Anyone who offers code or support in the WordPress ecosystem knows this paradox: customisability is WordPress’ biggest strength, but it’s also its biggest risk.
It’s a strength because nearly everything someone wants is possible. I’ve been working in support for a decade now, and I rarely needed to say: “that’s not possible.” If the functionality doesn’t exist yet, then someone can create it.
The other side of that coin is that the same flexibility adds complexity. It’s not uncommon for us to see websites with 70+ different plugins. We also run about that number on WooCommerce.com, so that in itself is not the problem. The trouble starts when plugins overlap or conflict, each trying to control the same part of the site.
One of WooCommerce’s ongoing support challenges is supporting customers who install dozens of third-party plugins, many of which claim compatibility but don’t deliver.
And this is with mostly known marketplaces and custom code written by experienced developers. However, it dawned on me that we’re only just at the start of this whole challenge being entirely disrupted.
Enter vibe coding.
AI-powered coding
Vibe coding is using natural language to let AI tools do most of the coding work for you. I’m not a developer, but I can use ChatGPT to write small plugins to add a certain functionality to my site.
Here’s the thing though: I’m not a developer. So I cannot guarantee that “my” code is safe, secure, and compatible.
This means that my site will be vulnerable to both security breaches and conflicts.
In putting this to the test, I’ve asked ChatGPT to create an extremely simple plugin that will let the store managers know if a new order came in. As you can see below, it works:

I also asked it to insert a — fake — personal identification information leak into the plugin. This also worked. The server logs of my site clearly show the information that should be private.

I have more knowledge of WordPress than many of our customers, but we’re not far — if not already there — from people without any knowledge of WordPress or development being able to go to their favourite AI tool and vibe code new functionality. And they will likely not know if their tool added a security concern or a conflict.
Both problems are made worse by the lack of a maintenance process, and, even worse, there’s also no accountability. The extension ChatGPT wrote for me has “* Author: Your Name” as the plugin author. There’s no indicator in the plugin at all that it was generated by AI.
A marketplace or directory like WordPress.org does have both accountability and maintenance. When a plugin doesn’t receive updates, a notice is added:

Again, with vibe coding — next to security and compatibility — the sense of maintenance and ownership disappears entirely.
So what does this mean for our ecosystem?
Our current effort with compatibility and plugin quality is focused on third party solutions sold on marketplaces like WooCommerce.com and Envato, or hosting-required caching plugins and server environments.
With vibe coding, we are headed towards a future where anyone can paste a prompt into AI and generate a plugin, but without an authorship or support path, an update or security lifecycle, or shared context about best practices.
So, how do we build our ecosystem for that?
I’m not sure. But I do have some ideas.
Importance of guarantees. At WooCommerce, we offer vetted plugins, partner hosting solutions, and trusted agencies. I expect this to become even more important. Some people will still go for cheap alternatives, but quality will matter.
Monetisation approaches. I would expect several existing marketplaces to explore mixing AI-generated code and functionality with a vetting process. So a stamp of approval on top of the AI layer. This probably could be monetised in partnerships with AI tools.
Proactive scans. Whenever a plugin or a system with an ecosystem around it — WooCommerce and WordPress respectively are good examples — releases an update, we will likely see an increase in proactive scanning for code that will no longer be compatible after the update, so customers can at least see a warning. Systems like Jetpack’s vulnerability scanner will become even more important as they also deal with a growing number of accidental problems, rather than malicious ones.
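A small version of such a proactive scan, as an added example that is not from the original post or from any WooCommerce or Jetpack tool: it checks one plugin file for the two problems the experiment above surfaced, the placeholder “Author: Your Name” header and customer data written to the server log. The PHP sample is constructed, and `scan_plugin`, the rule names and the getter list are assumptions made for illustration.

```python
import re

# Constructed sample of an AI-generated plugin (not the plugin from the post).
SAMPLE_PLUGIN = r'''<?php
/**
 * Plugin Name: New Order Notifier
 * Author: Your Name
 */
add_action( 'woocommerce_new_order', 'non_notify', 10, 1 );
function non_notify( $order_id ) {
    $order = wc_get_order( $order_id );
    error_log( 'New order ' . $order_id );
    error_log( 'Customer: ' . $order->get_billing_email()
        . ' ' . $order->get_billing_phone() );
}
'''

# WooCommerce order getters that return customer data (assumed, non-exhaustive list).
PII_GETTER = re.compile(r'->\s*(get_(?:billing|shipping)_\w+|get_customer_ip_address)\s*\(')
# Calls that write to the server log or page output, matched up to the closing ';'.
LOG_CALL = re.compile(r'\b(error_log|var_dump|print_r|var_export)\s*\((.*?)\)\s*;', re.S)
# The "Author:" field of the plugin header comment.
HEADER_AUTHOR = re.compile(r'^[ \t]*\*[ \t]*Author:[ \t]*(.*?)[ \t]*$', re.M)
PLACEHOLDER_AUTHORS = {'', 'your name'}

def scan_plugin(source):
    """Return a list of (line_number, rule, detail) findings for one PHP file."""
    findings = []
    author = HEADER_AUTHOR.search(source)
    if author is None:
        findings.append((1, 'no-author', 'plugin header has no Author field'))
    elif author.group(1).lower() in PLACEHOLDER_AUTHORS:
        line = source.count('\n', 0, author.start(1)) + 1
        findings.append((line, 'placeholder-author', author.group(1)))
    for call in LOG_CALL.finditer(source):
        # Only flag log calls whose arguments read customer fields from the order.
        getters = sorted(set(PII_GETTER.findall(call.group(2))))
        if getters:
            line = source.count('\n', 0, call.start()) + 1
            findings.append((line, 'pii-in-log', f"{call.group(1)}: {', '.join(getters)}"))
    return findings

if __name__ == '__main__':
    for line, rule, detail in scan_plugin(SAMPLE_PLUGIN):
        print(f'line {line}: {rule}: {detail}')
```

A regex pass like this only sees direct calls in one file, so it works as a triage signal before review rather than as evidence that a plugin is clean.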
How do you, as an agency, developer, or marketplace, prepare for this change?