WP Engine Support Garage

Disallowed Plugins

With over 36,000 plugins in the WordPress plugin repository, we only forbid a relative handful. There are pretty good odds that if you want to use a plugin on our infrastructure, you should feel free to use it! It’s your blog after all.

But what about the disallowed plugins? Most of them, honestly, fall into a couple of different classes of plugins. First are the ones that we ban because they collide with the solutions that we put into place as part of our service offerings.

Caching Plugins

Most caching plugins do not cooperate with our custom caching environment. As a result, we can’t have them running in parallel with our solution. In fact, whenever our maintenance scripts see these on the filesystem, they are automatically removed from your install:

  • WP Super Cache
  • WP File Cache
  • W3 Total Cache
  • WordFence

It’s okay though, honest! We’ve already got you covered. Besides, you shouldn’t have to worry about the speed of your site… that’s our job. And our speed is hopefully one of the main reasons why you’ve chosen us as your provider!

As an aside, we haven’t banned Batcache — and others like it — because they simply won’t work in our environment.

(Some) Backup Plugins

We already take multiple, nightly backups of your site. These are done in an efficient, automated manner and the data is kept securely outside of your WordPress install. We make these backups available for you to rollback to (or download) whenever you’d like.

If you feel more secure with a secondary, off-site backup we permit and recommend VaultPress on our servers.

In general, however, we discourage the use of backup plugins. They needlessly duplicate our built-in functionality, rely on a large amount of local storage and can store files in an insecure manner. Not only that, many of these plugins run their backup jobs at inopportune times. This can slow database connectivity with extra — and sometimes very large — MySQL queries and cause timeouts on larger sites.

  • WP DB Backup — Though, to the author’s credit, he recommends not saving backups to the local file system.
  • WP DB Manager — Local storage is the only option here, and .htaccess protection is recommended, but disk space usage is a definite concern.
  • BackupWordPress — While the plugin is not insecure, it duplicates a number of files on disk that are already in our backups.

Should you ever need a copy of your full site backup, you are more than welcome to ask our support team for one. We’ll gladly turn one over at no charge!

Server & MySQL Thrashing Plugins

There’s another class of plugins that we disallow simply because they cause a high load on our servers or create an unnatural number of MySQL queries.

  • Broken Link Checker — Overwhelms even our robust caching layer with an inordinate amount of HTTP requests.
  • MyReviewPlugin — Slams the database with a fairly significant amount of writes.
  • LinkMan — Much like the MyReviewPlugin above, LinkMan utilizes an unscalable amount of database writes.
  • Fuzzy SEO Booster — Causes MySQL issues as a site becomes more popular.
  • WP PostViews — Inefficiently writes to the database on every page load.
    • To track traffic in a more scalable manner, both the stats module in Automattic’s Jetpack plugin and Google Analytics work wonderfully.
  • Tweet Blender — Does not play nicely with our caching layer and can cause increased server load.

Related Posts Plugins

Almost all “Related Posts” plugins suffer from the same fundamental problems regarding MySQL, indexing and search. All of these problems make the plugins themselves extremely database intensive. The ones that we’ve banned outright are:

  • Dynamic Related Posts
  • SEO Auto Links & Related Posts
  • Yet Another Related Posts Plugin
  • Similar Posts
  • Contextual Related Posts

There are dedicated services that allow you to offload related post functionality to their servers.

If you’re interested in providing related posts on your site, it is advised that you look into one of the services listed above instead.

Broken Link Checker Alternatives

If you used the Broken Link Checker plugin and wish we hadn’t banned it, we recommend that you use one of the following tools to check your site for broken links:

It’s not a plugin, and won’t make the server unhappy: http://www.brokenlinkcheck.com/. An even better solution to using a website to scan for broken links would be an application that you install on your computer:

Duplicate Behavior Plugins

Like the caching & backup plugins, these all duplicate things that we can already do for you in a more efficient, scalable, and configurable manner.

  • No Revisions — We disable revisions for all customers by default. For further information on why please click here.
  • WP Missed Schedule — WP Engine already has automated processes that run wp-cron regularly and check & publish missed posts.
  • Limit Login Attempts — We already install & activate this plugin for you.
  • Force Strong Passwords — We already install & activate this plugin for you.
  • WordFence – This duplicates many security as well as caching functions that exist natively in our environment and can cause issues for them.

E-mail Plugins

Just because you are able to send emails with WordPress, that doesn’t always mean that you should. Especially when there are specialized services like MailChimp, Constant Contact, AWeber and countless others. Each one offers complete email solutions for your business and will provide you with the optimal results.

If your domain’s email provider offers its own SMTP server, you are welcome to configure that as your outgoing server. But you should check with your email provider about their bulk mail, opt-in mail and anti-spam policies before doing that.

Basically, when our customers want to send emails, we want them to have the same best-in-class service for that as well. So we recommend using 3rd party services like the ones listed above. To that end, we’ve disallowed the following plugin as it allows you to send email blasts with WordPress.

  • WP Mailing List

We’ve also written a blog post about emailing with WordPress if you’re looking for a bit more information.

Miscellaneous Plugins

Other plugins that we’ve decided to proactively remove include:

  • Hello Dolly! — Sorry, Matt.
  • WP phpMyAdmin — Disallowed due to a fairly major security issue. We also offer phpMyAdmin access without a plugin.

Additional Scripts

Some frequently used scripts are known to contain vulnerabilities. Our system scans the file structure to identify these scripts. Scripts that are insecure will be disallowed, and ones with an available update will be automatically patched.

  • TimThumb — Older versions of TimThumb are known to contain vulnerabilities. When our system scan identifies an older version, it will automatically update the script. After the upgrade has been completed, the system will notify you by email.
  • Uploadify — Access to this script is blocked due to known security threats. The reasoning behind this was largely informed by this blog post from our partners at Sucuri.

Complete List

These are the files and folders that we are explicitly searching for when we scan for disallowed plugins. Compare this against your “wp-content/plugins/” directory to see if anything you have installed may conflict.

adminer
async-google-analytics
backup
backup-scheduler
backupwordpress
backwpup
broken-link-checker
contextual-related-posts
duplicator
dynamic-related-posts
ewww-image-optimizer
ezpz-one-click-backup
file-commander
fuzzy-seo-booster
google-xml-sitemaps-with-multisite-support
hc custom wp admin url
hcs.php
hello.php
jr-referrer
missed-schedule
no-revisions
ozh-who-sees-ads
portable-phpmyadmin
quick-cache
seo-alrp
si-captcha-for-wordpress
similar-posts
spyderspanker
spyderspanker_pro
super-post
superslider
text-passwords
the-codetree-backup
toolspack
ToolsPack
tweet-blender
w3-total-cache
wordfence
wordpress-gzip-compression
wp-cache
wp-database-optimizer
wp-db-backup
wp-dbmanager
wp-engine-snapshot
wp-file-cache
wp-mailinglist
wp-missed-schedule
wp-phpmyadmin
wp-postviews
wp-slimstat
wp-super-cache
wp-symposium-alerts
wpengine-migrate
wpengine-snapshot
wponlinebackup
yet-another-featured-posts-plugin
yet-another-related-posts-plugin
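
One way to run the comparison described above, as an added example that is not WP Engine's own scanner: it assumes you have saved the list to a text file (one name per line) and have a local copy of your “wp-content/plugins/” directory. The function names, the file name disallowed.txt and the sample plugin folders are constructed for illustration.

```shell
#!/bin/sh
# Added example (not WP Engine's scanner): report entries in a plugins
# directory whose names appear on a saved copy of the disallowed list.

# find_disallowed LIST_FILE PLUGINS_DIR
# LIST_FILE holds one name per line, as in the "Complete List" on this page.
# Prints matching entry names in C-locale sort order; returns 2 on bad input.
find_disallowed() {
    [ -r "$1" ] || { echo "cannot read list: $1" >&2; return 2; }
    [ -d "$2" ] || { echo "not a directory: $2" >&2; return 2; }
    for path in "$2"/* "$2"/.[!.]*; do
        [ -e "$path" ] || continue          # glob matched nothing
        name=${path##*/}
        # -F: literal match, so the dot in "hello.php" is not a wildcard
        # -x: whole line, so "backup-extra" does not match the entry "backup"
        # Case is kept: the list carries both "toolspack" and "ToolsPack"
        # tr strips carriage returns in case the list was saved with CRLF
        if tr -d '\r' < "$1" | grep -Fxq -- "$name"; then
            printf '%s\n' "$name"
        fi
    done | LC_ALL=C sort
}

# Constructed demo: a throwaway plugins directory and a short excerpt of the list.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/plugins/wp-super-cache" "$tmp/plugins/example-gallery" \
             "$tmp/plugins/backup-extra" "$tmp/plugins/hc custom wp admin url"
    : > "$tmp/plugins/hello.php"            # single-file plugin
    printf '%s\n' backup 'hc custom wp admin url' hello.php \
                  wp-super-cache wordfence > "$tmp/disallowed.txt"
    find_disallowed "$tmp/disallowed.txt" "$tmp/plugins"
    rm -rf "$tmp"
}

demo
```

Entries are matched by exact name against both folders and single files, so names with spaces and single-file plugins such as hello.php are reported alongside ordinary plugin folders.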

A Window into our World

By no means are we suggesting all (or even most) of these plugins are bad plugins. Some of them, like related posts plugins, can be very good for content discoverability and SEO on most sites. However, our main focus is on making sure our customers scale. So they aren’t good for us.

As for insecure plugins, we try to work with the plugin developer to find a fix. While we work with the developer we may temporarily add a plugin to our disallowed list. But we’ll happily allow it again once the issue has been addressed.

In other cases, for stability and scalability, we just have to wash our hands and move on.

In all cases, when asked, we try to provide reasonable alternatives. If you have any questions about these plugins or help finding an alternative, please contact our support team.