Security & maintenance

Abandoned plugins and theme lock-in as operational risk

Updated 2026-04-11 · Practical guide for NZ small businesses

Short answer: Every plugin and theme is an ongoing liability: abandoned code becomes incompatible first, exploitable second. Lock-in happens when your content is trapped in a vendor’s shortcodes or page builder.

For NZ SMEs, the cheapest website is sometimes the most expensive—when only one contractor understands the stack.

Warning signs a plugin is “abandoned”

  • No updates for a long time while WordPress core has moved through several major versions.
  • Support forums full of unresolved security questions.
  • Replacement functionality now exists in core (carousels, blocks) but the old plugins are still installed.

Theme lock-in: how it feels

Switching themes breaks layouts because content lives in proprietary meta fields. Mitigate by favouring block patterns, reusable components, and exportable content models when you can.

Portfolio hygiene project

Quarterly, list active plugins with purpose, owner, and last update. Remove duplicates (two SEO plugins, three sliders). Document the one true backup and restore path.
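The quarterly inventory described above can be checked mechanically. The following is an added example, not part of the original guide: the plugin names, owners, dates and the 365-day staleness threshold are constructed assumptions (the guide only says "a long time"), and the plugin names could in practice be taken from `wp plugin list --status=active --format=json`.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inventory (hypothetical plugins). Purpose and owner are
# recorded by hand; last_update comes from each plugin's changelog.
INVENTORY = [
    {"name": "example-seo-a", "purpose": "seo", "owner": "marketing", "last_update": "2026-02-20"},
    {"name": "example-seo-b", "purpose": "SEO", "owner": "", "last_update": "2025-11-03"},
    {"name": "example-slider", "purpose": "slider", "owner": "web contractor", "last_update": "2022-06-14"},
    {"name": "example-forms", "purpose": "forms", "owner": "office manager", "last_update": "2026-03-30"},
]

STALE_AFTER_DAYS = 365  # assumption: pick a threshold that suits your site


def audit(inventory, today, stale_after_days=STALE_AFTER_DAYS):
    """Return {plugin name: [findings]} for plugins that need attention."""
    # Group plugin names by normalised purpose to spot duplicates.
    by_purpose = defaultdict(list)
    for p in inventory:
        by_purpose[p["purpose"].strip().lower()].append(p["name"])

    findings = defaultdict(list)
    for p in inventory:
        age = (today - date.fromisoformat(p["last_update"])).days
        if age > stale_after_days:
            findings[p["name"]].append(f"stale: no update for {age} days")
        if not p["owner"].strip():
            findings[p["name"]].append("no owner recorded")
        same = by_purpose[p["purpose"].strip().lower()]
        others = sorted(n for n in same if n != p["name"])
        if others:
            findings[p["name"]].append("duplicate purpose with: " + ", ".join(others))
    return dict(findings)


if __name__ == "__main__":
    for name, notes in sorted(audit(INVENTORY, date(2026, 4, 11)).items()):
        print(name)
        for note in notes:
            print("  -", note)
```

Plugins that produce no findings are left out of the result, so the output is the quarter's to-do list: remove, replace, or assign an owner.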

Frequently asked questions

Are premium plugins safer?

Not automatically—evaluate update cadence and vendor reputation, not price alone.

Can I audit code myself?

Rarely worth it; prefer mainstream plugins with many installs and transparent changelogs.