WordPress just hides a lot of problems. I’ve seen pretty complex apps built quickly using plugins, and the performance seems great. But behind the scenes the plugins are doing things like LIKE = “%x%”, and you’ll run into serious scaling issues at 10-100 users. Security seems okay if you’re small and always stay updated, but if you get big enough to be targeted then you need to be shelling out $99/mo for Wordfence. I constantly get breakage due to plugin updates, usually due to minor releases or supposedly “bugfix” releases, but with no automated tests or anything to discover that breakage. It’s basically the polar opposite of the Clojure ecosystem, and it’s been very educational as to why Clojure does things the way it does. E.g., you really appreciate Clojure’s dependency system and always using exact versions when your site dies because you have two plugins using the exact same version of the AWS SDK but with slightly different transitive dependencies on guzzle-http, only differing in the last digit. My solution was to just remove the AWS SDK dependency from my plugin, since it builds on the other and I don’t think one can do any better in WordPress.
Due to all of these issues, I’ve been using WP2Static as much as possible (and am now a committer). It doesn’t work for every site, but where it does it fixes most of the performance and security issues and allows you to get off the update->break hamster wheel. Most of my client sites use this with a Clojure server handling logins and controlling access to the site via ngx_http_auth_request_module. If the site works properly, you can just leave it alone – no updates required. You can achieve the same thing by running the site locally in Docker or such, with no internet exposure.