The Four Machines
In 2024, the web was a place where humans built things for other humans to visit. In 2026, every layer of that stack has been replaced by machines.
Machine Builds
AI coding agents — Cursor, Claude Code, GitHub Copilot, Google's Antigravity IDE — are now the primary authors of new web code. Stack Overflow's 2026 survey shows AI coding tools used by 76% of professional developers. These agents don't just autocomplete — they architect, debug, deploy, and iterate. They choose frameworks. They write components. They generate APIs.
What do AI coding agents build with? Not WordPress. Not PHP. They generate React, Next.js, FastAPI, Astro, SvelteKit. The code they produce is the code they were trained on — modern, structured, API-first. The migration away from legacy frameworks isn't being driven by human decision anymore. It's being driven by the tools humans use to write code. The agents chose. But those same agents are vulnerable: TrustFall — disclosed June 2026 — demonstrated one-click RCE in Claude Code, Cursor, Gemini CLI, and GitHub Copilot through malicious MCP servers in cloned repositories. The machines building the web are themselves an attack surface.
Machine Browses
57.4% of all web traffic is now automated. In North America, 68.6%. AI agents — GPTBot, ClaudeBot, Google-Extended, Perplexity, shopping bots, research agents — visit 1,000x more pages per task than a human. They don't scroll. They parse. They extract structured data. They compare across thousands of sites in seconds.
When an AI shopping agent compares prices across 5,000 retailers, it's generating traffic on all 5,000 sites. A human would visit 4-5. The multiplicative effect means a single AI agent workflow generates more server load than hundreds of human sessions. Your framework's output weight — 2-4MB WordPress vs 30-100KB Astro — isn't a performance metric anymore. It's an infrastructure cost multiplied by machine-scale traffic.
Machine Attacks
In H1 2026, the npm ecosystem saw 20+ supply chain attacks. IronWorm trojanized 50+ packages with an eBPF kernel rootkit. Miasma self-replicated through stolen developer credentials. North Korean group UNC1069 socially engineered the Axios maintainer. Post-login account compromise attempts increased 4x year-over-year. Scraping attacks approach 20% of global traffic.
The attackers are automated too. The attacks that hit WordPress plugins — Modular DS CVSS 10.0, Funnel Builder skimming 40,000 stores — were mass-exploitation campaigns run by automated tooling. The attacks on npm — IronWorm's self-replicating worm — were literally programs writing malicious code into other programs. Machine attacks machine.
Machine Defends
The defense is automated too. Guardian agents supervise other AI agents. AI-powered WAFs detect bot traffic patterns. Automated vulnerability scanners check npm packages on every install. Security Operations Centers deploy AI that — according to June 2026 survey data — delivers 'excellent value' to only 10% of them. The defense side of the machine-to-machine web is the least mature.
The Framework Implication
When machines build, browse, attack, and defend the web — the framework choice isn't a developer preference. It's an infrastructure decision that determines participation in a machine-to-machine ecosystem. WordPress was built for humans authoring content in a browser-based admin panel. The web it was built for is now 42.6% of traffic and shrinking.
The frameworks that win in the machine-to-machine web are the ones that produce clean, structured, machine-parseable output (AI-Readiness), have minimal supply chain attack surface (Security), and serve responses efficiently at machine-scale traffic volumes (Performance). WebPulse's scoring has been measuring readiness for exactly this world.
