NL
3.1%
IT
2.8%
IE
2.0%
CA
1.6%
DK
1.5%
PL
1.4%

Server location via IP geolocation (MaxMind GeoLite2). Company HQ from ASN registry. A site may be physically hosted in the EU but use a US-headquartered provider subject to the CLOUD Act — per Schrems II (CJEU C-311/18), this requires SCCs with supplementary measures. · GDPR Art. 44–49

Methodology

How this data was collected and what it represents.

CMS detection uses multiple signals: HTTP response headers (X-Powered-By, X-Generator), HTML meta generator tags, characteristic URL patterns, CSS class naming conventions, and JavaScript global variables. Detection covers WordPress, Joomla, Drupal, Typo3, Shopify, Wix, Squarespace, and 40+ other platforms.

CMP detection identifies consent management platforms via script sources, cookie names, DOM elements, and IAB TCF API presence (window.__tcfapi). Over 33 CMP vendors are tracked including Cookiebot, OneTrust, Usercentrics, Borlabs Cookie, and Complianz.

Hosting provider identification combines IP geolocation (MaxMind GeoLite2) for server location with ASN/WHOIS data for provider identification and company headquarters mapping.

No individual sites are named. All statistics are aggregated and anonymised. The data represents a snapshot and is updated continuously as new scans complete.

Where does your website stand?

Run a free security scan and see how you compare — TLS, headers, email, DNS, accessibility, cookies — in 30 seconds, no account needed.

Scan your website now Security report Accessibility report

Based on automated scans of 809955 European websites. Updated continuously.