WordPress powers 42.8% of all websites and holds 62% of the CMS market, nearly half the internet. This twenty-three-year-old content management system was originally designed for blogging.
While this sounds like dominance, it marks the highest point on a curve now bending downward for the first time in WordPress history.
This article asks three questions and answers each one definitively. No hedging.
- In the age of AI agents and agentic coding, is WordPress really needed?
- Is bespoke better?
- Is WordPress 7.0 going in the right direction?
The State of the Kingdom
Before we interrogate the future, we need to see the present clearly.
WordPress peaked at 65.2% of the CMS market in 2022, but is now 62% and dropping. Its overall web share also dipped from 43.6% in January 2025 to 42.8% in early 2026—the platform's first meaningful decline.
The HTTP Archive's 2025 Web Almanac describes this shift as WordPress moving "from a focus on expansion to one on stabilization."
Stabilization is a polite word for what happens when the world moves and you do not.
The WordPress ecosystem reported 11,334 new security vulnerabilities in 2025, a 42% increase from the prior year. Ninety-one percent of these vulnerabilities were in plugins; over half of developers notified by Patchstack failed to release a fix before public disclosure.
WordPress sites are attacked every 32 minutes on average. Only 36% of WordPress mobile sites pass Google's Core Web Vitals.
A governance crisis compounds these issues. In September 2024, Automattic CEO Matt Mullenweg publicly called WP Engine "a cancer to WordPress," leading to a lawsuit and counter-lawsuit.
This resulted in WP Engine's access to WordPress.org plugin updates being blocked, affecting hundreds of thousands of sites. Other consequences included 159 employee departures, a 99% reduction in Automattic's open-source contributions, the dissolution of the sustainability team, and banning of prominent contributors.
A federal judge granted WP Engine a preliminary injunction in December 2025, ordering access restored within 72 hours. A full trial is expected in 2027.
That is the kingdom in March 2026.
Question 1: Is WordPress Really Needed?
The Non-Technical Answer
Think of WordPress like a department store that opened in 2003 when there were few alternatives. For years, if you wanted a website, WordPress was the obvious choice—affordable, flexible, and surrounded by a massive ecosystem of designers, developers, and support resources.
Today, the landscape is unrecognizable. AI coding tools like Claude Code, Cursor, and Bolt.new can generate complete, production-ready websites in hours, not weeks.
Lovable, an AI site builder, hit $300 million in annual revenue in just eight months. Bolt.new deployed over one million AI-generated websites on Netlify in five months; small businesses using AI report 87% time and 78% cost savings.
The question is not whether WordPress can still build websites; of course it can. Rather, it's whether WordPress's complexity, maintenance burden, and security exposure are justified when AI alternatives deliver superior results faster and cheaper.
For simple marketing sites, blogs, and small business presences—WordPress's core market—the honest answer is increasingly no. The floor has risen; what required WordPress in 2015 now requires only a conversation with an AI agent and a modern hosting platform.
For complex content operations at scale, like large publishing houses or enterprise intranets, WordPress's content management strengths still matter. Its editorial workflow, user roles, and plugin ecosystem serve these use cases well.
However, headless CMS platforms like Strapi and Sanity are absorbing market share by offering better developer experience and multi-channel distribution.
WordPress is not needed the way it once was; it is familiar. These are different things.
The Technical Answer
WordPress's architecture is a PHP monolith backed by MySQL, rendering pages through a theme layer that tightly couples content, presentation, and logic. Every page load involves bootstrapping the entire WordPress application—loading active plugins, querying the database, executing template hierarchy logic, and rendering HTML server-side.
This architecture made sense in 2003 but is now a performance liability. WordPress ranks last among major CMS platforms for Core Web Vitals compliance.
The dependency chain is staggering: a typical WordPress site loads 20-60 active plugins, each adding database queries, scripts, and stylesheets, while expanding the attack surface.
Modern frameworks like Next.js, Astro, and SvelteKit take fundamentally different approaches. Static generation pre-renders pages at build time, delivering HTML from a CDN with zero server-side computation per request.
Server components stream HTML progressively; edge rendering places logic at network points closest to users. These are not incremental improvements, but architectural paradigm shifts WordPress cannot adopt without ceasing to be WordPress.
Performance data is stark: 60% of Astro sites pass Core Web Vitals versus 38% for WordPress. An Astro static site loads in 0.9 seconds, compared to 2.8 seconds for a comparable WordPress site.
Astro ships 90% less JavaScript. Next.js sites migrating from WordPress report Lighthouse score improvements from 63 to 91.
WordPress can be optimized—aggressive caching, CDN layers, lightweight themes, minimal plugins—but those optimizations are fighting the architecture rather than leveraging it. You are spending engineering effort to make WordPress behave like something it is not.
AI coding agents compound this disadvantage. Claude Code, in an agentic terminal session, can scaffold a complete Next.js application with authentication, database integration, API routes, and deployment configuration in one session.
The generated code is type-safe, tree-shakeable, and deploys to edge networks by default. There is no plugin ecosystem, theme compatibility matrix, or database bloat to manage.
The 64,782 tracked vulnerabilities in the WordPress ecosystem are not a bug; they are a feature of its extensibility model. This model assumes trust in thousands of independent plugin developers with inconsistent security practices and no guaranteed patching timeline.
Bespoke applications have attack surfaces proportional to their actual functionality. WordPress sites' attack surfaces are proportional to their plugin count.
The Verdict: Is WordPress Really Needed?
No. WordPress is no longer necessary for most of its current use cases. It remains viable for large-scale editorial operations where content management workflow justifies architectural tradeoffs.
For everything else—the majority of the 42.8%—better tools exist and are improving monthly.
Question 2: Is Bespoke Better?
The Non-Technical Answer
"Bespoke" used to mean "expensive." A custom website required a team of developers, months of work, and a budget starting at $15,000.
WordPress existed precisely because most businesses couldn't afford bespoke, making its value proposition economic, not technical.
AI has inverted this equation.
When Claude Opus 4.5 scores 80.9% on SWE-bench Verified, outperforming all human candidates in Anthropic's assessments, the cost of custom software development drops structurally. AI now writes 30% of Microsoft's code and over a quarter of Google's.
Among Y Combinator's Winter 2025 cohort, 21% of companies have 91% AI-generated codebases. Gartner forecasts 60% of new software code will be AI-generated by 2026.
Practically, a developer using AI coding tools can build a custom website in days, not months. The cost of a bespoke site has collapsed from $15,000-$50,000 to a fraction, and time-to-launch compressed from 8-24 weeks to days.
Maintenance shifts from managing a plugin ecosystem (11,334 vulnerabilities per year) to maintaining code you actually wrote and understand.
Bespoke is not just better; it is now accessible. The democratization WordPress once provided—making websites available to everyone—is superseded by AI making custom software accessible to all.
There is a caveat: AI-generated code can introduce vulnerabilities. Studies show AI co-authored pull requests have 2.74x higher rates of security issues, with one analyst predicting $1.5 trillion in technical debt by 2027 from AI-generated code.
Bespoke is better but requires the same discipline as good software: code review, testing, and architectural intention. The tool is more powerful, yet human judgment remains essential.
The Technical Answer
The technical case for bespoke hinges on three advantages: performance, security, and ownership.
Performance. A bespoke Next.js or Astro application is compiled, tree-shaken, and deployed to edge networks. There's no runtime framework bootstrapping, plugin initialization chain, or database queries for static configuration data.
The performance ceiling is defined by physics (network latency, CDN proximity), not architectural overhead. A bespoke Astro site serving static HTML from a CDN edge node will always outperform a WordPress site loading PHP, executing hooks, querying MySQL, and assembling a response.
Security. A bespoke application's attack surface is its own code, with no shared vulnerability database because there is no shared codebase. You are not exposed to forgotten plugin CVEs or trusting third-party developers to patch vulnerabilities before exploitation.
Your dependencies are explicit, auditable, and locked to specific versions via package management.
Ownership. A WordPress site exists within WordPress's gravitational field; theme updates can break customizations, and plugin compatibility constrains upgrades. The Gutenberg editor imposes design assumptions.
WordPress 7.0's direction will affect your site regardless of your agreement. A bespoke application has no such dependency; you control architecture, deployment, update cadence, and feature roadmap.
The counterargument—that bespoke requires ongoing developer maintenance—has weakened substantially. AI coding agents can debug, refactor, and extend bespoke codebases as effectively as they build them.
The maintenance burden of AI-managed custom code is now comparable to a WordPress installation managed without AI. Custom code also avoids the entropy of an aging plugin ecosystem.
The Total Cost of Ownership (TCO) comparison has flipped. WordPress was traditionally cheaper for years 1-3, then more expensive after year 4.
With AI-assisted development, bespoke is competitive from day one and increasingly advantaged over time. It offers no annual plugin licenses, managed hosting premiums, security audit costs for third-party code, or emergency patches for abandoned plugin vulnerabilities.
The Verdict: Is Bespoke Better?
Yes. For the vast majority of new web projects in 2026, AI-assisted bespoke development delivers superior performance, security, and long-term economics compared to WordPress. The historic cost advantage justifying WordPress's complexity has evaporated.
Bespoke is now the pragmatic choice, not the premium one.
Question 3: Is WordPress 7.0 Going in the Right Direction?
The Non-Technical Answer
WordPress 7.0, targeted for April 9, 2026, is making two big bets: collaboration and AI.
The collaboration bet is straightforward. WordPress 6.9 introduced block-level Notes—threaded, resolvable comments attached to content blocks.
WordPress 7.0 will extend this into real-time multi-user editing, like Google Docs for website content. This offers meaningful improvement for editorial teams, responding to collaborative editing normalized by tools like Notion and Google Workspace.
The AI bet is more ambitious. WordPress proposes merging an "AI Client" into core, making AI features available to any user without third-party plugins.
The Abilities API (6.9) creates a registry of WordPress capabilities that AI agents can discover and invoke. An official MCP Adapter lets AI tools like Claude Desktop interact with WordPress programmatically.
The stated goal: "By WordPress version 7.0, any WordPress user should be able to access, use, and build powerful AI features."
This is the right instinct. If AI is the future of how people build and manage websites, WordPress needs native AI capabilities to remain relevant.
The problem is that WordPress is adding AI to a foundation showing cracks. The governance crisis has fractured community trust, Automattic cut its open-source contributions by 99%, and prominent contributors have been banned.
The ecosystem's security posture is deteriorating. Adding AI features to an architecturally dated, governance-challenged platform is like installing a Tesla engine in a car with a cracked frame; the engine is impressive, but the car still has structural problems.
The collaboration features are genuinely useful, and AI integration is strategically necessary. However, neither addresses fundamental issues like WordPress's performance deficit, security vulnerability surface, or monolithic PHP architecture.
Nor do they address the governance crisis that has shaken institutional confidence in the project's stewardship.
The Technical Answer
WordPress 7.0's technical direction reveals both sophistication and denial.
The Abilities API is well-designed, providing a standardized interface for plugins, themes, and core to expose capabilities as discoverable, invokable functions. Combined with the MCP Adapter, AI agents can interact with WordPress in a structured way—creating posts, modifying settings, querying content—without brittle API hacks.
This is forward-thinking architecture, acknowledging AI agents as first-class consumers of web infrastructure.
The AI Client merge into core is ambitious but risky; WordPress's update model pushes changes to 478 million sites. Embedding AI capabilities in core means maintaining AI infrastructure (model integrations, prompt handling) at WordPress's vast scale and update cadence.
This is fundamentally different from maintaining a PHP template engine. AI APIs change rapidly, and model capabilities evolve monthly, meaning WordPress's quarterly release cycle may be too slow to keep pace, creating a perpetual gap with the state of the art.
Gutenberg Phase 3 (Collaboration) is technically sound. The block-level Notes system uses a well-structured data model, and planned real-time collaboration builds on established techniques validated at scale by Google Docs and Figma.
Full Site Editing adoption grew 145% in 2025, and Gutenberg adoption reached 60%. The editor is mature and stable.
What 7.0 does not address:
The performance architecture. WordPress remains a synchronous PHP application that bootstraps on every request. There is no server component model, streaming, edge rendering, or static generation.
The performance gap with modern frameworks is widening, not narrowing, and 7.0 does nothing to close it.
The plugin security model. With 91% of vulnerabilities originating in plugins and more than half of developers failing to patch before disclosure, the plugin ecosystem is WordPress's greatest liability. 7.0 proposes no changes to plugin review processes, sandboxing, or automated vulnerability scanning.
The database architecture. WordPress's
wp_postsandwp_postmetatables store structured content in an untyped key-value schema designed for blog posts. This creates performance bottlenecks at scale and makes content modeling unnecessarily complex.Purpose-built headless CMS platforms like Sanity and Strapi offer typed content schemas, GraphQL APIs, and real-time collaboration out of the box.
The governance model. WordPress's technical direction is inseparable from its governance; a single individual controls both Automattic (the for-profit company) and WordPress.org (the community infrastructure). The events of 2024-2025 demonstrated that this power concentration can be weaponized.
This includes blocking a hosting company from plugin updates, banning contributors, and slashing community contributions. No technical innovation can offset such institutional instability.
WordPress 7.0 is adding features that modern platforms already have while failing to address the structural deficits driving adoption away. The direction is partially right (AI integration, collaboration) and partially evasive (performance, security, governance).
The Verdict: Is WordPress 7.0 Going in the Right Direction?
Partially. The AI and collaboration investments are strategically correct and technically competent, but insufficient. WordPress 7.0 improves the interior of a building whose foundation needs reinforcement.
The performance architecture, security model, and governance structure—the factors determining WordPress's survival—remain unaddressed.
The Final Accounting
WordPress is not dying tomorrow; 42.8% of the web does not evaporate overnight. However, the conditions making WordPress dominant—lack of affordable alternatives, scarcity of talent, complex custom software—have been systematically dismantled by AI.
The numbers tell a story that is already in motion:
- WordPress market share is declining for the first time in its history
- 11,334 new vulnerabilities were discovered in the ecosystem last year
- Only 36% of WordPress mobile sites pass Core Web Vitals
- AI coding tools have compressed custom site development from months to days
- Lovable hit $300M ARR in eight months; Bolt.new deployed 1M sites in five months
- 92% of US developers now use AI coding tools daily
- Gartner forecasts 60% of new code will be AI-generated by 2026
WordPress will continue to power legacy installations for years, serving large editorial operations dependent on its content management workflow. It will maintain meaningful market share because migration has friction and inertia is powerful.
But for new projects—an entrepreneur, an agency, a startup—the rational choice in 2026 is to build bespoke with AI assistance. The result will be faster, more secure, higher-performing, and cheaper to maintain.
WordPress's value proposition has been eclipsed not by a single competitor but by a paradigm shift in how software gets made.
The future of WordPress is not extinction. It is irrelevance—the slow fade of a platform that solved yesterday's problem while the world moved on to solving tomorrow's.