AI in WordPress: opportunity or risk for agencies?

The tools are getting smarter, the promises bigger. But what specifically does AI mean for a WordPress agency like 2manydots? We share our honest take: where we embrace AI, where we deliberately put the brakes on it, when we find it exciting, and why human work is making a difference right now.

The hype is fairly over, now the practice

Let’s face it: you can’t avoid it anymore. AI tools like Cursor, Claude Code and GitHub Copilot have become everyday tools in just a few years. And in the WordPress world, things are moving fast. Automattic bought the team behind CodeWP in late 2024 and built Telex: a tool that generates Gutenberg blocks based on a simple description. Elementor, Divi and Rank Math all have AI features built in. In addition, with WordPress 7.0 on the horizon, native AI links are coming into the core.

For us as a full-service agency, this raises a question: how do we relate to this shift? Do we go along with the promise of faster, cheaper and easier? Or do we bet on what AI cannot (yet) do?

The answer is: both. But with a clear distinction.

Where AI makes our work better

At 2manydots, we use AI on a daily basis. Not as a replacement for our developers, but as an accelerator of their work. Think about:

• Prototyping and boilerplate. A simple plugin structure or a first draft for a custom block? What used to take half a day, now stands in half an hour. The AI provides the skeleton, our developers take care of the quality.
• Code review and debugging. AI tools are excellent at detecting patterns and suggesting solutions. For example, every pull request with us is checked by Claude. Especially with complex WooCommerce integrations or migrated themes and plug-ins, this saves search time.
• Content and copywriting. For first drafts of SEO texts, meta-descriptions or email campaigns, AI is a good sparring partner. The end result always passes through our own fingers.
• Data analysis and reporting. Interpreting GA4 data, inventing Looker Studio dashboards and recognizing patterns in large data sets: AI helps us arrive at insights faster.

In the aggregate, then, this means: AI as assistant, not author. As first concept, not final product.

Where it goes wrong: the rise of “vibe coding”

There’s a term you hear more and more often: vibe coding. The idea is simple: you describe what you want in plain language, the AI builds it, and you adjust with new prompts instead of code. It sounds magical, and for a quick landing page or a simple pricing table, it works just fine.

But once it becomes more serious, larger and more business-critical, the risks quickly mount.

WebDevStudios, another agency, recently shared a telling case. They reviewed a plug-in that a client had entirely generated by an AI model. At first glance, everything worked. An in-depth audit revealed more than a hundred security issues, including critical vulnerabilities.

This is no accident. The 2026 Patchstack Security Report shows that over 11,000 new WordPress vulnerabilities were recorded in 2025, a 42% increase over the previous year. In fact, the number of severely exploitable vulnerabilities increased by 113%. AI-generated code that is not reviewed by an experienced developer most likely contributes to that problem.

Joost de Valk, founder of Yoast and one of the most influential voices in the WordPress community, recently warned that vibe-coded blocks are “disposable code”: isolated islands of logic and styling with no cohesion. When an AI generates twenty different blocks based on twenty separate prompts, you haven’t built a website. You’ve stuck a few pretty band-aids that fall apart at the first major change.

What AI can’t do (and probably won’t be able to do for now)

The core of our work is not about code knocking. It’s about solving the right problem. And that requires things where AI is structurally deficient:

• Strategic thinking. An AI can build a checkout flow, but cannot determine whether that flow fits your target audience’s purchasing behavior.
• Understanding context. Each client has its own tech stack, its own integrations, its own business logic and pain points in the business. AI doesn’t know that context and makes assumptions that an experienced agency would be more likely to predict. Ask an AI to build a WooCommerce integration and you’ll get something that makes technical sense, but makes no sense commercially. Like asking a chef to make a dish without telling you that the guest is allergic to nuts.
• Taking responsibility. If something goes wrong after an update, who fixes it? AI-generated code without human ownership is a risk you pass on to the future.
• Long-term quality. WordPress releases new updates several times a year. Plug-ins update weekly. PHP versions change. Code that works today may quietly break after the next update. Maintenance requires understanding, not just output. Someone with knowledge must take ownership of this.

Brad Vincent, CEO of FooPlugins, articulated:

“Some people have the opinion that you can just vibe code a plugin from scratch. And this might be true for a lot of simple plugins. But there are 2 things you do not get from vibe coded plugins: support when things go wrong and an author who cares about the things you have not even considered (standards, WP core updates, security, etc).”

Brad Vincent (CEO of FooPlugins) – Source: Blocksy

Our approach: AI as a tool, people as the foundation

At 2manydots, we deliberately take a hybrid approach:

• Automate low-risk tasks. Prototypes, boilerplate, initial concepts, data analysis. Wherever the cost of error is low and the time savings are high.
• Protecting high-risk tasks. Checkout flows, customer data, payment integrations, security configurations. Here, human expertise is not optional, but essential. Not for nothing are we ISO 27001 and ISO 9001 certified: information security and quality assurance are in every process with us.
• Always review. No line of AI-generated code goes live without review by a developer who knows WordPress inside out. This is not a distrust toward the technology. It’s the best thing to do.

AI makes it easier to produce something working quickly. But the difference is in knowing why something works and when it will break. You build that knowledge with experience, not prompts.

What does this mean for you as a customer?

If you are considering using AI for your WordPress website or webshop, these are the questions you should ask yourself:

How great is the risk if things go wrong? A generated FAQ page? Fine. A generated payment module? Think twice.

Who takes responsibility? If an AI-generated plug-in contains a security vulnerability, who fixes it? And who monitors the security?

Are you thinking in cost or in value? AI makes it cheaper to produce code. But the value of a well-built Web site is not in the code alone. It’s in the strategy, the reliability, the follow-through and the assurance that it’s right.

Hours are our revenue model

We also want to be honest here about something you don’t often read in agency blog posts: AI is exciting for us, too. And we don’t mean “exciting” as in enthusiastic, but as in uncomfortable.

Our revenue model, like most agencies, is based on hours. We sell time from smart people. And if an AI tool allows a developer to do something in two hours that previously took eight hours, that’s great for the client. But it also means that as a company we have to think about what we are actually selling then.

That tension is real, and we think it’s important to be open about it. It forces us to continually ask ourselves the question: where is our value really?

The answer we find again and again: not in typing lines of code. The value is in knowing what lines of code are needed. In understanding a customer’s context, in foreseeing problems before they arise, and in taking responsibility for the end result. Those are things that don’t get faster through AI. Those get better through experience.

At the same time, we also see it as an opportunity. If we can deliver faster, we can provide more value within the same budget. We can dive deeper into strategy, pay more attention to quality control and focus on the kind of work that will benefit a client the most. But it requires that we dare to adjust our model and remain honest about what an hour of ours is worth and why.

Don’t get me wrong

This is not a trash post about AI. Far from it.

AI is fantastic. I still marvel at it every day. The speed at which you go from idea to working prototype, the way it helps you think, the possibilities that were impossible just a year ago. It’s truly amazing and I wouldn’t want to be without it.

But enthusiasm should not be a reason to turn off your common sense. You don’t just install an open AI tool(OpenClaw) and give it access to everything. You don’t let an AI write unchecked code that runs on an online store where customers leave their credit card information. You don’t blindly trust output that looks good but no one has really looked at.

Because AI can also start working on its own if you don’t shield it properly. It does not distinguish between a smart solution and a dangerous one. Making that distinction, that is and always will be human work.

The agencies that are going to make a difference are not the ones shouting the loudest about AI. Nor the ones who ignore it. They are the agencies that know when to “step on the gas” and when to apply the brakes for a moment.

At 2manydots we do both, of course. 😉