Proceed with caution. A fair amount of WordPress's reputation for bad security comes from third-party plugins. There aren't many (any?) restrictions on what they can do.
That's right indeed, but we're a curated directory where people discover resources or share their experiences with them. We're not encouraging people to use what we've curated.
Well, it is exactly the same for any npm package or any Python package, as with many other languages; a lot, if not all, of bad security comes from third-party plugins.
Though we don't recommend it due to its bad pricing policy, bad reputation on TrustPilot and from other testers, and personal experiences. There are way better hosting alternatives that are currently listed and marked with a yellow background on our platform.
WordPress does not support PHP autoloading, and every plugin's main PHP file is included and run on every page load.
If you have 100 plugins, that is WordPress core files + at least 100 files to run.
You will likely run into function name collisions before you can run it. PHP also caches the opcode in memory. So it's likely that you will hit memory or disk IO issues before you can do it.
WordPress has wp-cli, which you can use to download plugins from the CLI. Give it a try yourself, although I don't see the point of it.
- WordPress does not come with proper password hashing, and uses the phpass library. https://wordpress.org/plugins/password-hash/ will change this to use bcrypt/Argon2ID
- Comment forms do not have CSRF tokens, and HackerOne/tickets for them have been neglected as trivial. https://wordpress.org/plugins/comment-form-csrf-protection/ This plugin adds a CSRF token to comment forms.
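
As an added illustration of the comment-form CSRF token mentioned in the last post (this is not the linked plugin's code and not part of the original thread), a minimal plugin file can attach a nonce to the form and check it before the comment is processed. The plugin name, the constant names and the error messages are hypothetical; the hooks and nonce functions are WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Comment nonce example (hypothetical, added illustration)
 */

// Hypothetical action prefix and field name chosen for this example.
const EXAMPLE_COMMENT_NONCE_ACTION = 'example_comment_post_';
const EXAMPLE_COMMENT_NONCE_FIELD  = '_example_comment_nonce';

// Emit a hidden nonce field inside the comment <form>. The nonce is bound to
// the post ID, so a token issued for one post is not accepted on another.
add_action( 'comment_form', function ( $post_id ) {
    wp_nonce_field(
        EXAMPLE_COMMENT_NONCE_ACTION . (int) $post_id,
        EXAMPLE_COMMENT_NONCE_FIELD,
        false // do not add the extra _wp_http_referer field
    );
} );

// Verify the token before WordPress handles the submitted comment.
add_action( 'pre_comment_on_post', function ( $comment_post_id ) {
    $nonce = isset( $_POST[ EXAMPLE_COMMENT_NONCE_FIELD ] )
        ? sanitize_text_field( wp_unslash( $_POST[ EXAMPLE_COMMENT_NONCE_FIELD ] ) )
        : '';

    $action = EXAMPLE_COMMENT_NONCE_ACTION . (int) $comment_post_id;

    // wp_verify_nonce() returns false for a missing, expired or forged token.
    if ( ! wp_verify_nonce( $nonce, $action ) ) {
        wp_die(
            esc_html__( 'Comment rejected: missing or invalid form token.' ),
            esc_html__( 'Comment not accepted' ),
            array( 'response' => 403, 'back_link' => true )
        );
    }
} );
```

WordPress nonces are derived from the user ID and session token, so this check is meaningful mainly for logged-in commenters; logged-out visitors share the same nonce value. Full-page caching can also serve an expired nonce, which makes legitimate submissions fail until the cached page is refreshed.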