Chapter 5: WordPress in 2026 — Modernization vs Departure

Key FSE building blocks as of WordPress 6.8–6.9:

The default theme Twenty Twenty-Five is a fully block-based showcase. For a 2026 build, the developer baseline is: block theme + theme.json design system + patterns for repeated layouts + the Interactivity API for front-end behavior. WPPoland and Atto WP both frame theme.json as the place to define a design system (tokens, scales, variations) rather than scattering CSS across plugins.

The honest caveat: FSE is powerful but has a real learning curve and historically rough edges (template part management, global-styles conflicts, plugin compatibility). Many agencies still ship "classic + Advanced Custom Fields (ACF)" or page-builder stacks because FSE's editorial UX for non-technical authors can be confusing compared to a curated builder.

The data layer: REST API, WPGraphQL, and headless

WordPress exposes three programmatic surfaces that matter for an AI-native, decoupled world:

1. WP REST API — built into core since 4.7. Every post type, taxonomy, and user is available at /wp-json/wp/v2/.... Universal, but chatty (multiple round-trips, over-fetching) and not typed.
2. WPGraphQL — the de facto headless data layer, created by Jason Bahl and now backed by WP Engine. It exposes the WordPress data model as a typed GraphQL schema. As of 2026, WPGraphQL v2 adds persisted queries, per-field cache-control directives, and federation for composing multiple WordPress backends. Paired with wp-graphql-smart-cache it becomes cacheable at the CDN edge.
3. Abilities API (new in 6.9) — a functional, action-oriented API (see below), distinct from the data-fetch REST/GraphQL surfaces.

Headless WordPress in 2026 means: keep WordPress as the editorial back end, render the front end with Next.js, Astro, or similar, and pull content via WPGraphQL or REST.

• Faust.js (WP Engine's headless framework) provides WordPress-specific helpers: preview support, authenticated requests, template hierarchy mapping, and Next.js integration. Its own retrospective and multiple 2026 reviews are candid that Faust.js development slowed; WP Engine spun up a dedicated Headless OSS team to steward Faust.js, WPGraphQL, wp-graphql-smart-cache, wp-graphql-ide, and wp-graphql-content-blocks. The community has partly drifted toward "raw" WPGraphQL + Next.js/Astro without the Faust abstraction.
• Astro has become a popular headless front end for content sites because it ships near-zero JS by default — a strong fit for WordPress blogs and marketing sites where Faust/Next.js can feel heavy.

Headless is a valid but not free choice: you gain performance, security (the WP admin can be firewalled off the public internet), and front-end freedom, but you take on a build pipeline, lose the WYSIWYG "what I edit is what I see" promise of FSE, and break many plugins that assume they render the front end (forms, popups, some SEO output).

The AI story: Jetpack AI, Elementor AI, Yoast AI — and the deeper core shift

There are two layers to "AI in WordPress 2026": the plugin layer (assistive features inside the editor) and the core agent layer (the Abilities API + MCP Adapter). The plugin layer is incremental; the core layer is the genuinely interesting development for an AI-native landscape.

Assistive AI plugins

These are useful but commoditized — every CMS now has comparable in-editor AI. They are not a reason to choose or keep WordPress on their own.

The core agent layer: Abilities API + MCP Adapter (the real news)

WordPress 6.9 ("Gene," released December 2, 2025) shipped the Abilities API into core. An "ability" is a registered capability with a description, typed inputs/outputs, a permission callback, and execution logic — discoverable and callable consistently across PHP, JavaScript, and the REST API. Core ships defaults like core/get-site-info, core/get-user-info, and core/get-environment-info. WordPress 7.0 is slated to add a client-side Abilities API.

On top of that, the official WordPress MCP Adapter (from the "AI Building Blocks for WordPress" initiative, GitHub WordPress/mcp-adapter) bridges Abilities to the Model Context Protocol, so MCP clients — Claude Desktop, Claude Code, Cursor, VS Code — can discover and execute site functionality as MCP tools and read data as MCP resources. Technical specifics from the WordPress Developer Blog (Feb 2026):

• Three built-in MCP tools on activation: mcp-adapter-discover-abilities, mcp-adapter-get-ability-info, mcp-adapter-execute-ability.
• Abilities need a meta.mcp.public flag to be exposed on the default public server.
• Transports: STDIO (local, via WP-CLI) and HTTP (public, via the @automattic/mcp-wordpress-remote proxy).
• Auth: WP-CLI user auth for STDIO; WordPress application passwords or OAuth for HTTP.

WordPress.org itself now runs a Plugin Directory MCP Server (announced March 2026), and tools like MainWP expose multi-site management via MCP. This is strategically significant: rather than every plugin inventing its own AI integration, WordPress is standardizing the functional surface so agents can operate a site — publish, update, configure — not just read it. For the AEO/discoverability side, the Website LLMs.txt plugin (and AI-Ready WP) auto-generate llms.txt with Yoast/Rank Math/SEOPress/AIOSEO integration.

Honest read: this is the most credible argument that "WordPress isn't going anywhere." It gives the dominant CMS a native, standardized agent interface that proprietary platforms will struggle to match in openness. But it is early — most abilities are read-oriented, public exposure is opt-in, and real agentic write workflows need careful permission design to avoid the obvious abuse surface.

Why teams leave: an honest accounting

The reasons are concrete and, in 2026, increasingly defensible.

1. Plugin-driven security debt. Patchstack's State of WordPress Security 2026 whitepaper is blunt: 11,334 new vulnerabilities in 2025 (+42% YoY), of which 91% were in plugins, 9% in themes, and only 6 affected core (all low priority). 46% of disclosed vulnerabilities had no patch at disclosure. Premium components had 3× more Known Exploited Vulnerabilities than free ones, and the weighted median time to first exploit is 5 hours. A separate 217-plugin audit (Appycodes) flags page builders, WooCommerce extensions, membership/LMS, and marketing/popup plugins as the four highest-risk categories. WordPress core is not the problem — the plugin economy is.

2. Plugin sprawl and performance debt. A typical mature WordPress site accumulates 20–40 plugins, each adding queries, scripts, and update obligations. The result is performance debt (slow TTFB, Core Web Vitals struggles) that requires caching plugins, object caches, and CDNs to paper over. Page builders (Elementor, Divi) in particular produce heavy, div-soup markup. Teams that migrate to Webflow or headless often cite "we replaced 25 plugins with platform features" as the real win.

3. Design and authoring lock-in. Page-builder content is hard to extract — Elementor/Divi store layout as proprietary shortcodes/JSON, so leaving the builder often means rebuilding pages. FSE reduces this (it's standard block markup), but the broader perception of WordPress as "fiddly" persists versus the polished, opinionated UX of Webflow or Framer.

4. Governance and trust. New in this cycle and impossible to ignore: the Automattic vs WP Engine conflict. WP Engine sued Mullenweg/Automattic alleging extortion and abuse of power; Automattic alleges trademark infringement and demanded 8% of WP Engine's gross revenue as a royalty. A Feb 2026 filing claims Automattic planned to target 10 hosting companies with royalty fees. Discovery closed May 2026, motion-to-dismiss arguments are set for June 4, 2026, with a jury trial in September 2027. The episode exposed a real architectural truth: the plugin/theme update mechanism is a single point of failure controlled by one person. That governance risk — not features or price — is now the reason many enterprises hesitate. Forks like ClassicPress (Gutenberg-free) exist but are niche.

A realistic upgrade path for a 1,000-page site

The instinct to "rip and replace" is usually wrong for a content-heavy WordPress site. A staged modernization is lower-risk and often sufficient.

When NOT to leave: if your pain is plugin sprawl + performance, Phases 1–4 usually solve it for a fraction of a migration's cost, and you keep your content, SEO equity, and editorial team's muscle memory. A 1,000-page migration risks redirects, SEO regressions, and content-fidelity loss.

When leaving is rational: if you are dependent on a fragile page builder, your team is small and non-technical and wants an opinionated visual tool (→ Webflow/Framer), you need true structured content and a typed API as the primary contract (→ a headless-native CMS like Sanity/Contentful/Payload), or governance/trust is a board-level concern. For e-commerce specifically, WooCommerce's plugin-extension model is among the highest-risk categories — Shopify is often the cleaner exit.

Key Takeaways

• WordPress still dominates (~42% of the web, ~60% of known CMS) but posted its first sustained market-share decline since 2011 in 2026.
• Full-Site Editing is now standard: block themes + theme.json v3 (design tokens, block style variations, shadow/fluid-typography presets) + patterns-with-overrides + the Interactivity API.
• The headless data layer is WPGraphQL v2 (persisted queries, per-field cache directives, federation) plus the REST API; Faust.js slowed and is now stewarded by WP Engine's Headless OSS team, with Astro gaining ground.
• The real AI news is the core Abilities API (WP 6.9, Dec 2025) + official MCP Adapter, giving WordPress a standardized, agent-callable functional surface (STDIO/HTTP transports, application-password/OAuth auth) — a credible "WordPress isn't going anywhere" argument.
• Assistive AI plugins (Jetpack AI ~$10/mo, Elementor AI credit-based, Yoast AI ~$69/yr) are useful but commoditized and not a platform differentiator.
• Security is a plugin problem, not a core problem: 11,334 vulns in 2025 (+42% YoY), 91% in plugins, 46% unpatched at disclosure, 5-hour median time-to-exploit.
• The leading reasons teams leave are plugin sprawl/performance debt, design/builder lock-in, and — newly — the Automattic–WP Engine governance crisis that exposed a single-point-of-failure update mechanism.
• For a 1,000-page site, staged modernization (audit → reduce → harden → block theme → optional headless → AI-enable) beats a risky rip-and-replace; migrate only when the pain is builder lock-in, structured-content needs, or governance trust.

Key References

• W3Techs. Usage Statistics and Market Share of WordPress, May 2026. 2026. https://w3techs.com/technologies/details/cm-wordpress — Authoritative market-share data (42.2% of all sites, 59.6% of CMS market).
• WordPress Developer Blog. From Abilities to AI Agents: Introducing the WordPress MCP Adapter. Feb 2026. https://developer.wordpress.org/news/2026/02/from-abilities-to-ai-agents-introducing-the-wordpress-mcp-adapter/ — Official details on Abilities API + MCP Adapter, transports, auth, built-in tools.
• Kinsta. New features, new blocks, new APIs: what's new in WordPress 6.9. Dec 2025. https://kinsta.com/blog/wordpress-6-9/ — WP 6.9 "Gene" release (Dec 2, 2025), Abilities API, Accordion/Math blocks.
• Patchstack. State of WordPress Security in 2026 (Whitepaper). 2026. https://patchstack.com/whitepaper/state-of-wordpress-security-in-2026/ — 11,334 vulns (+42%), 91% in plugins, 46% unpatched, 5-hour exploit window.
• Appycodes. WordPress Plugin Vulnerability Risk: A 217-Plugin Security Audit. 2026. https://appycodes.dev/blog/wordpress-plugin-vulnerability-study-2026/ — Highest-risk categories (page builders, WooCommerce, LMS, popups), PVR scoring.
• Faust.js. A Retrospective on 4+ Years of Faust.js. 2026. https://faustjs.org/blog/a-retrospective-on-4-years-of-faust-js/ — Candid account of Faust.js trajectory and the Headless OSS team.
• SmartWP. Headless WordPress: A Practical 2026 Guide. 2026. https://smartwp.com/headless-wordpress/ — WPGraphQL vs REST, Next.js/Astro front ends, when headless makes sense.
• WordPress Developer Blog. What's new for developers? (February 2026). Feb 2026. https://developer.wordpress.org/news/2026/02/whats-new-for-developers-february-2026/ — theme.json v3, Pattern Overrides, Connectors API alpha.
• WordPress.org Make/Meta. Plugin Directory MCP Server. Mar 2026. https://make.wordpress.org/meta/2026/03/20/plugin-directory-mcp-server/ — Official MCP server over the plugin directory.
• Make WordPress Core. Client-Side Abilities API in WordPress 7.0. Mar 2026. https://make.wordpress.org/core/2026/03/24/client-side-abilities-api-in-wordpress-7-0/ — Roadmap for Abilities API in 7.0.
• Elementor. 10 Best AI WordPress Plugins in 2026. 2026. https://elementor.com/blog/ai-wordpress-plugin/ — Feature/pricing comparison of AI plugins (Jetpack AI, Elementor AI, Yoast, AI Engine).
• TechCrunch. Automattic planned to target 10 competitors with royalty fees, WP Engine claims. Feb 12, 2026. https://techcrunch.com/2026/02/12/automattic-planned-to-target-10-competitors-with-royalty-fees-wp-engine-claims-in-new-filing/ — Governance/lawsuit reporting.
• WP vs WPE Report. WordPress vs WP Engine Conflict Timeline. 2026. https://wpvswpe.report/ — Timeline incl. June 4, 2026 motion hearing and Sept 2027 jury trial.
• Pravin Kumar. WordPress Is Losing Market Share for the First Time in a Decade. 2026. https://www.pravinkumar.co/blog/wordpress-losing-market-share-webflow-migration-2026 — Migration drivers (governance, plugin debt) toward Webflow.
• WordPress.org. Website LLMs.txt Plugin. 2026. https://wordpress.org/plugins/website-llms-txt/ — Auto-generates llms.txt with Yoast/Rank Math/SEOPress/AIOSEO integration.