Disallowed Plugins

At WP Engine we aim to offer the fastest and most secure WordPress hosting environment for your website. There are a handful of plugins that we’ve noted can cause various security or performance issues on your site. Our goal is to keep your site running smoothly, so for this reason we’ve made certain plugins disallowed. If you have one of these plugins, you’ll be notified and the plugin will eventually be removed from your site. We’ve broken these plugins down into groups to provide some context as to why they cannot be used.


About Disallowed Items

By no means are we suggesting any of these disallowed plugins are “bad” plugins. Some of them, like related posts plugins, can be great for content discoverability. As your managed WordPress host however, our primary concern is to provide the fastest and most secure WordPress hosting experience we can. These plugins have proven that they will negatively impact performance or security on our platform and we’ve made the decision to prevent their use.

As for insecure plugins, we try to work with the plugin developer to have them corrected. During that time the plugin may temporarily be added to our disallowed list and we’ll happily allow it again once the issue has been addressed.

If you have any questions about these disallowed plugins, or feel a recent update to a plugin has been put forth to correct the issue we’ve banned it for, please contact our Support team.


Caching Plugins

Caching plugins can conflict with our platform’s built-in caching structure. These plugins are known to cause direct conflicts and would ultimately impact your site’s ability to load if used:

  • WP Super Cache
  • WP File Cache
  • W3 Total Cache

Many of the caching features these plugins offer we have built-in to our servers by default as part of your managed WordPress hosting experience. We have your back- don’t worry!


Backup Plugins

We discourage the use of backup plugins as they needlessly bloat your site and can store files in an insecure way. Many of these plugins also run their backup jobs at inopportune times, slowing down MySQL queries and even causing timeouts on your site.

The following backup solutions are disallowed plugins:

  • WP DB Backup — Needlessly bloats your site’s local storage.
  • WP DB Manager — .htaccess protection is recommended, but local storage usage is the major concern as it only offers a local storage option.
  • BackupWordPress — Duplicates a large number of files on local storage that are already in our backups.
  • VersionPress — In order to function this plugin needs access to server level functions that we disallow for security reasons.

We take nightly backups of all WordPress websites hosted with us. These are done in an efficient, automated manner and the data is kept securely on a separate server from your WordPress install. Our automated backups do not count towards any plan local storage limits and we make these backups available for you to restore, copy or download as-needed.

If you feel more secure with a secondary, off-site backup, we permit VaultPress on our servers.


Server & MySQL Thrashing Plugins

These plugins we disallow because they either cause a high load on the server or create an excessive number of database queries. They will directly impact server load and ultimately hinder your site’s performance.

  • MyReviewPlugin — Slams the database with a significant amount of writes.
  • LinkMan — Much like the MyReviewPlugin above, LinkMan utilizes an unscalable amount of database writes.
  • Fuzzy SEO Booster — Causes MySQL issues as a site scales up.
  • WP PostViews — Inefficiently writes to the database on every page load.
  • Tweet Blender — Does not interact well with caching and can cause increased server load.

To track traffic in a more scalable manner, both the stats module in Automattic’s Jetpack plugin and Google Analytics work great.

We recommend that you use one of the following tools to check your site for broken links. As they are not plugins these will not have a negative effect on your site’s performance.


Related Posts Plugins

Almost all “Related Posts” plugins suffer from the same MySQL, indexing, and search issues. These problems make the plugins extremely database intensive.

The ones that we’ve banned outright are:

  • Dynamic Related Posts
  • SEO Auto Links & Related Posts
  • Similar Posts
  • Contextual Related Posts

There are dedicated services which allow you to offload related post functionality to their servers. We advise that you look into one of the related post services instead:


Duplicate Behavior Plugins

Like the caching and backup plugins, the following plugins also duplicate things that we already do for you in a more efficient, scalable, and configurable manner.

  • No Revisions — We disable revisions for all customers by default. See our Platform Settings article for more information.
  • Force Strong Passwords — We already install & activate this plugin for you.
  • Bad Behavior — This plugin attempts to block a number of hosts that we already disallow.

Email Plugins

Just because you are able to send emails with WordPress, that doesn’t always mean you should. We want our customers to experience the same best-in-class experience with email as we provide with web hosting, so we recommend using a 3rd party service. Specialized services like MailChimpConstant ContactAWeber and countless others offer complete email solutions for your business and will provide you with optimal results.

If your domain’s email provider offers its own SMTP server, you are welcome to configure that as your outgoing server. Be sure to check with your email provider about their bulk mail, opt-in mail and anti-spam policies before doing so.

We’ve also written a blog post about sending email blasts with WordPress if you would like more information.

Further information on configuring third party email hosting can be found in this guide.


Miscellaneous Plugins

Other plugins that we’ve decided to proactively remove include:

  • Hello Dolly!
  • WP phpMyAdmin — Disallowed due to a fairly major security issue. We also offer phpMyAdmin access without a plugin from your User Portal.
  • Sweet Captcha — After our partners at Sucuri revealed that the Sweet Captcha service was used to distribute adware, we have decided to follow the WordPress Plugin Repo’s lead and ban the plugin outright.
  • Digital Access Pass (DAP) — While we do not actively remove this from sites, please be aware that it will not work properly on our platform due to its use of PHP Sessions and System-level crons. Instead, we recommend using one of the other highly-rated Membership plugins like Paid Memberships Pro, Restrict Content, or S2Member.

Additional Scripts

Some frequently used scripts are known to contain security vulnerabilities. Our platform scans the files system periodically to identify and either patch or remove these scripts.

  • TimThumb — Older versions of TimThumb are known to contain vulnerabilities. When our system scan identifies an older version, it will automatically update the script. After the upgrade has been completed, the system will notify you by email.
  • Uploadify — Access to this script is blocked due to known security threats. The reasoning behind this was largely informed by this blog post from our partners at Sucuri.

Complete List of Disallowed Plugins

These are the files and folders that we explicitly searching for when we scan for disallowed plugins. You can compare this against your wp-content/plugins/ directory to check for conflicts.

adminer
async-google-analytics
backup
backup-scheduler
backupwordpress
backwpup
bad-behavior
content-molecules
contextual-related-posts
db-cache-reloaded
duplicator
dynamic-related-posts
ezpz-one-click-backup
file-commander
fuzzy-seo-booster
gd-system-plugin
gd-system-plugin.php
google-xml-sitemaps-with-multisite-support
hc-custom-wp-admin-url
hcs.php
hello.php
hyper-cache
jr-referrer
jumpple
missed-schedule
nginx-champuru
no-revisions
ozh-who-sees-ads
p3
pluginsamonsters
pluginsmonsters
portable-phpmyadmin
quick-cache
quick-cache-pro
recommend-a-friend
seo-alrp
si-captcha-for-wordpress
similar-posts
spamreferrerblock
ssclassic
sspro
super-post
superslider
sweetcaptcha-revolutionary-free-captcha-service
text-passwords
the-codetree-backup
toolspack
ToolsPack
tweet-blender
versionpress
w3-total-cache
wordpress-database-abstraction
wordpress-gzip-compression
wp-cache
wp-database-optimizer
wp-db-backup
wp-dbmanager
wp-engine-snapshot
wp-file-cache
wp-phpmyadmin
wp-postviews
wp-slimstat
wp-super-cache
wp-symposium-alerts
wpengine-migrate
wpengine-migrate.tar.gz
wpengine-migrate.zip
wpengine-snapshot
wpengine-snapshot.tar.gz
wponlinebackup
wpsmilepack

Common Names

WP Engine systems are specifically looking for the plugin directories and files listed above, however the following list of common names may be beneficial. Please bear in mind, the common names of plugins can similar and can be changed by the author. The file list above should be referred to as the only source of truth when it comes to disallowed plugins.

Adminer
Asynchronous Google Analytics for WordPress
JetBackup
Backup Scheduler
BackUpWordPress
BackWPup
Bad Behavior
Content Molecules
Contextual Related Posts
DB Cache Reloaded
Duplicator
Dynamic Related Posts
EZPZ One Click Backup
File Commander
Fuzzy SEO Booster
GD Rating System
Google XML Sitemaps with Multisite support
HC Custom WP-Admin URL
Hyper Cache
JR Referrer
Sweet Captcha
Missed Scheduled
Nginx Cache Controller
No Revisions
Ozh' Who Sees Ads
Pipdig Power Pack
Portable phpMyAdmin
Quick Cache
Recommend to a friend
SEO Auto Links & Related Posts
SI CAPTCHA Anti-Spam
Similar Posts
SpamReferrerBlock
Super Post
SuperSlider
Sweet Captcha
CodeTree Backup
Tweet Blender
VersionPress
W3 Total Cache
WP Db Abstraction
WordPress Gzip Compression
WP-Cache
WP Database Optimizer
Database Backup for WordPress
WP-DBManager
WPEngine Snapshot
WP File Cache
WP-phpMyAdmin
WP-PostViews
SlimStat Analytics
WP Super Cache
WP Symposium
Online Backup for WordPress

Has a plugin been modified and needs to be removed from the disallowed plugins directory? Submit a Product Feedback request to our team.


Disabled Modules and Functions

There’s the possibility of using a plugin that is technically allowed, but will not function due to disabled server modules or functions. These modules/functions can impact performance or security if enabled and are therefore turned off on all WP Engine servers.

We do not disallow plugins utilizing these because developers will often release updates that no longer rely on poorly performing modules or functions. This is particularly relevant to plugins utilizing ionCube Loader, which is disabled across WP Engine.

For a full list of disabled modules and functions, see the Server Modules and Functions section of our Platform Settings guide.


NEXT STEP: Check out our Solution Center for partners and plugins of choice.

Still need help? Contact support!

We offer support 24 hours a day, 7 days a week, 365 days a year. Log in to your account to get expert one-on-one help.

The best in WordPress hosting.

See why more customers prefer WP Engine over the competition.