Unnecessary, Banned and Malicious Plugins
Top 10 most vulnerable WordPress plugins
Most of the over 55 000 WordPress plugins serve their function well. However, we have identified some plugins that we cannot endorse for use on your Seravo-hosted website. Malicious plugins might cause severe issues with the security or speed of your website. If the issue causes considerable harm, we can take action and automatically remove the plugins listed in this document from the customer's environment.
Cache plugins: Seravo has invested considerable effort into page speed optimization. Almost any caching tricks done at the WordPress PHP layer might actually hinder the website's performance by introducing new tasks, and may even interfere with the low-level optimization in our infrastructure.
Popular caching plugins that are ineffectual with Seravo services include:
- W3 Total Cache
- WP Super Cache
- WP File Cache
Security plugins: Because Seravo takes security seriously, the following plugins are mostly redundant and only make the website slower:
- Better WP Security
- iThemes Security
- Limit login attempts
- Login wall
The security plugin WordFence removes the readme.html file, which is a part of the WordPress Core. Removing any files from the WordPress Core is highly ill-advised, because Seravo's automatic security services will alert whenever any files are missing from the WordPress Core. Seravo has taken measures to protect readme.html, and having WordFence remove it holds no additional value. Instead, WordFence exposes its own readme file at /wp-content/plugins/wordfence/readme.txt. WordPress itself is in fact safe, with most of the security flaws originating from plugins. Therefore we advise installing as few plugins as possible to minimize any potential vulnerabilities. To reiterate, the top 10 most vulnerable plugins are mostly security plugins.
Concerning security, we instead suggest installing a Google reCAPTCHA integration plugin, because it effectively secures commenting functions and the login page against automated attacks.
Plugins creating issues with the database: A few common plugins slow the database down or make a mess in the database, making WordPress upkeep and performance worse.
- Broken Link Checker
- Fuzzy SEO Booster
- WP PostViews
- Tweet Blender
Backup plugins: Seravo backups are handled automatically every day, so no such plugins are required.
- Backup Guard
- Backup Scheduler
- Backup WordPress
- BackWPup Free
- E.g. when following the Duplicator Quick Start guide to import your site, the database connection breaks down
Plugins with poor security: Plugins that are known for having multiple security issues or that intentionally open database or file access are not allowed.
- PHPMyAdmin or Adminer as is or as WordPress plugins. You are to use Seravo's services for accessing the database. Adminer, as a plugin pre-installed by Seravo, can be used to access the database.
- File Commander
- Sweet Captcha
Poorly programmed plugins: Programmers with varying backgrounds and skill levels contribute to WordPress by creating plugins. Therefore it's common to see plugins that are not written using the best practices. Sometimes the plugin creator does not improve their code despite improvement requests. If a plugin repeatedly causes issues, we advise removing it.
- WPML: Performs poorly and has issues with coding standards. Try Polylang instead.
- TimThumb: Codebase has serious issues and commonly has security issues.
- ReduxFramework: Has had a spotty history of not supporting websites using https. Uses a non-standard URL framework which does not work on all sites. The team is reluctant to implement improvements.
Unused plugins: Many websites have deactivated plugins that have not been used for a long time. These should be uninstalled completely, because all PHP code on the server can be considered a potential security flaw. It's also good practice to remove unnecessary files to save storage space. You can remove all unused plugins with the following command:
$ wp plugin delete $(wp plugin list --field=name --status=inactive)
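Before deleting anything, it helps to review what is installed. The script below is an added example, not Seravo's own tooling: it reads the CSV produced by `wp plugin list --fields=name,status --format=csv` and reports plugins named on this page as well as inactive ones. The slug-to-category table and the sample inventory are assumptions constructed for illustration, since the page gives display names only.

```shell
#!/bin/sh
# Added example (not Seravo's tooling): review a plugin inventory before cleanup.
# Input on stdin: CSV from `wp plugin list --fields=name,status --format=csv`.

audit_plugins() {
  awk -F, '
    BEGIN {
      # ASSUMPTION: wordpress.org slugs for some plugins named on this page;
      # the page gives display names only, so verify against your own inventory.
      listed["w3-total-cache"]      = "cache"
      listed["wp-super-cache"]      = "cache"
      listed["better-wp-security"]  = "security"
      listed["wordfence"]           = "security"
      listed["broken-link-checker"] = "database"
      listed["backwpup"]            = "backup"
    }
    NR == 1 { next }                 # skip the CSV header row
    {
      sub(/\r$/, "", $2)             # tolerate CRLF line endings
      if ($1 in listed)
        printf "REVIEW\t%s\t%s plugin named on this page\n", $1, listed[$1]
      else if ($2 == "inactive")
        printf "UNUSED\t%s\tinactive, uninstall if no longer needed\n", $1
    }'
}

# Constructed sample inventory so the script runs without a WordPress site.
sample_inventory() {
  cat <<'EOF'
name,status
akismet,active
w3-total-cache,active
wordfence,active
example-gallery,inactive
backwpup,inactive
polylang,active
EOF
}

# Demo run on the constructed sample; on a real site use:
#   wp plugin list --fields=name,status --format=csv | audit_plugins
sample_inventory | audit_plugins
```

Listed plugins are reported as REVIEW even when inactive, so an inactive plugin from this page's lists is not mistaken for ordinary clutter.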