WordPress (WP or WordPress.org) is a free and open-source content management system (CMS) written in PHP and paired with a MySQL or MariaDB database with supported HTTPS. Features include a plugin architecture and a template system, referred to within WordPress as Themes. WordPress was initially created as a blog-publishing system but has evolved to support other web content types, including more traditional mailing lists and forums, media galleries, membership sites, learning management systems (LMS) and online stores. One of the most popular content management system solutions, WordPress, is used by 42.8% of the top 10 million websites as of October 2021.WordPress was released on May 27, 2003, by its founders, American developer Matt Mullenweg and English developer Mike Little, as a fork of b2/cafelog. The software is released under the GPLv2 (or later) license. To function, WordPress has to be installed on a web server, either part of Internet hosting services like WordPress.com or a computer running the software package WordPress.org in order to serve as a network host in its own right. A local computer may be used for single-user testing and learning purposes.
WordPress Foundation owns WordPress, WordPress projects and other related trademarks.
“WordPress is a factory that makes webpages” is a core analogy designed to clarify the functions of WordPress: it stores content and enables a user to create and publish webpages, requiring nothing beyond a domain and a hosting service.
WordPress has a web template system using a template processor. Its architecture is a front controller, routing all requests for non-static URIs to a single PHP file which parses the URI and identifies the target page. This allows support for more human-readable permalinks.
WordPress users may install and switch among many different themes. Themes allow users to change the look and functionality of a WordPress website without altering the core code or site content. Every WordPress website requires at least one theme to be present. Themes may be directly installed using the dashboard’s WordPress “Appearance” administration tool, or theme folders may be copied directly into the themes directory. WordPress themes are generally classified into two categories: free and premium. Many free themes are listed in the WordPress theme directory (also known as the repository), and premium themes are available from marketplaces and individual WordPress developers. WordPress users may also create and develop their custom themes.
WordPress’ plugin architecture allows users to extend a website’s or blog’s features and functionality. As of December 2021, WordPress.org has 59,756 plugins available, each offering custom functions and features enabling users to tailor their sites to their specific needs. However, this does not include the available premium plugins (approximately 1,500+), which may not be listed in the WordPress.org repository. These customisations range from search engine optimisation (SEO) to client portals used to display private information to logged-in users, to content management systems, to content displaying features, such as the addition of widgets and navigation bars. Not all available plugins are always abreast with the upgrades, and as a result, they may not function properly or may not function at all. Most plugins are available through WordPress, either by downloading them and installing the files manually via FTP or the WordPress dashboard. However, many third parties offer plugins through their websites, which are paid packages.
Web developers who wish to develop plugins need to learn WordPress’ hook system, which consists of over 2,000 hooks (as of Version 5.7 in 2021) divided into two categories: action hooks and filter hooks.
Plugins also represent a development strategy that can transform WordPress into all sorts of software systems and applications, limited only by the imagination and creativity of programmers. These are implemented using custom plugins to create non-website systems, such as headless WordPress applications and software as a Service (SaaS) products.
Plugins also could be used by hackers targeting sites that use WordPress, as hackers could exploit bugs on WordPress plugins themselves instead of exploiting the bugs on WordPress itself.
Phone apps for WordPress exist for WebOS, Android, iOS, Windows Phone, and BlackBerry. These applications, designed by Automattic, have options such as adding new blog posts and pages, commenting, moderating comments, replying to comments, and the ability to view the stats.
The WordPress Accessibility Team has worked to improve the accessibility for core WordPress as well as support a clear identification of accessible themes. The WordPress Accessibility Team provides continuing educational support about web accessibility and inclusive design. The WordPress Accessibility Coding Standards state, “All new or updated code released in WordPress must conform with the Web Content Accessibility Guidelines 2.0 at level AA.”
WordPress also features integrated link management, a search engine–friendly, clean permalink structure; the ability to assign multiple categories to posts; and support for tagging posts. Automatic filters are also included, providing standardised formatting and styling of text in posts (for example, converting regular quotes to smart quotes). WordPress also supports the Trackback and Pingback standards for displaying links to other sites linked to a post or an article. WordPress posts can be edited in HTML, using the visual editor, or using one of several plugins that allow for various customised editing features.
Multi-user and multi-blogging
Prior to version 3, WordPress supported one blog per installation, although multiple concurrent copies may be run from different directories if configured to use separate database tables. WordPress Multisites (previously referred to as WordPress Multi-User, WordPress MU, or WPMU) was a fork of WordPress created to allow multiple blogs to exist within one installation but can be administered by a centralised maintainer. WordPress MU allows those with websites to host their blogging communities and control and moderate all the blogs from a single dashboard. WordPress MU adds eight new data tables for each blog.
As of the release of WordPress 3, WordPress MU has merged with WordPress.
b2/cafelog, more commonly known as b2 or cafelog, was the precursor to WordPress. b2/cafelog was estimated to have been installed on approximately 2,000 blogs as of May 2003. It was written in PHP for use with MySQL by Michel Valdrighi, now a contributing developer to WordPress. Although WordPress is the official successor, another project, b2evolution, is also in active development.
WordPress first appeared in 2003 as a joint effort between Matt Mullenweg and Mike Little to create a fork of b2. Christine Selleck Tremoulet, a friend of Mullenweg, suggested the name WordPress.In 2004 the licensing terms for the competing Movable Type package were changed by Six Apart, resulting in many of its most influential users migrating to WordPress. By October 2009, the Open Source CMS MarketShare Report concluded that WordPress enjoyed the greatest brand strength of any open-source content management system.
As of May 2021, WordPress is used by 64.8% of all the websites whose content management system is known. This is 41.4% of the top 10 million websites.
Awards and recognition
Winner of InfoWorld’s “Best of open source software awards: Collaboration”, awarded in 2008.
Winner of Open Source CMS Awards’s “Overall Best Open Source CMS”, awarded in 2009.
Winner of Digital Synergy’s “Hall of Fame CMS Category in the 2010 Open Source”, awarded in 2010.
Winner of InfoWorld’s “Bossie award for Best Open Source Software”, awarded in 2011.
WordPress has a five-star privacy rating from the Electronic Frontier Foundation.
Release and requirements history
Major releases of WordPress are codenamed after well-known jazz musicians, starting from version 1.0. Although only the current release is officially supported, security updates are backported “as a courtesy” to all versions as far back as 3.7. There are also PHP requirements for each WordPress version. This involves both PHP version requirements as well as required PHP extensions plus other optional PHP extensions.
WordPress 5.0 “Bebo”
The December 2018 release of WordPress 5.0, “Bebo”, is named in homage to the pioneering Cuban jazz musician Bebo Valdés.
It included a new default editor, “Gutenberg”, – a block-based editor; it allows users to modify their displayed content in a much more user-friendly way than prior iterations. Blocks are abstract units of markup that, composed together, form the content or layout of a web page. Past content that was created on WordPress pages is listed under what is referred to as a Classic Block. Before Gutenberg, several block-based editors were available as WordPress plugins, e.g. Elementor. Following the release of Gutenberg, comparisons were made between it and those existing plugins.
Classic Editor plugin
The Classic Editor plugin was created as a result of User preferences and helped website developers maintain past plugins only compatible with WordPress 4.9, giving plugin developers time to get their plugins updated & compatible with the 5.0 release. Having the Classic Editor plugin installed restores the “classic” editing experience that WordPress has had up until the WordPress 5.0 release. The Classic Editor plugin will be supported for at least until 2022. The Classic Editor plugin is active on over 5,000,000 installations of WordPress.
Many security issues have been uncovered in the software, particularly in 2007, 2008, and 2015. According to Secunia, WordPress in April 2009 had seven unpatched security advisories (out of 32 total), with a maximum rating of “Less Critical”. Secunia maintains an up-to-date list of WordPress vulnerabilities. In January 2007, many high-profile search engine optimisation (SEO) blogs and many low-profile commercial blogs featuring AdSense were targeted and attacked with a WordPress exploit. A separate vulnerability on one of the project site’s web servers allowed an attacker to introduce exploitable code in the form of a back door to some downloads of WordPress 2.1.1. The 2.1.2 release addressed this issue; an advisory released at the time advised all users to upgrade immediately. In May 2007, a study revealed that 98% of WordPress blogs were exploitable because they ran outdated and unsupported software versions. To mitigate this problem, WordPress made updating the software a much more accessible, “one-click” automated process in version 2.7 (released in December 2008). However, the filesystem security settings required to enable the update process can be an additional risk. In a June 2007 interview, Stefan Esser, the founder of the PHP Security Response Team, spoke critically of WordPress’ security track record, citing problems with the application’s architecture that made it unnecessarily difficult to write code that is secure from SQL injection vulnerabilities, as well as some other issues. In June 2013, it was found that some of the 50 most downloaded WordPress plugins were vulnerable to common Web attacks such as SQL injection and XSS. A separate inspection of the top 10 e-commerce plugins showed seven vulnerable ones. To promote better security and streamline the overall update experience, automatic background updates were introduced in WordPress 3.7. Individual installations of WordPress can be protected with security plugins that prevent user enumeration, hide resources and thwart probes. Users can also protect their WordPress installations by taking steps such as keeping all WordPress installations, themes, and plugins updated, using only trusted themes and plugins, and editing the site’s .htaccess configuration file if supported by the webserver to prevent many types of SQL injection attacks and block unauthorised access to sensitive files. It is especially important to keep WordPress plugins updated because would-be hackers can easily list all the plugins a site uses and then run scans searching for any vulnerabilities against those plugins. If vulnerabilities are found, they may be exploited to allow hackers to, for example, upload their files (such as a web shell) that collect sensitive information.
Developers can also use tools to analyse potential vulnerabilities, including WPScan, WordPress Auditor, and WordPress Sploit Framework developed by 0pc0deFR. These tools research known vulnerabilities, such as CSRF, LFI, RFI, XSS, SQL injection, and user enumeration. However, not all vulnerabilities can be detected by tools, so it is advisable to check the code of plugins, themes and other add-ins from other developers.
In March 2015, it was reported that the Yoast SEO plugin was vulnerable to SQL injection, allowing attackers to potentially execute arbitrary SQL commands. The issue was fixed in version 1.7.4 of the plugin. In January 2017, security auditors at Sucuri identified a vulnerability in the WordPress REST API that would allow any unauthenticated user to modify any post or page within site running WordPress 4.7 or greater. The auditors quietly notified WordPress developers, and within six days, WordPress released a high-priority patch to version 4.7.2, which addressed the problem.
As for WordPress 5.2, the minimum PHP version requirement is PHP 5.6, which was released on August 28, 2014, and has been unsupported by the PHP Group and has yet to receive any security patches since December 31, 2018. Thus, WordPress recommends using PHP version 7.3 or greater. In the absence of specific alterations to their default formatting code, WordPress-based websites use the canvas element to detect whether the browser can render emojis correctly. Because Tor Browser does not currently discriminate between this legitimate use of the Canvas API and an effort to perform canvas fingerprinting, it warns that the website is attempting to ‘extract HTML5 canvas image data. Ongoing efforts seek workarounds to reassure privacy advocates while retaining the ability to check for proper emoji rendering capability.
Development and support
Matt Mullenweg and Mike Little were co-founders of the project. The core lead developers include Helen Hou-Sandí, Dion Hulse, Mark Jaquith, Matt Mullenweg, Andrew Ozz, and Andrew Nacin.WordPress is also developed by its community, including WP tester, a group of volunteers who test each release. They have early access to nightly builds, beta versions and release candidates. Errors are documented in a special mailing list or the project’s Trac tool.
Though primarily developed by the surrounding community, WordPress is closely associated with Automattic, founded by Matt Mullenweg.
WordPress Foundation is a non-profit organisation set up to support the WordPress project. The organisation’s purpose is to guarantee open access to WordPress software projects forever. As part of this, the organisation owns and manages WordPress, WordCamp and related trademarks. In January 2010, Matt Mullenweg formed the organisation to own and manage the trademarks of the WordPress project. Previously – from 2006 onwards – Automattic acted as a short-term owner of the WordPress trademarks. From the beginning, he later intended to place the WordPress trademarks with the WordPress Foundation, which did not yet exist in 2006 and eventually took longer to set up than expected.
WordPress Photo Directory
On December 14, 2021, Matt Mullenweg announced the WordPress Photo Directory at the State of the Word 2021 event. It is an open-source image directory for open images maintained by the WordPress project. The image directory aims to provide an open alternative to closed image banks, such as Unsplash, Pixbaby, and Adobe Stock, whose licensing terms have become restrictive in recent years. Use in WordPress themes, for example, is restricted. In January 2022, the project began to gather volunteers, and in February, its developer website was launched, where team representatives were next selected.
WordCamp developer and user conferences
WordCamps are casual, locally organised conferences covering everything related to WordPress. The first such event was WordCamp 2006 in August 2006 in San Francisco, which lasted one day and had over 500 attendees. The first WordCamp outside San Francisco was held in Beijing in September 2007. Since then, there have been over 1,022 WordCamps in over 75 cities in 65 countries worldwide. WordCamp San Francisco 2014 was the last official annual conference of WordPress developers and users in San Francisco, having now been replaced with WordCamp US. First, run in 2013 as WordCamp Europe, regional WordCamps in other geographical regions aim to connect people who aren’t already active in their local communities and inspire attendees to start user communities in their hometowns. In 2019, the Nordic region had its own WordCamp Nordic. The first WordCamp Asia was to be held in 2020 but was cancelled due to the COVID-19 pandemic.
WordPress’ primary support website is WordPress.org. This support website hosts WordPress Codex, the online manual for WordPress and a living repository for WordPress information and documentation, and WordPress Forums, an active online community of WordPress users.