List of discouraged or problematic WordPress plugins, themes, and functionality

The following is a list of themes and plugins for WordPress for which we actively discourage either their use as a whole, or a particular function of the plugin, on our hosting. The reason is described after the name of the plugin or theme, and typically ranges from unnecessarily running dynamic code (requiring a PHP process when it shouldn't be necessary) to regularly getting hacked. These issues can amount to incompatibility with our hosting. For any of these which are listed due to performance reduction, a potential solution is always to move to a VPS where your site will get the resources it requires to run the intensive functionality described.

If we have blocked a plugin, or more likely a particular action of a plugin, visitors will receive a 403 "Forbidden" (via ModSec) or 405 "Method Not Allowed" or 406 "Not Acceptable" (via nginx rule) error when that action occurs.

Discouraged Themes, Plugins, Configurations:

Plugin or Plugin Configuration:

  • WP Reset: this plugin duplicates your tables within your database to create its snapshots. This forces your database size to double for every snapshot you create to the point where the database server needs to constantly load the database into and out of system memory, causing slow-downs server-wide. If you care about performance, do not use this plugin. It is banned on our shared servers.
  • Google Analytics by ShareThis: On nearly every page load it uses a dynamic call to /?ga_action=googleanalytics_get_script which requires loading a PHP process simply to serve the Google Analytics JavaScript embed. This is not necessary. No known way to disable this behaviour.
  • WordFence Live Traffic & Auto-Scanning: WordFence is a decent security plugin as a whole but has, over the years, added features that will slow down your website and our servers. Setting the configuration for Live Traffic to "Security Only" and disabling automatic scans will improve the performance of your website. We provide weekly malware scans free with our shared hosting (and those with a VPS that opt for the Imunify360 security layer) within Plesk, so WordFence's scans unnecessarily eat up CPU resources. Our scans run external to your PHP processing so they don't take up a process slot.
  • BackupBuddy, Updraft Plus, etc: Backup functionality is not something that's designed to be operated out of a live website environment on shared servers. Read more on our backup policies to learn how to configure your web hosting account to handle your backups for you, either at the Plesk level, or on a per-app level.
  • Revolution Slider: While we don't actively block this plugin as it is very commonly used, it has had a large quantity of vulnerabilities over the years and is strongly discouraged. There are many other slider plugins like LayerSlider that you may use instead. Our preferred WordPress page builder, Beaver Builder, includes sliders that have no known vulnerabilities and haven't in the years we've been using them.
  • Cookie Notice: This plugin is fine as long as you do not enable the "Reloading" option (Enable to reload the page after the notice is accepted) found in the plugin's settings (Settings > Cookie Notice in WP). This is because it forces an entire page reload for every single visitor to the site and the reload has a query parameter, requiring every page load to occur non-cached.
  • GeoIP Detection: This plugin is fine as long as you do not enable the option called: "Disable caching a page that contains a shortcode or API call to geo-dependent functions." as this will likely disable all caching on the site, which is bad for performance. We only allow that option to be enabled if you have a VPS.
  • Elementor Pro WooCommerce Mini Cart: Be sure that the option under Settings > Integration > WooCommerce > Mini Cart is set to Disabled, otherwise frequent website visits will result in heavily degraded performance as dynamic processes are launched to request cart contents on every single page load.
  • Popup Builder: As of March 2020, this plugin has been found to have multiple vulnerabilities due to poor coding practices and is therefore discouraged. From a performance perspective, this plugin uses dynamic AJAX calls to WordPress on every single page view in order to track views. This degrades performance on busy websites, and so we've blocked solely these counter requests at the ModSecurity level. Other than view counts not increasing in the plugin admin, you will see no adverse effects as a result of this, and if you were to migrate to a VPS of your own, this rule can be removed upon request.
  • WP-Discuz: This plugin's tooltips and documentation indicate that the "Comment Thread Displaying" section's "Comment List Loading Type" setting will give you better performance if it's set to AJAX loading, however this is incorrect. It is orders of magnitude better for performance to use either of the other two options: "Load with Page" or "Display [view comments] button".
  • WordPress Popular Posts: On high-traffic sites the following configuration values *must* be set to ensure high performance. Note that if you do not set these values and you have sufficient traffic, you will require a VPS with significant resources for it to function.
    • Log Limit: Keep data for 180 days or less
    • Ajaxify Widget: Disabled
    • Data Caching: Enabled
    • Refresh Cache every: 60 minutes or less frequent. Optimally 3+ hours
    • Data Sampling: Enabled
  • WooCommerce Free Shipping Bar (by VillaThemes): When enabled on some sites this plugin doubled all dynamic processing time and dramatically slowed down the site it was installed upon (t-reb). It's strongly recommended to not use this plugin at this time. Last tested on version Premium.

Theme or Theme Configuration:

  • [Any Theme] WooCommerce Cart Items in Header/Footer: If your theme has an option to include your WooCommerce cart on all pages and you have a lot of traffic to your site, disable that option immediately. Using that option ensures that every single page load will create a dynamic request to query the contents of the cart. This works without any problem on sites with less traffic, but sites with a lot of traffic will begin to see dramatic slow-downs from this option being enabled. If your theme does not have the option to disable it, a nearly as effective workaround is to add this to your theme's functions.php or add it using the Snippets plugin (the dequeue has to run on the wp_enqueue_scripts hook, after WooCommerce has enqueued the script): add_action('wp_enqueue_scripts', function () { wp_dequeue_script('wc-cart-fragments'); }, 11);
  • [Any Theme] Custom 404 Page: Many themes (including Astra and Genesis) utilize a 404.php file that, for some stupid reason, loads the entire site design simply to show custom 404 page content. If the page header or theme framework is particularly heavy, this means that every single time a 404 is encountered, heavy content is dynamically rendered and a PHP process is needed, taking up considerable CPU resources. To resolve this, copy the 404.php file to your child theme and enter the following on the very first line. This will ensure the PHP process that handles this is super lightweight: <?php http_response_code(404); die('404 Not Found'); //required for performance ?>
  • [Genesis Theme] Custom CSS: Defaults to using dynamically generated CSS via URL, making requests for it look like this: GET /?custom-css=57f2db73cc
    Each of these requests requires a PHP process rather than simply loading from disk. The best solution for this is to not use Genesis's Custom CSS function in the WordPress customizer and only use the child theme's stylesheet. The next best solution is to instruct your caching plugin to always cache the request parameter "custom-css". This will still launch a PHP process, but it'll be much more lightweight.
  • [Salient Theme] Custom CSS: With its default configuration, this theme conflicts with caching plugins by constantly forcing refreshes of minified files. To avoid this problem in the Salient theme settings, go to General Settings > CSS/Script Related and enable the option to "Move Dynamic/Custom CSS Into External Stylesheet".
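
To see which of the dynamic requests named above a site is actually generating, and how many requests were answered with one of the block codes (403, 405, 406), an access log can be tallied as in the following added example. It is not our tooling or any plugin's code; it assumes the combined log format, and the sample lines are constructed.

```python
import re
from collections import Counter

# Query-string markers of the per-page-load dynamic requests named in this article.
PATTERNS = {
    "sharethis-ga": re.compile(r"[?&]ga_action=googleanalytics_get_script"),
    "genesis-custom-css": re.compile(r"[?&]custom-css="),
    # Request sent by the wc-cart-fragments script on each page view.
    "wc-cart-fragments": re.compile(r"[?&]wc-ajax=get_refreshed_fragments"),
}
BLOCK_STATUSES = {403, 405, 406}  # ModSec and nginx-rule responses

# Request and status fields of a combined-format access log line.
LINE_RE = re.compile(r'"[A-Z]+ (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

def triage(lines):
    """Return (hits per pattern, blocked requests per status, unparsed lines)."""
    hits, blocked, unparsed = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            unparsed += 1  # counted so that a wrong log format is noticed
            continue
        status = int(m.group("status"))
        if status in BLOCK_STATUSES:
            blocked[status] += 1
        for name, rx in PATTERNS.items():
            if rx.search(m.group("uri")):
                hits[name] += 1
    return hits, blocked, unparsed

def make_line(method, uri, status):
    return (f'203.0.113.5 - - [01/Mar/2020:10:00:00 +0000] '
            f'"{method} {uri} HTTP/1.1" {status} 512 "-" "example-agent"')

# Constructed sample input, not taken from a real server.
SAMPLE = [
    make_line("GET", "/?ga_action=googleanalytics_get_script", 200),
    make_line("GET", "/?custom-css=57f2db73cc", 200),
    make_line("POST", "/?wc-ajax=get_refreshed_fragments", 200),
    make_line("POST", "/shop/?wc-ajax=get_refreshed_fragments", 200),
    make_line("GET", "/repo.git/info/refs?service=git-upload-pack", 406),
    make_line("POST", "/wp-admin/admin-ajax.php", 403),
    make_line("GET", "/about/", 200),
    "truncated line without a request field",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A high count for one pattern relative to total page views points at the plugin or theme option to change first.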

Admin Notes

  • modsec blocks are only in global server config in Plesk
  • nginx blocks are typically per-domain and applied via "apache and nginx settings" in Plesk. They look like the following:
if ( $args ~ "service=git-upload-pack" ) { return 406; }