WordPress is a wonderful platform for publishing to the web. I've been using it since nearly the beginning (circa 2007+/-) both personally and professionally.
In fact, I went on to build a successful business around it that was acquired a few years back.
Thankfully, we only had a handful of major security incidents over nearly a decade of helping folks in real estate, legal, and financial services with their websites.
However, I can tell you with great certainty that one issue with WordPress was the culprit behind 85-90% of our problems: plugins.
The Main Benefits of WordPress Plugins
1. Enhanced functionality
WordPress plugins extend the functionality of your website. This was revolutionary in the early 2000s because you didn't need to know how to code, or how to use Dreamweaver, to launch a website. It continues to be the most popular way of customizing WP sites today, even in the age of AI (more on that later).
2. Created an ecosystem
The fact that WordPress was extendable invited developers to participate and create new sub-ecosystems such as Gravity Forms (for web forms) or Yoast (for SEO), to name a couple of popular ones.
This attracted even more users, which strengthened the WordPress market share; WordPress still powers roughly 40% of all websites.
The issues with WordPress Plugins:
However, it is not all sunshine and rainbows with plugins. WordPress's greatest feature is also its Achilles heel.
1. Bloat & Page Speed
Most plugins enqueue their JavaScript and CSS, and run their database queries, on every page load, even when the feature is only used on one page. This creates unnecessary bloat, slows down page load times, hurts Core Web Vitals scores, and negatively impacts SEO and user experience.
2. Difficult Updates
Plugin updates frequently introduce breaking changes, conflicts with other plugins or the WordPress core, or require manual intervention. Many site owners delay updates out of fear, leaving known vulnerabilities exposed for months or years.
3. Security
Plugins remain the #1 source of WordPress security breaches. Outdated, abandoned, or poorly coded plugins account for the vast majority of exploited sites, most often through cross-site scripting and SQL injection from missing sanitization, escaping or query preparation, and through missing nonce and capability checks that let any visitor or low-privilege user trigger admin actions.
Why plugins create security issues
1. Inexperienced developers
The extremely low barrier to entry on wordpress.org means thousands of plugins are written by developers with limited security knowledge. Common mistakes include failing to verify nonces and user capabilities on admin and AJAX handlers, improper escaping and sanitization of request input, and $wpdb queries built by string interpolation instead of $wpdb->prepare().
Side note: This is actually one area I think code quality will improve with AI, but that is beside the point...
2. Not security-first / requirements
Unlike the WordPress core team, which enforces strict coding standards and security reviews, plugin authors face no mandatory security requirements: beyond an initial guideline review when a plugin is first submitted to wordpress.org, later releases are not reviewed at all. Speed to market and feature requests usually win over hardening code against real-world attacks.
3. Unmaintained Plugins still available
Tens of thousands of plugins are effectively abandoned yet remain listed and installable; the directory only shows a warning once a plugin has not been tested with the last three major WordPress releases. When a vulnerability is discovered in an unmaintained plugin, it often stays exploitable forever unless the site owner manually removes or replaces it.
How to solve the WordPress Security issue
There are certainly more technical aspects to securing a WordPress installation, such as setting correct read, write, and execute permissions on folders and putting a firewall in front of the site (Wordfence or Cloudflare, to name two of my favorites). Beyond those, these are the rules to live by to keep your WP site secure:
1. Limit the number and which plugins clients can install
Keep total plugin count under 10–15 whenever possible. Create an approved shortlist and restrict admin access so clients cannot install random plugins themselves; setting the DISALLOW_FILE_MODS constant in wp-config.php removes the plugin and theme installer from the dashboard entirely, so installs only happen through your deployment process.
2. Do a code review before installing new plugins
Before activating any plugin, check:
- Last update date and the "Tested up to" WordPress version
- Number of active installs
- Support forum activity
- Known vulnerabilities (via WPScan, Patchstack, or Wordfence scanner)
- For critical sites, do a quick manual code scan or use automated tools to flag common issues.
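The checklist above, run as code. This is an added example, not code from the post or from any plugin it names: the first half scores the metadata checks against a record shaped like the wordpress.org plugin_information API response (the real endpoint is https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=NAME; the record here is constructed, not fetched, and the plugin "Example Lead Form" is fictional). The second half is the "automated tool to flag common issues" from the last bullet, a grep-grade scan of PHP source for the three mistakes named earlier under "Inexperienced developers": raw $_GET/$_POST use, SQL built by interpolation instead of $wpdb->prepare(), and admin_post/wp_ajax handlers with no nonce or capability check. The two PHP samples it scans are constructed: a handler written the way the post describes, then the same handler hardened. Thresholds, the fictional plugin slug "myplugin" and the regexes are the editor's assumptions.

```python
"""Pre-install plugin vetting: metadata checklist plus a grep-grade PHP scan.
Added example, not from the post. Thresholds and patterns are assumptions; the
scan is a triage aid that flags, never clears, a plugin. Reading the code is
still the review."""
import re
from datetime import datetime, timezone

MAX_STALE_DAYS = 365          # assumption
MIN_ACTIVE_INSTALLS = 1000    # assumption
CURRENT_WP = "6.7"            # assumption: set to the WordPress release you run


def vet_metadata(info: dict, now: datetime) -> list[str]:
    """Return reasons to hold off installing; an empty list means the metadata passes."""
    findings = []
    # last_updated looks like "2022-03-09 7:12pm GMT"; the date part is enough here
    updated = datetime.strptime(info["last_updated"][:10], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    age_days = (now - updated).days
    if age_days > MAX_STALE_DAYS:
        findings.append(f"last updated {age_days} days ago")
    if info["active_installs"] < MIN_ACTIVE_INSTALLS:
        findings.append(f"only {info['active_installs']} active installs")
    tested = tuple(int(p) for p in info["tested"].split(".")[:2])
    if tested < tuple(int(p) for p in CURRENT_WP.split(".")[:2]):
        findings.append(f"tested up to {info['tested']}, current is {CURRENT_WP}")
    threads = info.get("support_threads", 0)
    resolved = info.get("support_threads_resolved", 0)
    if threads and resolved / threads < 0.5:
        findings.append(f"only {resolved} of {threads} recent support threads resolved")
    return findings


# Source patterns (single-line regexes; good enough to flag, never enough to clear).
RAW_INPUT = re.compile(r"\$_(GET|POST|REQUEST)\[")
WRAPPED_INPUT = re.compile(r"(sanitize_\w+|absint|intval|wp_unslash|esc_\w+)\s*\(\s*\$_(GET|POST|REQUEST)\[")
# a $wpdb read/write whose first argument is a double-quoted string that interpolates
# any variable other than $wpdb->prefix (table-prefix interpolation is normal and safe)
UNPREPARED_QUERY = re.compile(
    r'\$wpdb->(query|get_results|get_var|get_row|get_col)\s*\(\s*"(?:[^"$]|\$wpdb->)*\$(?!wpdb->)')
ADMIN_HANDLER = re.compile(r"add_action\(\s*['\"](admin_post_|wp_ajax_)")
NONCE_CHECK = re.compile(r"(check_admin_referer|check_ajax_referer|wp_verify_nonce)\s*\(")
CAP_CHECK = re.compile(r"current_user_can\s*\(")


def scan_php(source: str) -> list[str]:
    """Flag the common plugin mistakes in one PHP file; an empty list means nothing found."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if RAW_INPUT.search(line) and not WRAPPED_INPUT.search(line):
            findings.append(f"line {lineno}: request input used with no sanitize_*/esc_* wrapper")
        if UNPREPARED_QUERY.search(line):
            findings.append(f"line {lineno}: SQL built by interpolation, use $wpdb->prepare()")
    if ADMIN_HANDLER.search(source):
        if not NONCE_CHECK.search(source):
            findings.append("admin_post/wp_ajax handler but no nonce check (CSRF)")
        if not CAP_CHECK.search(source):
            findings.append("admin_post/wp_ajax handler but no current_user_can() check")
    return findings


# Constructed samples for a fictional plugin "myplugin": the handler as the post
# describes it being written, then the same handler hardened.
VULNERABLE_PHP = r"""<?php
add_action( 'admin_post_delete_lead', 'myplugin_delete_lead' );
function myplugin_delete_lead() {
    global $wpdb;
    $id = $_POST['lead_id'];
    $wpdb->query( "DELETE FROM {$wpdb->prefix}leads WHERE id = $id" );
    echo "Deleted lead " . $_GET['lead_id'];
    wp_redirect( admin_url( 'admin.php?page=myplugin' ) );
    exit;
}
"""

HARDENED_PHP = r"""<?php
add_action( 'admin_post_delete_lead', 'myplugin_delete_lead' );
function myplugin_delete_lead() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'myplugin_delete_lead' ); // form carries wp_nonce_field( 'myplugin_delete_lead' )
    $id = absint( $_POST['lead_id'] );
    $wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->prefix}leads WHERE id = %d", $id ) );
    wp_safe_redirect( admin_url( 'admin.php?page=myplugin' ) );
    exit;
}
"""

STALE_PLUGIN = {  # constructed, fictional plugin record
    "name": "Example Lead Form",
    "last_updated": "2022-03-09 7:12pm GMT",
    "active_installs": 300,
    "tested": "5.9",
    "support_threads": 12,
    "support_threads_resolved": 2,
}

if __name__ == "__main__":
    for f in vet_metadata(STALE_PLUGIN, datetime.now(timezone.utc)):
        print("metadata:", f)
    for label, src in (("vulnerable", VULNERABLE_PHP), ("hardened", HARDENED_PHP)):
        print(label + ":", scan_php(src) or ["clean"])
```

Run it against a real plugin by feeding the JSON from the plugin_information endpoint to vet_metadata and each PHP file in the plugin's zip to scan_php. Expect false positives from the source scan (a `$_POST` value that is validated two lines later, for example); the point is that anything it flags gets read by a human before the plugin is activated, and a plugin whose metadata fails on every count does not get that far.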
3. Build WordPress sites with native tools like Gutenberg (over Elementor) when possible
Gutenberg is now mature, lightweight and performant, and because it ships with core it is maintained and patched by the core team on the same release cycle as WordPress itself. Relying on core blocks instead of heavy page builders dramatically reduces plugin count and attack surface.
4. Generate WordPress themes with AI instead to avoid building with plugins altogether
With AI coding assistants such as Claude Code and Google Gemini becoming commonplace in most businesses, dedicated AI tools are emerging to help people build software for specific tasks, or on platforms that the general-purpose tools don't handle well.
For instance, in the WordPress ecosystem, the world's two most popular WordPress website builders, Elementor and Divi, have both released new versions with an AI focus.
AI WordPress website builders like PressMeGPT.com, with builder-agnostic theme exports including Gutenberg and Elementor, are emerging too, as are solutions that migrate vibe-coded or old client sites on Wix, Squarespace, etc. to WordPress.
By leaning into native features and AI-driven theme generation, you can dramatically cut plugin count, boost performance, and reduce security risk, provided the generated theme goes through the same review you would give any plugin (a generated theme is still third-party PHP running on your server). You still deliver professional, modern WordPress sites.
The future of WordPress isn't more plugins—it's smarter, leaner builds. If you've managed high-stakes client sites like I have, you'll appreciate how much peace of mind that brings.
Top comments (1)
This is an awful take. AI code is not any more secure AND is just as hard to audit.
The absolute best an LLM can do is still over 1% hallucination. That 1% is like rolling a 100-sided die with your business and thinking you'll never roll a nat 1.