With over 40,000 plugins in the WordPress plugin repository, we only forbid a relative handful. There are pretty good odds that if you want to use a plugin on our infrastructure, you can! It’s your blog after all.
But what about the disallowed plugins? These plugins have been shown to clash with the solutions that are part of our service offerings. Most of them fall into a few different classes of plugins.
Most caching plugins do not cooperate with our custom caching environment. As a result, we can’t have them running in parallel with our solution. In fact, whenever our maintenance scripts see these on the filesystem, they are automatically removed from your install:
- WP Super Cache
- WP File Cache
- W3 Total Cache
It’s okay though, honest! We’ve already got you covered. Besides, you shouldn’t have to worry about the speed of your site… that’s our job. And our speed is hopefully one of the main reasons why you’ve chosen us as your provider!
As an aside, we haven’t banned Batcache — or others like it — because they simply won’t work in our environment.
(SOME) BACKUP PLUGINS
We already take regular nightly backups of your site. These are done in an efficient, automated manner and the data is kept securely outside of your WordPress install. We make these backups available for you to rollback to (or download) whenever you’d like.
If you feel more secure with a secondary, off-site backup, we permit and recommend VaultPress on our servers.
In general, however, we discourage the use of backup plugins. They needlessly duplicate our built-in functionality, rely on a large amount of local storage and can store files in an insecure manner. Additionally, many of these plugins run their backup jobs at inopportune times. This can slow database connectivity with extra — and sometimes very large — MySQL queries, causing timeouts on larger sites. The following backup solutions are disallowed plugins:
- WP DB Backup — Though, to the author’s credit, he recommends not saving backups to the local file system.
- WP DB Manager — Local storage is the only option here, and
.htaccessprotection is recommended, but disk space usage is a definite concern.
- BackupWordPress — While the plugin is not insecure, it duplicates a number of files on disk that are already in our backups.
- VersionPress — In order to function properly, this plugin needs access to server level functions that we disallow for security purposes.
SERVER & MYSQL THRASHING PLUGINS
There’s another class of disallowed plugins that we disallow simply because they either cause a high load on our servers or create an unnatural number of MySQL queries.
- Broken Link Checker — Overwhelms even our robust caching layer with an inordinate amount of HTTP requests.
- MyReviewPlugin — Slams the database with a fairly significant amount of writes.
- LinkMan — Much like the MyReviewPlugin above, LinkMan utilizes an unscalable amount of database writes.
- Fuzzy SEO Booster — Causes MySQL issues as a site becomes more popular.
- WP PostViews — Inefficiently writes to the database on every page load.
- Tweet Blender — Does not play nicely with our caching layer and can cause increased server load.
RELATED POSTS PLUGINS
Almost all “Related Posts” plugins suffer from the same fundamental problems regarding MySQL, indexing, and search. These problems make the plugins themselves extremely database intensive. The ones that we’ve banned outright are:
- Dynamic Related Posts
- SEO Auto Links & Related Posts
- Yet Another Related Posts Plugin
- Similar Posts
- Contextual Related Posts
There are dedicated services which allow you to offload related post functionality to their servers. If you’re interested in providing related posts on your site, it is advised that you look into one of the services listed below instead.
- Bibblio Related Posts (featured on the WP Engine Solution Center!)
- Jetpack Related Posts
- Related Posts for WordPress
BROKEN LINK CHECKER PLUGINS
If you used the Broken Link Checker plugin and wish we hadn’t banned it, we recommend that you use one of the following tools to check your site for broken links. They are not plugins and will therefore have no effect on your server performance.
- Broken Link Check — Online, limited to 3000 pages.
- LinkChecker — Windows, Macintosh & Linux
- Integrity — Macintosh only.
DUPLICATE BEHAVIOR PLUGINS
Like the caching and backup plugins, the following plugins also duplicate things that we already do for you in a more efficient, scalable, and configurable manner.
- No Revisions — We disable revisions for all customers by default. See our Revisions article for further information.
- Force Strong Passwords — We already install & activate this plugin for you.
- WordFence — This duplicates many security as well as caching functions that exist natively in our environment and can cause issues for them.
- Bad Behavior — This plugin attempts to block a number of hosts that we already disallow.
Just because you are able to send emails with WordPress, that doesn’t always mean you should. We want our customers to experience the same best-in-class experience with email as we provide with web hosting, so we recommend using a 3rd party service. Specialized services like MailChimp, Constant Contact, AWeber and countless others offer complete email solutions for your business and will provide you with optimal results.
If your domain’s email provider offers its own SMTP server, you are welcome to configure that as your outgoing server. Be sure to check with your email provider about their bulk mail, opt-in mail and anti-spam policies before doing so.
We have disallowed the following email plugin, as it allows you to send email blasts with WordPress.
- WP Mailing List
We’ve also written a blog post about sending email blasts with WordPress if you would like more information.
Other plugins that we’ve decided to proactively remove include:
- Hello Dolly! — Sorry, Matt.
- WP phpMyAdmin — Disallowed due to a fairly major security issue. We also offer phpMyAdmin access without a plugin.
- Sweet Captcha — After our partners at Sucuri revealed that the Sweet Captcha service was used to distribute adware, we have decided to follow the WordPress Plugin Repo’s lead and ban the plugin outright.
- EWWW Image Optimizer – While the original version can cause stress on the server to the point of negative impact, the Cloud version of the plugin located here is a great alternative that offloads the computing to the Cloud.
Some frequently used scripts are known to contain vulnerabilities. Our platform scans the files system periodically to identify and either patch or remove these scripts.
- TimThumb — Older versions of TimThumb are known to contain vulnerabilities. When our system scan identifies an older version, it will automatically update the script. After the upgrade has been completed, the system will notify you by email.
- Uploadify — Access to this script is blocked due to known security threats. The reasoning behind this was largely informed by this blog post from our partners at Sucuri.
These are the files and folders that we explicitly searching for when we scan for disallowed plugins. You can compare this against your “wp-content/plugins/” directory to check for conflicts.
A WINDOW INTO OUR WORLD
By no means are we suggesting all (or even most) of these disallowed plugins are bad plugins. Some of them, like related posts plugins, can be very good for content discoverability and SEO on most sites. Our main focus, however, is ensuring our customers’ scalability. These plugins have proven contrary to that goal.
As for insecure plugins, we try to work with the plugin developer to find a fix. While we work with the developer we may temporarily add a plugin to our disallowed list, but we’ll happily allow it again once the issue has been addressed.