Skip to content

SYSTEM Cited by 1 source

WordPress

WordPress (wordpress.org) is the dominant open-source PHP-based content management system on the web — 40%+ of all websites run on it. Released 2003; GPL-licensed; 24 years old as of 2026.

Role on this wiki

Canonical counter-example in Cloudflare's 2026-04-01 EmDash launch post. Cloudflare positions WordPress as structurally incompatible with two 2026-era requirements:

  1. Plugin security. WordPress plugins are PHP scripts that hook directly into WordPress core. No isolation: a plugin has direct access to the WordPress site's database and filesystem. Installing a plugin means trusting it with everything. Result (per Patchstack 2025): 96% of WordPress security issues originate in plugins; 2025 had more high-severity vulnerabilities in the WordPress ecosystem than the prior two years combined.
  2. Hosting model. WordPress requires provisioning and managing servers; "there's no avoiding the need to pre-provision instances and run some amount of idle compute, or share resources in ways that limit performance." Structurally non-serverless. Contrast with scale-to-zero serverless runtimes.

The marketplace problem

WordPress.org "manually reviews and approves each plugin" in its marketplace — the plugin review queue is 800+ deep with a ≥2 week wait. The vulnerability surface of WordPress plugins is so wide that "all parties rely on marketplace reputation, ratings and reviews." Plus: because plugins run in the same execution context as WordPress itself and are deeply intertwined with WordPress code, "some argue they must carry forward WordPress' GPL license."

These combine into the plugin-marketplace-lock-in dynamic: to be trusted, your plugin must be in the marketplace; to be in the marketplace, your plugin must likely be GPL; GPL plus marketplace-as-sole- distribution imposes specific commercial constraints on plugin authors that don't exist in (e.g.) npm/PyPI/Packagist.

Theme architecture (same problem at a different layer)

WordPress themes are also deeply privileged. Integration goes through functions.php"an all-encompassing execution environment, enabling your theme to be both incredibly powerful and potentially dangerous." The more popular a theme, the more of a target it is.

Achievements

Cloudflare's post acknowledges WordPress's scale of impact explicitly: "A triumph of open source that enabled publishing at a scale never before seen. … democratised publishing for millions; many lives and livelihoods being transformed by this ubiquitous software." WordPress is not framed as a failed project; it's framed as a 24-year-old architecture that predates modern sandboxing / serverless / capability-security primitives.

Migration off

Cloudflare's EmDash ships two WordPress migration paths:

  • WXR export — the standard WordPress export file format.
  • EmDash Exporter plugin on the WordPress side, exposing a secure endpoint protected by a WordPress Application Password; the receiving EmDash instance pulls via that endpoint.

Custom post types (which on WordPress typically required heavy plugins like Advanced Custom Fields forcing everything into a single posts table) map cleanly onto EmDash's native collections.

Seen in

Last updated · 200 distilled / 1,178 read