This document contains our WordPress plugin policy which is designed to keep your site secure and running well.
With nearly 500,000 plugins out there, as long as you choose plugins that are actively developed and approved for the current WordPress version, chances are they will work just fine and not cause any issues.
There are, however, certain plugins that we need to remove due to how they interact with our infrastructure or services, or because they have been found to be problematic or easily hacked.
For your reference, here is the current list of plugins we will actively remove if found:
- Display Widgets
- W3 Total Cache
- WP File Cache
- WP Super Cache
- Yet Another Related Posts Plugin
In addition to the disallowed plugins noted above, there are also certain groups of plugins that we recommend you do not use. These are plugins we either have experienced problems with, or have been found to be problematic or insecure by leading WordPress security services such as Wordfence or Sucuri.
We ask that you not install the following plugins:
Most caching plugins do not cooperate with our custom caching environment and can cause performance loss, outages or break access to your admin. In addition to the caching plugins we disallow, we do not recommend you use the following:
- Autoptimize - minifies all of your scripts into one which often breaks theme functionality - your theme already minifies what it can.
We've got you covered when it comes to caching and performance tuning. If you need additional help or advice on optimizing your site content for speed, or evaluating your site load based on its content/theme, contact one of our WordPress Theme experts using the Get Help button below.
(Some) Backup Plugins
Daily backups are included in your Envato Hosted package to ensure you always have access to a snapshot if something goes wrong. These are kept in a secure location outside of your WordPress install and can be restored or made available to you at your request to Hosted Support. See How to Manage Your Backups or Restore Your Site for more detail.
In general, we discourage the use of backup plugins aside from content-export plugins such as WP Importer, Widget Importer or Customizer Backup.
In short, backup plugins that do not use offsite syncing needlessly duplicate our built-in functionality and may take up unnecessary space on your site. Backup plugins set to automatically backup to your webspace can also slow database connectivity with extra — and sometimes very large — MySQL queries and cause timeouts on larger sites. We ask that you avoid the following:
- WP DB Manager
- WP Rollback
Server & MySQL Thrashing Plugins
The following plugins are not recommended, due to how they interact with our database servers:
- Broken Link Checker
- Fuzzy SEO Booster - Use All In One SEO or Yoast SEO instead
- WP PostViews — Select's themes will require this plugin in Photography and Grand Photography, please ignore the notice to install and activate it.
- Tip: To track traffic in a more scalable manner, both the stats module in Automattic’s Jetpack plugin and Google Analytics work wonderfully.
- Tweet Blender
- Real Time Find and Replace
Core Modifying Plugins
We ask you not to install plugins that attempt to modify the core setup of WordPress or the server, including:
- plugins attempting to modify the .htaccess
- plugins that attempt to bypass server restrictions
Related Posts Plugins
Almost all “Related Posts” plugins suffer from the same fundamental problems regarding MySQL, indexing and search. All of these problems make the plugins themselves extremely database intensive. Most themes offer a light solution within the theme options for displaying related content which we recommend taking advantage of.
Specific related posts plugins we ask you to avoid are:
- Dynamic Related Posts
- SEO Auto Links & Related Posts
- Similar Posts
- Contextual Related Posts
Security /Maintenance Plugins
It is important you keep your WordPress install secure and hardened against malware attacks, as we can only provide and ensure security at the server level. However, not all security plugins are created equal, and some can actually disable your own access to WordPress or break our ability to maintain your site or provide support. We ask that you avoid the following:
- Bad Behavior
- WordPress Multisite (not supported)
- Any plugin attempting to perform .htaccess changes
- WP Malware Checker
- WP Virus Scan
Additionally, we ask you not install WP phpMyAdmin and WP File Manager, due to a fairly major security issue
When our customers want to send emails, we want them to have the same best-in-class service. Email plugins found to be using WordPress to send large numbers of outgoing email, such as WP Mailing List, may be removed. Please consider using 3rd party services like Mailchimp, Active Campaign or Sumo if you need to manage a large subscriber list or send mass-emails to customers.
Note that normal use of email in contact forms or plugins for things like notification, order status and so on are fine.
Aggregators and Content plugins
Plugins that attempt to import content from another site or allow visitor uploads or which enable any blackhat SEO tactic are problematic in that they walk a gray line legally, may expose your site to security issues, or cause a large amount of database load. We ask that you avoid the following:
- WP Social Importer
- RSS Post Importer
We do not recommend any plugins that use your webspace or database to house or run chat rooms, including WP Live Chat Support. To add chat to your site, please use a 3rd party service that specializes in chat such as Intercom, Groove, Olark, Zopim or SnapEngage to name a few.
Are these Bad Plugins?
Not all of these plugins are bad plugins. Some of them, like related posts plugins, can be very good for SEO on most sites. However, our main focus is on making sure our customer's sites all perform well and are secure, so some plugins just aren't good for us.
As for insecure plugins, we try to work with the plugin developer to find a fix. While we work with the developer we may temporarily add a plugin to our disallowed list but will happily allow it again once the issue has been addressed.
In all cases, when asked, we try to provide reasonable alternatives. If you have any questions about these plugins or help finding an alternative, click Get Help below to send us your request.