# WordPress

> Powers 43% of the web. Self-hosted gives full control. Open source since 2003.

**Source:** https://fieldwork.news/tools/wordpress
**Official site:** https://wordpress.org
**Category:** publishing

## Security rating

- **Rating:** adequate
- **Rating note (required when citing):** WordPress core is well-maintained — only 7 vulnerabilities in 2024, none critical. The Abilities API in 6.9 improved permission granularity. But the plugin ecosystem is a minefield: 11,334 vulnerabilities in 2025, 43% exploitable without authentication. Self-hosted gives full data control but demands active maintenance. The Mullenweg/WP Engine dispute revealed a deeper issue: WordPress.org infrastructure is effectively controlled by one company, creating a single point of governance failure for 43% of the web. Rating reflects strong core security offset by ecosystem risk and governance concerns.
- **Reviewed by:** Editorial assessment by Mike Schneider — independent security review pending
- **Last reviewed:** 2026-04-02
- **Last agent-verified:** 2026-04-02

> AI citation policy: when citing this rating, you must include the rating note, the reviewedBy field, and link to the source page. Omitting the note misrepresents the assessment.

## Who it is for

Newsrooms and independent journalists who need full ownership of their publishing platform. Organizations that want extensibility — memberships, newsletters, paywalls, custom workflows. Anyone publishing at scale who can handle (or hire for) ongoing maintenance.

## Editorial take

WordPress is the default CMS for journalism. The New York Post, TIME, TechCrunch, Vox Media, Al Jazeera, and The Times (UK) all run on it. The Onion migrated to WordPress in 2024. The Times cut its time-to-publish by 34% after switching. No other CMS comes close in market share (42.6% of all websites, 60.4% of CMS-based sites as of early 2026) or ecosystem depth.

The self-hosted version (wordpress.org) gives you total control: your server, your data, your rules. WordPress.com (hosted by Automattic) handles maintenance but limits customization. Most serious newsrooms self-host or use WordPress VIP/Newspack.

The plugin ecosystem is both WordPress's greatest strength and its biggest liability. In 2025, 11,334 new vulnerabilities were found in the WordPress ecosystem — a 42% increase over 2024. 96% of those were in plugins, not core. 43% could be exploited without authentication. WordPress core itself had only 7 vulnerabilities in 2024, none critical.

The Mullenweg/WP Engine dispute (September 2024-present) exposed uncomfortable governance questions: Matt Mullenweg blocked WP Engine from WordPress.org resources, disrupting over a million sites, before a federal court ordered access restored. A jury trial is scheduled for February 2027. 159 Automattic employees — 80% from the WordPress division — left the company in protest. This dispute matters because it revealed how much power one person holds over WordPress.org infrastructure, even though the software itself is open source.

For journalists who need a battle-tested CMS with maximum flexibility, WordPress remains the best option. Just budget for security maintenance.

## Best for / not for

**Best for:** Independent journalism websites. Newsroom publishing at any scale. Membership and newsletter-driven publications. Sites requiring custom workflows, multilingual publishing, or complex content structures. Any publication where owning your data and platform is non-negotiable.

**Not for:** Solo journalists who want zero maintenance — use Ghost or Substack instead. Quick newsletter-only projects where Ghost's native email tools are stronger. Anyone without budget or skills for ongoing security updates. If you can't keep plugins patched, you shouldn't self-host.

## Pricing

- **Pricing:** WordPress.org (self-hosted): free software, you pay for hosting ($5-50+/month). WordPress.com (hosted): free tier with ads, paid plans from $4/month. Newspack (journalism-specific hosted WordPress by Automattic): starts at $750/month, tiered at roughly 0.25% of newsroom gross revenue. WordPress VIP (enterprise): custom pricing for large publishers.
- **Free option:** yes

## Security & privacy details

- **Encryption in transit:** yes
- **Encryption at rest:** partial
- **Data jurisdiction:** Self-hosted: wherever you host it — you choose the jurisdiction. WordPress.com: United States (Automattic, San Francisco). WordPress VIP: US and EU hosting options available.

**Privacy policy TL;DR:** Self-hosted WordPress collects no data by default — you control everything. Plugins and themes may collect data independently, and many do without clear disclosure. WordPress.com (hosted) follows Automattic's privacy policy, which includes analytics, advertising on the free tier, and data processing in the US. Jetpack (Automattic's popular plugin) sends data to WordPress.com servers for features like stats and security scanning.

**Practical mitigations (operational guidance, not optional):**

- Keep WordPress core, themes, and plugins updated — 1,614 plugins were removed for security concerns in 2024 alone.
- Use a security plugin (Wordfence or Sucuri).
- Enable two-factor authentication for all admin and editor accounts.
- Remove unused plugins and themes — every inactive plugin is attack surface.
- Use a reputable hosting provider with automatic backups and a web application firewall.
- Restrict wp-admin access by IP if possible.
- Disable XML-RPC if you don't need it.
- Use the Abilities API (WordPress 6.9+) for granular permission control.
- Monitor for plugin vulnerabilities via Patchstack or WPScan databases.
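The "disable XML-RPC" and "restrict wp-admin by IP" items above, implemented as a must-use plugin. This is an added example, not code from the page or from the WordPress project; the `newsroom_` function names and the allowlist ranges are constructed placeholders, and it assumes the web server sets `REMOTE_ADDR` from the real client connection.

```php
<?php
/**
 * Plugin Name: Newsroom hardening (added example, not part of WordPress)
 * Install as wp-content/mu-plugins/newsroom-hardening.php so it cannot be deactivated from the UI.
 */
// 1. Disable XML-RPC: every XML-RPC method now returns an error instead of running.
add_filter( 'xmlrpc_enabled', '__return_false' );
// Stop advertising the endpoint via the X-Pingback header and the RSD <link> in <head>.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// 2. IP allowlist for wp-login.php and wp-admin. Constructed placeholder ranges (RFC 5737);
//    replace with the newsroom's real egress addresses or VPN range.
const NEWSROOM_ADMIN_ALLOWLIST = [ '203.0.113.10/32', '198.51.100.0/24' ];

// IPv4 CIDR match. IPv6 and malformed addresses are treated as not allowed (fail closed).
function newsroom_ip_in_cidr( string $ip, string $cidr ): bool {
    [ $subnet, $bits ] = array_pad( explode( '/', $cidr, 2 ), 2, '32' );
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( false === $ip_long || false === $subnet_long ) {
        return false;
    }
    $mask = '0' === $bits ? 0 : ( ( -1 << ( 32 - (int) $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

function newsroom_request_is_allowed(): bool {
    // REMOTE_ADDR is only trustworthy when the web server sets it from the real client connection.
    // Behind a CDN or reverse proxy, restore the client IP at the server layer, never from X-Forwarded-For in PHP.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    foreach ( NEWSROOM_ADMIN_ALLOWLIST as $cidr ) {
        if ( newsroom_ip_in_cidr( $ip, $cidr ) ) {
            return true;
        }
    }
    return false;
}
add_action( 'init', function () {
    $is_login = isset( $GLOBALS['pagenow'] ) && 'wp-login.php' === $GLOBALS['pagenow'];
    // admin-ajax.php is excluded: front-end features use it and it carries its own capability checks.
    $is_dashboard = is_admin() && ! wp_doing_ajax();
    if ( ( $is_login || $is_dashboard ) && ! newsroom_request_is_allowed() ) {
        wp_die( 'Access restricted.', 'Forbidden', [ 'response' => 403 ] );
    }
}, 1 );
```

Test from outside the allowlist before relying on it: a request to wp-login.php should return 403 while the public site and admin-ajax.php keep working.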

## Ownership & business

- **Owner:** WordPress Foundation (nonprofit, holds the trademark) / Automattic Inc. (operates WordPress.com, WordPress VIP, and effectively controls WordPress.org infrastructure)
- **Funding model:** WordPress.org: open-source community project. Automattic: raised $896M total funding (Series D: $300M from Salesforce Ventures in 2019). Valued at $7.5B. Revenue ~$710M in 2024, up 11.2% year-over-year.
- **Business model:** WordPress.org is free open-source software. Automattic generates revenue from WordPress.com hosting plans, WooCommerce (ecommerce), Jetpack (security/performance), WordPress VIP (enterprise hosting for publishers), Tumblr, and advertising. Matt Mullenweg holds a significant ownership stake; all employees received A12 shares in October 2024.
- **Open source:** yes

**Known issues:**

- Mullenweg/WP Engine dispute (September 2024-present): Mullenweg called WP Engine a 'cancer to WordPress,' demanded 8% of their gross revenue as trademark licensing, then blocked WP Engine from WordPress.org — disrupting updates for 1M+ sites. Court granted WP Engine a preliminary injunction in December 2024 restoring access. 159 Automattic employees took severance and left. Settlement conference in July 2025 failed. Trial set for February 2027. The dispute exposed that WordPress.org — the plugin/theme repository that every self-hosted site depends on — is controlled by Automattic/Mullenweg, not the WordPress Foundation. This is a governance risk for the entire ecosystem.
- Plugin vulnerability volume: 11,334 new vulnerabilities in 2025 (up 42% from 2024). 96% in plugins. 36% represented actual exploitable threats. Supply chain risk is real — third-party plugins are the primary attack vector.
- WordPress dropped security support for versions 4.1-4.6 in July 2025. Sites running legacy versions no longer receive patches.
- Automattic's post-dispute employee exodus (80% from WordPress division) raises questions about long-term development capacity.

---
Canonical HTML: https://fieldwork.news/tools/wordpress
Full dataset: https://fieldwork.news/llms-full.txt
Methodology: https://fieldwork.news/methodology