From Plugins To Performance: What CMOs Need To Ask About Their WordPress Stack via @sejournal, @alexmoss
WordPress is still the most popular open-source content management system (CMS) – by far – powering 43.5 % of all websites on the web, and still in my opinion the most adaptable CMS to work with.
However, WordPress isn’t just a plug-and-play CMS. If you’re in the marketing team or the CMO, you may find yourself inheriting and using a WordPress site that will most likely have a less-than-ideal stack setup.
Don’t accept that this is just the setup you have. If your tech stack isn’t aligned correctly, it could directly hinder some of your own goals.
While it may seem that you should delegate all technical decisions to the development/IT team, these decisions may overrule wider business goals.
As such, it may be time to audit your installation and setup in order to break free of these stack limitations.
If you’re a CMO, this post will cover the different considerations when thinking of the optimal WordPress tech stack that also aligns with your own goals.
What A Tech Stack Includes
From a top-level, the WordPress tech stack involves the following:
- Server infrastructure.
- Hosting infrastructure.
- Performance & caching.
- Security.
- Dev tools.
- WordPress layer.
- Monitoring and analytics.
- Backup and recovery.
This can be seen in more detail in this diagram:
Image created by author, August 2025There’s a lot to consider. With that, let’s delve into what you, as a CMO, should be asking yourself and others to ensure this stack is at its best.
The Invisible Cost Of Cheap Hosting
Shared hosting might seem cost-effective, but in my experience, it’s often the most expensive choice in the long term.
When your site shares resources with hundreds of others, performance becomes unpredictable. This can affect many things, from general speed and performance, but also how search engines and large language models (LLMs) crawl/discover your site, as well as how a human may experience the site itself.
Dedicated servers or managed WordPress hosting may be a larger investment, but in turn reduces technical overheads while providing the infrastructure needed for growth and scale.
For the level up from this, WordPress-based Cloud hosting is the most robust solution, but would require more technical expertise to manage.
What CMOs Should Ask:
- Are we on shared hosting or dedicated infrastructure? If the former, why?
- Are all server resources, such as PHP, up to date?
- What happens to site performance during traffic spikes?
- Who is responsible for server-level maintenance, optimizations, and security?
- For potential traffic spikes, are there solutions and safeguards in place, such as load balancers?
- Can we grow and scale with our current solution?
Performance: The Business Metric Disguised As A Tech Metric
Developers and technical SEOs alike will obsess over PageSpeed/Lighthouse scores, but things such as Core Web Vitals aren’t just technical benchmarks but also conversion metrics in disguise.
A one-second delay in mobile load times can impact mobile conversions by up to 20%. If Largest Content Paint (LCP) exceeds 2.5 seconds, then your next sale is at high risk before there’s a chance to convert them.
Performance optimization in WordPress isn’t straightforward when looking forensically. Many “solutions” can create new problems. Even well-intentioned optimizations and fixes over the longer term can cause conflicts or other knock-on effects. Over time, this becomes a “Frankenstein” site of many elements patched together in an attempt to keep it ‘alive’ that becomes expensive to unravel and can cause the site to be a “write-off”. This practice is more common than you think.
What CMOs Should Ask:
- How does our site perform on PageSpeed Insights, GTmetrix, and YSlow? What can be improved? How do we perform against competitors?
- Is caching properly set up? Are we considering all levels (server, object, page, CDN, etc.)?
- Do we have all minification tools set up correctly?
- Is our database architecture the best it can be? How can this be improved?
- What and how often is our database cleaned? Does this include revisions?
- How are our images performing? Have they been optimized? Are we using more modern formats such as WebP?
- Who owns the performance metric?
This isn’t about chasing perfect scores; it’s about ensuring your technical foundation supports rather than potentially sabotaging your marketing objectives.
Deciding On A Theme Should Be Long-Term
There are thousands of WordPress themes out there.
In a perfect scenario, the theme itself would be custom-built, incorporating WordPress’ own Gutenberg block editor, as it’s part of the core. As well as this, full site editing functionality makes this process even easier.
If your budget can’t stretch to custom-built theme development, it’s then extremely important to choose the right theme.
Ensure that you research the theme properly, making an informed choice that is performance-led to complement the stack, not convenience-led for editors.
But remember, your choice of theme is more long-term than installing a plugin you find you don’t need a month/year later. Because of this, themes should have a more considered and informed approach.
Bonus Consideration: Page Builders
Generally, the people who end up using WordPress on a day-to-day basis are not the same people who developed it or set it up.
Because of this, there can sometimes be clashes when it comes to what someone in your marketing team wants versus what should be implemented with technical best practice.
Page builders such as Elementor and Divi do offer a lot more freedom and flexibility for page creation and design, but come with the downside of potential code bloat and resource allocation.
Ensure that your decisions are not influenced too much by this request, because that is what it is, a request.
What CMOs Should Ask:
- How does our current theme/builder choice impact site performance?
- Is our current theme built for purpose? Is it a theme that caters to the masses, or is it developed specifically for me or my niche?
- Are we locked into a specific page builder? What does the builder offer that Gutenberg and FSE don’t? What are the migration implications?
- Are our choices forming a good balance between design flexibility with technical performance?
- Do we have the development resources to support our chosen approach?
- Are there conflicts between the page builder and other resources/assets?
Plugin-ception
“There’s a plugin for that.”
This is a phrase we’ve all heard or said before – myself included. There will be a plugin for that, yes – but it shouldn’t be the answer every time you want to extend functionality.
While I do have a select number of “core” plugins that I confidently choose to use on any site, this does not mean that I would choose to install a plugin because it solved one problem that may not be enough to substantiate installing if it warrants the technical debt the plugin will add.
Estimates suggest, the average WordPress site runs 20-30 plugins, with many serving overlapping functions or creating conflicts.
Bonus: Some Plugins Require Attention Post-Installation
There are some plugins that have a simple “plug and play” approach. But whenever I install anything, I always delve further into its setup, configuration, and how this can impact the performance of a site.
One thing to know is that, in general, you should not approach any plugin with an “install and ignore” mindset.
Check the settings. Go through the first-time configuration (FTC). Audit the configuration.
Furthermore, plugins not only provide valuable under-the-hood optimizations and enhancements, but also present an opportunity for the site to evolve alongside your business and marketing activities.
Actively using these plugins means your stack continues to benefit from the latest features, innovations, and improvements.
What CMOs Should Ask:
- How many plugins are currently active on our site?
- When was our last plugin audit?
- What plugins are we dependent on for our core business functions?
- Have all plugins been configured correctly?
- Are the plugins that require ongoing work being used?
- Are there conflicts with other plugins?
- Are there any incumbent plugins stopping the development of the site as a whole?
- (More aggressive) What will happen to the wider business goals if [Plugin X] is no longer used?
The more plugins that are installed, the higher the risk of incompatibility, conflicts, and security vulnerabilities.
Security: Be Proactive, Not Reactive
One would think that security is always the top priority to ensure the safe operation of any website. Incorrect.
Breaches can devastate not just the site, but in turn, your brand reputation, while also incurring large immediate costs and most likely some loss of earnings in the future as a result.
While on the more extreme end of the scale, earlier this year, some hackers breached a number of large UK retailers, including Marks and Spencer, causing £300 million in lost profits, with no real measurement on how this has affected them since.
It doesn’t take long or cost much (in some cases, the solutions are free) to add some layers of security to your stack.
Whether it’s adding rules within Cloudflare or installing Sucuri or Wordfence, don’t just leave your site unprotected while you “sit tight and assess” – take proactive steps to secure your stack.
What CMOs Should Ask:
- What security measures do we currently have for the site?
- Are any and all vulnerabilities monitored?
- Is everything up to date? This includes not just WordPress core, themes, and plugins, but also on a server level, such as PHP.
Maintenance: Forgotten Until Required
WordPress maintenance often gets treated as a technical afterthought, but I consider this to be a critical marketing function.
Outdated plugins not only create conflicts that have knock-on effects on both the frontend and backend of the site but also expose you to security vulnerabilities that I just covered above.
The choice between manual and automatic updates reflects deeper strategic priorities.
Manual updates provide more control but require dedicated resources and staging environments for testing prior to deployment. Automatic updates may reduce maintenance overhead, but there is always a risk of conflicts during critical business periods.
What CMOs Should Ask:
- Who is responsible for WordPress core, plugin, and theme updates? Do they have all the required access in case of disaster scenarios?
- Who is responsible for legal, compliance, and privacy on the site?
- Is everything up to date? If not, is there a reason for this?
- Do we have staging environments for testing changes before anything is deployed to a production environment?
- What’s our rollback plan if an update breaks critical functionality?
- How do we balance security needs with stability requirements?
“Frankenstein” Sites Only Get You So Far For So Long…
If you have a theme that is now years old, perhaps five or more, it’s likely that over time the theme (unless extremely well maintained) will eventually cause issues and conflicts, more so when you want to grow and scale.
Optimizing the site over time is obviously suggested, but after a prolonged amount of time, this becomes more challenging and less possible without conflicts arising.
What CMOs Should Ask:
- When was the last time a theme was chosen?
- When was it last audited? Is the theme still fit for purpose today?
- Is a theme update causing conflicts with other resources and plugins?
- Are there legacy plugins or other functionality that prevent essential updates to WordPress or PHP, forcing the site to remain on outdated versions (therefore limiting access to new features, improved security, or better performance)?
- Are ad hoc maintenance costs and “patchwork” over two to three years costing more than a potential rebuild (i.e., Is it a “write-off”)?
Key Takeaways
Below is a high-priority checklist that you can act on now:
| Priority | Action Item | Stakeholder(s) |
|---|---|---|
| Critical | Audit the current hosting environment and audit invisible costs. | CMO, Tech Lead, Finance |
| Critical | Review plugin presence and usage: configuration, conflicts, necessity. | Tech, SEO, Product, Marketing |
| Critical | Implement and verify up-to-date security layers (e.g., Sucuri, WAF). | CTO, IT |
| High | Define clear responsibilities for updates, rollbacks, and compliance. | Product, Legal, Marketing |
| High | Schedule routine theme and plugin audits. | Dev/Project Manager |
| High | Set up or review staging/testing environments for changes. | Tech Lead/DevOps |
| Medium | Plan for a long-term theme or potential rebuild if “Frankenstein.” | CMO, CTO |
| Medium | Calculate ongoing maintenance costs vs possible site overhaul. | Finance, CMO, CTO |
Your WordPress stack should never be considered “set and forget.”
Don’t wait for something to break, because when something does, it will most likely cause more loss than any proactive investment to ensure there isn’t one.
More Resources:
Featured Image: Ashan Randika/Shutterstock
