This document outlines our WordPress plugin policy, which is designed to keep your site secure and running well.
There are a few groups of plugins that we do not allow due to how they interact with our infrastructure or services, or because they have been found to be problematic or easily hacked. We ask that you not install these plugins, and will remove them if found.
There are nearly 500,000 plugins out there, and as long as you choose plugins that are actively developed and approved for the current WordPress version, chances are they will work just fine and not cause any issues. Below are plugins we either have experienced problems with, or which have been found to be problematic or insecure by leading WordPress security partners such as Wordfence or Sucuri.
Most caching plugins do not cooperate with our custom caching environment and can, ironically, cause performance loss or outages, or break access to your admin:
- WP Super Cache
- WP File Cache
- W3 Total Cache
- WP Rocket
We've got you covered when it comes to caching and performance tuning. If you need additional help or advice on optimizing your site content for speed, or evaluating your site load based on its content/theme, contact one of our WordPress Theme experts using the Get Help button below.
(Some) Backup Plugins
Daily backups are included in your Envato Hosted package to ensure you always have access to a snapshot if something goes wrong. These are kept in a secure location outside of your WordPress install and can be restored or made available to you at your request to Hosted Support. See How to Manage Your Backups or Restore Your Site for more detail.
In general, we discourage the use of backup plugins aside from content-export plugins such as WP Importer, Widget Importer or Customizer Backup.
In short, backup plugins that do not use offsite syncing needlessly duplicate our built-in functionality and may take up unnecessary space on your site. Backup plugins set to automatically back up to your webspace can also slow database connectivity with extra — and sometimes very large — MySQL queries and cause timeouts on larger sites. Please avoid the following:
- WP DB Manager — Do not use
- BackupWordPress — While the plugin is not insecure, it duplicates a number of files on disk that are already in our backups.
- VersionPress — Disallowed
- VaultPress - blocked due to how it degrades the file system performance on the server when it runs
Server & MySQL Thrashing Plugins
The following plugins are disallowed due to how they interact with our database servers.
- Broken Link Checker
- Fuzzy SEO Booster - Use All In One SEO or Yoast SEO instead
- WP PostViews — Select themes, such as Photography and Grand Photography, will require this plugin; please ignore the notice to install and activate it.
  - To track traffic in a more scalable manner, both the stats module in Automattic’s Jetpack plugin and Google Analytics work wonderfully.
- Tweet Blender
Related Posts Plugins
Almost all “Related Posts” plugins suffer from the same fundamental problems regarding MySQL, indexing and search. All of these problems make the plugins themselves extremely database intensive. Most themes offer a light solution within the theme options for displaying related content which we recommend taking advantage of.
Specific related posts plugins we ask you to avoid are:
- Dynamic Related Posts
- SEO Auto Links & Related Posts
- Yet Another Related Posts Plugin
- Similar Posts
- Contextual Related Posts
Security/Maintenance Plugins
It is important you keep your WordPress install secure and hardened against malware attacks, as we can only provide and ensure security at the server level. However, not all security plugins are created equal, and some can actually disable your own access to WordPress or break our ability to maintain your site or provide support. Please avoid the following:
- Bad Behavior
- WordPress Multisite (not supported)
- Any plugin attempting to perform .htaccess changes
- WP Malware Checker
- WP Virus Scan
Additionally, WP phpMyAdmin and WP File Manager are disallowed due to a fairly major security issue.
To keep your WordPress secure, we recommend the following:
- Wordfence Security (please turn off Live View)
When our customers want to send emails, we want them to have the same best-in-class service. Email plugins found to be using WordPress to send large numbers of outgoing emails, such as WP Mailing List, will be removed. Please consider using third-party services like the ones listed below if you need to manage a large subscriber list or send mass emails to customers:
- Active Campaign
- Vertical Response
- Campaign Monitor
Note that normal use of email in contact forms or plugins for things like notifications, order status and so on is fine.
Are these Bad Plugins?
Not all of these plugins are bad plugins. Some of them, like related posts plugins, can be very good for SEO on most sites. However, our main focus is on making sure our customers' sites all perform well and are secure, so some plugins just aren't good for us.
As for insecure plugins, we try to work with the plugin developer to find a fix. While we work with the developer, we may temporarily add a plugin to our disallowed list, but will happily allow it again once the issue has been addressed.
In all cases, when asked, we try to provide reasonable alternatives. If you have any questions about these plugins or need help finding an alternative, click Get Help below to send us your request.