Can we heal the ‘open sores’ in open source? For WordPress, Karim Marucchi has a prescription


Matthew Garrepy

The ecosystem is aching for answers, and it starts with securing the software supply chain. On the latest episode of “The Critic’s Corner” podcast, we talk about what’s at stake in the wake of the WordPress drama – and where we go from here.


 

“First, do no harm.”

It’s a fundamental principle in medicine, ethics, and other fields, advocating for the avoidance of injury. The phrase is often credited to the ancient Greek physician Hippocrates, although this exact language isn’t used in his eponymous “Hippocratic Oath.”

Of course, in certain cases, the weight of said “harm” can be subjective. One could argue that breaking customer websites to force someone’s hand isn’t a threat to life and limb, but it could have a profound impact on business performance and people’s livelihoods. For the inflictor, do the ends justify the means? 

In the end, harm is harm, and a lot of people were hurt, frustrated, and caught in limbo during the recent (and very public) battle betwixt Automattic – the company behind WordPress – and WP Engine, a popular managed hosting platform for WordPress. 

Since last September, there have been a lot of great articles written about this debacle that cover the nuance and minutiae. I’m not here to rehash any of it. I'm interested in where we go from here, particularly as it relates to enterprises that are leveraging open source and concerned about its future stability.

So what’s at stake for the CMS industry? And how can enterprises navigate the uncertainty with confidence? 

If anyone has a pulse on what might happen, it’s Karim Marucchi. 

As CEO of Crowd Favorite, an enterprise digital strategy and engineering firm with a strong WordPress focus (they build experiences for brands like Disney), Karim is an open source luminary and an outspoken leadership figure within the WordPress community. He’s also a founding member of the Scale Consortium, an organization dedicated to advancing the value of WordPress for enterprise-level solutions. 

For me, Karim is inspiring on every conceivable level. He has a brain for business, but the heart of an engineer. In fact, he has a Master’s Degree in Architecture from La Sapienza University in Rome, so he likes building things with strong foundations. Stuff that’s designed to last.

Karim has been at the center of this drama, working both inside and outside the ecosystem to find a path forward. He and Yoast CEO Joost de Valk were early voices for evangelizing a federated approach to WordPress.org, so there’s no central control – and he’s been a source of calm in these rough seas.

I recently had Karim on “The Critic’s Corner” podcast, and we talked not about the drama, but that crucial path forward. He provided a frank assessment of what’s really at stake for the world’s largest open source CMS project – and why securing the software supply chain is, in his words, “absolutely mandatory.” 

In our conversation, we covered both the technology and business dynamics, and how the WordPress community is at the heart of everything. Despite the continuing legal and social challenges, Karim doubled down on the benefits of open source and how it’s the true bedrock of composability. 

We also touched on the modern relevance of WordPress, particularly for new talent entering the software field. And we even hit everyone’s favorite subject of AI and its open source implications, particularly as developers focus more on architecture over code and where he sees the real advantages of automation.

Here's a quick snippet from the show, but you can listen to the full podcast here.

 

The open road to open source

For most of us, there’s seldom a straight line to the backwaters of CMS. We arrive by different modes, and for Karim, his background in architecture was a translation point for building technology systems that were designed to scale.  

Karim was pulled into the internet in the early '90s, when it was being commercialized, and started working with large enterprise content management systems. As he said to me, many of these names no longer exist, but along the way, he managed to engage with every large CMS out there. Around 2006, he found his calling in open source, seeing multiple platforms emerge as really powerful solutions. 

“I was amazed at how well thought out and versatile they were at the time,” he said. 

And so began a journey to translate these tools for enterprise standards. He talked to Disney about an opportunity to take it to open source, and for the last 15 years, his team at Crowd Favorite has been working with leading brands and major financial institutions to bring open source to the enterprise with confidence.

Of course, there’s also a downstream effect. As Karim pointed out, nearly half of all websites on the internet that are powered by WordPress have directly benefited from enterprise innovation, where the chief investment exists. 90% of the density is small consumer sites, and that’s where the ecosystem has grown over the last twenty years. To his point, improving things for Disney ripples down to Main Street businesses in a big way.

“In our world, we’re focused on that very top percentile, but we try to use [WordPress] in a way where we’re giving back to the larger ecosystem, so everyone can move forward,” he said. “In a perfect world, you can use it for a personal site, or Disney’s D23 event. If you do it right, you can create software that can be used by anyone globally.”

I asked Karim why open source means so much to him. As he said, there’s real joy in helping to evolve the WordPress project, because it means so many things to so many different people.

"I’m so incredibly lucky to be part of one of the largest open source projects in the world that affects, quite literally, global content,” he sparked. “And I’ve just been amazed and humbled at being able to go around the world to talk to people who are using WordPress in different ways.” 

Competing in a dense CMS market of choices

At the enterprise level, WordPress has struggled against the advanced capabilities, SLAs, and service models of proprietary systems, even if it dominates the market. There are pros and cons, but WordPress has long been viewed as less secure or reliable – and for those of us who have used it, we’ve experienced the challenges and limitations firsthand. 

But it’s come a long way, baby. As Karim noted, the technological leaps in the WordPress ecosystem have been breathtaking. We talked specifically about personalization, which was unthinkable a few years ago.

“There are now plugins for WordPress that make personalization possible in WooCommerce for pennies compared to what you could do five years ago,” he said. 

On the other hand, as he observed, the true competition for any CMS these days is that all you need is social media and a shopping cart. That’s sparking more profound philosophical questions about the future of websites. 

But he thinks these are market trends – and there is always going to be a place for content management systems. The real question is whether vendors are ready to compete on modern standards. 

“Systems are also struggling to keep up with change,” he said. “They're still trying to solve problems from five or ten years ago. Many companies are just trying to catch up. So there’s a huge challenge.”

Securing the software supply chain

In the recent WordPress debacle, there were stated issues involving trademark usage and contributions. Both sides had relevant arguments, but for Karim, the fallout has laser-focused the community – and the broader market – on an even bigger issue. 

“Over the evolution of adopting WordPress, security has always been a big question,” he said. “We’ve solved that. Right now, the biggest problem is the supply chain security. You need to be able to trust where your software is coming from. We already had that problem with plugins, but this situation has shined a light on it.”

He went on to suggest that for open source to succeed, we must come together as an ecosystem and move beyond governance of an open source project and actually talk about the source of where our software is coming from. 

 


 

“That supply chain ecosystem is absolutely mandatory,” he said. “And the idea that one entity can just decide to flip a switch and the code changes is no longer acceptable. On the customer side, no matter what project you’re working with – whether it’s WordPress, Drupal, whatever it is – make sure you have ways of securing your supply chain. On the project side of it, it’s up to us in the ecosystem to create new ways of managing those updates, so they become trusted.”

So how do we do that? That’s the challenge. 

During our conversation, we discussed how the entire market is relying on a solution, as open source is the key to everything. He reminded me that we’re all utilizing open source technologies to get the ball down the field (think Linux, Docker, or Kubernetes). Not everyone can afford advanced enterprise management with secure, containerized capabilities and monitoring – so the hardware store on Main Street needs the ecosystem to be secure for them as well. 

Is WordPress too big to fail?

According to W3Techs, around 43.5% of all websites on the web use WordPress. These include websites that run on a CMS, without a CMS, and custom-coded CMSes. That means over one-third of the entire internet is running on WordPress.

If you do any Googling on these metrics (that means putting down ChatGPT and going “old school”), you’ll see one of the top search phrases: “Is WordPress still relevant?” And while the numbers have slipped a bit, we’re still talking about the biggest percentage of market share by a long shot. So yes, it is. Big time.

Given its size and scope, is it too big to fail? That question also came up, given the recent shakeup. Since the Automattic/WP Engine issues began, things have vacillated from a legal perspective. Still, despite the impact to users and businesses, a lot of positive innovation has come from both sides of the battle line. 

As Karim said, quite diplomatically, WordPress has benefited so much from Automattic and WP Engine. But these companies are also struggling with the realities of business growth, and they’ve come to a natural point in their path where long-term viability is the driving question.

“There’s nothing surprising here for the enterprise,” he explained. “How do we get past this point? How do we make it less dramatic? All sorts of platforms and products have passed this point in the past. How we come out of it is still up for debate. The bottom line is, WordPress is too large to just disappear.”

I agree. The WordPress community has invested too much to pivot or change. Sure, there might be some churn. But even with Drupal launching its new offering, Karim noted that WordPress isn’t going anywhere – the question is how it’s going to evolve.

Why should new developers embrace WordPress?

At the recent Boye & Company CMS Summit in Germany, I opened the conference with a few research slides, one of which detailed the precipitous decline of new software developers entering the field. Since 2019, the dip has been sharp, and it’s clear that evolving business dynamics and the growth of AI and automation are having a profound impact.

I’m on the board at a small skill school called Full Sail University, where I help shape the curriculum for the web, application, and cybersecurity programs. It’s worth noting that we still teach WordPress, because CMS is elemental to web development. 

But that doesn’t change the fact that fewer developers are entering the field. And negative publicity surrounding the efficacy of frameworks isn’t good for the cause. I asked Karim how all of this might be impacting the future of WordPress, and he focused on the foundational tenets of accessibility and simplicity. 

“History teaches us everything,” he replied. “Why did WordPress get to where it is today? Because it’s accessible. And when I say accessible, you could know a minimum of PHP, but it’s written in a way where you could start tweaking things in plugins within minutes. If you combine that with the fact that it’s open source – and very cost-effective for a small business – it’s a great entry level.”

As we discussed, there’s still a strong case for WordPress as a marketable skill. It’s so ubiquitous that developers with knowledge and experience find employment much easier compared to other niche frameworks. When combined with full stack capabilities, it’s an asset. 

Open source: The foundation for composability

Back in 2013, Dries Buytaert talked about the modular tenets of “The Assembled Web,” pursuing the ideals of openness, transparency, and democratized solutions. 

Today, we’re obsessed with similar pursuits within the composable movement, and Karim sees the idea of composability as a catalyst for building on open source. In his mind, it’s foundational to the very concept – and in a market dominated by enterprise DXPs, this is a cornerstone of his perspective on the WordPress opportunity.

“If you want to be truly composable, start with an open-source core and then use any product in the martech stack as a best-of-breed, but keep the core open source so you own the data. You own the experience. It’s the true meaning of the word composable. That’s why the enterprise wants to use it.”

Relying on partners to maintain trust

The digital world is filled with bad actors. We all have plugin horror stories, some involving X-rated content that unexpectedly materializes after pushing an update. Website forms are flooded with bots, DDoS attacks are on the rise, and teams are busy defending against this blend of challenges.

As Karim pointed out, this is the opportunity for both enterprises and practitioners to grow. These problems are all solvable, but they require smart people and organizations that are focused on the right layer of concerns. As such, he made a strong case for finding resources that can keep a watchful eye on what’s coming while enterprise teams manage their experience creation and content operations. They’re also helping to guide customers through the murky waters of WordPress.

“If you find the right partner, you’ve solved the problem,” he said. “Even organizations that have full-time technical teams, the job description is to maintain what they have and look for opportunities within a limited set of time and resources. At companies like Crowd Favorite, our full-time job is to stay on the cutting edge, to be completely informed, to help the architecture remain composable – staying ahead of the next curve and understanding how the technology is going to affect our customer.”

What about AI and WordPress?

In our last podcast with Greg Dunlap, where we discussed his new book, he confessed that he’s not as keen on AI. I get it – the hype is exhausting, and we’re still struggling with a lot of issues. He instead focused on practical ways to improve the content authoring experience, which was refreshing.

Still, AI is an unavoidable topic in CMS, and I wanted to know how Karim sees it evolving WordPress and the broader open source landscape. At Crowd Favorite, he and his team use AI every day to improve their work and constantly try new things, so he's close to the edge.

“I was lucky enough not to have to write code anymore about 15 years ago, but I did,” he mused, reminiscing. “Today, I can approach one of these AI systems and have a plain English conversation about what I’m trying to accomplish, and it will write me an entire WordPress plugin, and that plugin will work. Is it optimized? Is it performant? Is it enterprise-ready or secure? Different conversation for a different day. The bottom line is, you don’t need to know code. So my first reaction is, anyone who’s getting into development or engineering today, you no longer have to worry about syntax or the perfect formatting of the code.”

This observation rolls into his broader perspective on the topic. As Karim noted, the new mandate for technologists is to be an engineer or an architect – and to stop focusing on the code and think more about the business needs. I see this with AWS and how the focus on service architecture has become the norm, making it much easier for non-coders to build application delivery solutions in the cloud.

“We are so early in this AI moment, and it’s changing daily and weekly,” he said. “How it’s going to look in two years won’t be anything we imagine. We’re in that moment of change. Don’t ignore it. Play around with all these new platforms, but don’t start making plans just yet.”

Where do we go from here?

Between social media, community Slack channels, and U.S. courtrooms, it’s hard to know what’s next. But the challenges don’t just rest with WordPress. Open source is experiencing a global evolution, with Europe’s Cyber Resilience and Artificial Intelligence Acts set to reshape the market dynamics. 

But Karim is optimistic. As he expressed, WordPress has done so much to democratize the open source landscape, and that will continue – one way or another. 

“The need to manage content on the web isn’t going away,” he said. “It’s not going anywhere. The question is what’s it going to look like. I think it’s going to lead to more options than ever. For distributed platforms, for enterprises, for the hardware store on Main Street.”

Higher tides raise all ships. As Karim shared multiple times in our conversation, solving the problems at an enterprise level will drive solutions downstream. 

“But in the enterprise, we need options,” he punctuated. “And those options need to evolve, and have this flourishing ecosystem that can’t be manipulated by one company or one set of companies.”

So they can do no harm. That’s as close to a Hippocratic Oath as you can get. 


©2025 CMS Critic. All rights reserved.