With over 16k plugins (currently) in the WordPress plugin repository, we only (at this time) forbid a few dozen. Those are pretty good odds that if you want to use a plugin on our infrastructure, you should feel free to use it! It’s your blog after all.
But what about these disallowed plugins (AKA blacklisted)? Most of them, honestly, fall into a couple “classes” of plugins and we ban them because they collide with our necessary solutions that we put in place as part of our service offerings.
Most caching plugins do not cooperate with our own caching solutions (which include W3 Total Cache). As a result, we can’t have them running in parallel to our “stuff”. Whenever we see these on the filesystem, we automatically remove them. It’s okay, we’re already covering you and you shouldn’t have to worry about the speed of your site… that’s our job and why you’ve chosen us as your provider!
We haven’t banned Batcache and others but they simply won’t work in our environment. We’re already handling Memcached anyways, so there’s no need for it.
We already provide you with backups (complete filesystem and database), done in an efficient and automated manner, and available for you to rollback or even leave our service whenever you’d like.
In general we discourage the use of all backup plugins, not only because it needlessly duplicates functionality, but because they occupy a ton of disk space, run at inopportune times, can tie up your database, fail on large installations, and in some cases are insecure, allowing non-authenticated people to access your private data.
Because of this, we disallow most database backup plugins at WP Engine. However, we do recommend and allow VaultPress. For people looking for non-premium solutions, simply asking for a backup from us will get you one – at no charge to you!
- WP DB Backup – though to the author’s credit, he highly recommends not saving to the local file system.
- WP DB Manager – Local storage is the only way, .htaccess protection recommended, but disk space is a concern.
- BackupWordPress – not insecure, but duplicates files on disk which we already have for you in our backups
CPU/MySQL Thrashing Plugins
There’s another class of plugins we disallow simply because they thrash our servers CPU or create unnatural number of MySQL queries.
- Broken Link Checker – Overwhelms the server with HTTP requests.
- Dynamic Related Posts – Almost all “Related Posts” plugins suffer from the same fundamental problems regarding MySQL, indexing, and search making most very database intensive.
- WP Smushit – Relies on Yahoo services and memory mapping… When Yahoo fails or memory mapping is exceeded, the plugin fails and brings down sites with it.
- MyReviewPlugin (MyRP) – SLAMS the database with writes at orders of magnitude.
- LinkMan – Related to MyRP.
- Google XML Sitemaps – More info here.
- SEO Auto Links & Related Posts – Creates large and inefficient queries which load down the database
- Fuzzy Seo Booster – Thrashes MySQL
- WP PostViews – inefficiently writes to the database on every pageload. Try something like Automattic’s stats or Google Analytics to track traffic in a scalable manner.
- Tweet Blender
- Pippity – Hammers the server with repeated calls to
- Yet Another Related Post Plugin – Does FULLTEXT indexes on MySQL which does not scale. alternate plugins: nrelate, shareaholic
- Similar Posts - Does FULLTEXT indexes on MySQL which does not scale. alternate plugin: nrelate
- Contextual Related Posts - Does FULLTEXT indexes on MySQL which does not scale. alternate plugin: nrelate
Duplicate Behavior Plugins
These plugins do some behavior that we already do for you in a more efficient, scalable, and configurable manner.
- WordPress HTTPS – when we serve HTTPS for you, this plugin cannot detect which connections are secure, and therefore doesn’t work. We can do all the redirecting and other special casing for you.
- No Revisions – We already do this!
- Missed Schedule and WP Missed Schedule – Interferes with cron at scale, and we already have automated processes that run wp-cron regularly and check for missed posts and publish them.
- Limit Login Attempts – This is a must use plugin on our platform. Please disable this plugin before migration.
Just because you can send emails with WordPress, that doesn’t always mean you should. In a best practice environment, there are specialized services like MailChimp, Constant Contact and others. They are a complete email solution for your business and will provide you with the optimal results. If your email service provides its own SMTP server, then things will work out just fine. When our customers want to send emails, we want them to have the same best-in-class service for that as well, and we recommend using 3rd party services like MailChimp or Constant Contact. To that end, we’ve also disallowed plugins that allow you to send email blasts with WordPress. We wrote a blog post about emailing with WordPress for more information.
Alternatives to the broken link checker
We recommend that you use the following tool to check for your broken links. It’s not a plugin, and won’t make the server unhappy: http://www.
- Windows: xenu link sleuth – http://xenus-link-sleuth.en.softonic.com/
- MAC: integrity – http://peacockmedia.co.uk/integrity/
Other plugins that we’ve decided to proactively remove include:
- Hello Dolly! (Sorry, Matt)
- A competitor’s management plugin
- WP phpMyAdmin – SECURITY ISSUE!
- WDS Custom Search – Breaks the post indexes in the WP Admin.
Some frequently used scripts are known to contain vulnerabilities. Our system scans the files structure to identify these scripts. Scripts that are insecure will be disallowed, and the ones with an available update will be patched.
- TimThumb – Older versions of the TimThumb scripts are known to contain vulnerabilities. When our system scan identifies an older version, it will automatically updates the script and then notifies you by email.
- Uploadify.php – Access to this script is blocked due to known security threats. You can read more at this Sucuri blog post.
These are the files and folders that we’re explicitly searching for when we scan for disallowed plugins. Compare this against your “wp-content/plugins/” directory to see if anything you have installed may conflict.
A Window into our World
By no means are we suggesting all (or even most) of these plugins are bad plugins. Some of them, like related posts plugins, are very good for most sites. However, we deal with scaling customers and so they aren’t good for us. When we find insecure plugins, we try to work with the plugin developer to find a fix and may temporarily remove access to a plugin and restore that access once the issue is addressed. In other cases, for stability and scaleability, we just have to wash our hands and move on.
In all cases, when asked, we try to provide reasonable alternatives. If you have any questions about these plugins or help finding an alternative, contact us at help.wpengine.com.