Beware of geeks bearing gifts.


Recent events in the WordPress ecosystem highlight a risk carried by many businesses


The majority of the internet is written in code that is shared in one way or another. It is an acceptable approach for many businesses, as the cost of writing something from scratch is significantly higher than reusing tried and tested (and publicly shared) code. However, there is a hidden risk that is often obscured in the production of a website, and it can be considerable for companies running their businesses online.

WP Engine is a popular hosting and plug-in service for WordPress. It not only hosts websites but also develops and supplies plug-ins, which are distributed to thousands of WordPress sites, many of which use them to run business-critical services such as shops and membership areas.

Look the gift horse in the mouth

Unfortunately, WP Engine and WordPress.org had a major falling-out, which resulted in WordPress.org blocking WP Engine users from updating their sites. For some business owners, this would be an inconvenience at worst, but for many it would put their entire business at risk. With no security updates to installed plug-ins, websites may be exposed to malicious attacks, or have their operations grind to a halt.

Many developers will open their websites up to third-party plug-ins and build businesses around code they cannot control. If the risk is small, e.g. "my sitemap XML is broken", then it may be acceptable. If the risk is "my business will stop running", then due diligence should be taken before tying a client's website and business to an unknown third-party developer. Plug-in developers may be large corporate entities (like WP Engine), with support and service level agreements in place, but sometimes the developer may be a hobbyist, and that hobbyist might not even be in the same timezone.

Furthermore, developers can tend to bundle multiple plug-ins into a single website. At this point, the website is exposed to many points of failure, with many disconnected developers all contributing to the success (or failure) of the website.

The short support chain

The supply of support when building, hosting and maintaining a website is key to its longevity. The fewer people who have access to your website (by virtue of third-party plug-ins), the fewer points of failure you will have. Fewer points of failure are ostensibly linked with security and reliability, given that even a single bad plug-in can reduce a website to a mess.

We have seen many sites running business-critical services polluted with third-party code that the original developers have little or no control over. At jfd, our content-managed sites are built with Craft CMS using a very specific and limited set of plug-ins from developers who are Craft Partners. For anything else, and especially projects that are business-critical, your website is only touched by the jfd team.

Contact: Pete Jones
