Security & Plugin Conflicts. Exciting Stuff.

Wife and I took the new RV out over the weekend for our first evening. It was a bit of a “shake down cruise”, with testing things and making lists of things to do and buy.

Definitely takes a little getting used to since this rig is smaller than our last. 10 feet shorter and you can definitely notice!

But, enough about RVs. Let’s hop right into the deep end with WordPress.

First up, I want to address the topic of security. Is WordPress inherently insecure? And do you even need to run security plugins?

And then, ever noticed things just…. break in your WordPress site? It definitely happens. The most common culprit is a “plugin conflict”, but what the heck is that? What does it actually mean?

So, yeah, we’re getting all nerdy up in here this week! But, I’ll do my best to keep it simple. After all, we’re here to use WordPress as a tool for business… not to “nerd out” just for giggles. 🤪

OK, let’s do this….

Securing Your WordPress Site (Without Security Plugins)

The other day, I was discussing a site with it’s owner on a call. And the subject of WordFence came up. And she asked me….

Do you even need Wordfence?

Wordfence is the most popular security plugin for WordPress. However, there are others like All-In-One Security and Solid Security… plus hosted services such as Sucuri.

If you read their websites, they’ll make you think WordPress is just inherently “swiss cheese” when it comes to security. They make it seem as if WordPress needs to be defended because, without their defense, you’re just risking everything.

Of course, they want to sell you stuff. So, it is in their interest to do that. 🤪

The Yoast founder, Joost de Valk, even said it is time to “fix the image” when it comes to WordPress and security. And, I agree.

The truth is that these security plugins can sometimes cause more problems than they’re worth. They get in the way, make the site harder to use for the end user, can cause performance issues… and sometimes outright break things.

But, even more core to that is that question…. do you even need security plugins?

I’m here to argue that, if you’re doing things right…. you don’t need a security plugin.

WordPress is NOT inherently insecure. Not even close, actually. According to the 2024 Patchstack State of WordPress security, only 0.2% of vulnerabilities found were in WordPress core. And all of them were low threat levels. A whopping 96% of problems were due to the plugins. And about 4% were from the themes.

So, if 96% of WordPress vulnerabilities come from plugins and 4% from themes, the real question isn’t whether WordPress is secure—it’s whether you’re choosing the right plugins and themes. The WordPress core is rock-solid, with only 0.2% of vulnerabilities in 2024, all low-risk, according to Patchstack. Compare that to disasters like the Really Simple Security plugin, which left 4 million sites exposed to admin takeovers until patched in November 2024. That’s the kind of mess we’re talking about.

Here’s the kicker: you don’t need a security plugin to stay safe. Instead, focus on these three dead-simple habits that keep your site locked down without slowing it to a crawl or breaking your checkout page:

1. Vet Your Plugins Like a Pro: Only install plugins from reputable developers with active updates. Check the WordPress repository for install counts and avoid anything abandoned for over six months. Look for signs that the plugin is used by a lot of people reliably.
2. Update Everything Weekly: Outdated plugins are hackers’ favorite entry point. You can enable auto-updates, although I have seen this lead to problems on more complex sites. Better yet, just manually update things weekly and verify everything is working. I do this for my Concierge clients each week. Usually on Mondays.
3. Use a Secure Host: Hosting like Rocket.net includes firewalls and malware scanning, reducing the need for plugins like Wordfence. While plugins are the most common attack vector, I’ve definitely seen insecure hosting environments lead to hacks. Usually on cheaper hosts like Bluehost or Hostgator.

Want to know if your site’s safe right now? Here’s a 5-step self-audit checklist you can run in 30 minutes:

• Check Plugin Updates: Go to Dashboard > Updates. Update all plugins/themes/core. It is also best practice to keep the number of inactive plugins to a minimum. If a plugin has been sitting there inactive for awhile, delete it. In some cases, even inactive plugins can open up an attack vector for hackers.
• Scan for Vulnerabilities: There are various scanner services you can use, but the best idea is just to use a host or a service which does this for you automatically.
• Review Admin Access: Ensure you don’t have more administrator accounts than you need. I’ve seen people create accounts for support and then leave them there when no longer needed. You can use the Temporary Login Without Password plugin for quick, expiring access for support teams. Delete old, unused admin profiles or just downgrade them to lesser user roles. I’ve seen some people enable two-factor authentication, but this can be annoying. What I’d recommend is to limit login attempts (many hosts do this automatically), use a good firewall (Rocket uses Cloudflare) as well as use a honeypot like WP Armour.
• Test Backups: Ensure you have daily backups of your site. If something were to happen, you know you can always restore. I always recommend having backups separated from your web hosting. You can use a local plugin like Updraft, but be sure to store those backups off-site. For all of my Concierge clients, I use BlogVault.
• Check Hosting Security: Ask your host about firewalls, DDoS protection, or malware scans and ensure you get answers you like. And, no, don’t pay extra for these things. Any good webhost would not upsell you into something that is supposed to be part of good hosting to begin with.

Run this audit and you’re ahead of 90% of WordPress users.

This Week In Concierge

Concierge services is way more than hosting, plugins and updates. A huge part of it is being the “wing man” for my clients when it comes to executing on their ideas and making site changes. From that perspective, I end up with a ton of variety of the kinds of things I’m doing.

Some of the things I was doing last week are:

• Debugging email delivery issues
• Converting between two SEO plugins
• Debugging sub-par scores on site performance
• Wrapping up the build-out of a credit system for a client (more or less modeled after my Anytime Credits)
• Researching an integration between ScoreApp and FluentCRM (Hint: It is much easier to just build your quizzes with Fluent Forms. 😜 )
• Work on customization of Learndash course design using Kadence
• Re-building and modernizing a website for a business owner in the carpentry business.
• Recording numerous “over the shoulder” videos privately for clients to show them how to do something
• Helping a client close down an annual window for business and put up a waiting list for the following year

Things are always so varied every week. With Concierge, I don’t usually do a lot of design work. In fact, I always tell clients I’m not a designer. My work is on the “plumbing”. I help with the stuff that actually makes the site work and function and make money.

WordPress Quick Bits

WooCommerce 9.8.5. The “Dot Release” was put out for WooCommerce. Some misc fixes and small changes implemented, which you can read about here.

WooCommerce 9.9. Version 9.9 is coming out soon, with the final release due on June 2nd. This upcoming version will include “Blueprints”, allowing store settings to be exported and imported. This will be a time saver, to be sure. Looks like they’re also going to automate database updates on upgrades, meaning potentially no more of those nag notices about WooCommerce database updates needed. That’ll be nice. 9.9 is also bringing in some changes promised to deliver faster page load times across critical admin screens. Up to a 95% improvement! That’ll sure be nice.

ChatGPT In The Lead. According to this X post from SimilarWeb, ChatGPT is by far in the lead of the AI market share pack… with a dominating 80% traffic market share. Traditional search engines like Google are struggling to grow in this space. Quite interesting.

WooCommerce Stripe Plugin Issues. If you’re using the WooCommerce Stipe Payment Gateway plugin (and a large chunk of my clients are), version 9.5 was quite problematic when it comes to API calls to Stripe. The result was that it drastically slowed down the entire WordPress admin panel. I posted about it on X and it definitely got noticed. Looks like 9.5.1 has been released and hopefully that solves the issue.

Rapyd Cloud 2.0.. Rapyd is the host born primarily to solve the performance issues of beefy BuddyBoss sites. They started off strong, but were missing some core functions that have all since been fixed. They’ve just announced version 2.0 of their platform, introducing multi-site plans and an improved dashboard experience.

Human In The Loop. Ottokit (formerly SureTriggers) has launched a new feature for automations called “Human in the Loop“. This is designed to add human approvals to an automated workflow. This is s super smart idea. It can be added as an automation step and the rest of the automation won’t execute until human review takes place.

ThemeSwitcher Pro Officially Launches. WebDevStudios has officially launched ThemeSwitcher Pro, which enables you to run multiple themes at the same time on your WordPress site, configurable to certain conditions. This would be very useful in instances when you want to convert to a different theme or remove a page builder, but want to do so gradually and with control.

WordPress + AI. PootlePress has published something called the Feature API that is designed to make WordPress features discoverable and consumable by AI. This API is built from the ground up to make WordPress something that AI agents can “talk” to. This is super important in order for WordPress to stay relevant in a world of AI.

FluentCommunity 1.6.0. The new version supports post scheduling as well as structured data SEO schema for enabling better SEO in your community. FluentCommunity continues to evolve quickly. Check out the full release notes.

What Exactly Is A “Plugin Conflict”?

Ever had a plugin just not work like it is supposed to? Or, you upgrade a plugin to a new version and suddenly something breaks?

Yeah. In my line of work, this can be the bane of my existence. 🤪

The issue usually comes down to a “plugin conflict”. This is a term you hear tossed around all the time in WordPress. But, what the heck is it? What does that actually mean?

A plugin conflict happens when two or more plugins (or a plugin and your theme) try to do the same thing in different ways, causing errors. Think of it like two chefs fighting over the same stove: the kitchen (your site) gets messy fast.

Conflicts often stem from plugins running overlapping scripts—like jQuery or CSS—that clash. For example, a page builder like Elementor might fight with a form plugin like WPForms over how to load animations, breaking your layout or causing Elementor to fail to load. Outdated plugins or poorly coded ones are common culprits. Your theme can also spark conflicts if it’s not coded to play nice.

The usual symoptoms of a plugin conflict are things like:

• White screen of death (where nothing loads)
• Broken features (like forms not submitting)
• Slow page loads and noticeably poor performance
• Admin glitches (like editors failing to load, or failed post saves)

Plugins that are big and do a lot of things are often the ones more likely to be subject to conflicts. In some cases, you also just find clumsy programming from a plugin developer causes the conflict. They didn’t use best practices and most definitely didn’t do very much testing.

Plugin conflicts are why so many support teams for plugins will make it common practice to ask you if you’ve deactivated all of the plugins except for their’s. They do that because they want to see if the problem was a conflict with another plugin.

So, what can you do if you suspect a plugin conflict?

It happens from time to time with my Concierge clients. So, here’s what I usually do about it:

• If I can clearly see it happened after a particular plugin was updated, I’ll usually downgrade the plugin back to how it was and see if it resolves. If it does, then we spot it really quickly.
• I’ll put the site into staging and then begin deactivating plugins until the situation resolves. This is basically a process of elimination. Eventually, I’ll find ONE plugin (usually) that when deactivated, the site works… and when active, it breaks again.

More often than not, the culprit plugin is some outdated plugin not being maintained well anymore. In some cases, I ask the client if they actually care about that plugin and if not, we just remove it and never deal with it. In some cases, I can replace that functionality with a better developed plugin to alleviate the conflict.

Often, the situation can be temporarily resolved by downgrading the plugin to the earlier version. And then I usually report it to the developers to get an actual fix.

Sites that run the most plugins are the ones most subject to occasional plugin conflicts. It is the same as the security issue discussed above…. the more plugins you run, the more problems you can have.

If you stick with reputable plugins instead of just willy-nilly installing things from the repository, you’re less likely to have issues. But, sometimes, even the reputable plugins see issues. And you just have to run through the debug process to figure out where the issue is coming from.

If you’re in Concierge, you can just tell me what the problem is and I’ll go find the plugin conflict for you and flog whoever is responsible. 🤪