WordPress

Powers 43% of the web. Self-hosted gives full control. Open source since 2003.

Publishing
Open source
Adequate
https://wordpress.org Reviewed 2026-04-02 Editorial assessment by Mike Schneider — not an independent security audit

What should journalists know about WordPress?

WordPress is the default CMS for journalism. The New York Post, TIME, TechCrunch, Vox Media, Al Jazeera, and The Times (UK) all run on it. The Onion migrated to WordPress in 2024. The Times cut its time-to-publish by 34% after switching. No other CMS comes close in market share (42.6% of all websites, 60.4% of CMS-based sites as of early 2026) or ecosystem depth.

The self-hosted version (wordpress.org) gives you total control: your server, your data, your rules. WordPress.com (hosted by Automattic) handles maintenance but limits customization. Most serious newsrooms self-host or use WordPress VIP/Newspack.

The plugin ecosystem is both WordPress's greatest strength and its biggest liability. In 2025, 11,334 new vulnerabilities were found in the WordPress ecosystem — a 42% increase over 2024. 96% of those were in plugins, not core. 43% could be exploited without authentication. WordPress core itself had only 7 vulnerabilities in 2024, none critical.

The Mullenweg/WP Engine dispute (September 2024-present) exposed uncomfortable governance questions: Matt Mullenweg blocked WP Engine from WordPress.org resources, disrupting over a million sites, before a federal court ordered access restored. A jury trial is scheduled for February 2027. 159 Automattic employees — 80% from the WordPress division — left the company in protest. This dispute matters because it revealed how much power one person holds over WordPress.org infrastructure, even though the software itself is open source.

For journalists who need a battle-tested CMS with maximum flexibility, WordPress remains the best option. Just budget for security maintenance.

Best for

Independent journalism websites. Newsroom publishing at any scale. Membership and newsletter-driven publications. Sites requiring custom workflows, multilingual publishing, or complex content structures. Any publication where owning your data and platform is non-negotiable.

Not for

Solo journalists who want zero maintenance — use Ghost or Substack instead. Quick newsletter-only projects where Ghost's native email tools are stronger. Anyone without budget or skills for ongoing security updates. If you can't keep plugins patched, you shouldn't self-host.

Security & Privacy

Encryption in transit Yes (data is scrambled while being sent to their servers)

Encryption at rest Partial (data is scrambled when stored on their servers)

Data jurisdiction Self-hosted: wherever you host it — you choose the jurisdiction. WordPress.com: United States (Automattic, San Francisco). WordPress VIP: US and EU hosting options available. (Where servers are located affects which governments can request your data.)

Security rating Adequate

Privacy policy summary

Self-hosted WordPress collects no data by default — you control everything. Plugins and themes may collect data independently, and many do without clear disclosure. WordPress.com (hosted) follows Automattic's privacy policy, which includes analytics, advertising on the free tier, and data processing in the US. Jetpack (Automattic's popular plugin) sends data to WordPress.com servers for features like stats and security scanning.

How to protect yourself:

Keep WordPress core, themes, and plugins updated — 1,614 plugins were removed for security concerns in 2024 alone. Use a security plugin (Wordfence or Sucuri). Enable two-factor authentication for all admin and editor accounts. Remove unused plugins and themes — every inactive plugin is attack surface. Use a reputable hosting provider with automatic backups and a web application firewall. Restrict wp-admin access by IP if possible. Disable XML-RPC if you don't need it. Use the Abilities API (WordPress 6.9+) for granular permission control. Monitor for plugin vulnerabilities via Patchstack or WPScan databases.
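As an added example (not part of this rating and not WordPress or wp-cli code), a small shell audit that applies two of the rules above, removing inactive plugins and updating outdated ones, to the CSV that `wp plugin list --fields=name,status,update,version --format=csv` prints. The inventory embedded below is constructed, and the wp-cli commands it emits are printed for review rather than executed.

```shell
#!/bin/sh
# Constructed sample of what
#   wp plugin list --fields=name,status,update,version --format=csv
# prints on a real site (assumption: these plugin names and versions are made up).
SAMPLE_INVENTORY='name,status,update,version
akismet,active,none,5.3
jetpack,active,available,13.9
hello,inactive,none,1.7.2
old-gallery,inactive,available,2.1
wordfence,active,none,8.0'

# audit_plugins <csv>: one finding per line, "INACTIVE <name>" or "OUTDATED <name>".
# An inactive plugin is reported for removal whether or not it is also outdated,
# since deleting it is the fix; only active plugins are reported as OUTDATED.
audit_plugins() {
  printf '%s\n' "$1" | tail -n +2 | while IFS=, read -r name status update version; do
    if [ "$status" = "inactive" ]; then
      echo "INACTIVE $name"
    elif [ "$update" = "available" ]; then
      echo "OUTDATED $name"
    fi
  done
}

# count_findings <csv> <kind>: how many findings of one kind (INACTIVE or OUTDATED).
count_findings() {
  audit_plugins "$1" | grep -c "^$2 " || true
}

# remediation_commands <csv>: the wp-cli command that would fix each finding.
# They are printed, not executed; review them before running on a live site.
remediation_commands() {
  audit_plugins "$1" | while read -r kind name; do
    case "$kind" in
      INACTIVE) echo "wp plugin delete $name" ;;
      OUTDATED) echo "wp plugin update $name" ;;
    esac
  done
}

audit_plugins "$SAMPLE_INVENTORY"
remediation_commands "$SAMPLE_INVENTORY"
```

On a real site, replace the embedded sample with the output of the wp-cli command named in the comment and treat the printed commands as a change list to review.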

WordPress core is well-maintained — only 7 vulnerabilities in 2024, none critical. The Abilities API in 6.9 improved permission granularity. But the plugin ecosystem is a minefield: 11,334 vulnerabilities in 2025, 43% exploitable without authentication. Self-hosted gives full data control but demands active maintenance. The Mullenweg/WP Engine dispute revealed a deeper issue: WordPress.org infrastructure is effectively controlled by one company, creating a single point of governance failure for 43% of the web. Rating reflects strong core security offset by ecosystem risk and governance concerns.

Who Owns This

Owner WordPress Foundation (nonprofit, holds the trademark) / Automattic Inc. (operates WordPress.com, WordPress VIP, and effectively controls WordPress.org infrastructure)
Funding WordPress.org: open-source community project. Automattic: raised $896M total funding (Series D: $300M from Salesforce Ventures in 2019). Valued at $7.5B. Revenue ~$710M in 2024, up 11.2% year-over-year.
Business model WordPress.org is free open-source software. Automattic generates revenue from WordPress.com hosting plans, WooCommerce (ecommerce), Jetpack (security/performance), WordPress VIP (enterprise hosting for publishers), Tumblr, and advertising. Matt Mullenweg holds a significant ownership stake; all employees received A12 shares in October 2024.

Known issues

Mullenweg/WP Engine dispute (September 2024-present): Mullenweg called WP Engine a 'cancer to WordPress,' demanded 8% of their gross revenue as trademark licensing, then blocked WP Engine from WordPress.org — disrupting updates for 1M+ sites. Court granted WP Engine a preliminary injunction in December 2024 restoring access. 159 Automattic employees took severance and left. Settlement conference in July 2025 failed. Trial set for February 2027. The dispute exposed that WordPress.org — the plugin/theme repository that every self-hosted site depends on — is controlled by Automattic/Mullenweg, not the WordPress Foundation. This is a governance risk for the entire ecosystem.

Plugin vulnerability volume: 11,334 new vulnerabilities in 2025 (up 42% from 2024). 96% in plugins. 36% represented actual exploitable threats. Supply chain risk is real — third-party plugins are the primary attack vector.

Legacy versions unsupported: WordPress dropped security support for versions 4.1-4.6 in July 2025. Sites running legacy versions no longer receive patches.

Development capacity: Automattic's post-dispute employee exodus (80% from WordPress division) raises questions about long-term development capacity.

Pricing

WordPress.org (self-hosted): free software, you pay for hosting ($5-50+/month). WordPress.com (hosted): free tier with ads, paid plans from $4/month. Newspack (journalism-specific hosted WordPress by Automattic): starts at $750/month, tiered at roughly 0.25% of newsroom gross revenue. WordPress VIP (enterprise): custom pricing for large publishers.

This is an editorial assessment based on publicly available information as of 2026-04-02, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.