At WP Engine we aim to offer the fastest and most secure WordPress hosting environment for your website. There are a handful of plugins that we’ve noted can cause various security or performance issues on your site. Our goal is to keep your site running smoothly, so for this reason we’ve made certain plugins disallowed. If you have one of these plugins, you’ll be notified and the plugin will eventually be removed from your site. We’ve broken these plugins down into groups to provide some context as to why they cannot be used.
About Disallowed Items
By no means are we suggesting any of these disallowed plugins are “bad” plugins. Some of them, like related posts plugins, can be great for content discoverability. As your managed WordPress host however, our primary concern is to provide the fastest and most secure WordPress hosting experience we can. These plugins have proven that they will negatively impact performance or security on our platform and we’ve made the decision to prevent their use.
As for insecure plugins, we try to work with the plugin developer to have them corrected. During that time the plugin may temporarily be added to our disallowed list and we’ll happily allow it again once the issue has been addressed.
If you have any questions about these disallowed plugins, or feel a recent update to a plugin has been put forth to correct the issue we’ve banned it for, please contact our Support team.
Caching plugins can conflict with our platform’s built-in caching structure. These plugins are known to cause direct conflicts and would ultimately impact your site’s ability to load if used:
- WP Super Cache
- WP File Cache
- W3 Total Cache
Many of the caching features these plugins offer are built in to our servers by default as part of your managed WordPress hosting experience. We have your back, so don’t worry!
We discourage the use of backup plugins as they needlessly bloat your site and can store files in an insecure way. Many of these plugins also run their backup jobs at inopportune times, slowing down MySQL queries and even causing timeouts on your site.
The following backup solutions are disallowed plugins:
- WP DB Backup — Needlessly bloats your site’s local storage.
- WP DB Manager — .htaccess protection is recommended, but local storage usage is the major concern as it only offers a local storage option.
- BackupWordPress — Duplicates a large number of files on local storage that are already in our backups.
- VersionPress — In order to function this plugin needs access to server level functions that we disallow for security reasons.
We take nightly backups of all WordPress websites hosted with us. These are done in an efficient, automated manner and the data is kept securely on a separate server from your WordPress install. Our automated backups do not count towards any plan local storage limits and we make these backups available for you to restore, copy or download as-needed.
If you feel more secure with a secondary, off-site backup, we permit VaultPress on our servers.
Server & MySQL Thrashing Plugins
These plugins we disallow because they either cause a high load on the server or create an excessive number of database queries. They will directly impact server load and ultimately hinder your site’s performance.
- MyReviewPlugin — Slams the database with a significant amount of writes.
- LinkMan — Much like the MyReviewPlugin above, LinkMan utilizes an unscalable amount of database writes.
- Fuzzy SEO Booster — Causes MySQL issues as a site scales up.
- WP PostViews — Inefficiently writes to the database on every page load.
- Tweet Blender — Does not interact well with caching and can cause increased server load.
We recommend that you use one of the following tools to check your site for broken links. As they are not plugins these will not have a negative effect on your site’s performance.
- Broken Link Check — Online, limited to 3000 pages.
- LinkChecker — Windows, Mac & Linux
- Integrity — Mac only
Related Posts Plugins
Almost all “Related Posts” plugins suffer from the same MySQL, indexing, and search issues. These problems make the plugins extremely database intensive.
The ones that we’ve banned outright are:
- Dynamic Related Posts
- SEO Auto Links & Related Posts
- Similar Posts
- Contextual Related Posts
There are dedicated services which allow you to offload related post functionality to their servers. We advise that you look into one of the related post services instead:
Duplicate Behavior Plugins
Like the caching and backup plugins, the following plugins also duplicate things that we already do for you in a more efficient, scalable, and configurable manner.
- No Revisions — We disable revisions for all customers by default. See our Platform Settings article for more information.
- Force Strong Passwords — We already install & activate this plugin for you.
- Bad Behavior — This plugin attempts to block a number of hosts that we already disallow.
Just because you are able to send emails with WordPress, that doesn’t always mean you should. We want our customers to experience the same best-in-class experience with email as we provide with web hosting, so we recommend using a 3rd party service. Specialized services like MailChimp, Constant Contact, AWeber and countless others offer complete email solutions for your business and will provide you with optimal results.
If your domain’s email provider offers its own SMTP server, you are welcome to configure that as your outgoing server. Be sure to check with your email provider about their bulk mail, opt-in mail and anti-spam policies before doing so.
We’ve also written a blog post about sending email blasts with WordPress if you would like more information.
Other plugins that we’ve decided to proactively remove include:
- Hello Dolly!
- WP phpMyAdmin — Disallowed due to a fairly major security issue. We also offer phpMyAdmin access without a plugin from your User Portal.
- Sweet Captcha — After our partners at Sucuri revealed that the Sweet Captcha service was used to distribute adware, we have decided to follow the WordPress Plugin Repo’s lead and ban the plugin outright.
- Digital Access Pass (DAP) — While we do not actively remove this from sites, please be aware that it will not work properly on our platform due to its use of PHP Sessions and System-level crons. Instead, we recommend using one of the other highly-rated Membership plugins like Paid Memberships Pro, Restrict Content, or S2Member.
Some frequently used scripts are known to contain security vulnerabilities. Our platform scans the file system periodically to identify and either patch or remove these scripts.
- TimThumb — Older versions of TimThumb are known to contain vulnerabilities. When our system scan identifies an older version, it will automatically update the script. After the upgrade has been completed, the system will notify you by email.
- Uploadify — Access to this script is blocked due to known security threats. The reasoning behind this was largely informed by this blog post from our partners at Sucuri.
Complete List of Disallowed Plugins
These are the files and folders that we explicitly search for when we scan for disallowed plugins. You can compare this against your wp-content/plugins/ directory to check for conflicts.
- adminer
- async-google-analytics
- backup
- backup-scheduler
- backupwordpress
- backwpup
- bad-behavior
- content-molecules
- contextual-related-posts
- db-cache-reloaded
- duplicator
- dynamic-related-posts
- ezpz-one-click-backup
- file-commander
- fuzzy-seo-booster
- gd-system-plugin
- gd-system-plugin.php
- google-xml-sitemaps-with-multisite-support
- hc-custom-wp-admin-url
- hcs.php
- hello.php
- hyper-cache
- jr-referrer
- jumpple
- missed-schedule
- nginx-champuru
- no-revisions
- ozh-who-sees-ads
- p3
- pluginsamonsters
- pluginsmonsters
- portable-phpmyadmin
- quick-cache
- quick-cache-pro
- recommend-a-friend
- seo-alrp
- si-captcha-for-wordpress
- similar-posts
- spamreferrerblock
- ssclassic
- sspro
- super-post
- superslider
- sweetcaptcha-revolutionary-free-captcha-service
- text-passwords
- the-codetree-backup
- toolspack
- ToolsPack
- tweet-blender
- versionpress
- w3-total-cache
- wordpress-database-abstraction
- wordpress-gzip-compression
- wp-cache
- wp-database-optimizer
- wp-db-backup
- wp-dbmanager
- wp-engine-snapshot
- wp-file-cache
- wp-phpmyadmin
- wp-postviews
- wp-slimstat
- wp-super-cache
- wp-symposium-alerts
- wpengine-migrate
- wpengine-migrate.tar.gz
- wpengine-migrate.zip
- wpengine-snapshot
- wpengine-snapshot.tar.gz
- wponlinebackup
- wpsmilepack
WP Engine systems are specifically looking for the plugin directories and files listed above; however, the following list of common names may be beneficial. Please bear in mind that the common names of plugins can be similar and can be changed by the author. The file list above should be referred to as the only source of truth when it comes to disallowed plugins.
- Adminer
- Asynchronous Google Analytics for WordPress
- JetBackup
- Backup Scheduler
- BackUpWordPress
- BackWPup
- Bad Behavior
- Content Molecules
- Contextual Related Posts
- DB Cache Reloaded
- Duplicator
- Dynamic Related Posts
- EZPZ One Click Backup
- File Commander
- Fuzzy SEO Booster
- GD Rating System
- Google XML Sitemaps with Multisite support
- HC Custom WP-Admin URL
- Hyper Cache
- JR Referrer
- Sweet Captcha
- Missed Scheduled
- Nginx Cache Controller
- No Revisions
- Ozh' Who Sees Ads
- Pipdig Power Pack
- Portable phpMyAdmin
- Quick Cache
- Recommend to a friend
- SEO Auto Links & Related Posts
- SI CAPTCHA Anti-Spam
- Similar Posts
- SpamReferrerBlock
- Super Post
- SuperSlider
- Sweet Captcha
- CodeTree Backup
- Tweet Blender
- VersionPress
- W3 Total Cache
- WP Db Abstraction
- WordPress Gzip Compression
- WP-Cache
- WP Database Optimizer
- Database Backup for WordPress
- WP-DBManager
- WPEngine Snapshot
- WP File Cache
- WP-phpMyAdmin
- WP-PostViews
- SlimStat Analytics
- WP Super Cache
- WP Symposium
- Online Backup for WordPress
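One way to run the comparison against wp-content/plugins/ described above, as an added example (not WP Engine's scanner or code from this article). The function name `find_disallowed` and its exit codes are assumptions made here; the names are copied from the file and folder list above and matched exactly against entries at the top level of the directory.

```shell
#!/bin/sh
# Added example: flag entries in a plugins directory whose names appear in the
# article's file/folder list. Matching is by exact name, as the list implies.
DISALLOWED="adminer async-google-analytics backup backup-scheduler backupwordpress
backwpup bad-behavior content-molecules contextual-related-posts db-cache-reloaded
duplicator dynamic-related-posts ezpz-one-click-backup file-commander
fuzzy-seo-booster gd-system-plugin gd-system-plugin.php
google-xml-sitemaps-with-multisite-support hc-custom-wp-admin-url hcs.php hello.php
hyper-cache jr-referrer jumpple missed-schedule nginx-champuru no-revisions
ozh-who-sees-ads p3 pluginsamonsters pluginsmonsters portable-phpmyadmin quick-cache
quick-cache-pro recommend-a-friend seo-alrp si-captcha-for-wordpress similar-posts
spamreferrerblock ssclassic sspro super-post superslider
sweetcaptcha-revolutionary-free-captcha-service text-passwords the-codetree-backup
toolspack ToolsPack tweet-blender versionpress w3-total-cache
wordpress-database-abstraction wordpress-gzip-compression wp-cache
wp-database-optimizer wp-db-backup wp-dbmanager wp-engine-snapshot wp-file-cache
wp-phpmyadmin wp-postviews wp-slimstat wp-super-cache wp-symposium-alerts
wpengine-migrate wpengine-migrate.tar.gz wpengine-migrate.zip wpengine-snapshot
wpengine-snapshot.tar.gz wponlinebackup wpsmilepack"

# Print every listed name present in the directory (default: wp-content/plugins).
# Exit status (assumed convention): 0 = none found, 1 = at least one found,
# 2 = the path is not a directory.
find_disallowed() {
    dir=${1:-wp-content/plugins}
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    found=0
    for name in $DISALLOWED; do
        # -e matches plugin folders and single-file entries such as hello.php
        if [ -e "$dir/$name" ]; then
            printf '%s\n' "$name"
            found=1
        fi
    done
    return "$found"
}

# When run as a script with a path argument, check that path.
if [ "$#" -gt 0 ]; then
    find_disallowed "$1"
fi
```

On a case-insensitive file system the `toolspack` and `ToolsPack` entries both match the same folder, so one plugin can be reported twice.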
Disabled Modules and Functions
There’s the possibility of using a plugin that is technically allowed, but will not function due to disabled server modules or functions. These modules/functions can impact performance or security if enabled and are therefore turned off on all WP Engine servers.
We do not disallow plugins utilizing these because developers will often release updates that no longer rely on poorly performing modules or functions. This is particularly relevant to plugins utilizing ionCube Loader, which is disabled across WP Engine.