WordPress — 43 percent of the Web runs on it, and I have cleaned malware off four of them.
The first WordPress site I had was a football blog that nobody read. I set it up in February 2012 on a $2.99 a month shared hosting plan, with a free theme whose name I can't remember, but it had a dark background and an orange header, which I thought looked professional. I posted 11 times in 3 months. The most viewed post got 14 views, and 7 of them were me checking that the formatting looked right on my phone. I quietly abandoned the blog around May, but the WordPress installation kept running for two more years, until I remembered to cancel the hosting. By the time I did, an automated bot had defaced the site and put a Russian pharmaceutical ad on my homepage. I didn't know enough to be angry at the right thing. I blamed the hosting company. I should have blamed myself for not updating WordPress, but I'll also stand by this: I should have blamed WordPress for being the kind of software that gets exploited the moment you stop paying attention to it.
This was 12 years ago. Since then, I’ve built or maintained between 30 and 40 WordPress sites, for myself, for friends, for small businesses, for clients who wanted “something simple” and didn’t understand that nothing about running a website is simple once you start caring about performance, security and SEO. WordPress and I are codependent and resentful. I know it too well to love it and too well to leave it.
WordPress was created in 2003 by Matt Mullenweg and Mike Little as a fork of an existing blogging tool, b2/cafelog. It was blogging software, and that is worth keeping in mind: everything WordPress has become (a complete content management system, an e-commerce platform, a membership site builder, a learning management system, an application framework) was built on a foundation designed to let people publish paragraphs and pictures in reverse-chronological order. The basic architecture was posts, pages, categories, tags, a front-end theme and a back-end dashboard. That simplicity is what made WordPress win. It was easier to use than Drupal, more flexible than Blogger, cheaper than anything else, and it let non-technical users publish on the internet without learning HTML. In 2011, WordPress ran 13 percent of the top 10 million websites. By 2025 that number had passed 43 percent. Not 43 percent of blogs. 43 percent of all websites. The White House website runs on WordPress. The New York Times blogs ran on WordPress. Your dentist's website is probably built on WordPress. The scale is ludicrous and it is not slowing down.
WordPress’s greatest strength, and most dangerous trap, is the plugin ecosystem. The official repository has more than 59,000 free plugins. Looking for a contact form? There are 400 plugins for that purpose. Need SEO tools? More than 12 million sites have been installed with Yoast. Need e-commerce? WooCommerce transforms WordPress into a complete online store and handles billions of dollars in transactions every year. Looking for a booking system, forum, multilingual site, podcast host, job board, real estate listing, restaurant menu with online ordering? There is a plugin. There’s always a plugin. That’s the issue.
Every plugin is code written by someone else that runs inside your WordPress process, with the same database credentials and filesystem access as core. A hole in a plugin is a hole in the whole site, no matter how careful the core team was. Some plugins are built by professional teams with security audits and regular updates. Some were written by one developer in 2017 and have not been touched since. Some do not play nicely with other plugins, and the conflict only shows up on a Tuesday afternoon when a particular PHP version handles a particular kind of request. I once spent an entire weekend fixing a site that crashed whenever someone submitted a form. The cause was a caching plugin and a form plugin that both tried to modify the same WordPress hook. Neither plugin was broken on its own. Together they produced a white screen of death and an error log with a stack trace longer than some of my blog posts. I disabled the caching plugin, found a replacement, tested it against every other plugin on the site, and lost 48 hours of my life to a problem that should never have happened.
It's the same with the theme ecosystem. There are thousands of free themes and thousands of premium themes ranging from $30 to $200. The best themes (Astra, GeneratePress, Kadence) are light, well coded, and customizable without touching CSS. The worst are bloated with features, load 15 JavaScript files and 8 CSS stylesheets, and make a simple 5 page business site take 6 seconds to load. In 2023, I audited a client's site that used a popular multipurpose theme (I won't name it, but you'll know it) and the homepage made 127 HTTP requests and loaded 4.3 megabytes of assets. The site had five pages. Five. It should not have weighed more than a high-resolution photo, and yet there we were, waiting 3.5 seconds for a page containing a logo, three paragraphs and a contact button. I rebuilt the site on GeneratePress in a weekend. Same content. Same layout. Load time dropped to 1.1 seconds. The client asked me what I had changed and I said "everything under the hood", which was true and also spared me a twenty minute explanation of render-blocking JavaScript.
Gutenberg, the block editor that replaced the classic editor in WordPress 5.0 in December 2018, is the most polarizing change in WordPress history, and I say that knowing that WordPress users argue about everything. The classic editor was a basic rich text box. You typed, you formatted with buttons that looked like Microsoft Word circa 2003, you published. It was basic. It was limited. It worked. Gutenberg replaced it with a block-based editor in which every element of content (paragraph, heading, image, list, quote, embed) is a block that can be moved, styled, and arranged. In theory this gives users more control over their layouts without a page builder plugin. In practice, Gutenberg in its first year was buggy, slow, and missing features the classic editor had. The backlash was so strong that the Classic Editor plugin (which restores the old editor) was installed more than five million times, and WordPress officially pledged to support it until at least 2024. Later that became "as long as it is needed," which is corporate-speak for "we can't make people stop using the old thing if they hate the new thing enough."
I held off on Gutenberg for a year, switched in 2020, and I have to say it has gotten a lot better. The current version is faster, more stable, and genuinely useful for layouts that would once have needed Elementor or Divi. Last month I built a landing page with nothing but Gutenberg blocks (columns, cover images, buttons, spacers) and it looked great with no page builder plugin. That is real progress. But Gutenberg's ambitions go beyond the editor. The Full Site Editing initiative wants Gutenberg in charge of everything, from headers and footers to sidebars, template parts and archive layouts, turning the whole site into a collection of blocks. Some theme developers have embraced this. Others are waiting to see whether it stabilises. I am in the second group. Every time WordPress tries to do too much too fast, the people running sites pay for it in broken layouts and surprising behavior after updates.
Security is a topic every WordPress site owner ends up discussing at some point, usually after something has gone wrong. The WordPress core is reasonably secure: the team patches vulnerabilities quickly, and the automatic update system handles minor releases. The security problems almost always come from plugins and themes: abandoned plugins with known, publicly documented vulnerabilities, premium themes with nulled licenses and backdoors baked in, admin accounts with "password123" as the password. Outdated plugins are the number one attack vector for WordPress sites, according to Sucuri's annual reports. Since WordPress 5.5 plugins and themes can be set to auto-update from the dashboard, but it is off by default, and a nulled theme will never update itself anyway. In my career I have cleaned up hacked WordPress installations four times. In every case it was the same story: a plugin that had not been updated in more than a year and had a publicly documented vulnerability. Every time, the site owner said something like "I didn't know I had to update plugins." And every time I thought: they shouldn't have to know. If you have to police your own ecosystem to stay safe, that is a design problem with your content management system, not a problem with you.
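The pattern in all four cleanups was the same: a plugin nobody had touched in over a year. The script below is an added example, not code from the post or from WordPress, that makes that check mechanical: it walks a wp-content/plugins directory, reads the standard "Plugin Name:" / "Version:" header comment that WordPress itself parses from each plugin's main file, and lists every plugin with no file modified in the last 365 days. The fixture it builds in a temp directory (one plugin last touched in 2020, one fresh) is constructed for the demo; point it at a real plugins directory instead.

```sh
#!/bin/sh
# Added example (not from the post): list plugins in a wp-content/plugins tree
# whose files have not changed in over a year. Paths and the two sample
# plugins below are constructed for the demo.
set -eu

# Print one header value from a plugin file. WordPress only reads the first
# 8 KB of the file for headers, so we do the same.
plugin_header() {  # $1 = plugin file, $2 = header key ("Plugin Name", "Version")
    head -c 8192 "$1" | tr -d '\r' \
        | sed -n "s/^[[:space:]*]*$2:[[:space:]]*//p" | head -n 1
}

# List plugins with no file modified in the last $2 days (default 365),
# one per line: directory, plugin name, version (tab separated).
stale_plugins() {  # $1 = plugins directory, $2 = max age in days
    days=${2:-365}
    for p in "$1"/*/; do
        p=${p%/}
        [ -d "$p" ] || continue
        # any file newer than $days means the plugin was updated; skip it
        [ -n "$(find "$p" -type f -mtime "-$days" | head -n 1)" ] && continue
        # the main plugin file is the top-level .php file carrying the header
        main=$(grep -l 'Plugin Name:' "$p"/*.php 2>/dev/null | head -n 1 || true)
        name='?'; ver='?'
        if [ -n "$main" ]; then
            name=$(plugin_header "$main" "Plugin Name")
            ver=$(plugin_header "$main" "Version")
        fi
        printf '%s\t%s\t%s\n' "$(basename "$p")" "${name:-?}" "${ver:-?}"
    done
}

# Constructed fixture: one plugin last touched in March 2020, one written now.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/old-form" "$root/fresh-seo"
    printf '<?php\n/*\nPlugin Name: Old Form\nVersion: 1.4.2\n*/\n' > "$root/old-form/old-form.php"
    touch -t 202003010000 "$root/old-form/old-form.php"
    printf '<?php\n/**\n * Plugin Name: Fresh SEO\n * Version: 9.1\n */\n' > "$root/fresh-seo/fresh-seo.php"
    printf '%s\n' "$root"
}

plugins_dir=$(make_fixture)
echo "Plugins not updated in the last year (dir, name, version):"
stale_plugins "$plugins_dir"
rm -rf "$plugins_dir"
```

On a real install, replace the fixture with `stale_plugins /var/www/html/wp-content/plugins` (path assumed). File age is a heuristic: a plugin can be freshly updated and still vulnerable, or old and fine, so treat the output as a list of things to look up in the plugin directory and changelog, not a verdict. Where WP-CLI is installed, `wp plugin list --update=available` gives the same answer from WordPress's own update data, and `wp plugin verify-checksums --all` catches the other failure mode in the story above: plugin files that differ from what the repository shipped.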
WooCommerce deserves special mention because it turns WordPress into something it was never architecturally meant to be: an e-commerce platform managing inventory, payments, shipping, taxes, and customer accounts. Somehow, miraculously, it works. About 36 percent of all online stores run on WooCommerce. I have built three WooCommerce stores. The smallest was for a maker of handmade jewelry processing roughly 20 orders a month. The biggest sold industrial supplies and processed three hundred. For the small shop WooCommerce was ideal: free, flexible, and simple enough that the owner could run it herself after a two-hour training session. For the larger store WooCommerce began to strain. With thousands of products, order processing got slow. The checkout page needed seven plugins to cover the store's particular tax, shipping and payment requirements. Every WooCommerce update had to be tested against each of those plugins, because one incompatibility could break checkout and cost real money. I eventually moved that store to Shopify, not because Shopify was better at any one thing, but because Shopify did not require me to babysit a pile of plugins and hope they all got along.
Hosting matters more for WordPress than for nearly any other software I have used, and most people find this out too late. A $3.99 shared hosting plan will run WordPress. It will also be slow, memory-limited, sitting on a server with hundreds of other sites, and one traffic spike away from going down. Host WordPress on a managed provider such as Kinsta, WP Engine, or Cloudways and it will be faster, more secure, automatically backed up, and much more expensive ($30-$100 per month depending on the plan). The difference in experience is not small. It is transformative. I moved a client's site from a $7 shared host to Kinsta and the Time to First Byte went from 1.8 seconds to 0.3 seconds. The client did not know what Time to First Byte was, but she did know her site was now fast, and she was willing to pay $35 a month for that. The WordPress community does not communicate this well. Every "start a WordPress site for $2.99!" ad leads to a slow, painful experience, and the user blames WordPress rather than the underpowered server running it.
My relationship with Matt Mullenweg and Automattic, the company behind WordPress.com, Jetpack, WooCommerce and much of the WordPress ecosystem, is complicated. Mullenweg has been the project's public face for more than 20 years since co-founding it, and his leadership has kept WordPress open source, free, and dominant. But there are awkward spots. Jetpack, an Automattic product bundling security, performance and marketing tools, is heavily marketed inside the WordPress dashboard. It is useful. It is also huge, carries a lot of overhead, and depends on Automattic's cloud services for functionality that independent plugins provide without the bloat. More recently, conflicts over governance and commercial contributions in the WordPress community have left some longtime contributors uneasy about the project's direction. These are inside-baseball issues that most site owners will never notice, but for those of us who have been around WordPress for years, they are a question about the health of the project's leadership.
And yet, with all of that (plugin conflicts, security maintenance, Gutenberg debates, hosting complexity, update anxiety), I am still building on WordPress in 2026. Not because it is the best tool for every job. It is not. Ghost is cleaner for a simple blog. Shopify is less stressful for e-commerce. For a static portfolio, plain HTML or a builder like Squarespace is easier. But nothing else matches WordPress on flexibility, cost, community support, extensibility, and ownership at the same time. I can build almost anything with it. I can hand it to a client and they can look after it. I can move it from host to host. I can make it my own to a degree no closed platform allows. And when it breaks, and it always breaks, there are 14 years of Stack Overflow answers, YouTube tutorials, blog posts and forum threads waiting to help me get it working again.
WordPress is not beautiful software. It is a 23-year-old PHP application held together by backward compatibility, community goodwill, and a pile of plugins ranging from brilliant to dangerous. That is why 43 percent of the web runs on it: not because it is the best at anything, but because it is good enough at everything, and because it lets ordinary people own their corner of the web without asking permission from a platform that might change its terms tomorrow. That matters more than elegance. It always has.