How AI Killed WordPress

The CMS that built the modern web is being replaced by a markdown file, a static-site generator, and a conversation with a model.

For nearly two decades, WordPress was the default answer to “how do I put a website together?” It earned that position with an enormous community, a plugin for almost any feature you could name, and an admin dashboard that let a non-developer publish a blog post or change the homepage in minutes. Hosting was cheap, themes were plentiful, and a forum thread usually explained the fix.

That accessibility built the modern web. Small businesses, charities, journalists and consultants all leaned on WordPress because it lowered the cost of being online to almost nothing. Want a contact form? Install a plugin. Want an online shop? Install WooCommerce. Want a new look? Switch the theme. At its peak the platform powered roughly 43% of the public web, with a plugin repository past 60,000 entries and a theme economy worth a small industry on its own. The trade-off was rarely visible from the dashboard, and for years it stayed hidden.

The vulnerability problem

The same plugin ecosystem that made WordPress easy made it dangerous. Every plugin is third-party code running inside your site, often touching the database, often holding stale dependencies, often abandoned by the original author. Patchstack’s 2024 annual report recorded 7,966 new vulnerabilities disclosed across the WordPress ecosystem in a single year, a 34% increase on 2023. The first half of 2025 added another 4,462, with 96% landing in plugins and 4% in themes, and with cross-site scripting alone accounting for over a third when broken down by vulnerability class. Patchstack and Wordfence between them assigned more than 10,000 CVEs in 2025, outpacing both MITRE and Microsoft as CVE numbering authorities. Almost none of the volume sits in WordPress core; the plugin economy that drove adoption is the same one driving the breach reports.

Figure: WordPress ecosystem vulnerability disclosures, 2023 to H1 2025. Total CVEs by year, plugin/theme split for H1 2025, and vulnerability class share.

The high-profile incidents follow the same shape. The LiteSpeed Cache plugin, installed on over six million sites, shipped a chain of privilege-escalation and account-takeover flaws through 2024 that put administrative access one HTTP request away. The Bricks Builder theme framework was caught with an unauthenticated remote code execution flaw that was exploited in the wild within days of disclosure. Each followed the same arc: patch shipped, deployment lagged, mass scanning, compromised sites.

The maths is unforgiving. A typical small-business site runs ten to twenty plugins, each with its own update cadence, maintainer, and attack surface. Miss one security release and a credential-stealing skimmer or SEO-spam injector lands inside the site within hours of the CVE going public. Add managed hosting, security plugins, backup plugins, caching plugins and a CDN to make the database-driven pages feel fast, and the “free” CMS quietly turns into a recurring monthly bill with a recurring monthly risk attached.

What changed

Static websites have always been the secure answer. No database, no PHP runtime, no admin login to brute-force, no plugin to neglect. The catch was the work itself: tedious to build, tedious to update. Editing HTML by hand is not a product manager’s idea of a good afternoon, and no marketing team wanted to learn Hugo or Jekyll to fix a typo on the about page.

AI removed that friction, and a new generation of static-site generators picked up the slack on the build side. Astro, in particular, has become the natural successor to a WordPress brochure site: a single project compiles to flat HTML and JavaScript, served from a CDN at near-instant page-load speeds, with content authored as plain markdown. Pair it with a hosting target like Azure Static Web Apps or Cloudflare Pages and the operational footprint shrinks to a Git repository and a deploy pipeline. There is no admin panel to compromise, no database to inject, no PHP runtime to patch.

With Claude sitting alongside the project, editing is no longer “open the file and remember the syntax.” It is a conversation. “Add a new case study to the homepage in the same style as the others.” “Change the pricing table to show three tiers instead of two.” “Draft a blog post about last week’s release and slot it into the news section.” The model reads the existing patterns in the repository and matches them, so the site stays consistent without anyone policing a style guide.

What Claude replaces

A static site backed by Git and edited through Claude reproduces almost everything people actually used WordPress for. Publishing a post is a paragraph dropped into the conversation, formatted to match the existing entries, committed, pushed, live within seconds. Adding a page or feature is a sentence in plain English; Claude writes the markup, wires the navigation, mirrors the existing CSS, and opens a pull request so a reviewer sees the exact diff before it ships - something a WordPress plugin install has never offered. Routine maintenance - dependency bumps, broken-link checks, image-size audits, accessibility fixes - becomes a series of small scoped tasks the model handles on demand, each landing as a commit with a clear message, so the site’s history doubles as its audit trail. And resilience comes free: every version of the site lives in the repository, one revert away from any change that goes wrong, redeployable to a new host in minutes from the same source.
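A diff review of markup can be backed by a machine check on the build output. The following is an added example, not code from this article or from Astro: it scans built HTML for scripts, frames and form targets that point off-site, the places a skimmer or spam injection would have to appear on a static page. The host names, the approval policy and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOSTS = {"www.example.test"}  # assumed: the site's own host
APPROVED_THIRD_PARTY = {"analytics.example.test"}  # assumed: vetted hosts
# Tag -> attribute that makes a browser load code from, or send data to, a URL.
WATCHED = {"script": "src", "iframe": "src", "form": "action"}

class BuildAuditor(HTMLParser):
    def __init__(self, page):
        super().__init__()
        self.page, self.findings = page, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(WATCHED.get(tag, ""))
        if not url:
            return
        parsed = urlparse(url.strip())
        host = parsed.hostname  # None for relative, same-site URLs
        if parsed.scheme in ("data", "javascript"):
            reason = "inline-scheme URL"
        elif host is None or host in SITE_HOSTS:
            return
        elif host not in APPROVED_THIRD_PARTY:
            reason = "unapproved host"
        elif tag == "script" and "integrity" not in attrs:
            reason = "approved host, no SRI hash"
        else:
            return
        self.findings.append((self.page, self.getpos()[0], tag, url, reason))

def audit_pages(pages):
    """pages maps a build path to its HTML text; returns findings in order."""
    findings = []
    for name, html in pages.items():
        auditor = BuildAuditor(name)
        auditor.feed(html)
        findings.extend(auditor.findings)
    return findings

# Constructed sample standing in for two files of a build output directory.
SAMPLE = {
    "index.html": '<body>\n<script src="/assets/app.js"></script>\n'
                  '<script src="https://analytics.example.test/a.js"></script>\n'
                  '<script src="//cdn.unknown.test/x.js"></script>\n</body>',
    "contact/index.html": '<form action="https://collector.unknown.test/in"></form>\n'
                          '<form action="/api/contact"></form>',
}
```

In a deploy pipeline, feed `audit_pages` the `.html` files of the build directory and fail the job when it returns any finding, so an unexpected host has to be approved in the policy before it can ship.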

We took our own advice earlier this month. applicationreadiness.com came off WordPress and onto Astro on Azure Static Web Apps. Publishing a post is now a slash command and a Git commit, build times are seconds, hosting cost is a rounding error, and the patch obligations that used to consume a meaningful slice of the operations week have gone to zero. The site is also faster on every measurable axis, because the CDN serves prebuilt HTML.

WordPress is not going away tomorrow. Roughly forty per cent of the web still runs on it, and for sites that genuinely need a multi-author editorial workflow with role-based permissions it remains a reasonable choice. But for the long tail of small-business sites, brochureware, consultant pages and personal blogs - the sites that made up most of the WordPress install base - the calculation has shifted. The work the dashboard used to make easy can now be done in a conversation, and the security debt that came with it can be left behind.

AI did not kill WordPress by competing with it. It killed the reason most people put up with it.