Mo’ Code, Mo’ Problems

One of the truisms I learned early in my career is that every line of code you write is a liability as much as it is an asset. Every line of code you (or your team) write is a line that must be maintained, a line that may expose a security flaw, and a line that later developers may misunderstand.

What happens when we unleash the code generation machines on the internet in the hands of people who could not have written the code themselves, and who cannot review what the generative framework produced? Aren’t we just asking for problems?

There’s a Plugin For That

There’s an irony at many WordCamps, for example: in one room you’ll find presentations by non-technical users about how wonderful it is that there are so many plugins, and at the same time, in another room, someone presenting from a security and scalability point of view that you should be very careful about installing any plugin you did not write yourself.

They’re both right, of course. It is a great feature of the WordPress community, like many large open source communities, that the minute you think of a feature you’d like to explore, there’s probably already two or three plugins that do that thing. At the same time, many plugins do a lot of things, and installing code written by an author you don’t know that does something you don’t fully understand and can’t review is a dangerous path.

Just Vibe Code It

In the AI era, the problem is not just the random plugins from the community ecosystem (which at least get some level of peer review and security scanning before and after publication) but code generated by AI coding assistants, which gets neither, deployed by people who don’t understand it.

Are you running code in production that you have not reviewed and do not understand?

There’s always a security risk in deploying code to production, of course, though the size of that risk depends on what the app is capable of: what data it holds, what it can write, and what it can reach. Anyone who has ever stood up a public web server or reviewed web server logs has seen how quickly the scanning for known exploits starts. But code you don’t understand, generated by a process you can’t inspect?
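The minimum a practitioner would want before deploying either kind of code the post describes, a plugin from an author you don’t know or a snippet an assistant generated, is a first-pass triage of where the dangerous constructs are. The following is an added example, not code from the original post and not any WordPress or plugin-directory tooling: a heuristic scanner that flags common risky sinks in PHP (dynamic eval, shell execution, obfuscated payloads, remote includes, raw superglobals in SQL, file writes) so a reviewer knows where to look first. The sample plugin it scans is constructed for illustration; the rule list is an assumption about what is worth flagging, not an exhaustive check, and a clean result is not a proof of safety.

```python
"""Triage scan for risky constructs in PHP you did not write.

Added example (not from the original post). Heuristic: it points a
reviewer at lines worth reading closely; it does not prove code safe.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    rule: str
    why: str
    snippet: str


# Each rule: name, compiled regex, rationale. Assumed list, not exhaustive.
RULES = [
    ("dynamic-eval", re.compile(r"\beval\s*\("),
     "executes arbitrary PHP at runtime"),
    ("shell-exec", re.compile(r"\b(system|exec|shell_exec|passthru|proc_open|popen)\s*\("),
     "runs operating system commands"),
    ("obfuscated-payload", re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\("),
     "decodes hidden code, a common backdoor pattern"),
    ("remote-include", re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]?https?://"),
     "includes code fetched over the network"),
    ("raw-superglobal-in-sql",
     re.compile(r"\$wpdb->(query|get_results|get_var|get_row)\s*\(.*\$_(GET|POST|REQUEST|COOKIE)"),
     "user input concatenated into SQL without $wpdb->prepare()"),
    ("unchecked-file-write", re.compile(r"\b(file_put_contents|fwrite|move_uploaded_file)\s*\("),
     "writes to disk; check path and permission handling"),
]


def scan_php(source: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, skipping comment-only lines."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):  # comment-only line
            continue
        for name, pattern, why in RULES:
            if pattern.search(line):
                findings.append(Finding(lineno, name, why, stripped))
    return findings


def rules_hit(findings: list[Finding]) -> list[str]:
    """Distinct rule names that fired, sorted for stable reporting."""
    return sorted({f.rule for f in findings})


# Constructed sample: a small plugin-like file mixing benign and risky lines.
# The base64 blob decodes to a shell command; it is never executed here.
SAMPLE_PLUGIN = r'''<?php
/*
Plugin Name: Example Widget (constructed sample, not a real plugin)
*/
add_action('init', 'ew_init');
function ew_init() {
    global $wpdb;
    $id = $_GET['id'];
    $row = $wpdb->get_row("SELECT * FROM {$wpdb->prefix}ew WHERE id = " . $_GET['id']);
    $safe = $wpdb->get_row($wpdb->prepare("SELECT * FROM {$wpdb->prefix}ew WHERE id = %d", $id));
    // eval( is only mentioned in this comment, so it should not be flagged
    $blob = 'c3lzdGVtKCJpZCIpOw==';
    eval(base64_decode($blob));
    echo esc_html($row->title);
}
'''

if __name__ == "__main__":
    for f in scan_php(SAMPLE_PLUGIN):
        print(f"line {f.line}: {f.rule} ({f.why}): {f.snippet}")
```

The rules are deliberately single-line: the prepared query on the line after the raw one is not flagged, and the `$_GET` value assigned to `$id` two lines earlier is not followed into the query that uses it. That is the trade-off of a grep-style triage; it tells you where to start reading, not that you can stop.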

Who Needs Maintenance?

Websites have never been “set it and forget it.” They’ve always needed maintenance. Content management systems, as they’ve matured, make it easier for non-technical users to get content on the web in a form their audiences can consume, but they bring their own maintenance needs: new templates and content types, changes to information architecture as organizational priorities shift, new integrations with partners and data providers, and the like.

Who is going to maintain all the software the generative AIs are generating?

When it comes time to redesign the web app your AI generated, will you just throw away the existing one and ask the AI to migrate your content?


Discover more from John Eckman