List of discouraged or problematic WordPress plugins, themes, and functionality

The following is a list of themes and plugins for WordPress for which we actively discourage either their use as a whole, or a particular function of the plugin, on our hosting. The reason is described after the name of the plugin or theme, and typically ranges from unnecessarily running dynamic code (requiring a PHP process when it shouldn't be necessary) to being regularly hacked. These issues can amount to incompatibility with our hosting. For any of these which are listed due to performance reduction, a potential solution is always to move to a VPS where your site will get the resources it requires to run the intensive functionality described.

If we have blocked a plugin, or more likely a particular action of a plugin, visitors will receive a 403 "Forbidden" (via ModSec) or 405 "Method Not Allowed" or 406 "Not Acceptable" (via nginx rule) error when that action occurs.

Discouraged Plugins or Plugin Functionality:

  • Google Analytics by ShareThis: On nearly every page load it uses a dynamic call to /?ga_action=googleanalytics_get_script, which requires loading a PHP process simply to serve the Google Analytics JavaScript embed. This is not necessary. There is no known way to disable this behaviour.
  • WordFence Live Traffic & Auto-Scanning: WordFence is a great security plugin as a whole but has, over the years, added features that will slow down your website and our servers. Setting the configuration for Live Traffic to "Security Only" and disabling automatic scans will improve the performance of your website.
  • BackupBuddy, Updraft Plus, etc: Backup functionality is not something that's designed to be operated out of a live website environment on shared servers. Read more on our backup policies to learn how to configure your web hosting account to handle your backups for you, either at the Plesk level, or on a per-app level.
  • Revolution Slider: While we don't actively block this plugin as it is very commonly used, it has had a large number of vulnerabilities over the years and is strongly discouraged. There are many other slider plugins like LayerSlider that you may use instead. Our preferred WordPress page builder, Beaver Builder, includes sliders that have no known vulnerabilities and have had none in the years we've been using them.
  • Cookie Notice: This plugin is fine as long as you do not enable the "Reloading" option (Enable to reload the page after the notice is accepted) found in the plugin's settings (Settings > Cookie Notice in WP). This is because it forces an entire page reload for every single visitor to the site and the reload has a query parameter, requiring every page load to occur non-cached.
  • GeoIP Detection: This plugin is fine as long as you do not enable the option called "Disable caching a page that contains a shortcode or API call to geo-dependent functions.", as this will likely disable all caching on the site, which is bad for performance. We only allow that option to be enabled if you have a VPS.
  • Elementor Pro WooCommerce Mini Cart: Be sure that the option under Settings > Integration > WooCommerce > Mini Cart is set to Disabled, otherwise frequent website visits will result in heavily degraded performance as dynamic processes are launched to request cart contents on every single page load.
  • Any Theme's WooCommerce Cart Items in Header/Footer: If your theme has an option to include your WooCommerce cart on all pages and you have a lot of traffic to your site, disable that option immediately. Using that option ensures that every single page load will create a dynamic request to query the contents of the cart. This works without any problem on sites with less traffic, but sites with a lot of traffic will begin to see dramatic slow-downs from this option being enabled.
  • Any Theme's Custom 404.php: Many themes (including Astra and Genesis) utilize a 404.php file that, for some stupid reason, loads the entirety of the site design simply to show custom 404 page content. If the page header or theme framework is particularly heavy, this means that every single time a 404 is encountered, heavy content is dynamically rendered and a PHP process is needed, taking up a lot of CPU resources. To resolve this, copy the 404.php file to your child theme and enter the following on the very first line. This will ensure the PHP process that handles this is super lightweight:
    <?php http_response_code(404); die('404 Not Found'); //required for performance ?>
  • Genesis Theme Custom CSS: Defaults to using dynamically generated CSS via URL, making requests for it look like this: GET /?custom-css=57f2db73cc
    Each of these requests requires a PHP process rather than simply loading from disk. The best solution for this is to not use Genesis's Custom CSS function in the WordPress customizer and only use the child theme's stylesheet. The next best solution is to instruct your caching plugin to always cache the request parameter "custom-css". This will still launch a PHP process, but it'll be much more lightweight.
  • Popup Builder: As of March 2020, this plugin has been found to have multiple vulnerabilities due to poor coding practices and is therefore discouraged. From a performance perspective, this plugin uses dynamic AJAX calls to WordPress on every single page view in order to track views. This degrades performance on busy websites, and so we've blocked solely these counter requests at the ModSecurity level. Other than view counts not increasing in the plugin admin, you will see no adverse effects as a result of this, and if you were to migrate to a VPS of your own, this rule can be removed upon request.
  • Salient Theme: With its default configuration, this theme conflicts with caching plugins by constantly forcing refreshes of minified files. To avoid this problem in the Salient theme settings, go to General Settings > CSS/Script Related and enable the option to "Move Dynamic/Custom CSS Into External Stylesheet".
  • WordPress Popular Posts: On high traffic sites the following configuration values *must* be set to ensure high performance. Note that if you do not set these values and you have sufficient traffic, you will require a VPS with significant resources for it to function.
    • Log Limit: Keep data for 180 days or less
    • Ajaxify Widget: Disabled
    • Data Caching: Enabled
    • Refresh Cache every: 60 minutes or less frequently. Optimally 3+ hours
    • Data Sampling: Enabled

Admin Notes

  • ModSec blocks exist only in the global server config in Plesk
  • nginx blocks are typically per-domain and applied via "apache and nginx settings" in Plesk. They look like the following:
if ( $args ~ "service=git-upload-pack" ) { return 406; }
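
To see which of the behaviours above are actually hitting a domain, an access log can be tallied for the query parameters and block status codes named on this page. The following is an added example, not part of our server tooling; the log lines are constructed, the "combined" log format is assumed, and the status-to-source mapping simply follows the 403/405/406 description above (other things can also return those codes).

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2020:10:00:01 +0000] "GET /?ga_action=googleanalytics_get_script HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2020:10:00:02 +0000] "GET /?custom-css=57f2db73cc HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2020:10:00:03 +0000] "GET /repo.git/info/refs?service=git-upload-pack HTTP/1.1" 406 0 "-" "git/2.25"
198.51.100.7 - - [10/Mar/2020:10:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2020:10:00:05 +0000] "GET /about/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2020:10:00:06 +0000] "GET /?ga_action=googleanalytics_get_script HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Request line and status code from a combined-format log entry.
LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Query parameters this page ties to PHP-backed requests.
DYNAMIC_PARAMS = {
    "ga_action": "Google Analytics by ShareThis script",
    "custom-css": "Genesis Custom CSS",
}
# Status codes this page attributes to blocks (assumption: no other source).
BLOCK_SOURCE = {403: "ModSec", 405: "nginx rule", 406: "nginx rule"}


def triage(log_text):
    """Return (dynamic, blocked) Counters for one access log."""
    dynamic, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        params = parse_qs(url.query, keep_blank_values=True)
        for name, label in DYNAMIC_PARAMS.items():
            if name in params:
                dynamic[label] += 1
        status = int(m["status"])
        if status in BLOCK_SOURCE:
            blocked[(BLOCK_SOURCE[status], url.path)] += 1
    return dynamic, blocked


if __name__ == "__main__":
    dyn, blk = triage(SAMPLE_LOG)
    for label, n in dyn.most_common():
        print(f"{n:5d}  PHP-backed: {label}")
    for (source, path), n in blk.most_common():
        print(f"{n:5d}  blocked by {source}: {path}")
```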