WP Engine has released its 2025 Website Traffic Trends Report, based on first-party data and external sources like Google CrUX and Cloudflare. This is not another vision piece. It is a snapshot of what is already happening on production websites — at scale.
For hosting providers, platform owners, and infrastructure decision-makers, the message is direct: traffic patterns, cost drivers, and performance risks are changing faster than most organizations are prepared for.
Bots are no longer edge cases — they are the baseline
One number sets the tone for the entire report: nearly 1 in 3 web requests globally now comes from bots. This is not limited to classic search crawlers. AI-driven automation is consuming the most expensive parts of modern hosting stacks.
According to the data, bot traffic can account for up to 70% of dynamic resource consumption, directly impacting compute, performance budgets, and operating costs. Even more concerning: 76% of bot traffic is unverified, meaning most sites cannot confidently classify what is hitting their infrastructure.
Despite this, only 38% of organizations currently use dedicated bot-mitigation solutions. For many hosting businesses, this gap represents a growing financial and operational risk.
Security maturity now directly impacts performance and cost
The report shows a clear link between security practices and real-world performance. Sites that fully enforce HTTPS are not just more secure — they are measurably faster.
WP Engine data indicates that sites serving traffic exclusively over HTTPS achieve 1–5 seconds faster Largest Contentful Paint (LCP) compared to sites still using HTTP. Importantly, this performance gap widened over the past year, suggesting that security lag is now a performance liability.
There is also a visible maturity divide by company size. Larger organizations show near-universal adoption of HTTPS and two-factor authentication, while smaller teams lag behind by roughly 25%. For hosting providers serving SMB and mid-market customers, this gap directly affects platform-level performance consistency and support overhead.
Hosting M&A Consultation
Get one-on-one advice on maximizing your hosting company’s valuation and navigating the sale process.
Edge security and filtering are becoming performance tools
Another important signal for infrastructure leaders: security tooling is no longer just defensive. Teams using edge-level security and bot filtering see more stable performance, especially across distant regions.
Filtering automated traffic closer to the user reduces long-haul requests, protects origin infrastructure, and improves consistency under automation-heavy load. Agencies using managed edge security report cleaner traffic profiles and fewer performance spikes compared to teams relying on manual or reactive rules.
This shifts the conversation from “security add-ons” to “baseline traffic management.”
Geography and mobile performance gaps are widening
The report also highlights a growing structural divide in global performance. North America and Europe still lead in LCP results, while high-growth regions such as Asia and Latin America are slowing down. Traffic growth in these regions is outpacing optimization efforts.
A key reason is CDN adoption — or the lack of it. Roughly 50% of the top 10 million sites tracked by Google CrUX still do not use a CDN. Sites that do see an average ~20% improvement in LCP.
Mobile adds another layer of pressure. While mobile is now the dominant source of traffic globally, mobile performance continues to trail desktop across regions. This gap translates directly into user experience loss and higher infrastructure strain.
What this means for hosting leaders heading into 2026
The strongest signal from the report is not about speed alone. In 2026, reliable websites will be built on three connected pillars: intelligent traffic management, security maturity, and performance parity across regions and devices.
Bot traffic is not a future problem. It is already shaping cost structures, analytics accuracy, and infrastructure design. Hosting platforms that treat bots, security, and performance as separate concerns will struggle to scale efficiently.