WordPress (WP, WordPress.org) is a PHP-based content management system (CMS) that works with either a MySQL or MariaDB database. A plugin architecture and a template system, referred to as Themes in WordPress, are among the features. WordPress began as a blog-publishing platform, but it has since expanded to include more traditional mailing lists and forums, as well as media galleries, membership sites, learning management systems (LMS), and online stores. WordPress is one of the most widely used content management systems, with 42.8 percent of the top 10 million websites using it as of October 2021.

As a fork of b2/cafelog, WordPress was released on May 27, 2003, by its founders, American developer Matt Mullenweg and English developer Mike Little. The software is licensed under the GNU General Public License version 2 (or later).

WordPress must be installed on a web server to function, either as part of an Internet hosting service like WordPress.com or on a computer running the WordPress.org software package to act as a network host in its own right. Single-user testing and learning can be done on a local computer.

Overview

The analogy “WordPress is a factory that makes webpages” is a core metaphor for the functions of WordPress: it stores content and allows users to create and publish webpages with nothing more than a domain and a hosting service.

WordPress has a template processor and a web template system. Its architecture is based on a front controller that routes all non-static URI requests to a single PHP file that parses the URI and determines the target page. This enables more human-readable permalinks to be supported.

Themes

WordPress users can install and switch between a variety of themes. Themes allow users to customize the appearance and functionality of a WordPress website without having to change the core code or content. At least one theme is required for every WordPress website. Themes can be installed directly from the dashboard using the “Appearance” administration tool, or theme folders can be copied directly into the themes directory. Themes for WordPress are divided into two categories: free and premium. The WordPress theme directory (also known as the repository) contains a large number of free themes, and premium themes can be purchased from marketplaces and individual WordPress developers. Users of WordPress can also design and develop their own custom themes.

Plugins

The plugin architecture of WordPress allows users to extend a website’s or blog’s features and functionality. WordPress.org has 59,756 plugins available as of December 2021, each of which provides custom functions and features that allow users to customize their sites to their specific needs. This does not include the premium plugins (approximately 1,500+) that are available but may not be listed in the WordPress.org repository. Search engine optimization (SEO), client portals for displaying private information to logged-in users, content management systems, and content display features such as the addition of widgets and navigation bars are all examples of customizations. Because not all available plugins are always up to date with the latest upgrades, they may not function properly or at all. The majority of plugins are available directly from WordPress, either by downloading and manually installing the files via FTP or through the WordPress dashboard. Many third parties, however, provide plugins through their own websites, with many of them being paid packages.

Web developers who want to create plugins should learn WordPress’ hook system, which has over 2,000 hooks divided into two categories: action hooks and filter hooks (as of Version 5.7 in 2021).

Plugins are also a development strategy that can turn WordPress into a wide range of software systems and applications, limited only by the programmers’ imagination and creativity. Non-website systems, such as headless WordPress applications and Software as a Service (SaaS) products, are created using custom plugins.

Plugins can also be used to target WordPress-powered sites, since attackers can exploit bugs in plugins rather than in WordPress itself.

Mobile applications

WordPress apps are available for WebOS, Android, iOS, Windows Phone, and BlackBerry. These Automattic-designed applications include features like adding new blog posts and pages, commenting, moderating comments, and replying to comments, as well as the ability to view stats.

Accessibility

The WordPress Accessibility Team has worked to improve core WordPress accessibility and to make it easier to identify accessible themes. The team also offers ongoing education on web accessibility and inclusive design. According to the WordPress Accessibility Coding Standards, “All new or updated code released in WordPress must conform with the Web Content Accessibility Guidelines 2.0 at level AA.”

Other features

WordPress also includes integrated link management, a clean, search engine–friendly permalink structure, the ability to assign multiple categories to posts, and post tagging. Automatic filters are also included, ensuring that text in posts is formatted and styled consistently (for example, converting regular quotes to smart quotes). For displaying links to other sites that have linked to a post or article, WordPress also supports the Trackback and Pingback standards. WordPress posts can be edited in HTML, with the visual editor, or with one of the many plugins that provide a variety of customized editing options.

Multi-user and multi-blogging

Prior to version 3, WordPress only supported one blog per installation, though if configured to use separate database tables, multiple concurrent copies could be run from different directories. WordPress Multisites (previously known as WordPress Multi-User, WordPress MU, or WPMU) is a fork of WordPress that allows multiple blogs to exist within a single installation while being managed by a single administrator. WordPress MU allows website owners to host their own blogging communities, as well as manage and moderate all of them from a single dashboard. For each blog, WordPress MS adds eight new data tables.

WordPress MU has been merged with WordPress since the release of WordPress 3.

History

The precursor to WordPress was b2/cafelog, also known as b2 or cafelog. As of May 2003, b2/cafelog was estimated to have been installed on around 2,000 blogs. Michel Valdrighi, who is now a contributing developer to WordPress, wrote it in PHP for use with MySQL. Despite the fact that WordPress is the official successor, another project, b2evolution, is still in development.

WordPress began as a collaboration between Matt Mullenweg and Mike Little in 2003 to create a fork of b2. A friend of Mullenweg’s, Christine Selleck Tremoulet, suggested the name WordPress.

Six Apart changed the licensing terms for the competing Movable Type package in 2004, causing many of its most influential users to migrate to WordPress. WordPress had the strongest brand strength of any open-source content management system by October 2009, according to the Open Source CMS MarketShare Report.

WordPress is used by 64.8 percent of all websites with a content management system as of May 2021. This accounts for 41.4 percent of the top ten million websites on the internet.

Awards and recognition

  • Winner of InfoWorld’s “Best of open source software awards: Collaboration”, awarded in 2008.
  • Winner of Open Source CMS Awards’s “Overall Best Open Source CMS”, awarded in 2009.
  • Winner of digital synergy’s “Hall of Fame CMS category in the 2010 Open Source”, awarded in 2010.
  • Winner of InfoWorld’s “Bossie award for Best Open Source Software”, awarded in 2011.
  • WordPress has a five star privacy rating from the Electronic Frontier Foundation.

Release history

Starting with version 1.0, the main releases of WordPress are codenamed after well-known jazz musicians.

Security updates are backported “as a courtesy” to all versions as far back as 3.7, even though only the current release is officially supported.

| Version | Code name | Release date | Notes |
|---|---|---|---|
| 0.7 | none | May 27, 2003 | Used the same file structure as its predecessor, b2/cafelog, and continued the numbering from its last release, 0.6. Only 0.71-gold is available for download in the official WordPress Release Archive page. |
| 1.0 | Davis | January 3, 2004 | Added search engine friendly permalinks, multiple categories, dead-simple installation and upgrade, comment moderation, XFN support, Atom support. |
| 1.2 | Mingus | May 22, 2004 | Added support for plugins; the same identification headers are used unchanged in WordPress releases as of 2011. |
| 1.5 | Strayhorn | February 17, 2005 | Added a range of vital features, such as the ability to manage static pages and a template/Theme system. It was also equipped with a new default template (code named Kubrick), designed by Michael Heilemann. |
| 2.0 | Duke | December 31, 2005 | Added rich editing, better administration tools, image uploading, faster posting, improved import system, fully overhauled the back end, and various improvements to Plugin developers. |
| 2.1 | Ella | January 22, 2007 | Corrected security issues, a redesigned interface, enhanced editing tools (including integrated spell check and auto save), and improved content management options. |
| 2.2 | Getz | May 16, 2007 | Added widget support for templates, updated Atom feed support, and speed optimizations. |
| 2.3 | Dexter | September 24, 2007 | Added native tagging support, new taxonomy system for categories, and easy notification of updates, fully supports Atom 1.0, with the publishing protocol, and some much needed security fixes. |
| 2.5 | Brecker | March 29, 2008 | Major revamp to the dashboard, dashboard widgets, multi-file upload, extended search, improved editor, an improved plugin system and more. |
| 2.6 | Tyner | July 15, 2008 | Added new features that made WordPress a more powerful CMS: it can now track changes to every post and page and allow easy posting from anywhere on the web. |
| 2.7 | Coltrane | December 11, 2008 | Administration interface redesigned fully, added automatic upgrades and installing plugins, from within the administration interface. |
| 2.8 | Baker | June 10, 2009 | Added improvements in speed, automatic installing of themes from within administration interface, introduces the CodePress editor for syntax highlighting and a redesigned widget interface. |
| 2.9 | Carmen | December 19, 2009 | Added global undo, built-in image editor, batch plugin updating, and many less visible tweaks. |
| 3.0 | Thelonious | June 17, 2010 | Added new theme APIs, merged WordPress and WordPress MU, creating the new multi-site functionality, new default theme “Twenty Ten” and a refreshed, lighter admin UI. |
| 3.1 | Reinhardt | February 23, 2011 | Added the Admin Bar, which is displayed on all blog pages when an admin is logged in, and Post Format, best explained as a Tumblr-like micro-blogging feature. It provides easy access to many critical functions, such as comments and updates. Includes internal linking abilities, a newly streamlined writing interface, and many other changes. |
| 3.2 | Gershwin | July 4, 2011 | Focused on making WordPress faster and lighter. Released only four months after version 3.1, reflecting the growing speed of development in the WordPress community. |
| 3.3 | Sonny | December 12, 2011 | Focused on making WordPress friendlier for beginners and tablet computer users. |
| 3.4 | Green | June 13, 2012 | Focused on improvements to theme customization, Twitter integration and several minor changes. |
| 3.5 | Elvin | December 11, 2012 | Support for the Retina Display, color picker, new default theme “Twenty Twelve”, improved image workflow. |
| 3.6 | Oscar | August 1, 2013 | New default theme “Twenty Thirteen”, admin enhancements, post formats UI update, menus UI improvements, new revision system, autosave and post locking. |
| 3.7 | Basie | October 24, 2013 | Automatically apply maintenance and security updates in the background, stronger password recommendations, support for automatically installing the right language files and keeping them up to date. |
| 3.8 | Parker | December 12, 2013 | Improved admin interface, responsive design for mobile devices, new typography using Open Sans, admin color schemes, redesigned theme management interface, simplified main dashboard, “Twenty Fourteen” magazine-style default theme, second release using “Plugin-first development process”. |
| 3.9 | Smith | April 16, 2014 | Improvements to editor for media, live widget and header previews, new theme browser. |
| 4.0 | Benny | September 4, 2014 | Improved media management, embeds, writing interface, easy language change, theme customizer, plugin discovery and compatibility with PHP 5.5 and MySQL 5.6. |
| 4.1 | Dinah | December 18, 2014 | Twenty Fifteen as the new default theme, distraction-free writing, easy language switch, Vine embeds and plugin recommendations. |
| 4.2 | Powell | April 23, 2015 | New “Press This” features, improved characters support, emoji support, improved customizer, new embeds and updated plugin system. |
| 4.3 | Billie | August 18, 2015 | Focus on mobile experience, better passwords and improved customizer. |
| 4.4 | Clifford | December 8, 2015 | Introduction of “Twenty Sixteen” theme, and improved responsive images and embeds. |
| 4.5 | Coleman | April 12, 2016 | Added inline linking, formatting shortcuts, live responsive previews, and other updates under the hood. |
| 4.6 | Pepper | August 16, 2016 | Added streamlined updates, native fonts, editor improvements with inline link checker and content recovery, and other updates under the hood. |
| 4.7 | Vaughan | December 6, 2016 | Comes with new default theme “Twenty Seventeen”, Video Header Support, PDF preview, custom CSS in live preview, editor Improvements, and other updates under the hood. |
| 4.8 | Evans | June 8, 2017 | The next-generation editor. Additional specific goals include the TinyMCE inline element / link boundaries, new media widgets, WYSIWYG in text widget. End Support for Internet Explorer Versions 8, 9, and 10. |
| 4.9 | Tipton | November 16, 2017 | Improved theme customizer experience, including scheduling, frontend preview links, autosave revisions, theme browsing, improved menu functions, and syntax highlighting. Added new gallery widget and updated text and video widgets. Theme editor gives warnings and rollbacks when saving files that produce fatal errors. |
| 5.0 | Bebo | December 6, 2018 | New block-based editor Gutenberg with new default theme “Twenty Nineteen”. |
| 5.1 | Betty | February 21, 2019 | PHP version upgrade notices and block editor improvements. |
| 5.2 | Jaco | May 7, 2019 | Include Site Health Check, PHP error protection, the all-new block directory, and update package signing. |
| 5.3 | Kirk | November 12, 2019 | Polish current user interactions and make user interfaces more user friendly. New default theme “Twenty Twenty”, designed by Anders Norén. |
| 5.4 | Adderley | March 31, 2020 | Social Icons and Buttons blocks added, blocks customization and user interface improved, added features for personal data exports, custom fields for menu items, blocks improvements for developers. |
| 5.5 | Eckstine | August 11, 2020 | Added lazy-loading images, XML sitemaps by default, auto-updates to plugins and themes, and improvements to the block editor. |
| 5.6 | Simone | December 8, 2020 | New default theme “Twenty Twenty-One,” Gutenberg enhancements, automatic updates for core releases, increased support for PHP 8, application passwords for REST API authentication, improved accessibility. |
| 5.7 | Esperanza | March 9, 2021 | New editor is easier to use, do more without writing custom code, simpler default color palette, from HTTP to HTTPS in a single click, new Robots API, lazy-load your iframes and ongoing cleanup after update to jQuery 3.5.1. |
| 5.8 | Tatum | July 20, 2021 | Block widgets, query loop blocks, block themes, List View, Pattern Transformations, Duotone, new theme.json file, dropped IE11 support, WebP image support, new block support flags. |

WordPress 5.0 “Bebo”

The “Bebo” release of WordPress 5.0, which was released in December 2018, is named after the pioneering Cuban jazz musician Bebo Valdés.

It came with a new default editor called “Gutenberg” – a block-based editor that allows users to edit their displayed content in a much more user-friendly way than previous versions. Blocks are amorphous markup units that, when combined, form the content or layout of a web page. Past content created on WordPress pages is categorized as a Classic Block. Several block-based editors, such as Elementor, were available as WordPress plugins prior to Gutenberg. Comparisons were made between Gutenberg and the existing plugins after its release.

Classic Editor plugin

The Classic Editor Plugin was created in response to user feedback and was designed to help website developers maintain older plugins that were only compatible with WordPress 4.9.8, giving them time to update and make their plugins compatible with the 5.0 release. The Classic Editor plugin restores the “classic” editing experience that WordPress had prior to the release of WordPress 5.0. Until at least 2022, the Classic Editor Plugin will be supported.

Over 5,000,000 WordPress installations use the Classic Editor plugin.

Vulnerabilities

Many security flaws in the software have been discovered, particularly in 2007, 2008, and 2015. According to Secunia, WordPress had seven unpatched security advisories (out of 32 total) in April 2009, with a maximum rating of “Less Critical”. Secunia keeps an up-to-date list of WordPress vulnerabilities.

A WordPress exploit was used to target and attack many high-profile search engine optimization (SEO) blogs, as well as many low-profile commercial blogs using AdSense, in January 2007. A separate vulnerability on one of the project’s web servers allowed an attacker to inject exploitable code into some WordPress 2.1.1 downloads in the form of a back door. This was fixed in the 2.1.2 release, and an advisory issued at the time advised all users to upgrade right away.

According to a study published in May 2007, 98 percent of WordPress blogs were exploitable because they were running outdated and unsupported versions of the software. In part to address this issue, WordPress made updating the software a much easier, “one click” automated process in version 2.7 (released in December 2008). However, the filesystem security settings required to enable the update process can themselves be a security risk.

Stefan Esser, the founder of the PHP Security Response Team, criticized WordPress’ security record in a June 2007 interview, citing issues with the application’s architecture that made it unnecessarily difficult to write code that was secure from SQL injection vulnerabilities, among other issues.

Some of the top 50 most downloaded WordPress plugins were discovered to be vulnerable to common Web attacks like SQL injection and XSS in June 2013. Seven of the top ten e-commerce plugins were found to be vulnerable in a separate investigation.

Automatic background updates were introduced in WordPress 3.7 in order to improve security and streamline the update experience in general.

Individual WordPress installations can be protected with security plugins that prevent user enumeration, hide resources, and thwart probes. Users can also protect their installations by keeping all WordPress installations, themes, and plugins up to date, using only trusted themes and plugins, and, if the web server supports it, editing the site’s .htaccess configuration file to prevent SQL injection attacks and block unauthorized access to sensitive files. It’s especially important to keep WordPress plugins up to date because would-be hackers can easily list all of a site’s plugins and then run scans looking for vulnerabilities in those plugins. If vulnerabilities are discovered, they could be used to allow hackers to upload their own files (such as a web shell) that collect sensitive data.

WPScan, WordPress Auditor, and WordPress Sploit Framework, all developed by 0pc0deFR, are among the tools that developers can use to assess potential vulnerabilities. These tools look into known security flaws like CSRF, LFI, RFI, XSS, SQL injection, and user enumeration. However, because not all vulnerabilities can be detected by tools, it’s a good idea to double-check the code of third-party plugins, themes, and other add-ons.

The Yoast SEO plugin was reported to be vulnerable to SQL injection in March 2015, allowing attackers to potentially execute arbitrary SQL commands. The problem was fixed in the plugin’s version 1.7.4.

Sucuri security auditors discovered a vulnerability in the WordPress REST API in January 2017 that allowed any unauthenticated user to change any post or page on a site running WordPress 4.7 or higher. The auditors quietly alerted WordPress developers, and within six days, WordPress released a high-priority patch for version 4.7.2 that fixed the issue.

The minimum PHP version requirement for WordPress 5.2 is PHP 5.6, which was released on August 28, 2014. PHP 5.6 has been unsupported by the PHP Group since December 31, 2018, and has not received any security patches since then. As a result, WordPress recommends that you use PHP version 7.3 or higher.
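The version thresholds given in this section (security backports back to 3.7, the REST API flaw patched in 4.7.2, the Yoast SEO fix in 1.7.4, and the recommended PHP 7.3) can be checked mechanically against an installation's inventory. The following is an added example, not code from WordPress or from any tool named above; the function names, the matching of plugins by their “Plugin Name” header text, and the sample inventory are assumptions made for illustration.

```python
import re

# Thresholds quoted from the text above; all sample data below is constructed.
OLDEST_BACKPORTED_CORE = (3, 7, 0)   # security fixes are backported back to 3.7
REST_API_FLAW_FROM = (4, 7, 0)       # REST API flaw affects 4.7 ...
REST_API_FLAW_FIXED = (4, 7, 2)      # ... and was patched in 4.7.2
RECOMMENDED_PHP = (7, 3, 0)          # WordPress recommends PHP 7.3 or higher
PLUGIN_FIXED_IN = {"yoast seo": (1, 7, 4)}  # SQL injection fixed in 1.7.4

# "Plugin Name:" / "Version:" lines inside a plugin's header comment.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*?)[ \t]*$", re.I | re.M)


def vtuple(text):
    """'4.7' -> (4, 7, 0); '5.8-beta2' -> (5, 8, 0); unparsable -> (0, 0, 0)."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    parts = [int(p) for p in match.group(0).split(".")] if match else []
    return tuple((parts + [0, 0, 0])[:3])


def parse_plugin_header(php_source):
    """Return the first Plugin Name and Version declared near the top of a file."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):
        if value.strip():
            fields.setdefault(key.lower(), value.strip())
    return fields


def audit_core(core_version, php_version):
    """Compare the core and PHP versions with the thresholds stated in the text."""
    core, findings = vtuple(core_version), []
    if core < OLDEST_BACKPORTED_CORE:
        findings.append(f"core {core_version}: older than 3.7, no security backports")
    if REST_API_FLAW_FROM <= core < REST_API_FLAW_FIXED:
        findings.append(f"core {core_version}: REST API content flaw, fixed in 4.7.2")
    if vtuple(php_version) < RECOMMENDED_PHP:
        findings.append(f"PHP {php_version}: below the recommended 7.3")
    return findings


def audit_plugins(sources):
    """sources maps a file path to its PHP text; files without a header are skipped."""
    findings = []
    for path, text in sorted(sources.items()):
        header = parse_plugin_header(text)
        name, version = header.get("plugin name"), header.get("version")
        if name is None:
            continue  # helper file, not a plugin's main file
        if version is None:
            findings.append(f"{path}: {name} declares no version, cannot be checked")
            continue
        fixed = PLUGIN_FIXED_IN.get(name.lower())
        if fixed and vtuple(version) < fixed:
            findings.append(f"{path}: {name} {version} predates the fixed release")
    return findings


# Constructed inventory: one outdated plugin, one without a version, one helper file.
SAMPLE_PLUGINS = {
    "sample-seo/main.php": "<?php\n/*\nPlugin Name: Yoast SEO\nVersion: 1.7.3\n*/\n",
    "sample-gallery/main.php": "<?php\n/**\n * Plugin Name: Sample Gallery\n */\n",
    "sample-gallery/helpers.php": "<?php\nfunction helper() {}\n",
}

if __name__ == "__main__":
    for line in audit_core("4.7.1", "5.6.40") + audit_plugins(SAMPLE_PLUGINS):
        print(line)
```

A plugin that declares no version is reported rather than silently passed, because it cannot be compared against any fixed release.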

WordPress-based websites use the canvas element to detect whether the browser can render emoji correctly in the absence of specific alterations to their default formatting code. Tor Browser warns that the website is attempting to ‘extract HTML5 canvas image data’ because it does not distinguish between this legitimate use of the Canvas API and an attempt to perform canvas fingerprinting. Ongoing efforts are being made to find workarounds that will reassure privacy advocates while still allowing users to test for proper emoji rendering capability.

Development and support

Key developers

The project was co-founded by Matt Mullenweg and Mike Little. Helen Hou-Sandí, Dion Hulse, Mark Jaquith, Matt Mullenweg, Andrew Ozz, and Andrew Nacin are among the core lead developers.

WP testers, a group of volunteers who test each release, are also part of the WordPress community. They have access to nightly builds, beta versions, and release candidates before the general public. Errors are tracked using the project’s Trac tool or a special mailing list.

WordPress is closely associated with Automattic, the company founded by Matt Mullenweg, despite the fact that it was largely developed by the community around it. The WordPress trademark was handed over to the newly formed WordPress Foundation on September 9, 2010, which is an umbrella organization that supports WordPress.org (including the software and archives for plugins and themes), bbPress, and BuddyPress.

WordCamp developer and user conferences

WordCamps are informal, locally organized conferences that cover all things WordPress. WordCamp 2006, which took place in August 2006 in San Francisco and drew over 500 people, was the first of its kind. In September 2007, Beijing hosted the first WordCamp outside of San Francisco. Since then, more than 1,022 WordCamps have taken place in more than 75 cities across 65 countries. WordCamp San Francisco 2014 was the last official annual WordPress developer and user conference held in San Francisco; WordCamp US has since taken its place. Regional WordCamps in other geographical regions were first held in 2013 as WordCamp Europe, with the goal of connecting people who aren’t already active in their local communities and inspiring attendees to start user communities in their hometowns. WordCamp Nordic was held in the Nordic region in 2019.
The first WordCamp Asia was supposed to take place in 2020, but it was canceled due to the COVID-19 outbreak.

Support

WordPress.org is the primary support website for the platform. WordPress Codex, the online manual for WordPress and a living repository for WordPress information and documentation, and WordPress Forums, an active online community of WordPress users, are both hosted on this support website.