To ensure that your sites on the WordPress hosting platform run as well and as securely as possible, we occasionally have to disallow certain plugins. This is not to say these plugins are “bad” but that they cause or have in the past caused issues with the platform, or duplicate functionality that is already present in the platform.
Currently the following plugins are disallowed:
- Very Simple Splash Page
- WP Staging
We do also recommend some plugins should be avoided where possible.
Should I install a security plugin?
Plugins like iThemes security, Simple Firewall and WordFence provide a way to protect your site at the cost of performance. With our managed WordPress hosting, most of the functionality of these plugins is already implemented within the platform, so the plugins will not deliver any benefit.
Web Application Firewall plugins such as WordFence which protect and block threats by inspecting query strings and forms do so by analysing every request made to WordPress. Our managed WordPress hosting already does this using software called mod_security. As this takes place before the request is passed to WordPress itself, your site remains fast and protected against threats before they have had a chance to cause any harm or impact your site’s performance. If you are using a security plugin to protect against these types of attacks, you should turn the plugin off.
Brute force protection plugins protect against people attempting to log in to a user account repeatedly, in the hopes of guessing the password. Plugins like Jetpack Brute Force Protect and similar check the number of times a login fails from a particular IP address. Each time they do this, they are using system resources. Our WordPress Managed hosting already makes this check by monitoring log files which is less resource intensive and also means the attacker is blocked before they even reach WordPress.
A lot of articles recommend switching off XML-RPC. Popular plugins like Jetpack will not function correctly without XML-RPC enabled. Our WordPress hosting provides protection against XML-RPC attacks, though you can still disable XML-RPC if appropriate.
Should I install a caching plugin?
Our WordPress hosting platform already provides object and transient caching, along with full page caching for non logged in users. Plugins which provide full or partial caching such as Supercache or w3totalcache make use of the object-cache.php and advanced-cache.php files. Whilst they are able to use the advanced-cache.php, we do not permit them access to write to the object-cache.php file. Such plugins are duplicating the caching system that we have put in place for you but do not have access to the full stack so cannot do so as efficiently.
Some caching plugins may still provide benefit, for example plugins with database caching, or those which provide concatenation (grouping css and JS files into a single file) if you are not using HTTP/2. With SSL enabled on your hosting, it is fully HTTP/2 compliant so these plugins will not deliver any benefit.
Plugins which make heavy use of wp-admin/admin-ajax.php on the front end of your site to make AJAX requests can cause issues, particularly on sites experiencing heavy load. This endpoint is not cached, so multiple calls to it may result in significant performance problems for your site.
Plugins that set PHPSESSION on every page load also prevent pages from caching and will cause significant performance problems for your site.