Unnecessary, Banned and Malicious Plugins
WordPress has nearly 60,000 plugins, the vast majority of which serve their function well. However, we have identified some plugins that we cannot endorse for use on a site hosted at Seravo. Plugins that perform poorly or that have poor code quality may cause severe issues with your site's loading speed, or be a threat to your site's security by offering an attacker a backdoor to access your data. Seravo may take action and automatically remove a plugin if we detect any malicious activity on your site.
Top 10 most vulnerable WordPress plugins.
Cache Plugins
Seravo has invested considerable effort into page speed optimization on several levels. Additional caching may actually end up hindering the website's performance by introducing new tasks, and even interfere with the low-level optimization in our infrastructure.
Popular caching plugins that are ineffectual at Seravo's WordPress hosting are, for example:
- W3 Total Cache
- WP Super Cache
- WP File Cache
- Autoptimize
Security Plugins
At Seravo, we have invested a lot in the security of our customers' sites and have ensured their security in various ways. The following plugins are considered redundant, and are likely to slow down your website:
- Better WP Security
- iThemes Security
- WordFence
- Limit login attempts
- Login wall
For example, WordFence has been known to remove the readme.html file, which is a part of the WordPress Core. It is highly ill-advised to remove any files from the WordPress Core, because Seravo's automatic security services will alert whenever any files are missing from the core. Seravo has taken measures to protect the readme.html, and having WordFence remove it adds no value. Instead, WordFence exposes its own readme file at /wp-content/plugins/wordfence/readme.txt.
WordPress itself is safe, with most of the security flaws stemming from plugins. Therefore, we advise installing as few plugins as possible to minimize any potential vulnerabilities. The majority of the most vulnerable plugins are actually security plugins, intended to improve site security but ending up having the opposite effect.
We strongly suggest using two-factor authentication (2FA) on the login page and taking good care of your passwords. We also recommend integration with reCaptcha, because it effectively secures commenting functions and the login page against automated attacks.
Plugins with Database Issues
A few common plugins slow down the database with heavy queries, corrupt its data or hamper its functions in some other way. This results in poor WordPress performance.
- Broken Link Checker
- SEO Redirection Plugin – 301 Redirect Manager
- WP RSS Aggregator
- MyReviewPlugin
- LinkMan
- Fuzzy SEO Booster
- WP PostViews
- Tweet Blender
Backup Plugins
Seravo's hosting plans include automatic backups, and your site is backed up once per day. Each backup is available for 30 days. This means additional backup plugins are not needed at Seravo's WordPress hosting.
- Backup Guard
- Backup Scheduler
- Backup WordPress
- BackWPup Free
- BlogVault
- Updraft
- Duplicator
  - Following the Duplicator Quick Start guide to import a site breaks down the database connection.
Plugins with Poor Security
Here is a list of plugins that are known to have multiple security issues, or that intentionally allow additional access to the database or files, which makes your site more vulnerable to attacks and compromises its security.
- phpMyAdmin or Adminer as-is, or as WordPress plugins
  - Adminer is pre-installed by Seravo on each site, and can be used to access the database. See instructions.
- File Commander
- Sweet Captcha
- Uploadify
- Ultimate Member
Plugins with Poor Code Quality
Programmers with varying skill levels contribute to WordPress by creating plugins. Therefore it's common to see plugins that are not written using the best practices. Sometimes the plugin creator does not improve their code despite requests for improvement. If a plugin repeatedly causes issues, we advise removing it.
- WPML
  - Performs poorly and has issues in coding standards. We recommend Polylang instead.
- TimThumb
  - Codebase has serious issues and commonly has security issues.
- ReduxFramework
  - Has had a spotty history of not supporting websites using https. Uses a non-standard URL-framework which does not work on all sites. The team is reluctant to implement improvements.
- Seraphinite Accelerator
  - Does not follow general or WordPress project-specific coding standards.
Maintenance Plugins
Most maintenance plugins work well, but the following plugins have been noticed to break site functionality:
- Maintenance Mode with Timer
- Simple WP Maintenance Mode
Unused Plugins
Many websites have deactivated plugins that have not been used for a long time. These should be uninstalled completely, as all additional code and files on the server can offer a way for an attacker to find a path into your site. It's also a good practice to remove unnecessary files to save storage space. You can remove all unused plugins with the following command:
$ wp plugin delete $(wp plugin list --field=name --status=inactive)
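
A review-first variant of the same cleanup, as an added example (not Seravo's own tooling): it lists what would be removed before deleting anything, skips the delete call when nothing is inactive, and leaves must-use plugins and drop-ins alone. The `KEEP` allowlist and the `DRY_RUN` switch are names assumed for this example.

```shell
#!/bin/sh
# Added example: review inactive plugins before deleting them.
# KEEP (assumed name): space-separated slugs to leave installed even if inactive.
KEEP="${KEEP:-}"

# Read "name,status" CSV on stdin, as printed by
#   wp plugin list --fields=name,status --format=csv
# and print the slug of every inactive plugin not listed in $KEEP.
inactive_plugins() {
    while IFS=, read -r name status; do
        # Skips the CSV header, active, must-use and dropin rows.
        [ "$status" = "inactive" ] || continue
        case " $KEEP " in
            *" $name "*) continue ;;   # allowlisted, keep it
        esac
        printf '%s\n' "$name"
    done
}

# Preview by default; set DRY_RUN=0 (assumed name) to actually delete.
cleanup() {
    targets=$(wp plugin list --fields=name,status --format=csv | inactive_plugins)
    if [ -z "$targets" ]; then
        echo "No inactive plugins to remove."
        return 0
    fi
    if [ "${DRY_RUN:-1}" = "1" ]; then
        # $targets is left unquoted on purpose: one argument per slug.
        echo "Would run: wp plugin delete" $targets
    else
        wp plugin delete $targets
    fi
}

# Only touch the site when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    cleanup
fi
```

Run it with `--run` to get the preview, then again with `DRY_RUN=0` once the list looks right.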