The 2024–26 reshuffle of the modern web: the monolith split into a structured-content CMS layer (Sanity, Payload, Directus, Strapi), an islands-first framework layer (Astro, Next, SvelteKit), and edge-rendered hosting (Cloudflare Pages, Vercel, Netlify). MCP became the integration surface every credible CMS now ships natively. WordPress logged 11,334 new CVEs in 2025 (up 42% YoY, mostly in plugins) and is being replaced for performance, security, and agent-readiness reasons that compound. This leaf maps the new baseline and the top 5 MCP-ready web surfaces.
WordPress still powers a sizeable share of the public web. The 2026 problem is not the core, which is mature and well-maintained — it is the plugin ecosystem that the platform's success was built on. Patchstack's 2026 State of WordPress Security report logged 11,334 new vulnerabilities in 2025, up 42% year-over-year, with the overwhelming majority originating in plugins rather than core. Highly exploitable vulnerabilities climbed 113%. The weighted median time from public disclosure to first exploitation in the wild is now five hours.
The architectural story matches the security story. Traditional WordPress generates HTML on every request from PHP against MySQL; modern web stacks pre-build pages as static HTML or render them at the edge, delivering sub-100ms response times globally. Astro's homepage cites Core Web Vitals pass rates of 66% for Astro sites vs. 48% for WordPress and 30% for Next.js — numbers that should be checked against current Chrome UX Report data, but that direction-of-travel is correct.
The third problem is multi-channel. A WordPress install ships one website. A modern stack assembles content once in a structured CMS and renders it across web, mobile, kiosk, voice, and now agent surfaces — including via Model Context Protocol so an AI agent can read or update the same content store.
Many teams in 2026 sit in headless WordPress — running WP-as-CMS behind an Astro or Next.js front-end. This reduces the public attack surface (the admin is isolated from the rendered site) and recovers most of the performance gap. It does not solve the structured-content or agent-readiness problem — WordPress's post-and-page model and lack of native MCP support remain limits. Headless WP is a sensible migration step; not an endpoint.
The 2024–26 evolution split the WordPress monolith into three clear layers, each with multiple credible options. Each layer can be swapped without touching the others. This is the structural shift — not a single replacement product, but a re-architecture into composable parts.
Schema-as-code, JSON-document store, API-first. Editors get a custom Studio; developers query structured fields, not HTML. Sanity, Payload, Directus, Strapi.
Server-renders HTML, ships minimal JS, hydrates only the interactive bits. Astro is the reference; Next.js / Remix / SvelteKit / Qwik are the alternatives.
Static assets to edge POPs; SSR at the edge for dynamic routes. Cloudflare Pages, Vercel, Netlify. Sub-100ms TTFB globally; auto-scaled per request.
The Model Context Protocol is not a separate layer of the stack — it is the integration surface that every credible CMS now ships natively. Sanity exposes content via an MCP server consumable from Claude Code, Cursor, and v0. Astro ships an official MCP server with context files for AI tools. Directus has native MCP built in. Payload, Strapi, and NomaCMS all have MCP integrations or wrappers. "MCP-ready" is the 2026 baseline for new builds.
Sanity positions itself as "the Content Operating System for the AI era" — not a traditional headless CMS, but a structured-content platform built for programmatic operations at scale. The underlying technical claims:
The 2026 AI / agent positioning is the bigger story. Sanity ships Content Agent (transforms source materials into structured content; audits and edits at scale; supports visual editing via natural language), Agent Actions (schema-aware AI automations triggered by content mutations), and Agent Context (surfaces structured data for agentic reasoning). The Sanity MCP server integrates with Claude Code, Cursor, and v0 — an agent can read or write Sanity content through standard MCP without bespoke integration code.
WordPress's data model is "posts and pages with custom fields bolted on." Sanity's data model is "schemas you define in TypeScript, with arbitrary nested structures, references, and validation, queryable by GROQ." When an agent (or a human) wants the "list of all case studies tagged AgentForce, with their associated services, ordered by published date," Sanity answers that in one query. WordPress answers it after three plugins, two custom hooks, and a partial cache rebuild.
Astro is a JavaScript web framework optimised for fast, content-driven sites. Components render on the server and ship lightweight HTML to the browser with zero unnecessary JavaScript overhead. The defining feature is Islands Architecture — pages are static HTML by default, with hydration applied only to the interactive components ("islands") that need it. The rest of the page never ships its rendering JS to the client.
Key technical traits:
The 2026 MCP story: Astro ships an official MCP server and context files for AI development tools. Cursor / Windsurf / Claude Code agents can introspect an Astro project's routes, content collections, and components through standard MCP. The combination of structured content (in a CMS like Sanity) and structured project metadata (via Astro's MCP) is what makes the modern stack genuinely agent-readable.
Astro's homepage claims 66% of Astro sites pass Core Web Vitals, versus 48% for WordPress and 30% for Next.js. Direction-of-travel matches the architecture: less shipped JS → lower TBT and INP → more sites pass CWV. The specific numbers should be checked against the current Chrome UX Report before being quoted in a sales context — they shift quarterly — but the ranking is consistent: islands frameworks beat full-hydration frameworks on the metrics Google rewards.
Five distinct shapes of web surface, each MCP-ready in 2026. The list mixes CMS and framework deliberately — the right combination depends on whether content workflow or front-end DX is the bottleneck.
The structured-content platform with the strongest agent positioning. Content Agent for natural-language editing, Agent Actions for schema-aware automation, Agent Context for agent-reasoning surfaces. MCP server integrates with Claude Code, Cursor, v0. Pairs naturally with Astro or Next.js on the front end.
Pick when: the editorial workflow matters more than the framework. Marketing / content-heavy / multi-locale.
The reference islands-architecture framework. Zero-JS default, content collections with TypeScript validation, official MCP server with project-introspection context files. Hosting adapters for every major edge / serverless provider. The 2nth default front-end framework for content-driven sites.
Pick when: the site is content-led, performance is a buyer criterion, and the team can author in Markdown / MDX or query a headless CMS.
Code-first headless CMS that runs in the same Next.js app as the front-end. TypeScript config, Postgres / MongoDB backends, full admin UI built in. MCP integration via community wrappers. The top choice for Next.js teams that want the CMS and the app deployed as one unit.
Pick when: the team is Next.js-native and wants a single deployable. Avoids the headless-API-as-network-call latency.
Connects to any existing SQL database (Postgres, MySQL, MS SQL, SQLite) and exposes it as a content API + admin app. Built-in AI Assistant; native MCP server; structured data layer that any agent or model can work with. The "uncompromising data ownership" pitch — the database stays where it lives; Directus wraps it.
Pick when: the data already lives in a SQL warehouse / OLTP store and the requirement is to expose it as a CMS without migrating.
The open-source headless CMS with the broadest plugin ecosystem and the most mature self-hosting story. Node.js runtime; Postgres / MySQL / MongoDB backends; REST and GraphQL out of the box. MCP integration via the Strapi MCP wrapper; deep plugin coverage for auth, i18n, drafts, and more.
Pick when: open-source self-hosting is the hard requirement, and the team can absorb operating the CMS infra themselves.
Storyblok for visual editing of marketing pages; Contentful as the legacy enterprise option (mature but expensive, MCP support via partners); Builder.io for AI-native visual building (Builder Composable + Visual Copilot); Webstudio as the open-source visual builder; NomaCMS as the AI-first newcomer with native Claude Code / Cursor MCP. EmDash — Cloudflare's open-source WordPress challenger — is architecturally aligned but the ecosystem is still empty (early 2026).
| Workload | CMS pick | Front-end pick | Why |
|---|---|---|---|
| Marketing site, multi-locale, content-heavy | Sanity | Astro | Sanity's editorial workflow + Astro's CWV story is the strongest content-site combination available. |
| App with content + interactive features | Payload | Next.js | Single deployable. Payload runs in the Next.js app; no separate CMS service to operate. |
| Internal tool over existing SQL data | Directus | Astro or SvelteKit | Database stays put; Directus wraps it; front-end framework is a style choice. |
| Self-hosted, open-source-only requirement | Strapi | Astro / Nuxt | Both are OSS; both run self-hosted; the operating burden lives with the team. |
| Visual editing for non-technical authors | Storyblok or Builder.io | Next.js / Astro | Marketing teams that need in-place visual editing over a rendered page; not a code-first workflow. |
| Existing WordPress, no time for full rebuild | WordPress (as CMS only) | Astro / Next.js | Headless WP is the bridge pattern. Recovers most of the perf gap; reduces attack surface; doesn't solve agent-readiness. |
The WordPress install base is large — and creaking. Most SA SMB and mid-market websites are on WordPress. Many were built by agencies that no longer exist or no longer maintain them. The plugin-vulnerability surface is the most common single source of incidents the SA cybersecurity community sees. Replacing or hardening these sites is real work — budget the migration as a 4–12 week engagement, not a weekend.
POPIA fits modern stacks better than it fits WordPress. A headless CMS at africa-south1 or eu-west + a static front-end deployed to Cloudflare's African edge means personal data (form submissions, user accounts) lives in one residency-controlled store and the public site never holds it. WordPress's "everything is in one MySQL on one host" model makes Section 19 evidence harder to assemble.
Edge hosting and FX. Cloudflare Pages, Vercel, and Netlify are USD-priced; Cloudflare's free tier covers most small sites end-to-end. Bandwidth-sensitive workloads benefit from Cloudflare's African POPs (Cape Town, Johannesburg, Lagos, Nairobi, Cairo, Casablanca and others — see tech/cloudflare/edge-africa-me) over US-only Vercel routing for SA-resident readers.
Agency landscape shift. SA agencies that used to ship WordPress sites are migrating to "WordPress for editorial + Astro for the front-end" as the path of least client disruption. The Sanity / Payload / Directus conversation is happening with the technical-buyer cohort first; mainstream marketing teams catch up over the following 12–18 months.