It was originally created as a tool to publish blogs but has evolved to support publishing other web content, including more traditional websites, mailing lists, Internet forums, media galleries, membership sites, learning management systems, and online stores.

Available as free and open-source software, WordPress is among the most popular content management systems – it was used by 22.52% of the top one million websites as of December 2024[update].

Themes allow users to change the look and functionality of a WordPress website without altering the core code or site content.

[14] WordPress' plugin architecture allows users to extend or depreciate the features and functionality of a website or blog.

[15][16] As of December 2021[update], WordPress.org has 59,756 plugins available,[17] each of which offers custom functions and features enabling users to tailor their sites to their specific needs.

[20] Plugins also represent a development strategy that can transform WordPress into all sorts of software systems and applications, limited only by the imagination and creativity of programmers.

These are implemented using custom plugins to create non-website systems, such as headless WordPress applications and Software as a Service (SaaS) products.

Before version 3, WordPress supported one blog per installation, although multiple concurrent copies may be run from different directories if configured to use separate database tables.

As the development of b2/cafelog slowed down, Matt Mullenweg began pondering the idea of forking b2/cafelog and new features that he would want in a new CMS, in a blog post written on January 24, 2003.

[35][36] In 2004, the licensing terms for the competing Movable Type package were changed by Six Apart, resulting in many of its most influential users migrating to WordPress.

[37][38] By October 2009, the Open Source CMS MarketShare Report concluded that WordPress enjoyed the greatest brand strength of any open-source content management system.

[4][5] Starting September 2024, Mullenweg engaged WordPress, Wordpress.com, and Automattic in a dispute leading to a lawsuit with hosting company WP Engine, causing widespread community concern.

A cumulative list of WordPress security vulnerabilities, not all of which have been corrected in the version current at any time, is maintained by SecurityScorecard.

[130] A separate vulnerability on one of the project site's web servers allowed an attacker to introduce exploitable code in the form of a back door to some downloads of WordPress 2.1.1.

[132] To help mitigate this problem, WordPress made updating the software a much easier, "one-click" automated process in version 2.7 (released in December 2008).

[135] In June 2013, it was found that some of the 50 most downloaded WordPress plugins were vulnerable to common Web attacks such as SQL injection and XSS.

[137] Individual installations of WordPress can be protected with security plugins that prevent user enumeration, hide resources, and thwart probes.

Users can also protect their WordPress installations by taking steps such as keeping all WordPress installations, themes, and plugins updated, using only trusted themes and plugins,[138] and editing the site's .htaccess configuration file if supported by the webserver to prevent many types of SQL injection attacks and block unauthorized access to sensitive files.

If vulnerabilities are found, they may be exploited to allow hackers to, for example, upload their files (such as a web shell) that collect sensitive information.

These types of tools research known vulnerabilities, such as CSRF, LFI, RFI, XSS, SQL injection, and user enumeration.

[144] In the absence of specific alterations to their default formatting code, WordPress-based websites use the canvas element to detect whether the browser can correctly render emoji.

Ongoing efforts seek workarounds to reassure privacy advocates while retaining the ability to check for proper emoji rendering capability.

Though largely developed by the community surrounding it, WordPress is closely associated with Automattic, the company founded by Matt Mullenweg.

[149][10][152] In January 2010, Matt Mullenweg formed the organization[149] to own and manage the trademarks of WordPress project.

[155][156] In January 2022, the project began to gather volunteers, and in February, its own developer website was launched, where team representatives were next selected.