Plugin Security Will Sink WordPress
The biggest “black eye” in WordPress will be its downfall if things don't change.

Let's get the obvious out of the way: I'm not a developer. So, if you're looking for technical solutions in this post, then my apologies in advance.
Okay, cool, we're on the same page.
I've been out of the WordPress product space for coming up on five years. There are parts of it that I miss, but one thing that I don't miss is the security issues caused by plugins. No plugin is immune to them, either. When I ran LearnDash, we had some security scares. It sucks for everyone.
The good news is that, for years, plugin providers have handled these issues with reasonable speed and minimal negative outcomes. Not all, but most. The community was really proactive about staying on top of such things.
I'm not sure if this is as feasible in the AI era of today.
WordPress 7.0 Highlights New Dangers
Roger Montti from Search Engine Journal wrote a thought-provoking article (and the inspiration for this post) about WordPress 7.0's AI API keys and the rush of attacks they will trigger against vulnerable sites. I agree with the threats outlined. It's a very real possibility.
At this point it looks like the WordPress space is just treating it as “business as usual”. It's this approach that will ultimately lead to WordPress losing even more market share.
AI is fundamentally changing the speed, scale, and sophistication of attacks against WordPress sites. Instead of simple automated scripts, AI can adapt, optimize, and carry attacks forward in ways that we haven't seen before. By way of example, Patchstack (cited in the SEJ article) reports that the time to exploitation of high-impact WordPress vulnerabilities is now just five hours.
WordPress already suffers from the “insecure site” reputation. If things continue as they are, it'll only get worse. A lot worse.
What Should We Do?
Remember how I said I'm not a developer? Okay, this is where that matters. I'm not good at providing technical paths forward, but I'm pretty good at recognizing business threats and opportunities.
This threat has always existed in WordPress, sure, but not like this. It's going to get worse if nothing is done to improve it. What I want to know is what is being done currently? Because from my perspective, it looks like the issue still gets punted to hosts and plugin devs.
I'd love to see real leadership in this area. Not just information sharing or “best practices”, but actual think tanks resulting in coded solutions that drastically help mitigate this increasingly embarrassing issue. We could start by assessing the criteria for being listed on the repo. Could we implement AI security hardening to monitor and verify the code of any plugin submitted and hosted there?
Yeah, I get it, that's likely not feasible given how expensive it would be, but these are the types of conversations that I'd like to see happening. Maybe they are already, and if so, great! WordPress can't drag its feet here.
Learning from Others
Say what you want about Emdash, but at least they are attempting to tackle the issue because they know how real it is. Their way forward isn't really the “WordPress way”, I get that. Though I think we do WordPress a disservice by just flippantly dismissing their technical approach and moving on with our heads in the sand.
Something I found interesting was reading the comments on their social media when they came after WordPress. The sentiments were largely the same, and leading the way was the growing downside of the plugin ecosystem. What is often cited as WordPress' greatest strength is being seen as its most glaring weakness.
The Inflection Point
The WordPress project is at an inflection point. Over the next year, it is critical that it move deep into AI adoption and enablement, and that includes bolstering things from a security standpoint.
For me, I won't host another WordPress site in the traditional sense. Why? Because I'm not trying to be a security pro with my simple websites. No time for that nonsense. I like the static options like SimplyStatic Studio (I transitioned a website to it and love it). Aside from that though, I actually see more benefit in just using something like Loveable and hosting everything there for the added AI features.
Progress is Being Made
The good news is that WordPress is making strides with AI. It's not yet widely known or advertised, but the things Jamie mentions below are precisely what the project needs.

Let's hope that things keep going in this direction, and that more emphasis on security starts to emerge. To date, it's not very user-friendly, at least not compared to tools like Loveable. I anticipate that this will change over time.
Cautiously Optimistic
Overall, I'm optimistic about WordPress evolving in the ways that matter. The community voices are loud and clear. It's up to Matt to set the priorities. Hopefully, he's not too distracted with his WPEngine lawsuit to do what is right (and needed) for WordPress as a whole.
I'll revisit this in a year to see where things have landed. By that time, I think there will be some clear market signals one way or another.