Nobody thought we would be writing this headline. Not seriously, anyway. For twenty years, "is WordPress dead?" was a punchline -- the kind of clickbait title that SEO people wrote knowing the answer was always no. WordPress powered 43 percent of the internet. It was, for all practical purposes, the internet's default operating system for websites. Untouchable.
Then 2025 happened.
And now, for the first time in the platform's history, the numbers are going in the wrong direction. Not hypothetically. Not in some niche analysis. The actual, measurable, undeniable numbers.
The first decline in twenty years
WordPress peaked at 43.6 percent market share in mid-2025, according to W3Techs. By March 2026, it had dropped to 42.6 percent. One percentage point might not sound dramatic, but you must understand the context: WordPress had never declined before. Not once. Not during the rise of Squarespace, not during Shopify's explosion, not during the mobile revolution. The line always went up.
It is not going up anymore.
The active domain numbers tell an even starker story. Between February and July 2025, WordPress went from 5.8 million active domains to 4.67 million. That is a 19 percent contraction in five months. Not a slowdown in growth -- an actual reduction in the number of websites running WordPress.
Where are they going? Wix grew 32.6 percent year over year, gaining 3,587 sites directly from WordPress. Squarespace had a net gain of 5,098 former WordPress sites. Shopify keeps absorbing the e-commerce segment. Webflow and Framer are picking up the agency and marketing crowd.
The pattern is clear. Simpler business websites -- the ones that made up the bulk of WordPress's install base -- are leaving.
The governance crisis that broke trust
To understand how WordPress ended up here, you need to understand what happened between Matt Mullenweg and WP Engine. Because it is one of the strangest, most damaging episodes in the history of open-source software.
In September 2024, Mullenweg -- the co-creator of WordPress and CEO of Automattic -- took the stage at WordCamp US and called WP Engine a "cancer to WordPress." Not a competitor. Not a company with disagreements. A cancer. He then demanded that WP Engine pay 8 percent of its gross revenue for WordPress trademark licensing.
When WP Engine refused, WordPress.org blocked them from accessing plugin and theme repositories. This meant that websites hosted on WP Engine -- millions of them -- could not receive security updates or install new plugins through the normal channels. Millions of sites, effectively cut off from the ecosystem, because of a business dispute between two companies.
A federal court had to step in. In December 2024, a preliminary injunction forced Automattic to restore WP Engine's access. But the damage was already compounding.
In January 2025, Automattic reduced its contributions to WordPress Core development from 3,988 hours per week to 45 hours per week. Read that again. From nearly four thousand hours to forty-five. A 99 percent reduction. The company that had been the primary engine behind WordPress development essentially walked away from the project.
Mullenweg deactivated the WordPress.org accounts of five community members. The WordPress Sustainability Team was dissolved. Key contributors -- Riad Benguella, Matias Ventura, Rich Tabor, Anne McCarthy -- stopped contributing. These were not peripheral figures. These were the architects of Gutenberg, the block editor that was supposed to be WordPress's future.
WordPress 6.8, released in 2025, was the only major release that year. The platform had typically shipped two or three per year. Development did not just slow down. It nearly stopped.
Now, Automattic has re-engaged with Core development, and the litigation with WP Engine grinds on through the courts. But the trust damage is difficult to quantify. The open-source community that sustained WordPress for two decades watched its founder use the platform's infrastructure as a weapon in a business dispute. Developers who built careers and businesses on WordPress stability suddenly had to consider: what if it happens again?
Security: 11,334 new vulnerabilities in one year
Even before the governance crisis, WordPress had a security problem. In 2025, it became something closer to a security emergency.
Patchstack's annual report documented 11,334 new vulnerabilities discovered in the WordPress ecosystem during 2025 -- a 42 percent increase from the previous year. Of these, 1,966 were classified as high-severity, which was more than the previous two years combined. By January 2026, new vulnerabilities were being discovered at a rate of 333 per week.
Ninety-one percent of these vulnerabilities came from plugins. Nine percent from themes. Less than one percent from WordPress Core itself. The core software is, it must be said, reasonably secure. But nobody runs core alone. The average WordPress site has 20 to 30 plugins installed, and each one is a potential entry point.
The exploitation timeline is what truly frightens. The median time from vulnerability disclosure to mass exploitation -- meaning attackers actively targeting sites at scale -- is five hours. Not days. Hours. Seventy percent of high-impact vulnerabilities were exploited within seven days. And here is the number that really should make you pause: 46 percent of vulnerabilities had no patch available before they were publicly disclosed. Your site was vulnerable, the world knew it, and there was nothing you could do about it.
A Melapress survey found that 64 percent of WordPress users reported experiencing at least one security breach. Ninety-six percent reported at least one security incident of any severity. These are not hypothetical risks. This is the reality of running WordPress in 2026.
Dead last in performance
You would think that a platform powering 42 percent of the web would at least perform well. You would be wrong.
HTTPArchive's Core Web Vitals data, drawn from real Chrome user experience reports, paints a picture that is -- let's say -- unflattering. Among the six major CMS platforms, WordPress has the lowest Core Web Vitals pass rate at 44.34 percent. Duda leads at nearly 85 percent. Even Wix, a platform this publication has criticized for performance issues, passes at 73 percent. Squarespace manages 69 percent.
WordPress is last. Not close to last. Last.
Only 32 percent of WordPress sites have a good TTFB (Time to First Byte), which is the most basic measure of server responsiveness. The typical WordPress PageSpeed score falls between 60 and 80. Modern frameworks built with Astro, Next.js, or similar tools routinely score 95 to 100.
The reasons are architectural. WordPress renders every page dynamically from a MySQL database on every request unless you layer on caching plugins. The theme system loads CSS and JavaScript for features the page does not use. Each plugin adds its own scripts, styles, and database queries. Twenty plugins later, you have a page that makes 80 database queries and loads 2 megabytes of assets to display what is fundamentally a brochure.
You can optimize this. People do. But optimizing WordPress performance is itself an industry -- a cottage economy of caching plugins, image optimization services, CDN configurations, and database tuning. The fact that an entire ecosystem exists to make WordPress perform acceptably should tell you something about its baseline performance.
The "install and ship" model is what died
Here is where I want to be precise, because nuance matters.
WordPress is not dead for everyone. Disney's blog runs on WordPress. The New York Times uses it. Facebook's corporate site runs on it. Thirty-eight percent of the top 10,000 websites still use WordPress, and many of them will continue to do so for years.
But these are not standard WordPress installations. These are heavily engineered, headless deployments with dedicated development teams, custom caching layers, enterprise-grade security, and budgets that most businesses cannot imagine. They are using WordPress the way a Formula 1 team uses an engine -- extensively modified, professionally maintained, and bearing very little resemblance to what you download from wordpress.org.
What died -- what is measurably dying right now -- is the model that built WordPress's market share in the first place. The model where a small business owner or a freelancer installs WordPress, picks a theme from ThemeForest, adds 15 to 25 plugins for forms and SEO and caching and security and analytics and backups and sliders and social sharing, and considers it done. That model produced websites that are slow, insecure, difficult to maintain, and increasingly invisible to AI search tools.
And businesses are figuring this out. Not because they read articles like this one, but because they see their competitors ranking higher, loading faster, and appearing in ChatGPT recommendations while their WordPress site sits on page three with a Lighthouse score of 62.
The AI search problem
This part gets less attention than it deserves. WordPress's rendering architecture -- server-side PHP generating HTML on each request -- actually works fine for traditional search crawlers and for AI crawlers. Unlike JavaScript-heavy builders, WordPress does output real HTML that GPTBot and Perplexity can read.
But the issue is subtler than that. AI systems do not just crawl content. They evaluate authority signals, structured data, content freshness, internal linking patterns, and site architecture. A WordPress site burdened with plugin conflicts, slow load times, inconsistent schema markup from three different SEO plugins fighting each other, and a flat site structure with 200 uncategorized blog posts does not score well on these evaluations.
The platform itself is not incompatible with AI search. But the way most WordPress sites are built -- hastily, with too many plugins, without strategic architecture -- produces exactly the kind of low-signal, cluttered website that AI systems learn to deprioritize.
What comes next
The honest answer is that we do not know yet. WordPress is not going to disappear tomorrow. Forty-two percent market share is enormous, and institutional inertia is powerful. Many businesses will run WordPress for years simply because switching feels too expensive and too risky.
But the trajectory has changed. For the first time, the momentum is pointing downward. The governance crisis demonstrated that the platform's future depends on the decisions of a single person -- and that person has shown a willingness to use the platform as leverage in personal disputes. The security situation is deteriorating, not improving. Performance trails every major competitor. And the development pace has slowed to a crawl.
If you are currently running a WordPress site for your business, the pragmatic question is not "is WordPress dead" but "what would it cost me to stay versus to leave?" Run the numbers honestly. Factor in the security monitoring you should be paying for. Factor in the performance optimization. Factor in the plugin updates, the compatibility testing after every WordPress update, the hosting costs that scale poorly under load.
Then compare that to a modern alternative -- Webflow for design-led sites, Shopify for e-commerce, a headless CMS for content-heavy operations, or a custom-built site for businesses that need full control. The gap is often smaller than people assume, and sometimes it runs in the other direction entirely.
WordPress gave the internet something remarkable. It democratized publishing. It made the web accessible to people who could not write code. That contribution is genuine and worth acknowledging.
But the platform that accomplished that is not the platform that exists today. What exists today is a system weighed down by its own success -- too many plugins, too much complexity, too little governance, and a founder who set fire to the community's trust when he did not get his way.
The numbers do not lie. And for the first time in twenty years, the numbers say WordPress is shrinking.