WordPress powers 42.8% of all websites on earth. Nearly half the internet runs on a twenty-three-year-old content management system originally designed for blogging. That number sounds like dominance. It is also the highest point on a curve that has started bending downward for the first time in WordPress history.
This article asks three questions and answers each one definitively. No hedging.
- In the age of AI agents and agentic coding, is WordPress really needed?
- Is bespoke better?
- Is WordPress 7.0 going in the right direction?
The State of the Kingdom
Before we interrogate the future, we need to see the present clearly.
WordPress peaked at 65.2% of the CMS market in 2022. Today that number is 60.7% and dropping. The overall web share dipped from 43.6% in January 2025 to 42.8% in early 2026 — the first meaningful decline the platform has ever recorded. The HTTP Archive's 2025 Web Almanac describes this as WordPress shifting "from a focus on expansion to one on stabilization."
Stabilization is a polite word for what happens when the world moves and you do not.
Meanwhile, the WordPress ecosystem reported 11,334 new security vulnerabilities in 2025 — a 42% increase over the prior year. Ninety-one percent of those vulnerabilities live in plugins. More than half of the developers notified by Patchstack failed to release a fix before public disclosure. WordPress sites are attacked every 32 minutes on average. Only 36% of WordPress mobile sites pass Google's Core Web Vitals.
And then there is the governance crisis. In September 2024, Automattic CEO Matt Mullenweg publicly called WP Engine "a cancer to WordPress." What followed was a lawsuit, counter-lawsuit, the blocking of WP Engine's access to WordPress.org plugin updates (affecting hundreds of thousands of sites), 159 employee departures, a 99% reduction in Automattic's open-source contributions, the dissolution of the sustainability team, and the banning of prominent contributors from WordPress.org. A federal judge granted WP Engine a preliminary injunction in December 2025, ordering Automattic to restore access within 72 hours. A full trial is expected in 2027.
That is the kingdom in March 2026.
Question 1: Is WordPress Really Needed?
The Non-Technical Answer
Think of WordPress like a department store that opened in 2003 when there were few alternatives. For years, if you wanted a website, WordPress was the obvious choice — affordable, flexible, and surrounded by a massive ecosystem of designers, developers, and support resources.
Today, the landscape is unrecognizable. AI coding tools like Claude Code, Cursor, and Bolt.new can generate a complete, production-ready website in hours, not weeks. Lovable, an AI site builder, hit $300 million in annual revenue in just eight months. Bolt.new deployed over one million AI-generated websites on Netlify in five months. Small businesses building with AI report 87% time savings and 78% cost savings compared to traditional methods.
The question is not whether WordPress can still build websites. Of course it can. The question is whether the complexity, maintenance burden, and security exposure of WordPress are justified when AI-assisted alternatives deliver equivalent or superior results faster and cheaper.
For simple marketing sites, blogs, and small business presences — the bread and butter of WordPress's 42.8% — the honest answer is increasingly no. The floor has risen. What required WordPress in 2015 now requires a conversation with an AI agent and a modern hosting platform.
For complex content operations at scale — large publishing houses, universities, enterprise intranets — WordPress's content management strengths still matter. The editorial workflow, user roles, and plugin ecosystem serve these use cases. But even here, headless CMS platforms like Strapi and Sanity are absorbing market share by offering better developer experience and multi-channel distribution.
WordPress is not needed the way it once was. It is familiar. Those are different things.
The Technical Answer
WordPress's architecture is a PHP monolith backed by MySQL, rendering pages through a theme layer that tightly couples content, presentation, and logic. Every page load involves bootstrapping the entire WordPress application — loading active plugins, querying the database, executing template hierarchy logic, and rendering HTML server-side.
This architecture made sense in 2003. It is now a performance liability. WordPress ranks last among major CMS platforms for Core Web Vitals compliance. The dependency chain is staggering: a typical WordPress site loads 20-60 active plugins, each hooking into WordPress's event system, adding database queries, enqueuing scripts and stylesheets, and expanding the attack surface.
Modern frameworks — Next.js, Astro, SvelteKit — take fundamentally different approaches. Static generation pre-renders pages at build time, delivering HTML from a CDN with zero server-side computation per request. Server components stream HTML progressively. Edge rendering places logic at network points closest to users. These are not incremental improvements. They are architectural paradigm shifts that WordPress cannot adopt without ceasing to be WordPress.
The performance data is stark. Sixty percent of Astro sites pass Core Web Vitals versus 38% for WordPress. An Astro static site loads in 0.9 seconds; a comparable WordPress site takes 2.8 seconds. Astro ships 90% less JavaScript. Next.js sites migrating from WordPress report Lighthouse score improvements from 63 to 91.
WordPress can be optimized — aggressive caching, CDN layers, lightweight themes, minimal plugins — but those optimizations are fighting the architecture rather than leveraging it. You are spending engineering effort to make WordPress behave like something it is not.
AI coding agents compound this disadvantage. Claude Code, operating in an agentic terminal session, can scaffold a complete Next.js application with authentication, database integration, API routes, and deployment configuration in a single session. The generated code is type-safe, tree-shakeable, and deploys to edge networks by default. There is no plugin ecosystem to manage, no theme compatibility matrix, no database bloat accumulating over years.
The 64,782 tracked vulnerabilities in the WordPress ecosystem are not a bug. They are a feature of WordPress's extensibility model — a model that assumes trust in thousands of independent plugin developers with inconsistent security practices and no guaranteed patching timeline. Bespoke applications have attack surfaces proportional to their actual functionality. WordPress sites have attack surfaces proportional to their plugin count.
The Verdict: Is WordPress Really Needed?
No. WordPress is no longer necessary for the majority of its current use cases. It remains viable for large-scale editorial operations where the content management workflow justifies the architectural tradeoffs. For everything else — and that is most of the 42.8% — better tools exist and are getting better by the month.
Question 2: Is Bespoke Better?
The Non-Technical Answer
"Bespoke" used to mean "expensive." A custom-built website required a team of developers, months of work, and a budget that started at $15,000 and climbed from there. WordPress existed precisely because most businesses could not afford bespoke. The WordPress value proposition was always economic, not technical.
AI has inverted this equation.
When Claude Opus 4.5 scores 80.9% on SWE-bench Verified — outperforming every human candidate on Anthropic's internal engineering assessments — the cost of custom software development drops structurally. AI now writes 30% of Microsoft's code and more than a quarter of Google's. Among Y Combinator's Winter 2025 cohort, 21% of companies have codebases that are 91% AI-generated. Gartner forecasts that 60% of new software code will be AI-generated by 2026.
What does this mean practically? A developer using AI coding tools can build a custom website in days, not months. The cost of a bespoke site has collapsed from $15,000-$50,000 to a fraction of that. The time-to-launch has compressed from 8-24 weeks to days. The maintenance burden shifts from managing a plugin ecosystem (11,334 new vulnerabilities per year) to maintaining code you actually wrote and understand.
Bespoke is not just better. It is now accessible. The democratization that WordPress once provided — making websites available to everyone — is being superseded by a new democratization: AI making custom software available to everyone.
There is a caveat. AI-generated code can introduce vulnerabilities. Studies show AI co-authored pull requests have 2.74x higher rates of security issues. One analyst predicts $1.5 trillion in technical debt by 2027 from AI-generated code. Bespoke is better, but it requires the same discipline that good software has always required — code review, testing, and architectural intention. The tool is more powerful. The human judgment remains essential.
The Technical Answer
The technical case for bespoke hinges on three advantages: performance, security, and ownership.
Performance. A bespoke Next.js or Astro application is compiled, tree-shaken, and deployed to edge networks. There is no runtime framework bootstrapping. No plugin initialization chain. No database queries for configuration data that could be static. The performance ceiling is defined by the laws of physics (network latency, CDN proximity) rather than by architectural overhead. A bespoke Astro site serving static HTML from a CDN edge node will always be faster than a WordPress site loading PHP, executing hooks, querying MySQL, and assembling a response.
Security. A bespoke application's attack surface is its own code. There is no shared vulnerability database because there is no shared codebase. You are not exposed to CVEs in plugins you installed three years ago and forgot about. You are not trusting that the developer of a contact form plugin with 50,000 installations will patch a cross-site scripting vulnerability before it is exploited in automated mass-scale attacks. Your dependencies are explicit, auditable, and locked to specific versions via package management.
Ownership. A WordPress site exists within WordPress's gravitational field. Theme updates can break customizations. Plugin compatibility matrices constrain upgrade paths. The Gutenberg editor imposes design assumptions. WordPress 7.0's direction — whatever it turns out to be — will affect your site whether or not you agree with the direction. A bespoke application has no such dependency. You control the architecture, the deployment, the update cadence, and the feature roadmap.
The counterargument — that bespoke requires ongoing developer maintenance — has weakened substantially. AI coding agents can debug, refactor, and extend bespoke codebases as effectively as they can build them. The maintenance burden of custom code managed with AI tools is now comparable to the maintenance burden of a WordPress installation managed without them. And the custom code does not accumulate the entropy of an aging plugin ecosystem.
The Total Cost of Ownership (TCO) comparison has flipped. WordPress was traditionally cheaper for years 1-3 and more expensive after year 4. With AI-assisted development, bespoke is competitive from day one and increasingly advantaged over time — no annual plugin licenses, no managed WordPress hosting premiums, no security audit costs for third-party code, no emergency patches for vulnerabilities in abandoned plugins.
The Verdict: Is Bespoke Better?
Yes. For the vast majority of new web projects in 2026, bespoke development — assisted by AI coding agents — delivers superior performance, security, and long-term economics compared to WordPress. The historic cost advantage that justified WordPress's complexity has evaporated. Bespoke is now the pragmatic choice, not the premium one.
Question 3: Is WordPress 7.0 Going in the Right Direction?
The Non-Technical Answer
WordPress 7.0, targeted for April 9, 2026, is making two big bets: collaboration and AI.
The collaboration bet is straightforward. WordPress 6.9 introduced block-level Notes — threaded, resolvable comments attached directly to content blocks. WordPress 7.0 will extend this into real-time multi-user editing. Think Google Docs, but for website content. This is a meaningful improvement for editorial teams and a direct response to the collaborative editing that tools like Notion and Google Workspace have normalized.
The AI bet is more ambitious. WordPress is proposing to merge an "AI Client" into core, making AI features available to any WordPress user without third-party plugins. The Abilities API, introduced in 6.9, creates a registry of WordPress capabilities that AI agents can discover and invoke. An official MCP (Model Context Protocol) Adapter lets AI tools like Claude Desktop, Cursor, and VS Code interact with WordPress programmatically. The stated goal: "By WordPress version 7.0, any WordPress user should be able to access, use, and build powerful AI features."
This is the right instinct. If AI is the future of how people build and manage websites, WordPress needs native AI capabilities to remain relevant.
But here is the problem: WordPress is adding AI to a foundation that is showing cracks. The governance crisis has fractured community trust. Automattic cut its open-source contributions by 99%. Prominent contributors have been banned. The ecosystem's security posture is deteriorating. Adding AI features to an architecturally dated, governance-challenged platform is like installing a Tesla engine in a car with a cracked frame. The engine is impressive. The car still has structural problems.
The collaboration features are genuinely useful. The AI integration is strategically necessary. But neither addresses the fundamental issues: WordPress's performance deficit, its security vulnerability surface, its monolithic PHP architecture, or the governance crisis that has shaken institutional confidence in the project's stewardship.
The Technical Answer
WordPress 7.0's technical direction reveals both sophistication and denial.
The Abilities API is well-designed. It provides a standardized interface for plugins, themes, and core to expose capabilities as discoverable, invokable functions. Combined with the MCP Adapter, this means AI agents can interact with WordPress in a structured way — creating posts, modifying settings, querying content — without screen-scraping or brittle API hacks. This is forward-thinking architecture that acknowledges AI agents as first-class consumers of web infrastructure.
The AI Client merge into core is ambitious but risky. WordPress's update model pushes changes to 478 million sites. Embedding AI capabilities in core means maintaining AI infrastructure (model integrations, prompt handling, response parsing) at WordPress's scale and update cadence. This is fundamentally different from maintaining a PHP template engine. AI APIs change rapidly. Model capabilities evolve monthly. WordPress's quarterly release cycle may be too slow to keep pace, creating a perpetual gap between WordPress's AI features and the state of the art.
Gutenberg Phase 3 (Collaboration) is technically sound. The block-level Notes system uses a well-structured data model, and the planned real-time collaboration builds on established techniques (operational transformation or CRDTs) that Google Docs and Figma have validated at scale. Full Site Editing adoption grew 145% in 2025. Gutenberg adoption has reached 60%. The editor is mature and stable.
What 7.0 does not address:
The performance architecture. WordPress remains a synchronous PHP application that bootstraps on every request. There is no server component model, no streaming, no edge rendering, no static generation. The performance gap with modern frameworks is widening, not narrowing, and 7.0 does nothing to close it.
The plugin security model. With 91% of vulnerabilities originating in plugins and more than half of developers failing to patch before disclosure, the plugin ecosystem is WordPress's greatest liability. 7.0 proposes no changes to plugin review processes, sandboxing, or automated vulnerability scanning.
The database architecture. WordPress's
wp_postsandwp_postmetatables store structured content in an untyped key-value schema that was designed for blog posts. This creates performance bottlenecks at scale and makes content modeling unnecessarily complex. Purpose-built headless CMS platforms like Sanity and Strapi offer typed content schemas, GraphQL APIs, and real-time collaboration out of the box.The governance model. WordPress's technical direction is inseparable from its governance. A single individual controls both Automattic (the for-profit company) and WordPress.org (the community infrastructure). The events of 2024-2025 demonstrated that this concentration of power can be weaponized — blocking a hosting company from plugin updates, banning contributors, slashing community contributions. No amount of technical innovation can offset institutional instability.
WordPress 7.0 is adding features that modern platforms already have while failing to address the structural deficits that are driving adoption away. The direction is partially right (AI integration, collaboration) and partially evasive (performance, security, governance).
The Verdict: Is WordPress 7.0 Going in the Right Direction?
Partially. The AI and collaboration investments are strategically correct and technically competent. But they are insufficient. WordPress 7.0 is improving the interior of a building whose foundation needs reinforcement. The performance architecture, security model, and governance structure — the things that actually determine whether WordPress survives the next decade — remain unaddressed.
The Final Accounting
WordPress is not dying tomorrow. Forty-two-point-eight percent of the web does not evaporate overnight. But the conditions that made WordPress dominant — the absence of affordable alternatives, the scarcity of development talent, the complexity of building custom software — have been systematically dismantled by AI.
The numbers tell a story that is already in motion:
- WordPress market share is declining for the first time in its history
- 11,334 new vulnerabilities were discovered in the ecosystem last year
- Only 36% of WordPress mobile sites pass Core Web Vitals
- AI coding tools have compressed custom site development from months to days
- Lovable hit $300M ARR in eight months; Bolt.new deployed 1M sites in five months
- 92% of US developers now use AI coding tools daily
- Gartner forecasts 60% of new code will be AI-generated by 2026
WordPress will continue to power legacy installations for years. It will serve large editorial operations that depend on its content management workflow. It will maintain a meaningful market share simply because migration has friction and inertia is powerful.
But for new projects — for the entrepreneur launching a business, the agency building a client site, the startup establishing a web presence — the rational choice in 2026 is to build bespoke with AI assistance. The result will be faster, more secure, higher-performing, and cheaper to maintain. WordPress's value proposition has been eclipsed not by a single competitor but by a paradigm shift in how software gets made.
The future of WordPress is not extinction. It is irrelevance — the slow fade of a platform that solved yesterday's problem while the world moved on to solving tomorrow's.