What 1,500 WordPress sites taught us about plugins
WordPress plugins are the reason WordPress wins (everything is possible) and the reason WordPress loses (so much breaks).
The plugin lifecycle problem
Most plugins start as a developer’s side project. They get popular. Either they get acquired (and the new owner monetises aggressively) or the developer loses interest (and updates stop). Either way, the plugin you’re using today won’t be the same plugin in three years.
Common patterns we see: (1) acquired plugins suddenly require paid “pro” versions for previously-free features, (2) abandoned plugins develop security holes that don’t get patched, (3) plugin compatibility breaks when WordPress core updates.
What we look for in a plugin
Updated within the last 90 days. Plugins not updated in 6+ months are red flags: either abandoned or unmaintained.
Active developer / business behind it. Not a single hobbyist who might disappear. A real company with paid customers who’ll keep them honest.
Reasonable resource use. Some plugins add 100ms to every page load. We benchmark before and after install.
Clean uninstall. Plugins that leave database tables and cron jobs behind when removed are rude.
Honest pricing. Plugins that double their price annually after you’re committed get blocklisted.
Why we built our own
After watching too many plugin acquisitions, abandonments, and price hikes, we started writing our own. JezPress is now 48 plugins covering most of the operations work native WordPress doesn’t do well.
Why this works for us: one codebase across the fleet means we patch once, deploy everywhere. No per-site licences. No surprise price increases. Plugins designed to work with each other instead of fighting.
Why this works for clients: their plugins keep working when ours go through corporate consolidation. The login security, fleet monitoring, and ticketing all stay free with hosting.
Plugins we trust enough to install
Elementor Pro. Visual page builder. Used carefully (not for every page), it’s great. Used for everything, it bloats sites.
Gravity Forms. Form builder that’s endured for over a decade. The integrations and reliability are worth the licence.
WooCommerce. The de facto e-commerce engine. Use the core plugin and avoid the “official” extensions where free alternatives exist.
Yoast SEO Premium. SEO basics done well. We turn off the “readability score” feature because it suggests obvious junk.
Advanced Custom Fields Pro. Custom field management. Essential for any non-trivial site. Now owned by WP Engine which raises eyebrows but the plugin is still solid.
Plugins we’d never install
“All-in-one” security plugins. They overlap with what Cloudflare WAF does, slow down every request, and create false confidence. We use a thin custom plugin for the WordPress-specific bits and let Cloudflare handle the perimeter.
Backup plugins that back up to the same server. Useless when the server is the problem. Use off-site backups.
“Speed booster” plugins that promise magic. Most of them just enable Cloudflare features you should configure directly.
Tracking plugins that load 12 third-party scripts. They slow the site, create GDPR/Privacy Act issues, and are often unnecessary.
Plugin auditing rhythm
Every quarter, we audit every site’s plugins. Questions: is each one still actively maintained? Is each one still actively used? Any new vulnerabilities published? Any ownership changes?
Half the time the audit just confirms everything’s fine. The other half, we find a plugin that’s been abandoned, changed its terms, or developed a security issue. Fixing it before it becomes a problem is much cheaper than after.
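One way to script the first two audit questions (still maintained? still used?) against the 90-day and 6-month thresholds above, as an added example rather than JezPress code. It assumes installed-plugin records shaped like `wp plugin list --format=json` and a per-slug `last_updated` ISO date taken from the plugin directory; all plugin names and dates below are constructed.

```python
from datetime import date

# Thresholds from the post: updated within 90 days is healthy,
# nothing in 6+ months (taken here as 180 days) is a red flag.
FRESH_DAYS = 90
STALE_DAYS = 180

# Constructed sample, shaped like `wp plugin list --format=json` (assumption).
INSTALLED = [
    {"name": "example-forms", "status": "active", "update": "none", "version": "2.8.0"},
    {"name": "old-slider", "status": "inactive", "update": "available", "version": "1.2"},
    {"name": "abandoned-widget", "status": "active", "update": "none", "version": "0.9"},
]

# Constructed sample keyed by slug; `last_updated` is simplified to an ISO date
# (the real directory API uses its own format, so this is an assumption).
DIRECTORY = {
    "example-forms": {"last_updated": "2025-05-01"},
    "old-slider": {"last_updated": "2023-11-20"},
    # abandoned-widget has no directory record: closed, removed or never listed.
}


def audit_plugin(plugin, info, today):
    """Return a list of findings for one installed plugin (empty means fine)."""
    findings = []
    if plugin["status"] != "active":
        findings.append("installed but not active: remove it or record why it stays")
    if plugin["update"] == "available":
        findings.append("update pending")
    if info is None:
        findings.append("not found in directory: closed, removed or never listed")
        return findings
    age = (today - date.fromisoformat(info["last_updated"])).days
    if age > STALE_DAYS:
        findings.append(f"last update {age} days ago: red flag, likely abandoned")
    elif age > FRESH_DAYS:
        findings.append(f"last update {age} days ago: watch")
    return findings


def audit(installed, directory, today):
    """Map plugin name -> findings for a whole site."""
    return {p["name"]: audit_plugin(p, directory.get(p["name"]), today) for p in installed}


if __name__ == "__main__":
    for name, findings in audit(INSTALLED, DIRECTORY, date(2025, 6, 1)).items():
        print(name, findings or ["ok"])
```

Feeding it real `wp plugin list` output per site turns the quarterly audit into a report you can diff quarter over quarter.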