Insights from Salted Stone's Digital Experts

The Hidden Risks of Relying on WordPress for Business Websites

Written by Brandon Jones | November 11, 2024

 

What’s Really Happening with WordPress Lately?

In a nutshell, there's been a lot of drama surrounding the WordPress ecosystem that's exacerbated some of the long-standing issues with the reliability of the platform — and it's brought into sharp focus why the decision to build & maintain websites on WordPress might be something that's worth reconsidering. 

If you haven't been keeping up, here's a high-level summary:

WordPress' founder and the parent company Automattic are on one side of the dispute, and one of the largest webhosts in the WP ecosystem, WP Engine, is on the other side.

Both sides have allegedly been engaged in a spirited argument behind closed doors that has escalated to a very public series of legal threats that reveals deep cracks in the WordPress ecosystem. WP Engine has accused Automattic (WordPress' parent company) of threatening a "scorched earth" approach unless WP Engine licensed the WordPress trademark. The resulting bans imposed by WordPress.org on WP Engine left many users without critical updates to plugins and themes, temporarily exposing websites to potential security risks.

But that hasn't been the end of the controversy. 

The most recent dispute that's been making headlines is WordPress' decision to "fork" WP Engine's popular Advanced Custom Fields (ACF) plugin (a plugin that we’ve used on dozens, if not hundreds, of client websites at Salted Stone), rebranding it as Secure Custom Fields to address what they called "security vulnerabilities."

These moves have set a troubling precedent — a major webhost is seeing their customers leave in droves (Automattic even set up a cute little tracker website showing how many have left), and a popular plugin that's critical to a lot of businesses' marketing operations has been taken over by WordPress without the original developer's consent, even though the ACF team had actively been maintaining it.

For businesses relying on WordPress plugins to run customized websites, this demonstrates the fragility of relying on “third party” tools that could be disrupted without notice. Because WordPress' native functionality simply doesn't cut it for most business sites without using third-party plugins, that's a pretty big deal. 

All of this drama underscores the broader issue: WordPress' platform is centrally controlled, leaving businesses exposed to unanticipated changes when those in control make unilateral intrusions into the open-source ecosystem — and the fact that WP's parent company feels compelled to make these moves in the first place highlights just how much they don't trust that same ecosystem of partners they've cultivated over the years.

These shake-ups can be costly, both financially and operationally.

Why Does this Matter to Your Business?

For many companies, WordPress’s plugins offer a quick way to bolt on essential features—SEO optimization, CRM integration, user experience tools—without custom development. But with each plugin you add, you also add a risk point.

At Salted Stone, we’ve built a lot of sites on WordPress and we've seen our fair share of WordPress-related incidents caused by the fact that hackers around the world have targeted the open-source platform. In fact, over the years, we’ve handled more than a dozen serious malware infections, domain blacklisting, and downtime incidents tied to WordPress plugin vulnerabilities. And those are just the major cases.

Managing your website should be a low-effort part of running your business — but the very thing that made WordPress great back in its heyday is now the thing that's making it a liability for serious businesses.

Here’s a quick rundown of why relying on WordPress plugins can be a risky game for any business aiming for growth, stability, and scalability:

1. Compatibility Issues Create a Patchwork System

Each plugin you add comes with its own code, update schedule, and compatibility quirks. While that might not sound like a big deal at first, maintaining dozens of plugins—often by different third-party developers with different quality standards—can turn into a nightmare. One update can disrupt another, creating downtime or broken features that need urgent fixes. We’ve seen these patchwork systems get so fragile that one small update knocks out half the functionality on a site.

2. Heightened Security Vulnerabilities

Security vulnerabilities in WordPress plugins have consistently been an entry point for hackers. With each additional plugin, your security risk multiplies. Small development teams, often responsible for widely-used plugins, may not have the resources to regularly update their code. Recently, two Salted Stone clients experienced severe malware attacks that led to temporary blacklisting of their domains, causing a disruption in services across unrelated subdomains. This kind of risk compounds with each third-party tool added.

3. Limited, Disjointed Support

When a WordPress plugin fails, support can be a frustrating, decentralized experience, requiring businesses to engage with multiple developers. Diagnosing site issues or downtime often means reaching out to several support teams, leading to longer response times and inconsistent solutions. Unlike integrated platforms with dedicated support, WordPress relies on the availability of independent plugin developers, who may not be responsive when you need them most.

You wouldn’t entrust other critical business systems to unreliable third-party vendors in any normal circumstance, so why would you trust a bunch of random dev teams spread across the world to maintain critical functionality for your website? It’s convenient, sure, but how much is your website and the reputation of your domain worth?

4. Plugin Abandonment and Lack of Updates

It's not uncommon for plugin developers to cease maintenance, turning essential tools into potential liabilities. Without timely updates, plugins can become outdated or even break as WordPress itself evolves. When this happens, companies are forced to scramble for alternatives or consider costly custom development.

5. Performance Challenges and Scalability Constraints

Plugins add code, which can lead to slow load times and bloated sites. For businesses that rely on quick, responsive websites to drive conversions and engagement, slowdowns translate directly to lost revenue and higher bounce rates.

For many serious, growth-driven businesses, the plugin-reliant structure of WordPress introduces risk factors that are best avoided. Not only does it really feel like it's becoming an increasingly precarious ecosystem, but there are better options now: options that lots of other businesses have migrated to, and they're happier and more efficient as a result.

What’s the Alternative? A Unified, Scalable Solution

Salted Stone recommends platforms like HubSpot’s Content Hub for a cohesive, scalable, and highly secure CMS solution.

Even if you aren't using it for its more popular marketing and CRM features, HubSpot provides businesses with centralized support and integration capabilities without the hassle that comes with an open-source ecosystem, allowing you to focus on growth instead of technical debt. Built-in tools streamline CRM integration, data security, and customer experience, minimizing the need for risky third-party plugins.

HubSpot’s Content Hub offers a unified, fully supported platform that mitigates these risks, empowering teams to focus on growth rather than maintenance.  

Need help migrating from WordPress to HubSpot's Content Hub or want to learn more about what Content Hub can do for your business? Drop us a line.