WordPress at 15: core is bare-minimum, ecosystem is broken

A 15-year WordPress developer calls the platform’s core "bare-minimum," requiring plugins for basic functionality like SEO or comment moderation — one admin page exists but isn’t linked anywhere in the UI [devto]. The dependency on plugins creates bloat, security holes, and a fragmented user experience. The real product isn’t WordPress, the author argues, it’s the plugin ecosystem, where Automattic and third-party scammers extract most of the value.

Automattic controls the ecosystem’s gateways: WordPress.org, plugin approvals, and WordCamp access. This centralization contradicts the open-source ethos, the author says, as independent developers face arbitrary rejections while Automattic pushes its own paid tools [devto]. The community prioritizes GPL enforcement over usability, security, or inclusivity, letting governance stagnate.

Technical debt is rampant. Core still lacks modern PHP practices, has inconsistent APIs, and ships with legacy code that no one maintains. Security flaws in popular plugins go unpatched for months, but the blame lands on small developers — not the platform that enables the chaos.

The author sees two paths: revolution or collapse. Revolution means the community forces core to be lean, secure, and modern — stripping bloat and decentralizing control. Collapse means WordPress fades as AI-powered site builders and modern frameworks offer better UX and security. There is no sustainable middle ground where Automattic keeps control and developers keep subsidizing it.