Disallowed Plugins by WPEngine
- WP Super Cache
- WP File Cache
- W3 Total Cache
(Some) Backup Plugins
WPEngine already takes multiple, nightly backups of your site. These are done in an efficient, automated manner and the data is kept securely outside of your WordPress install. We make these backups available for you to rollback to (or download) whenever you’d like.
If you feel more secure with a secondary, off-site backup we permit and recommend VaultPress on our servers.
In general, however, we discourage the use of backup plugins. They needlessly duplicate WPEngine's built-in functionality, rely on a large amount of local storage and can store files in an insecure manner. Not only that, many of these plugins run their backup jobs at inopportune times. This can slow database connectivity with extra — and sometimes very large — MySQL queries and cause timeouts on larger sites.
- WP DB Backup — Though, to the author’s credit, he recommends not saving backups to the local file system.
- WP DB Manager — Local storage is the only option here, and .htaccess protection is recommended, but disk space usage is a definite concern.
- BackupWordPress — While the plugin is not insecure, it duplicates a number of files on disk that are already in our backups.
- VersionPress — In order to function properly, this plugin needs access to server level functions that we disallow for security purposes.
Server & MySQL Thrashing Plugins
There’s another class of plugins (plugin site) that WPEngine disallows simply because they cause a high load on WPEngine servers or create an unnatural number of MySQL queries.
- Broken Link Checker — Overwhelms even our robust caching layer with an inordinate amount of HTTP requests.
- MyReviewPlugin — Slams the database with a fairly significant amount of writes.
- LinkMan — Much like the MyReviewPlugin above, LinkMan utilizes an unscalable amount of database writes.
- Fuzzy SEO Booster — Causes MySQL issues as a site becomes more popular.
- WP PostViews — Inefficiently writes to the database on every page load.
- To track traffic in a more scalable manner, both the stats module in Automattic’s Jetpack plugin and Google Analytics work wonderfully.
- Tweet Blender — Does not play nicely with our caching layer and can cause increased server load.
Related Posts Plugins
Almost all “Related Posts” plugins suffer from the same fundamental problems regarding MySQL, indexing and search. All of these problems make the plugins themselves extremely database intensive. The ones that we’ve banned outright are:
- Dynamic Related Posts
- SEO Auto Links & Related Posts
- Yet Another Related Posts Plugin
- Similar Posts
- Contextual Related Posts
There are dedicated services that allow you to offload related post functionality to their servers.
If you’re interested in providing related posts on your site, it is advised that you look into one of the services listed above instead.
Broken Link Checker Alternatives
If you used the Broken Link Checker plugin and wish we hadn’t banned it, we recommend that you use one of the following tools to check your site for broken links:
It’s not a plugin, and won’t make the server unhappy: http://www.brokenlinkcheck.com/. An even better solution than using a website to scan for broken links would be an application that you install on your computer:
- Broken Link Check — Online, limited to 3000 pages.
- LinkChecker — Windows, Macintosh & Linux
- Integrity — Macintosh only.
Duplicate Behavior Plugins
Like the caching & backup plugins, these all duplicate things that we can already do for you in a more efficient, scalable, and configurable manner.
- No Revisions — We disable revisions for all customers by default. For further information on why please click here.
- Force Strong Passwords — We already install & activate this plugin for you.
- WordFence — This duplicates many security as well as caching functions that exist natively in our environment and can cause issues for them.
- Bad Behavior — This plugin attempts to block a number of hosts that we already disallow.
Just because you are able to send emails with WordPress, that doesn’t always mean that you should. Especially when there are specialized services like MailChimp, Constant Contact, AWeber and countless others. Each one offers complete email solutions for your business and will provide you with the optimal results.
If your domain’s email provider offers its own SMTP server, you are welcome to configure that as your outgoing server. But you should check with your email provider about their bulk mail, opt-in mail and anti-spam policies before doing that.
Basically, when WPEngine customers want to send emails, WPEngine wants them to have the same best-in-class service for that as well. So WPEngine recommends using 3rd party services like the ones listed above. To that end, WPEngine has disallowed the following plugin, as it allows you to send email blasts with WordPress.
- WP Mailing List
We’ve also written a blog post about emailing with WordPress if you’re looking for a bit more information.
Other plugins that WPEngine decided to proactively remove include:
- Hello Dolly! — Sorry, Matt.
- WP phpMyAdmin — Disallowed due to a fairly major security issue. We also offer phpMyAdmin access without a plugin.
- Sweet Captcha — After our partners at Sucuri revealed that the Sweet Captcha service was used to distribute adware, we have decided to follow the WordPress Plugin Repo’s lead and ban the plugin outright.
- EWWW Image Optimizer – While the original version can cause stress on the server to the point of negative impact, the Cloud version of the plugin located here is a great alternative that offloads the computing to the Cloud.
Some frequently used scripts are known to contain vulnerabilities. WPEngine's system scans the file structure to identify these scripts. Scripts that are insecure will be disallowed, and ones with an available update will be automatically patched.
- TimThumb — Older versions of TimThumb are known to contain vulnerabilities. When WPEngine's system scan identifies an older version, it will automatically update the script. After the upgrade has been completed, the system will notify you by email.
- Uploadify — Access to this script is blocked due to known security threats. The reasoning behind this was largely informed by this blog post from WPEngine's partners at Sucuri.
These are the files and folders that we are explicitly searching for when we scan for disallowed plugins. Compare this against your “wp-content/plugins/” directory to see if anything you have installed may conflict.
adminer
async-google-analytics
backup
backup-scheduler
backupwordpress
backwpup
bad-behavior
broken-link-checker
content-molecules
contextual-related-posts
duplicator
dynamic-related-posts
ewww-image-optimizer
ezpz-one-click-backup
file-commander
fuzzy-seo-booster
gd-system-plugin
gd-system-plugin.php
google-xml-sitemaps-with-multisite-support
hc-custom-wp-admin-url
hcs.php
hello.php
jr-referrer
jumpple
missed-schedule
no-revisions
ozh-who-sees-ads
portable-phpmyadmin
quick-cache
quick-cache-pro
recommend-a-friend
seo-alrp
si-captcha-for-wordpress
similar-posts
spamreferrerblock
ssclassic
sspro
super-post
superslider
sweetcaptcha-revolutionary-free-captcha-service
text-passwords
the-codetree-backup
toolspack
ToolsPack
tweet-blender
versionpress
w3-total-cache
wordfence
wordpress-gzip-compression
wp-cache
wp-database-optimizer
wp-db-backup
wp-dbmanager
wp-engine-snapshot
wp-file-cache
wp-mailinglist
wp-phpmyadmin
wp-postviews
wp-slimstat
wp-super-cache
wp-symposium-alerts
wpengine-migrate
wpengine-migrate.tar.gz
wpengine-migrate.zip
wpengine-snapshot
wpengine-snapshot.tar.gz
wponlinebackup
yet-another-featured-posts-plugin
yet-another-related-posts-plugin

Source: WP Engine Support
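The comparison against “wp-content/plugins/” described above can be scripted. The following is an added example, not WPEngine's own scanner: the function name find_disallowed, the file name disallowed.txt and the sample directory tree are assumptions made for illustration. It does an exact, case-sensitive name match on both folders and files, since the list contains entries such as hello.php and lists toolspack and ToolsPack separately.

```shell
#!/bin/sh
# Added example (not WPEngine's scanner): report top-level entries of a
# plugins directory whose names appear in a disallowed-name list.

# find_disallowed PLUGINS_DIR LIST_FILE   (hypothetical helper)
# LIST_FILE holds names separated by spaces or newlines.
# Prints each match on its own line.
# Exit status: 0 = nothing found, 1 = matches found, 2 = bad arguments.
find_disallowed() {
    plugins_dir=$1
    list_file=$2
    [ -d "$plugins_dir" ] && [ -r "$list_file" ] || return 2
    found=0
    set -f    # no glob expansion while the list is split on whitespace
    for name in $(cat "$list_file"); do
        # -e matches plugin folders as well as plain files (hello.php, *.zip)
        if [ -e "$plugins_dir/$name" ]; then
            printf '%s\n' "$name"
            found=1
        fi
    done
    set +f
    return "$found"
}

# Constructed sample: a throwaway plugins tree with three listed entries and
# one unlisted plugin, checked against a short excerpt of the list above.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/plugins/akismet" "$tmp/plugins/wordfence" \
             "$tmp/plugins/wp-super-cache"
    : > "$tmp/plugins/hello.php"
    printf '%s\n' 'hello.php versionpress w3-total-cache wordfence wp-super-cache' \
        > "$tmp/disallowed.txt"
    find_disallowed "$tmp/plugins" "$tmp/disallowed.txt"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "disallowed entries found (exit status $?)"
```

On a real install, save the full list to a file and pass the path to wp-content/plugins as the first argument. On a case-insensitive filesystem, toolspack and ToolsPack will both match the same folder.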