Building WP Applications

Just because you can cobble together 20 plugins to make a functional web app, doesn’t mean you should (long-term at least). Here are some common pitfalls and how to avoid them.

Building WP applications is fun and rewarding. Thanks to the open-source community (and the WordPress community in particular) it’s entirely possible to do it yourself.

WP has an active community developing and maintaining the core, creating new plugins, themes, documentation, and tutorials. There are also regular meet-ups and WordCamp to help inspire devs to contribute and keep the community alive.

The community is huge and because it’s so huge, there are a lot of plugins and themes to choose from. There’s also a huge difference in code quality and how well plugin developers handle data security.

Recently, a few customers have been excited and telling me about all the WP applications they’ve been building. I’m happy they’re getting nerdy joy from WP (always to be encouraged!) but I also have to be a Negative Nelly. It’s my job to make sure their sites are bulletproof.

Just because you can cobble together 20 plugins to make a functional app, doesn’t mean you should (long-term at least).

Here are a few common pitfalls and suggestions for avoiding them when creating your sites, e-commerce stores, and web applications in WordPress.

#1 – She’s gonna blow!

Certain combinations of plugins just don’t go well together. Usually, it’s because the plugins deeply change the way WordPress works (for example translating content into multiple languages, adding store-fronts and custom post types) and other widespread changes.

Example: Multilingual WooCommerce

For example, WooCommerce and multilingual plugins don’t play well together long-term. The plugins on their own are awesome, but they add a lot of functionality which is then built upon by the next plugin.

Some of the technical issues you may run into when trying to set up a multilingual store are:

  • Multicurrency and multilingual stores can be difficult to set up and get the plugins to bend together the way you want them to.
  • Different postal and payment methods depending on country and language can be tricky to localise and get working together.
  • Plugin incompatibilities, permalinks breaking, Yoast, and SEO issues…
  • Setting up tax tables correctly and how to get the right reporting info to your bookkeeper.
  • Making sure that GDPR regulations in the EU and CCPA in the U.S.A. are complied with at a code level and not just in documents.
  • Being responsible with marketing permissions and knowing where your customer data is being stored and sent.
  • Being aware of what data is being saved in WordPress and how often it’s being cleaned.

Usually, when planning this kind of store, small companies turn to freelancers or specialist WP companies. Unfortunately, many freelancers and devs are inexperienced about how the site will function long-term and many of them will not be actively maintaining it themselves.

Long-Term Planning

I keep repeating the phrase long-term because it’s an important distinction. It’s entirely possible to build a multilingual WooCommerce website also using a ready-made theme and it’ll work for a while, maybe even a year or two if it’s well-maintained and the plugins and themes are also updated regularly by their developers.

For building a prototype or testing proof of concept, a year might be all you need to test whether your idea is sound before investing more heavily in a more solid solution. But it’s a good idea to plan for rebuilding the site in the future (more on that later).


Be prepared to invest more in the future. Create a minimum viable product with a minimum of features to test out your concept. Make sure that whoever is building the site, will be around for the long haul and has a long track record of building similar sites. You can build it yourself if you really really want to, but consider having a professional audit the site to save some headaches in the future.

#2 – More Plugins = More Trust

Plugins need maintenance and regular updates especially if they deal with sensitive information such as customer data, payment details, and orders.

WooCommerce especially requires a lot of extra plugins for payment methods, delivery methods, tailoring the store-front to the brand or cultural norms, and marketing integrations to track what customers are doing.

Security Concerns

First, you need to be paranoid and assess whether the plugins you want to use are trustworthy.

  • How long have they been maintained?
  • How often are they updated?
  • Are they from a reputable source?
  • Who is the company behind the plugin and do they have a lot of plugins to maintain?
  • Would it be worth getting the plugin code audited?

Maintenance and Longevity Concerns

Can you trust that each plugin and its developers will maintain their code?

  • Again, how often are they updated?
  • How do they respond to support requests publicly?
  • How much documentation is available for the plugin?
  • Is it on a marketplace, or the WordPress Plugin Directory?
  • Is it a free or paid version? Buying licenses for plugins is the best way to support plugin developers and help keep the plugin alive.


You can avoid most of these issues by doing due diligence installing a minimum of plugins and themes and being paranoid about what you install. Make sure your site is well maintained and plugins updated as soon as possible. Learn about potential issues and vulnerabilities so you can solve them before they cause headaches. That’s what we do for our customers.

#3 – Abandoned Themes

Themes also suffer from the same issues as plugins, you have to be able to trust the theme dev to handle security issues but also maintain their code.

Theme marketplaces have thousands of themes to pick from with almost no guarantee that the themes will be supported six months from now.

Ready-made themes have to appeal to as many users as possible so they often have loads of extra functionality which causes bloat in the code which slows down sites and gives more surface area to bots and attackers.

Third-Party Components

Ready-made themes also depend on a lot of third-party components such as page builders, sliders, and frameworks. Each of these third-party components adds more risk to our site security and longevity.

We have to be able to trust that every dev who has ever worked on those is also taking care of their plugins. It’s a lot of ground to cover.


Pick a ready-made theme that has a huge user base (look at comments and ratings in marketplaces). Find out how long the theme has been around (you can usually see version history) and pick one with a longer history. Do a Google search on the developer or company that has created the theme. See if they are a real company and what their history is. Try to find out what third-party integrations or libraries they are using. Try to stay clear of free themes. When trying new themes and plugins use a testing site that can easily be destroyed. Only install plugins and themes on your main staging site, once you have tested their functionality.

#4 – Secure Your Site

It’s probably not a shock to you (since you’re on this site), our main focus is on securing your site. We have a complete platform to help you do that. We also offer a completely free course to teach you how to do it yourself.

Here’s a quick primer:

  • Make sure your DNS hosting is capable.
  • Check that your actual hosting/server space is as fast and secure as possible.
  • There are plugins for WordPress itself such as Wordfence that can help you harden your site and scan for issues.
  • Keep your site core, plugins, and themes up to date.
  • Keep your licenses up to date for pro plugins.
  • Monitor your site for downtime and unusual activity.
  • Keep your user table at a minimum.
  • Be sure to let us know when you’d like us to do all that and more for you 🙂

Author Info: Lisa Karvonen

Lissu is a full-stack developer who started working in WordPress in 2003. Since then she has coded plugins, themes and applications for companies and organizations in both WordPress and Multisite as well as other PHP/MySQL applications.

She started developing the WP-Ensure platform in 2017 as a response to customer site attacks and has been steadily improving and growing the company and platform since then.

She's originally from Scotland but lives in Finland with her husband, son, two dogs, two cats and a reef tank.

Services We Love