Hacker News

That's great, and kudos to your friend.

Just two things:

- Wouldn't his firm be better served by website builders like WordPress, Squarespace, Wix, etc.? These services have enabled millions of less technical people to create and publish websites for decades now. Most of them support a large ecosystem of plugins and 3rd-party tools that make adding interactivity such as forms and CRMs a breeze.

I mean, it's great that your friend is enjoying getting into web development, and that LLMs are helping him, but I reckon he would be much more productive and deliver more value to his customers by using one of the established services on the market. Unless the projects require some bespoke solutions, or mobile apps, but it doesn't sound like it.

- What happens when one of his customers asks for authentication, session management, a comment system, payments, or something non-trivial or sensitive like that? If all requirements are trivial as you say, then a web site builder could handle it, but if they stop being trivial, then he is bound to run into issues.

LLMs will happily generate non-trivial code, but there are high chances that it will contain security issues or bugs that someone inexperienced won't be able to spot and fix.

So what happens then? He will deliver a seemingly working site to his customers with security issues and bugs, and it will only be a matter of time for them to be exploited. It doesn't matter that his customers don't know or care about "best practices". They surely care about a functioning product that doesn't leak or mishandle their customer data. These issues could be mitigated or avoided by hiring an experienced developer.

So I hope that he has the wisdom and humility to determine when a developer is still required and pay for them, instead of relying on the false confidence provided by LLMs. Or he could take the time to actually learn to program and adopt best practices instead of vibe coding, which sounds like he would be interested in doing anyway.



> Wouldn't his firm be better served by website builders like WordPress, Squarespace, Wix, etc

My understanding is the majority of his work is on WordPress. It's worth noting this is a partnership with 100+ clients, 5+ full time employees. They do television commercials, websites, banner ads, social media campaigns, etc. He is a partner at the firm and while he calls himself "non-technical" he does have experience with website design (HTML/CSS) and the administration of WordPress and databases.

To be clear: he was already delivering these kinds of custom solutions to clients using contract programmers. He is well aware of requirements like authentication (in fact, in our last conversation he mentioned a project he was working on that did just that). But previously, the cost of custom work was too high in some cases, since bringing on a contract programmer for certain kinds of projects pushed the budget out of range for the client. Vibe coding is opening up a new avenue for custom built functionality that was previously too expensive.

> I hope that he has the wisdom and humility

I notice this kind of thing frequently. I mean, who is lacking humility here? Someone thinking they have all of the facts, offering advice and "Why don't you just ..." kind of thinking based on assumptions. If you really think you can diagnose issues and offer advice based on the quick comment I made, you should reassess your own humility before recommending it to others.


> Vibe coding is opening up a new avenue for custom built functionality that was previously too expensive.

I'm not debating that. What I am arguing for is for using these new tools smartly and conservatively, because they have and will continue to produce low quality software in the hands of inexperienced developers. It's easy to be misled by their confident tone and the overhyped marketing around them into thinking that they're able to do things they realistically cannot. Those best practices you say that customers don't care about are precisely what help prevent quality issues from impacting them, regardless of the software complexity. Vibe coding throws all of that out the window. It's tempting to cut corners to keep the cost of projects down, but ignoring well-established software development practices is not a safe way to do it.

> If you really think you can diagnose issues and offer advice based on the quick comment I made, you should reassess your own humility before recommending it to others.

I'm not offering advice. I'm going by what you said, and voicing a concern that the apparent utility of LLMs has some important caveats. I don't particularly care about your friend's firm nor their customers. What I do care about is that the widespread adoption of vibe coding is doing more harm than good to the software industry and society at large, which will have destructive consequences in the near future.

Instead of engaging with this argument and filling in any details I might be missing, you chose to attack me personally, which says more about you than me.


How convenient protecting us from the "harm" of LLMs just happens to align with your own self interest.

I am sure that isn't causing any bias in your perceptions of reality.


> Instead of engaging with this argument

What argument? You are expressing vague feelings of concern and stating incorrect assumptions. I can't change how you feel and those feelings are valid. They are certainly motivating your reasoning and leading you to the incorrect assumptions.

You are stating conclusions (e.g. "He will deliver a seemingly working site to his customers with security issues and bugs, and it will only be a matter of time for them to be exploited.") as if you have a crystal ball and then demanding that I defend this figment of your imagination.

> What I am arguing for is for using these new tools smartly and conservatively

You've moved the goalpost here. You said "These issues could be mitigated or avoided by hiring an experienced developer." Now you are backpedaling, suggesting you actually meant to say we should use the tools "smartly and conservatively".

So how about you state yourself clearly: Can non-programmers use these tools "smartly and conservatively"? And if so, why do you assume the friend I mentioned in question, someone who has been in the business for decades hiring for and delivering software, is incapable of doing so? And if not, provide an actual argument to that effect.


Not to be rude, but WordPress is already a well known target for a lot of malicious behavior; assuming someone non technical is safely extending it with LLM generated authentication code is something that causes me, an industry professional, a certain amount of alarm.


Your comment isn't rude, but it is a bit close to concern trolling (as in, "the action or practice of disingenuously expressing concern about an issue in order to undermine or derail genuine discussion."). "Won't somebody think of the local plumber's website!"

There is an assumption being made here that isn't being made explicit: the only way that malicious behavior can be avoided is by paying a programmer. Is that a valid assumption? Or the less strong: a plugin is less secure if developed by a coding agent when compared to any possible programmer. Is that a valid assumption? Aren't all of the well-known issues in WordPress plugins the fault of programmers?

What I feel in these comments isn't a genuine attempt to engage but rather Fear, Uncertainty and Doubt (FUD) writ large.

Also, for what it is worth, the most recent project he developed was using React, Tailwind and Postgres (which he called "Post ... something?"). It was very work-flowy (user uploads a doc, it goes into a queue for manual review, once approved it is converted and uploaded to Google Docs, an email is sent, etc). I asked him if he had investigated any workflow builders and he said no, he just vibe coded it. It's also worth noting that he is paying for QA, I think that existed already in house for his other projects. Well, actually what he said was "it is currently in testing", so I can't confirm if it is professional QA.


> There is an assumption being made here that isn't being made explicit: the only way that malicious behavior can be avoided is by paying a programmer. Is that a valid assumption?

As far as anyone knows: yes. Why would that surprise you? The "only way" architecture can be certified hurricane-proof is by "paying" an engineering agency. That's why such professions were developed.


I see you chose to respond to my weaker argument and ignore the second: "A plugin is less secure if developed by a coding agent when compared to any possible programmer. Is that a valid assumption? Aren't all of the well-known issues in WordPress plugins the fault of programmers?"

You are also conflating professional engineering, a licensed profession requiring insurance, etc. with software "engineering". You don't want to admit that the quality of "engineering" that is available on Upwork or in the average contract software developer is likely as bad, in fact, probably worse than the latest crop of LLMs.


WordPress is dead.

I officially logged into WordPress for the last time six weeks ago.

I’m currently migrating a bunch of my sites over to Next.js.

Claude has vibed the best SEO, E.E.A.T., CRO (CXL best practice), WCAG 2.0, and schema.org compared to any site I’ve ever built in WordPress.

The audits OPUS was creating for each of these areas are astonishing.

I’m simply migrating them across to Next.js and hosting them on Netlify.

I haven’t paid for any premium plugins to get these sites up and running; I just used Claude Max 100.

I won’t be renewing the AUD$3500 in WordPress ecosystem subscriptions after they run out this year.

For my gardening business (I’m now a professional gardener), I’ve integrated a job route scheduling tool with Claude Code. This tool calculates travel times between my gardening jobs and provides basic CRM functionality for my clients. It uses the Google Distance Matrix API, and my week is laid out like a Kanban board.

For my new gardening website, I’ve created dozens of new service pages over the last ten days. I’ve also created a local admin dashboard that ingests my 1200 or so before and after pictures. This dashboard provides a neat interface to match before and after “pairs,” extracts the EXIF data, calculates the suburb, and allows me to tag by job type. It then moves the photos (stripped of EXIF) into the Next.js public folder with AVIF and WebP versions and a JSON file that specifies their content.

Claude then uses the JSON to build custom gallery components for each service page.

None of this was conceivable for me two months ago.

I’m primarily building static JamStack sites that are secure.

Is WordPress secure? I don’t think so.

I’ve done many months of work in the last twenty-one days.

Have I saved myself $50k by doing all this with Claude Code? No, because that was never an option previously.

I understand your concerns about false confidence, and I genuinely respect that perspective. I backed out of Firebase Studio a while ago because I lacked confidence in Gemini’s ability to create safe and functional Firebase rules.

However, the landscape is changing, and the new interface for CMS systems will no longer be the traditional wp-admin. Instead, it will be a user-friendly chat agent with a robust system prompt for building websites, forms, basic workflow rules, business logic, and authentication.

Although I’m not a programmer, I have experience as a digital producer, which has given me a good understanding of toolchains.

If I were a startup envisioning the next generation of CMS, I would be actively working on it and developing it as quickly as possible.


I've built a CMS with Claude Code as well and it's working incredibly to create JSON proposals that my SvelteKit website reads and turns into beautiful proposal pages. When a customer creates a booking for my mini-golf hire company they get emailed and they get their own booking hub where they can update their booking details, see the proposal when it comes through, see any invoices, etc. The best part, and what I'm so excited about, is that we have created a daily business script 'npm run daily' that Claude Code runs, and the script uses the business logic to move bookings along in the cycle by telling Claude Code what bookings have tasks. It will return: you have 3 bookings that need attention, run 'npm run get-booking [booking shortcode]'. THEN that script returns ALL data for that booking row from the db and it knows what task is needed to be done, so Claude Code has all the context for that booking, and it's prompted at the end saying NEXT STEP Claude Code run 'npm run generate-proposal [shortcode]' JSON output. (There was an example JSON output in there for Claude to know the syntax.) Everything goes to an out tray in the admin web UI that I have to manually approve. I'm still in testing but I'm starting to realise that Claude Code can be an agentic platform for apps run from the CLI, like my automated CRM assistant we've built.


Just fantastic! You know you can set up GitHub Actions to move things along? I have made a few. I also installed the Claude Code agent in the GitHub repository. Then if I want to make changes to the site when I’m out and about I just raise an issue and ask @claude to do something. Also, I have been using Netlify functions to do quite a few different things as well, like sending SMS messages when a form is completed. Also the paid version of Netlify allows background functions that can run too.



