Disallowed Plugins
With over 16k plugins (currently) in the WordPress plugin repository, we only (at this time) forbid a few dozen. Those are pretty good odds that if you want to use a plugin on our infrastructure, you should feel free to use it! It’s your blog after all.
But what about these disallowed plugins (AKA blacklisted)? Most of them, honestly, fall into a couple “classes” of plugins and we ban them because they collide with our necessary solutions that we put in place as part of our service offerings.
Caching Plugins
Most caching plugins do not cooperate with our own caching solutions (which include W3 Total Cache). As a result, we can’t have them running in parallel to our “stuff”. Whenever we see these on the filesystem, we automatically remove them. It’s okay, we’re already covering you and you shouldn’t have to worry about the speed of your site… that’s our job and why you’ve chosen us as your provider!
We haven’t banned Batcache and others but they simply won’t work in our environment. We’re already handling Memcached anyways, so there’s no need for it.
Database Backups
We already provide you with backups (complete filesystem and database), done in an efficient and automated manner, and available for you to rollback or even leave our service whenever you’d like.
In general we discourage the use of all backup plugins, not only because it needlessly duplicates functionality, but because they occupy a ton of disk space, run at inopportune times, can tie up your database, fail on large installations, and in some cases are insecure, allowing non-authenticated people to access your private data.
Because of this, we disallow most database backup plugins at WP Engine. However, we do recommend and allow VaultPress. For people looking for non-premium solutions, simply asking for a backup from us will get you one – at no charge to you!
- WP DB Backup – though to the author’s credit, he highly recommends not saving to the local file system.
- WP DB Manager – Local storage is the only way, .htaccess protection recommended, but disk space is a concern.
- BackupWordPress – not insecure, but duplicates files on disk which we already have for you in our backups
CPU/MySQL Thrashing Plugins
There’s another class of plugins we disallow simply because they thrash our servers CPU or create unnatural number of MySQL queries.
- Broken Link Checker – Overwhelms the server with HTTP requests.
- Dynamic Related Posts – Almost all “Related Posts” plugins suffer from the same fundamental problems regarding MySQL, indexing, and search making most very database intensive.
- WP Smushit – Relies on Yahoo services and memory mapping… When Yahoo fails or memory mapping is exceeded, the plugin fails and brings down sites with it.
- MyReviewPlugin (MyRP) – SLAMS the database with writes at orders of magnitude.
- LinkMan – Related to MyRP.
- Google XML Sitemaps – More info here.
- SEO Auto Links & Related Posts – Creates large and inefficient queries which load down the database
- Fuzzy Seo Booster – Thrashes MySQL
- WP PostViews – inefficiently writes to the database on every pageload. Try something like Automattic’s stats or Google Analytics to track traffic in a scalable manner.
- Tweet Blender
- Pippity – Hammers the server with repeated calls to
admin-ajax.php. - Yet Another Related Post Plugin – Does FULLTEXT indexes on MySQL which does not scale. alternate plugins: nrelate, shareaholic
- Similar Posts - Does FULLTEXT indexes on MySQL which does not scale. alternate plugin: nrelate
- Contextual Related Posts - Does FULLTEXT indexes on MySQL which does not scale. alternate plugin: nrelate
Duplicate Behavior Plugins
These plugins do some behavior that we already do for you in a more efficient, scalable, and configurable manner.
- WordPress HTTPS – when we serve HTTPS for you, this plugin cannot detect which connections are secure, and therefore doesn’t work. We can do all the redirecting and other special casing for you.
- No Revisions – We already do this!
- Missed Schedule and WP Missed Schedule – Interferes with cron at scale, and we already have automated processes that run wp-cron regularly and check for missed posts and publish them.
- Limit Login Attempts – This is a must use plugin on our platform. Please disable this plugin before migration.
E-mail Plugins
Just because you can send emails with WordPress, that doesn’t always mean you should. In a best practice environment, there are specialized services like MailChimp, Constant Contact and others. They are a complete email solution for your business and will provide you with the optimal results. If your email service provides its own SMTP server, then things will work out just fine. When our customers want to send emails, we want them to have the same best-in-class service for that as well, and we recommend using 3rd party services like MailChimp or Constant Contact. To that end, we’ve also disallowed plugins that allow you to send email blasts with WordPress. We wrote a blog post about emailing with WordPress for more information.
- wp-mailinglist
Alternatives to the broken link checker
We recommend that you use the following tool to check for your broken links. It’s not a plugin, and won’t make the server unhappy: http://www.
- Windows: xenu link sleuth – http://xenus-link-sleuth.en.softonic.com/
- MAC: integrity – http://peacockmedia.co.uk/integrity/
Miscellaneous Plugins
Other plugins that we’ve decided to proactively remove include:
- Hello Dolly! (Sorry, Matt)
- A competitor’s management plugin
- WP phpMyAdmin – SECURITY ISSUE!
- WDS Custom Search – Breaks the post indexes in the WP Admin.
Plugin Scripts
Some frequently used scripts are known to contain vulnerabilities. Our system scans the files structure to identify these scripts. Scripts that are insecure will be disallowed, and the ones with an available update will be patched.
- TimThumb – Older versions of the TimThumb scripts are known to contain vulnerabilities. When our system scan identifies an older version, it will automatically updates the script and then notifies you by email.
- Uploadify.php – Access to this script is blocked due to known security threats. You can read more at this Sucuri blog post.
Complete List
These are the files and folders that we’re explicitly searching for when we scan for disallowed plugins. Compare this against your “wp-content/plugins/” directory to see if anything you have installed may conflict.
adminer
async-google-analytics
backupwordpress
backwpup
broken-link-checker
contextual-related-posts
dynamic-related-posts
ezpz-one-click-backup
file-commander
fuzzy-seo-booster
google-sitemap-generator
google-xml-sitemaps-with-multisite-support
hcs.php
hello.php
jr-referrer
missed-schedule
no-revisions
ozh-who-sees-ads
pippity
portable-phpmyadmin
quick-cache
seo-alrp
similar-posts
superslider
text-passwords
the-codetree-backup
toolspack
tweet-blender
w3-total-cache
wordpress-gzip-compression
wp-cache
wp-database-optimizer
wp-db-backup
wp-dbmanager
wp-engine-snapshot
wp-file-cache
wp-mailinglist
wp-missed-schedule
wp-phpmyadmin
wp-postviews
wp-slimstat
wp-smushit
wp-super-cache
wp-symposium-alerts
wponlinebackup
yet-another-featured-posts-plugin
yet-another-related-posts-plugin
A Window into our World
By no means are we suggesting all (or even most) of these plugins are bad plugins. Some of them, like related posts plugins, are very good for most sites. However, we deal with scaling customers and so they aren’t good for us. When we find insecure plugins, we try to work with the plugin developer to find a fix and may temporarily remove access to a plugin and restore that access once the issue is addressed. In other cases, for stability and scaleability, we just have to wash our hands and move on.
In all cases, when asked, we try to provide reasonable alternatives. If you have any questions about these plugins or help finding an alternative, contact us at help.wpengine.com.
