WordPress in April 2026: 3 Documented Events That Changed Migration Urgency
Three primary-source events. WordPress founder Matt Mullenweg's internal memo. Three plugin supply-chain attacks in one week. The WooCommerce Core team lead's public admission of the platform's biggest problems.

Hassan Jamal · May 22, 2026
Executive Summary
- April 14, 2026: Matt Mullenweg posted an internal memo admitting 'the wheels have fallen off' WordPress. Reported by The Repository with direct quotes.
- April 5 to 7, 2026: Three plugin supply-chain attacks landed in one week. Essential Plugin (31 plugins, ~400K installs, backdoor planted 8 months prior). Smart Slider 3 Pro (800K installs, update server hijacked). WowShipping Pro (unauthenticated RCE).
- April 16, 2026: WooCommerce Core team lead at Automattic publicly admitted the platform's three biggest problems on r/woocommerce: plugin fatigue, fear of updating, and performance.
- Patchstack 2025 report: 7,966 WordPress vulnerabilities in 2024. 96% in plugins. 43% require zero authentication. Average WooCommerce store runs 30 active plugins per Studio Wombat's 10,000-store study.
- Migration is now a risk-management question, not a vanity PageSpeed question. The longer a business site stays on WordPress, the more attack surface it carries.
This is a primary-source dump. Three independent events from April 2026, every claim linked to its original publication. No opinion. The events speak for themselves.
Event 1: Matt Mullenweg Internal Memo (April 14, 2026)
On April 14, 2026, WordPress founder Matt Mullenweg posted a wide-ranging critique of the platform he founded in WordPress's internal core-committers Slack channel. The post was reported in full by The Repository, an independent WordPress newsletter.
Mullenweg's Exact Words (April 14, 2026)
“We are not being killed by competition, I believe we have done this to ourselves.”
“When Cloudflare can ship the entire functionality of WordPress, and then some, in 2 months, we can take longer than that to almost not ship one sub-menu of our Settings screen.”
“We are operating at a level of collective delusion that is quite impressive.”
“We keep driving away some of the most valuable people and rejecting them when they try to contribute.”
Source: The Repository
The context matters. Mullenweg is the founder of WordPress (2003), the CEO of Automattic (which owns WordPress.com, WooCommerce, Jetpack, Tumblr, and others), and the unilateral controller of the WordPress.org plugin directory. When he says "the wheels have fallen off" in an internal memo to his own core committers, this is not external criticism. This is the founder describing his own ship.
The Cloudflare reference is specific. Throughout 2025 and into 2026, Cloudflare has been shipping content management features (Workers, Pages, R2 storage, D1 database, Stream video) at a pace that makes the WordPress.org core team's ship cadence look glacial. Mullenweg's complaint is not vague. It is a specific competitive concern from a founder watching his core platform fall behind.
Event 2: Three Plugin Supply-Chain Attacks in One Week (April 5 to 7, 2026)
Three documented WordPress plugin compromises hit in a single seven-day window. All three were supply-chain attacks (the plugin update mechanism itself was the attack vector, not the user's installation).
Attack 1: Essential Plugin Suite (31 plugins, ~400,000 active installs)
The Essential Plugin suite was acquired on Flippa for six figures by an unknown party. A backdoor planted in version 2.6.7 in August 2025 sat dormant for 8 months before activating in April 2026. WordPress.org permanently closed all 31 plugins on April 7, 2026.
Attack 2: Smart Slider 3 Pro (800,000+ active installs)
The Smart Slider 3 Pro plugin update server was compromised. Version 3.5.1.35 shipped with a remote access toolkit embedded. Any site that auto-updated during the compromise window received the malicious payload. The plugin maintainers issued an emergency clean release within 48 hours, but every site that auto-updated in the window remained compromised until manual remediation.
Attack 3: WowShipping Pro (RCE backdoor)
WowShipping Pro received an unauthenticated remote-code-execution backdoor in an update. Unlike the Essential Plugin and Smart Slider attacks, this one allowed any attacker on the internet to execute code without authentication. The vulnerability was patched within days, but the install base remained partially exposed until forced updates rolled through.
The scale data comes from Patchstack's 2025 State of WordPress Security report: 7,966 new WordPress vulnerabilities in 2024. 96 percent in plugins, not core. 43 percent require zero authentication (any internet user can exploit them). 1,614 plugins were removed from the WordPress.org directory in 2024 for unpatched issues.
The pattern matters more than the individual attacks. Three plugin compromises in one week is not three coincidences. It is a structural problem with the WordPress plugin distribution model. Plugins can be acquired by anyone (Flippa, GitHub, direct purchase). Plugin update servers are individually controlled and individually vulnerable. Auto-updates push code from those servers to millions of sites with no intermediate review.
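A triage sketch for the Smart Slider 3 Pro point above: a site that has since moved to a clean release may still have received the malicious version through auto-update. This is an added example, not code from the article or any vendor; the plugin slugs, the change-log format and every sample record are constructed, and only the two flagged version numbers come from the article.

```python
import json

# Versions the article names as compromised. The slugs are placeholders:
# the article gives product names, not WordPress.org slugs.
ADVISORIES = {
    "smart-slider-3-pro": {"3.5.1.35"},
    "essential-plugin-example": {"2.6.7"},  # stands in for one of the 31
}

# Constructed sample: a per-site plugin change log in a hypothetical
# JSON-lines format (one install/update event per line).
SAMPLE_HISTORY = """\
{"slug": "smart-slider-3-pro", "version": "3.5.1.34", "at": "2026-03-20", "auto": true}
{"slug": "smart-slider-3-pro", "version": "3.5.1.35", "at": "2026-04-06", "auto": true}
{"slug": "smart-slider-3-pro", "version": "3.5.1.36", "at": "2026-04-08", "auto": true}
{"slug": "essential-plugin-example", "version": "2.6.6", "at": "2025-07-01", "auto": false}
{"slug": "contact-form-example", "version": "1.2.0", "at": "2026-01-15", "auto": true}
"""

def triage(history_text, advisories=ADVISORIES):
    """Classify each plugin by whether a flagged version was ever installed."""
    events = {}
    for line in history_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            events.setdefault(ev["slug"], []).append(ev)
    report = {}
    for slug, evs in events.items():
        evs.sort(key=lambda e: e["at"])  # ISO dates sort chronologically
        bad = advisories.get(slug, set())
        hits = [e for e in evs if e["version"] in bad]
        if evs[-1]["version"] in bad:
            status = "flagged-version-installed"
        elif hits:
            # Updating to a clean release does not undo what the bad one did.
            status = "was-exposed-needs-remediation"
        elif slug in advisories:
            status = "affected-product-clean-history"
        else:
            status = "no-advisory"
        report[slug] = {
            "status": status,
            "current": evs[-1]["version"],
            "exposed_on": [e["at"] for e in hits],
            "via_auto_update": any(e["auto"] for e in hits),
        }
    return report

if __name__ == "__main__":
    for slug, row in triage(SAMPLE_HISTORY).items():
        print(slug, row)
```

The `was-exposed-needs-remediation` status is the case a current-version check misses: the installed version is clean, but the history shows the flagged build was on the site.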
Event 3: WooCommerce Core Team Lead Public Admission (April 16, 2026)
On April 16, 2026, a WooCommerce Core team lead at Automattic posted publicly on r/woocommerce asking the community for direct feedback. The Reddit account (u/sunyatasattva) is verified as a WooCommerce team member. The post identified the three biggest user complaints in the platform's own engineering team's words.
The WooCommerce Team's Own Admission
1. Plugin fatigue. “Having to install 30+ plugins, then troubleshooting becomes a nightmare.”
2. Fear of updating. “People are scared updating might break something.”
3. Performance. “The store becoming sluggish.”
Source: r/woocommerce thread
The independent data backs the admission. Studio Wombat's 10,000-store study confirmed the average WooCommerce store runs 30 active plugins. Average plugin count is not an aspirational target. It is the median real-world install. The platform's own team is acknowledging what their own data has shown for years.
The plugin fatigue problem connects directly back to Event 2 (the supply-chain attacks). When the average WooCommerce store runs 30 plugins, the attack surface scales with each plugin. A single compromised plugin in the stack can take down the entire store. Plugin fatigue is not just a user-experience complaint. It is a security exposure that the platform's engineering lead is now publicly acknowledging.
What These Three Events Mean for Migration Urgency
Migration urgency in 2026 is no longer a vanity PageSpeed question. It is a risk-management question. The April 2026 events shifted the calculus on three specific dimensions.
Dimension 1: Platform direction risk. The founder of WordPress is publicly admitting the platform is losing ground to competitors and that contributors are being driven away. This is not an external attack. This is the source. A business betting its website on WordPress for the next 5 years is now betting on a platform whose founder is publicly questioning its trajectory.
Dimension 2: Plugin supply-chain risk. Three documented compromises in one week. 96 percent of WordPress vulnerabilities are in plugins. The plugin distribution model has no intermediate review between a compromised plugin author and millions of auto-updating sites. A WooCommerce store with 30 plugins has 30 independent supply-chain risks. Custom Next.js sites have zero plugins. The attack surface delta is structural.
Dimension 3: Operational complexity risk. The WooCommerce engineering lead is publicly acknowledging that plugin fatigue, fear of updating, and performance are the platform's three biggest problems. None of these are problems custom-coded Next.js sites have. There are no plugins to install, no update fear (the code is the deployment), and performance is structurally faster.
The Honest Counterpoint: When WordPress Still Wins
WordPress has 15+ years of plugin ecosystem for niche verticals (LMS, complex membership, church management, vertical-specific SaaS integrations) that would cost $30,000+ to build custom. For businesses that depend on niche plugins as core revenue drivers, migration cost can outweigh the migration benefit. This analysis is about migration urgency, not migration certainty.
The right question is "when does the risk of staying exceed the cost of migrating?" For business marketing sites and standard e-commerce stores (the majority of WordPress sites), the April 2026 events shifted that line. For niche-plugin-dependent businesses, the line moved less. PandaCodeGen will tell clients honestly which category they fall into during a free migration cost review.
About PandaCodeGen
PandaCodeGen is a US LLC custom Next.js web development agency founded February 2026. Fixed pricing from $1,500 (Starter) to $10,000+ (Scale+). Every project ships with a written 90+ PageSpeed refund guarantee. 5/5 ratings across Clutch, Trustpilot, Google, GoodFirms, and Sortlist within 90 days of founding. Free 60-second site audit at pandacodegen.com with no email required.