Forem: Eliot Dill

Wordpress's greatest feature is also its Achilles heal

Eliot Dill — Tue, 17 Mar 2026 13:07:51 +0000

WordPress is a wonderful platform for publishing to the web. I've been using it since nearly the beginning (circa 2007+/-) both personally and professionally.

In fact, I went on to build a successful business around it that was acquired a few years back.

Thankfully, we only had a handful of major security incidents over nearly a decade of helping folks in real estate, legal, and financial services with their websites.

However, I can tell you with great certainty that there was one issue with WordPress that was the culprit of 85-90% of our issues: Plugins

The Main Benefits of WordPress Plugins

1. Enhanced functionality
WordPress plugins enhance the functionality of your website. This was revolutionary in the early 2000s because you didn't need to know how to code or Dreamweaver to launch a website. This trend continues to be a popular method of customizing WP sites today even with AI (we'll talk more about this later).

2. Created an ecosystem
The fact that WordPress was extendable invited developers to participate and create new sub-ecosystems such as Gravity Forms (for web forms) or Yoast (for SEO), to name a couple of popular ones.

This attracted even more users, which strengthened the WordPress market share - which still hosts about 40% of the internet.

The issues with WordPress Plugins:

However, it is not all sunshine and rainbows with plugins. WordPress greatest feature is also its achilles heal.

1. Bloat & Page Speed
Most plugins load assets (JS, CSS, database queries) site-wide, even when the feature is only used on one page. This creates unnecessary bloat, slows down page load times, hurts Core Web Vitals scores, and negatively impacts SEO and user experience.

2. Difficult Updates
Plugin updates frequently introduce breaking changes, conflicts with other plugins or the WordPress core, or require manual intervention. Many site owners delay updates out of fear, leaving known vulnerabilities exposed for months or years.

3. Security
Plugins remain the #1 source of WordPress security breaches. Outdated, abandoned, or poorly coded plugins account for the vast majority of exploited sites—often through simple injection points, missing input sanitization, or privilege escalation bugs.

Why plugins create security issues

1. Unexperienced developers
The extremely low barrier to entry on wordpress.org means thousands of plugins are written by developers with limited security knowledge. Common mistakes include failing to use nonces, improper escaping/sanitization, and direct database queries without preparation.

Side note: This is actually one area I think code quality will improve with AI but that is besides the point...

2. Not security-first / requirements
Unlike the WordPress core team, which enforces strict coding standards and security reviews, plugin authors face no mandatory security requirements. Speed to market and feature requests usually win over hardening code against real-world attacks.

3. Unmaintained Plugins still available
Tens of thousands of plugins become abandoned yet remain downloadable and installable. When a vulnerability is discovered in an unmaintained plugin, it often stays exploitable forever unless the site owner manually removes or replaces it.

How to solve the WordPress Security issue

While there are certainly more technical aspects to ensuring your WordPress installation is secure such as ensuring folders have proper read, write, and execute access and permissions, and ensuring you have a firewall such as WordFence or Cloudflare (to name two of my favorites). These are some rules to live by to ensure your WP stays secure:

1. Limit the number and which plugins clients can install
Keep total plugin count under 10–15 whenever possible. Create an approved shortlist and restrict admin access so clients cannot install random plugins themselves.

2. Do a code review before installing new plugins
Before activating any plugin, check:

Last update date
Number of active installs
Support forum activity
Known vulnerabilities (via WPScan, Patchstack, or Wordfence scanner)
For critical sites, do a quick manual code scan or use automated tools to flag common issues.

3. Build WordPress sites with native tools like Gutenberg (over Elementor) when possible
Gutenberg is now mature, lightweight, performant, and receives constant security updates from the core team. Relying on core blocks instead of heavy page builders dramatically reduces plugin count and attack surface.

4. Generate WordPress themes with AI instead to avoid building with plugins altogether
With AI coding (Claude Code and Google Gemini) becoming commonplace in most businesses, there are dedicated AI software tools emerging to help people build software for specific tasks or on platforms that the general tools can't do well.

For instance, in the WordPress ecosystem, the worlds two most popular WordPress website builders, Elementor & Divi, have both released new versions that have an AI focus.

And AI WordPress website builders like PressMeGPT.com with agnostic theme exports including Gutenberg and Elementor, are emerging. So are solutions that can migrate vibe coded or old client sites on Wix, Squarespace, etc. to WordPress.

By leaning into native features and AI-driven theme generation, you can dramatically cut plugin count, boost performance, and slash security risks—while still delivering professional, modern WordPress sites.

The future of WordPress isn't more plugins—it's smarter, leaner builds. If you've managed high-stakes client sites like I have, you'll appreciate how much peace of mind that brings.

How to convert a any vibe coded website to WordPress (without banging your head against the wall)

Eliot Dill — Mon, 16 Mar 2026 17:13:27 +0000

After developing websites for clients for over 20 years, I'm seeing a couple of new trends emerge with the popularity of AI.

Trend 1: Tech-Savvy, DIYers using AI

First, I'm seeing "tech-savvy" clients come with a website design they generated with Claude Code, Base44, Bolt.new, Lovable or some other AI website builders.

The only problem is that they want us to host it like we do WordPress, give it a CMS backend, and make it rank on search engines - none of which is a simple task or part of our workflow.

It is kinda like what Realtor.com and Zillow did to real estate - now homebuyers bring listings to their agent whereas, once upon a time, one had to go to an agent to find all of the listings.

Trend 2: AI Website != SEO-Friendly, CMS

Second, I'm seeing rookie web developers come to market who are selling vibe coded websites to small local businesses. This is a bad idea because even though the vibe coded website might look nice, it is a single-page application and typically isn't SEO friendly. Therefore, it isn't going to help them bring in business anyway.

The worst part is watching these folks think they've got a "future-proof" site when really it's a dead end for actual growth.

I've been the guy on the receiving end too many times—staring at a beautiful React mess at 2 a.m., trying to rip out the SPA stuff, wire up WordPress functions, slap on Yoast, and pray the design survives.

Spoiler: it never does the first try (nor the second or third).

Hours turn into days, the client gets frustrated, and that cool "vibe" they paid for starts looking like a half-baked Frankenstein.

I got so fed up I finally helped built something that actually fixes it instead of fighting it.

It's called PressMeGPT.com.

You drop in any vibe-coded site (Lovable, Bolt.new, Blink.new, Claude, Base44, whatever the flavor of the month is), and the AI turns it into a clean, native WordPress theme in minutes.

No manual rewriting. No extra plugins or page builders required.

It spits out proper Gutenberg blocks compatible with Gutenberg plugins (or Elementor-compatible if that's your jam), keeps the exact look and feel you started with, and hands you a fully working CMS backend that clients can actually update themselves.

The process is stupidly simple:

Paste the URL or upload the export from your AI tool
Let the AI read the vibe and rebuild it as real WP code:

Download the theme
Drop it on any WordPress install
and you're done!

I tested it on a recent Base44 project a client dumped on me (and several other projects including Claude Code, to Lovable (video), to one built with Gemini on Replit (video).

Each time it took under ten minutes from start to WordPress theme.

WordPress still runs 40%+ of the entire web for a reason—it's stable, searchable, and every small business already kinda knows it (or can learn it in an afternoon).

These fancy AI one-pagers look flashy in a demo, but they don't pay the bills when Google can't find them and the owner can't edit a single paragraph without a developer (or more AI credits).

If you're a dev who's been handed one of these vibe sites and you're dreading the migration, or if you're the business owner stuck with a pretty but useless AI build, just go to PressMeGPT.com and try it. There are free credits to kick the tires and test it on your next website migration project.

It saved my sanity and think it can save yours.

Anyone else running into this AI trend lately?

What's been your workaround—manual pain or something else?

Drop it in the comments.