WordPress Made the Internet Worse

WordPress powers forty-three percent of the web. Forty-three percent. Nearly half of all websites, running on the same creaking, wheezing, eternally-patched software that was originally built in 2003 to let people post their thoughts about their cats.

And yet here we are, twenty-three years later, and this software, this bloated carcass of a blogging tool, has metastasized across the internet like a tumor that learned to franchise.

This is presented, usually, as a triumph. Democratization. The people have spoken, and they have chosen WordPress. Who are we to argue with forty-three percent?

Forty-three percent of people also believe in astrology. Forty-three percent of people think they're above-average drivers. Forty-three percent is not a validation. Forty-three percent is a warning.

I am here to argue with forty-three percent.

The Promise

The promise was beautiful. Anyone can have a website. You don't need to know how to code. You don't need to understand servers or databases or any of the dark machinery that makes the internet work. You just install WordPress, pick a theme, and start typing. Your voice, on the internet, for free or nearly free. This was the dream.

And for a moment, maybe, it was true. In 2005, in 2008, when the alternatives were learning HTML by hand or paying a developer thousands of dollars, WordPress was a gift. It was a door that had been locked, now open. People walked through it. Millions of people. Then tens of millions. Then hundreds of millions.

The door is still open. But the room on the other side has filled up with garbage. And the garbage is breeding. And the people who live in the garbage have convinced themselves it smells like roses, because they've been breathing it so long they've forgotten what clean air tastes like.

Sixty Thousand Plugins

There are, as of this writing, over sixty thousand plugins in the WordPress repository. Sixty thousand. This number is presented as a feature. Look at all the things you can do! Need a contact form? There's a plugin. Need SEO tools? There's a plugin. Need to optimize your images, cache your pages, secure your login, add a slider, integrate with Mailchimp, connect to Zapier, display a popup, track your analytics, compress your CSS, lazy-load your images, minify your JavaScript? There's a plugin for each of these things. There are, in fact, dozens of plugins for each of these things. Competing plugins. Overlapping plugins. Plugins that do the same thing in slightly different ways, maintained by different people with different levels of competence and different levels of commitment to keeping their code from catching fire.

Picture the man who maintains a WordPress plugin. Picture him in his apartment, in his underwear, at three in the morning, mass-replying to support tickets from strangers who want to know why his free software doesn't work with their pirated theme. Picture the look in his eyes. That is the face of the infrastructure that runs forty-three percent of the web.

Sixty thousand plugins, and every single one of them is a door that someone left unlocked.

Do you know what happens when you install a WordPress plugin? You are trusting a stranger with your website. You are trusting that this stranger, who you have never met, who may live anywhere in the world, who may have written this code five years ago and never looked at it since, has not made any mistakes. You are trusting that they understood security. You are trusting that they tested their code. You are trusting that they will continue to maintain it as WordPress itself changes, as PHP changes, as the entire landscape of web development shifts beneath everyone's feet.

You are trusting a stranger, and you are doing it ten times, twenty times, thirty times, because the average WordPress site runs thirty plugins and every single one of them is a liability. Thirty open wounds, dressed in cheerful branding, bleeding quietly into your database.

The Hacks

WordPress sites get hacked constantly. Constantly. There are entire companies whose sole business is cleaning up hacked WordPress sites. This is their whole thing. They wake up in the morning, they clean malware out of WordPress installations, they go to sleep, they wake up and do it again. There is enough hacked WordPress to sustain these companies, to pay their employees, to rent their offices, to fund their growth. The sheer volume of compromised WordPress is an economy unto itself.

Think about this. Truly think about it. There are men who have bought houses with the money they made cleaning up WordPress hacks. There are children who have gone to college on the tuition of WordPress failures. An entire class of professionals exists solely because WordPress cannot stop failing, and these professionals pray, in their hearts, that it never learns to stop, because if WordPress ever became secure, they would have to find real jobs.

And whose fault is this? Everyone's. No one's. The plugin developer who didn't sanitize an input. The theme author who left a backdoor, maybe on purpose, maybe by accident. The site owner who didn't update for six months because updating is scary and sometimes it breaks things. WordPress itself, which has made architectural decisions that prioritize backwards compatibility over security, that allow plugins to do almost anything, that treats the database like a junk drawer and the filesystem like a suggestion.

But mostly it is the fault of a system that was never designed to be what it has become. WordPress was designed to be a blogging platform. It has become the foundation of the commercial web. It is being used to run e-commerce stores, membership sites, learning management systems, real estate listings, job boards, social networks. It is being asked to do things it was never meant to do, and it is doing them badly, and when it fails, everyone blames the plugins.

The Speed

A WordPress site, out of the box, with a theme and a handful of plugins, will load in three to five seconds. This is considered acceptable by WordPress standards. This is considered fast, even, by people who have been so thoroughly marinated in WordPress that they have forgotten what fast looks like.

Three to five seconds is not fast. Three to five seconds is an eternity. Three to five seconds is long enough for half your visitors to leave. Three to five seconds is long enough for Google to decide your site isn't worth ranking. Three to five seconds, in 2026, with fiber optic cables circling the globe and data centers on every continent, is an embarrassment. It is the digital equivalent of arriving at a dinner party on horseback and expecting applause.

But WordPress doesn't care about speed. WordPress cares about features. WordPress cares about plugins. WordPress cares about making it easy to add one more thing, and then one more thing, and then one more thing, until your site is loading forty-seven JavaScript files and making ninety-three database queries to display a single page of text.

And then, when the site is slow, there are plugins to make it faster. Caching plugins. Optimization plugins. Plugins that try to undo the damage caused by the other plugins. A whole category of software whose purpose is to bandage the wounds inflicted by the software it's running on. And these caching plugins have their own bugs, their own security holes, their own compatibility issues. It's wounds all the way down.

And the people who sell these caching plugins, these optimization plugins, these bandages for a patient who refuses to stop stabbing himself - these people speak at conferences. They write blog posts. They have podcasts. They have built careers explaining how to make WordPress less terrible, and not one of them has paused to ask why we are all pretending this is normal.

The Developers

WordPress created a generation of developers who don't know how to develop. I say this with some sympathy, because the system was designed to make this happen. WordPress told people: you don't need to learn to code. Just use plugins. Just use themes. Just drag and drop. And people believed it, because they wanted to believe it, because learning to code is hard and time-consuming and WordPress offered a shortcut.

So now we have "WordPress developers" who have never written a line of code that wasn't copied from Stack Overflow. We have "WordPress experts" who couldn't explain how a database works if you held a gun to their head. We have an entire professional class of people whose skills are confined to a single platform, who are helpless the moment they step outside it, who have built their careers on a foundation of someone else's code that they do not understand and cannot fix when it breaks.

I have met these people. I have sat across tables from them. I have watched them click through admin panels with the confidence of surgeons, never suspecting that they are not surgeons at all, that they are children playing with scalpels, that the patient on the table is bleeding from thirty plugin wounds and nobody in the room knows how to stitch.

This is not their fault. They were told this was a path. They followed the path. The path led here, to a clearing full of broken websites and security breaches and four-second load times, and they are standing in this clearing wondering why everyone is so angry. And the worst part is that some of them are good people. Earnest people. People who genuinely wanted to help, who believed what they were told, who did everything right according to the rules of a game that was rigged from the start.

The Comparison

Facebook made the internet worse by turning it into a surveillance machine, by making everyone addicted to outrage, by spreading misinformation at scale, by enabling genocide. Instagram made it worse by poisoning the minds of teenagers, by creating impossible beauty standards, by turning everyone into a brand. TikTok made it worse by reducing all human thought to fifteen-second clips, by making attention spans shorter than goldfish, by being a probable vector for foreign influence operations.

WordPress didn't do any of that. WordPress didn't make anyone addicted or depressed or radicalized. WordPress just made the internet slower, less secure, more fragile. WordPress just taught a generation of people that building for the web means installing plugins and hoping for the best. WordPress just turned website development into an endless cycle of updates and patches and fixes, a treadmill that never stops, a hamster wheel that goes nowhere.

This is a lesser crime. I acknowledge this. If I had to choose between WordPress and Facebook, I would choose WordPress every time. But this is a false choice. The alternative to WordPress was never Facebook. The alternative to WordPress was learning to build things properly. The alternative was web standards, and clean code, and sites that load in under a second, and security that doesn't depend on sixty thousand strangers not making mistakes.

We could have had that. Instead, we have WordPress.

The Hostages

The worst part is that it's too late now. Forty-three percent of the web is a hostage situation. All those sites, all those businesses, all those livelihoods, locked into a platform they can't easily leave. Migration is expensive. Migration is risky. Migration means hiring actual developers, paying actual money, spending actual time. Most people won't do it. Most people will stay on WordPress forever, updating their plugins, patching their security holes, wondering why their site is slow, not knowing that there's another way, not believing it even if you told them.

And WordPress knows this. WordPress is counting on this. The stickiness is the strategy. Make it easy to get in, make it hard to get out, and collect your forty-three percent like rent from tenants who can't afford to move.

This is not an accident. This is not an unfortunate side effect. This is the business model. This is the plan, executed perfectly, over twenty-three years, by people who smile at conferences and talk about community and open source and democratization while forty-three percent of the web rots beneath them.

I have moved people off WordPress. I have seen what's on the other side. Sites that load in 200 milliseconds. Sites that don't get hacked. Sites that don't need thirty plugins to do basic things. Sites that are just HTML and CSS and maybe a little JavaScript, sitting on a server, doing their job, not breaking, not needing constant attention, not waking anyone up at 3am with a security alert.

It's beautiful over there. It's quiet. The air is clean.

But most people will never see it. They're stuck in the WordPress clearing, updating their plugins, waiting for the next patch, hoping nothing breaks.

And somewhere, Matt Mullenweg is giving another keynote about democratizing publishing, and the audience is applauding. They are always applauding. They have been applauding for twenty-three years. And if you listen closely, beneath the applause, you can hear forty-three percent of the web groaning under the weight of sixty thousand plugins, you can hear the databases straining and the servers sweating and the small business owners crying into their keyboards at 2am because their site is hacked again and they don't understand why and nobody will help them.

But nobody listens closely. Nobody wants to hear it. The applause is warm, and the keynote is inspiring, and the future is bright, and somewhere a plugin developer in his underwear is mass-replying to support tickets, and somewhere a WordPress site is being hacked, and somewhere a small business owner is learning that the door they walked through led nowhere good, and the applause continues, and the applause continues, and the applause continues.