WordPress Manifesto - 15 Years In, Here's What's Actually Broken

I've been doing WordPress for 15 years. I love it and I'm tired of it at the same time. Not tired in the "I'm moving to Webflow" way. Tired of the lies - the small ones and the big ones. The "free CMS", the "open source community", the "40% of the web" brag. All of it. Here's what's actually going on.

The "40% of the web" line is a cope

Yeah, it's probably true. But most of those sites are throwaway blogs and directory junk. WordPress makes it trivial to spin up a basic content site, so of course the number is huge. Quantity isn't quality. Stop quoting it like it proves something.

Core is broken

Vanilla WordPress, fresh install, no plugins - and XML-RPC is wide open. The moment your site goes live, bots start brute-forcing wp-login. You shouldn't need a plugin to not get owned on day one. That's not a minor gap, that's a design failure.

Then there's SEO. You need a plugin for basic meta titles. You need a plugin for descriptions. Meta tags. In 2026. There's no excuse for that. SEO should be native by now.

You can't just flip one switch to kill comments site-wide. The settings sprawl across multiple screens and are absurdly complex for a feature most sites don't even want anymore. A single "Comments: off" checkbox would save millions of hours of googling and plugin installs.

There's a full admin page at /wp-admin/options.php that lists every option in the database and lets you edit it. It's been there forever. It's actually useful. And there's literally no link to it anywhere in the admin UI. You either know the URL or you don't. That's just weird.

WordPress has Recovery Mode for when a plugin fatals your site. Nice feature - except the recovery link only goes to one admin email. A site can have ten admins, any of them can break something, but only the "main" admin gets the recovery email. If you're admin number two and you crash the site, you're locked out. Your only way back is FTP or SSH. In 2026. Bonkers.

And instead of fixing any of this, Automattic keeps bolting more React and builder tooling onto the editor. The wrong direction. What core needs is hardening, slimming, cutting dependencies. Maybe even a real fork into something modern. It's long overdue and nobody wants to say it out loud.

I tried contributing. There's a "good first bugs" list, so I picked one - an underperforming function, open for 8 years, with a couple of stale PRs sitting on it. I posted mine. Silence. If that's the on-ramp for new contributors, no wonder core moves like it does.

Free isn't free

Core WordPress is bare-minimum. To get a real, usable site you need a stack of plugins. Running a store? You need WooCommerce, a pile of Woo add-ons (because Woo doesn't ship with invoicing or most payment gateways), an SMTP plugin, a security plugin, 2FA, SEO, and something like ACF or Pods for custom content types.

Most of those plugins have a "free" tier that's a gateway drug. You hit a wall, then pay. Forty bucks here, sixty there. Individually cheap, but it compounds. And it's almost always a yearly subscription. So before your site earns a single euro, you're already locked into hosting, domain, and a stack of renewals.

"Just cancel the subscriptions" isn't a real answer. The moment a plugin stops updating and a vulnerability drops, your site is a sitting duck. Pay or get hacked. Those are the options.

Most site owners also end up paying for maintenance - because knowing how to configure all these plugins and fix the gaps between them is its own full-time skill. So "free CMS" quietly becomes hosting + domain + 6–10 subscriptions + a retainer. Let's stop pretending it's free.

And the market knows it. Core is free. Hosting is cheap because WordPress runs on ancient PHP and weak shared boxes. Themes are free. Plugins are free. So everyone expects everything around WordPress to cost nothing too - designing, implementing, cleaning up hacked installs, performance, SEO. All of it. Treated like it should cost nothing. That's a bad deal for everyone doing the actual work.

The GPL racket

Plugins are what makes WordPress different from every other CMS. In theory, a non-developer can buy hosting, click together a few plugins, and turn a blog into a shop, a directory, a booking system, whatever. That's incredible.

But try to actually sell a plugin and you hit a wall. People don't want to pay. And the GPL crowd will tell you that you can't sell the code anyway - you can only sell "support" or "updates". That's bullshit. If your plugin is good and stable, you shouldn't be forced to sell babysitting on top of it. You're selling a license to use software, like every other commercial software on earth.

Meanwhile entire scammer networks buy one license, strip it, and resell the same plugin on hundreds of "GPL sites" for a few bucks. Basically nothing you can do about it, because it's PHP and anyone with a text editor can edit a plugin.

Automattic also gatekeeps wordpress.org. Plugins can get banned if the directory team doesn't like how they're sold. A loud chunk of the community - moderators, GPL purists, people who personally benefit from the status quo - will fight any attempt to charge for code by waving the license at you. The people benefiting most from that setup aren't the small developers. They're the resellers and the platform owners.

The community fiction

Site owners, freelancers, agencies, theme shops, plugin shops, core contributors, hosts - all lumped together as "the WordPress community". WordCamps, WordUps, meetups everywhere. On the surface, one big family.

Underneath, it's tense. Plugin developers ally with other plugin developers because they share enemies (the GPL resellers), but they're also competing with each other, so the alliances are shallow. Plugin devs and theme devs are in permanent conflict because there's no clean line between what a theme should do and what a plugin should do. I've opened sites with custom CSS in five different places - core, theme, three plugins - all fighting each other. That's not a community. That's a turf war with a friendly logo on top.

And the bar to call yourself a "WordPress developer" is on the floor. If you can install WordPress and pick a theme, you can call yourself one. There's no real distinction between that and someone who can build a custom theme from scratch, write a real plugin, or debug core. After 15 years, it's genuinely hard to differentiate yourself in a market where the word means nothing.

Automattic's two faces

The mission is "free and open source, for everyone". Meanwhile Automattic runs WordPress.com for profit, takes huge sponsor money, and quietly buys up plugin companies. They're a for-profit business extracting enormous value from an ecosystem they frame as community-owned. You can't preach open source on stage and run a hosting empire backstage and pretend there's no tension.

Here's the part that gets me. WordPress looks open source, but in practice it's basically in Automattic's hands. If you're a small plugin developer, you're on your own. But the second your work gets popular and solves a real pain point, Automattic can just take it. They can fold it into core. They can copy it and ship their own version. They can buy you. The best case for you is they throw some money your way - and they don't even have to do that.

Besides Automattic, the big winners are scammers, GPL resellers, and a handful of hosting giants. Everyone else is small fries. Freelancers can still pull in a few hundred bucks building sites - but that tier is being eaten by AI fast. The money is consolidating: Automattic, the Elementor owners, a couple of big hosts. Hundreds of thousands of people contribute to the ecosystem. A handful of companies capture almost all the value. That's not a community. That's a supply chain.

The WP Engine drama showed exactly how this works. Grow big enough inside the WordPress world and eventually one of Automattic's tentacles comes out, grabs you, and either devours you or kills you. It wasn't a one-off. It was the mask slipping. It's not a family. It's a pond, and there's one big fish in it.

Users lose too

Most of this is from a developer's seat, but users are paying for this mess just as much. Because core is so bare-minimum and because "anyone can build a WordPress site", the experience is wildly inconsistent. One WordPress site is a polished, fast, accessible portal. The next one - same CMS - is a slow, broken disaster hosted on the cheapest shared box by someone building their second site ever. Users have no way to tell the difference until they're on the page.

If core had real quality baked in - speed, SEO, security, sane defaults - the floor would be much higher and every site in the world would benefit. Right now "it's WordPress" tells a user almost nothing about what they're about to experience. And that's on core.

What I actually want

Two things. Either serious competition - a truly open CMS, genuinely community-owned, where the only thing you pay for is hosting. That would break this whole weird economy overnight. Or WordPress core finally grows up: lean, fast, secure, SEO-aware by default, with a clean line between core, plugins (features), and themes (layout). Right now everything is tangled and it feels toxic to work in.

The uncomfortable truth is that nobody in power actually wants core to be good. If core shipped proper SEO, proper performance, proper security - most small plugin businesses lose their moat and disappear. So maybe WordPress is partly a facade. A smoke screen that lures small fish in, lets them grow a bit, then eats them when they get big enough to matter.

I'm not leaving. I've spent 15 years on this thing. It's a huge part of my life and I'm actually good at it. But I'm done pretending it's something it isn't. WordPress is still the best tool for a huge chunk of the web. I just want it to stop lying about what it is.

Revolution or collapse

Here's the part nobody in the WordPress world wants to hear. The era where WordPress had no real alternative is ending. AI is already writing whole sites, whole themes, whole plugins. Every month the tooling gets better. The moat that protected the WordPress empire - "it's the easiest way to build a site" - is evaporating. Fast.

Long term, I see exactly two paths:

Revolution. The community wakes up, pushes back on the Automattic-owned "open source" theater, forces core to become genuinely lean, fast, secure and SEO-aware, draws a clean line between core/plugins/themes, and opens the contributor pipeline to people who actually want to fix things. WordPress earns its 40% by being good, not by being entrenched.

Collapse. Nothing changes. Core keeps bloating. The contributor pipeline keeps ghosting people. Automattic keeps extracting. Small devs and small agencies get picked off one by one by AI and by the big players. And WordPress slowly turns into the Roman Empire of the web - still huge on a map, still quoting old stats, rotting from the inside while the world moves on.

This is a wake-up call. Not a goodbye. I'd rather see the revolution. But if nothing changes, the collapse is already on the calendar - we're just arguing about the date.