At WP Engine we aim to offer the fastest and most secure WordPress hosting environment for your website. There are a handful of plugins that we’ve noted can cause various security or performance issues on your site. Our goal is to keep your site running smoothly, so for this reason we’ve made certain plugins disallowed. If you have one of these plugins, you’ll be notified and the plugin will eventually be removed from your site. We’ve broken these plugins down into groups to provide some context as to why they cannot be used.
CACHING PLUGINS
Caching plugins can conflict with our platform’s built-in caching structure. These plugins are known to cause direct conflicts and would ultimately impact your site’s ability to load if used:
- WP Super Cache
- WP File Cache
- W3 Total Cache
Many of the caching features these plugins offer we have built-in to our servers by default as part of your managed WordPress hosting experience. We have your back- don’t worry!
BACKUP PLUGINS
We discourage the use of backup plugins as they needlessly bloat your site and can store files in an insecure way. Many of these plugins also run their backup jobs at inopportune times, slowing down MySQL queries and even causing timeouts on your site.
The following backup solutions are disallowed plugins:
- WP DB Backup — Needlessly bloats your site’s local storage.
- WP DB Manager — .htaccess protection is recommended, but disk space usage is the major concern as it only offers a local storage option.
- BackupWordPress — Duplicates a large number of files on local disk that are already in our backups.
- VersionPress — In order to function this plugin needs access to server level functions that we disallow for security reasons.
We take nightly backups of all WordPress websites hosted with us. These are done in an efficient, automated manner and the data is kept securely on a separate server from your WordPress install. Our automated backups do not count towards any plan disk limits and we make these backups available for you to restore, copy or download as-needed.
If you feel more secure with a secondary, off-site backup, we permit VaultPress on our servers.
SERVER & MYSQL THRASHING PLUGINS
These plugins we disallow because they either cause a high load on the server or create an excessive number of database queries. They will directly impact server load and ultimately hinder your site’s performance.
- Broken Link Checker — Overwhelms the server with a very large amount of HTTP requests
- MyReviewPlugin — Slams the database with a significant amount of writes.
- LinkMan — Much like the MyReviewPlugin above, LinkMan utilizes an unscalable amount of database writes.
- Fuzzy SEO Booster — Causes MySQL issues as a site scales up.
- WP PostViews — Inefficiently writes to the database on every page load.
- Tweet Blender — Does not interact well with caching and can cause increased server load.
To track traffic in a more scalable manner, both the stats module in Automattic’s Jetpack plugin and Google Analytics work great.
We recommend that you use one of the following tools to check your site for broken links. As they are not plugins these will not have a negative effect on your site’s performance.
- Broken Link Check — Online, limited to 3000 pages.
- LinkChecker — Windows, Mac & Linux
- Integrity — Mac only
RELATED POSTS PLUGINS
Almost all “Related Posts” plugins suffer from the same MySQL, indexing, and search issues. These problems make the plugins extremely database intensive.
The ones that we’ve banned outright are:
- Dynamic Related Posts
- SEO Auto Links & Related Posts
- Yet Another Related Posts Plugin
- Similar Posts
- Contextual Related Posts
There are dedicated services which allow you to offload related post functionality to their servers. We advise that you look into one of the related post services instead:
- Bibblio Related Posts — Featured on the WP Engine Solution Center!
- Jetpack Related Posts
- Related Posts for WordPress
- Outbrain
- Contextly
DUPLICATE BEHAVIOR PLUGINS
Like the caching and backup plugins, the following plugins also duplicate things that we already do for you in a more efficient, scalable, and configurable manner.
- No Revisions — We disable revisions for all customers by default. See our Revisions article for further information.
- Force Strong Passwords — We already install & activate this plugin for you.
- Bad Behavior — This plugin attempts to block a number of hosts that we already disallow.
EMAIL PLUGINS
Just because you are able to send emails with WordPress, that doesn’t always mean you should. We want our customers to experience the same best-in-class experience with email as we provide with web hosting, so we recommend using a 3rd party service. Specialized services like MailChimp, Constant Contact, AWeber and countless others offer complete email solutions for your business and will provide you with optimal results.
If your domain’s email provider offers its own SMTP server, you are welcome to configure that as your outgoing server. Be sure to check with your email provider about their bulk mail, opt-in mail and anti-spam policies before doing so.
We have disallowed the following email plugin, as it allows you to send email blasts with WordPress.
- WP Mailing List
We’ve also written a blog post about sending email blasts with WordPress if you would like more information.
Further information on configuring third party email hosting can be found in this guide.
MISCELLANEOUS PLUGINS
Other plugins that we’ve decided to proactively remove include:
- Hello Dolly!
- WP phpMyAdmin — Disallowed due to a fairly major security issue. We also offer phpMyAdmin access without a plugin from your User Portal.
- Sweet Captcha — After our partners at Sucuri revealed that the Sweet Captcha service was used to distribute adware, we have decided to follow the WordPress Plugin Repo’s lead and ban the plugin outright.
- EWWW Image Optimizer – While the original version can cause stress on the server to the point of negative impact, the Cloud version of the plugin located here is a great alternative that offloads the computing to the Cloud.
ADDITIONAL SCRIPTS
Some frequently used scripts are known to contain security vulnerabilities. Our platform scans the files system periodically to identify and either patch or remove these scripts.
- TimThumb — Older versions of TimThumb are known to contain vulnerabilities. When our system scan identifies an older version, it will automatically update the script. After the upgrade has been completed, the system will notify you by email.
- Uploadify — Access to this script is blocked due to known security threats. The reasoning behind this was largely informed by this blog post from our partners at Sucuri.
COMPLETE LIST OF DISALLOWED PLUGINS
These are the files and folders that we explicitly searching for when we scan for disallowed plugins. You can compare this against your wp-content/plugins/ directory to check for conflicts.
adminer async-google-analytics backup backup-scheduler backupwordpress backwpup bad-behavior broken-link-checker content-molecules contextual-related-posts duplicator dynamic-related-posts ewww-image-optimizer ezpz-one-click-backup file-commander fuzzy-seo-booster gd-system-plugin gd-system-plugin.php google-xml-sitemaps-with-multisite-support hc-custom-wp-admin-url hcs.php hello.php jr-referrer jumpple missed-schedule no-revisions ozh-who-sees-ads pipdig-power-pack portable-phpmyadmin quick-cache quick-cache-pro recommend-a-friend seo-alrp si-captcha-for-wordpress similar-posts spamreferrerblock ssclassic sspro super-post superslider sweetcaptcha-revolutionary-free-captcha-service text-passwords the-codetree-backup toolspack ToolsPack tweet-blender versionpress w3-total-cache wordpress-gzip-compression wp-cache wp-database-optimizer wp-db-backup wp-dbmanager wp-engine-snapshot wp-file-cache wp-mailinglist wp-phpmyadmin wp-postviews wp-slimstat wp-super-cache wp-symposium-alerts wpengine-migrate wpengine-migrate.tar.gz wpengine-migrate.zip wpengine-snapshot wpengine-snapshot.tar.gz wponlinebackup yet-another-featured-posts-plugin yet-another-related-posts-plugin
A WINDOW INTO OUR WORLD
By no means are we suggesting any of these disallowed plugins are “bad” plugins. Some of them, like related posts plugins, can be great for content discoverability. As your managed WordPress host however, our primary concern is to provide the fastest and most secure WordPress hosting experience we can. These plugins have proven that they will negatively impact performance or security on our platform and we’ve made the decision to prevent their use.
As for insecure plugins, we try to work with the plugin developer to have them corrected. During that time the plugin may temporarily be added to our disallowed list and we’ll happily allow it again once the issue has been addressed.
