Plugins You Should Never Install
WPEngine won’t allow you to install 10 certain plugins.
Whaaa?! What kinda Stasi Host is this?
Actually, they have very good reasons for each. Let’s take a look.
Most caching plugins do not cooperate with our custom caching environment. As a result, we can’t have them running in parallel with our solution. In fact, whenever our maintenance scripts see these on the filesystem, they are automatically removed from your install:
- WP Super Cache
- WP File Cache
- W3 Total Cache
We already take multiple, nightly backups of your site — done in an efficient and automated manner — which are available for you to rollback to (or download) whenever you’d like.
In general, we discourage the use of all backup plugins. Not only because it needlessly duplicates our inbuilt functionality, but because the backups occupy a ton of disk space, run at inopportune times, can tie up your database, fail on larger installations and, in some cases, are ridiculously insecure.
- WP DB Backup — Though, to the author’s credit, he recommends not saving backups to the local file system.
- WP DB Manager — Local storage is the only option here, and .htaccess protection is recommended, but disk space usage is a definite concern.
- BackupWordPress — While the plugin is not insecure, it duplicates a number of files on disk that are already in our backups.
Despite disallowing the plugins above, we do recommend and permit VaultPress on our servers. Also, for people looking for less expensive (see: non-premium) solutions, you are more than welcome to ask our support team for a copy of any backup. We’ll gladly turn one over at no charge!
Server & MySQL Thrashing Plugins
There’s another class of plugins that we disallow simply because they cause a high load on our servers or create an unnatural number of MySQL queries.
- Broken Link Checker — Overwhelms even our robust caching layer with an inordinate amount of HTTP requests.
- WP Smush.it — Relies on Yahoo services and memory mapping… When Yahoo fails or memory mapping is exceeded, the plugin fails and brings down sites with it.
- MyReviewPlugin — Slams the database with a fairly significant amount of writes.
- LinkMan — Much like the MyReviewPlugin above, LinkMan utilizes an unscalable amount of database writes.
- Google XML Sitemaps — We’ve gone into a great bit of detail on why we disallowed this plugin here.
- Fuzzy SEO Booster — Causes MySQL issues as a site becomes more popular.
- WP PostViews — Inefficiently writes to the database on every page load.
- To track traffic in a more scalable manner, both the stats module in Automattic’s Jetpack plugin and Google Analytics work wonderfully.
- Tweet Blender — Does not play nicely with our caching layer and can cause increased server load.
Related Posts Plugins
Almost all “Related Posts” plugins suffer from the same fundamental problems regarding MySQL, indexing and search. All of these problems make the plugins themselves extremely database intensive. The ones that we’ve banned outright are:
- Dynamic Related Posts
- SEO Auto Links & Related Posts
- Yet Another Related Posts Plugin
- Similar Posts
- Contextual Related Posts
There are dedicated services allow you to offload related post functionality to their servers.
If you’re interested in providing related posts on your site, it is advised that you look into one of the services listed above instead.
Broken Link Checker Alternatives
If you used the Broken Link Checker plugin and wish we hadn’t banned it, we recommend that you use one of the following tools to check your site for broken links:
It’s not a plugin, and won’t make the server unhappy: http://www.brokenlinkcheck.com/. An even better solution to using a website to scan for broken links would be an application that you install on your computer:
- Broken Link Check — Online, limited to 3000 pages.
- Xenu Link Sleuth — Windows only.
- Integrity — Macintosh only.
Duplicate Behavior Plugins
Like the caching & backup plugins, these all duplicate things that we can already do for you in a more efficient, scalable, and configurable manner.
- WordPress HTTPS — This plugin is unable to detect which connections are secure when we are handling your HTTPS traffic. We can handle all the redirecting and other special casing for you.
- No Revisions — We disable revisions for all customers by default.
- WP Missed Schedule — WP Engine already has automated processes that run wp-cron regularly and checks & publishes missed posts.
- Limit Login Attempts — We already install & activate this plugin for you.
- Force Strong Passwords — We already install & activate this plugin for you.
- WP Mailing List
We’ve also written a blog post about emailing with WordPress you’re looking for a bit more information.
Other plugins that we’ve decided to proactively remove include:
- Hello Dolly! — Sorry, Matt.
- WP phpMyAdmin — Disallowed due to a fairly major security issue. We also offer phpMyAdmin access without a plugin.
Some frequently used scripts are known to contain vulnerabilities. Our system scans the files structure to identify these scripts. Scripts that are insecure will be disallowed, and ones with an available update will be automatically patched.
- TimThumb — Older versions of TimThumb are known to contain vulnerabilities. When our system scan identifies an older version, it will automatically update the script. After the upgrade has been completed, the system will notify you by email.
- Uploadify — Access to this script is blocked due to known security threats. The reasoning behind this was largely informed by this blog post from our partners at Sucuri.
A Window into our World
By no means are we suggesting all (or even most) of these plugins are bad plugins. Some of them, like related posts plugins, can be very good for content discoverability and SEO on most sites. However, our main focus is on making sure our customers scale. So they aren’t good for us.