“Less is More” is the principle you always should have in mind when considering what plugins you should use in your WordPress or WooCommerce installation. Any experienced developer knows that fewer lines of code means fewer bugs and fewer security holes.
Servebolt has highly optimised server setups, that take care of aggregation, optimization, gzip, caching and a lot more. Any alterations to this setup by plugins in WordPress is very likely to have a negative performance impact.
There is no need to install any form of Security plugin in WordPress. These plugins are often very large in code size, touch central parts of the WordPress core that should be left untouched, add logging, bad
.htaccess practices etc.
If you use strong passwords, and your WordPress plugins are maintained and kept up-to-date, your site will be safe. Robots, crawlers and scripts will continuously probe your site for weaknesses, or test logins, but this is not dangerous or something you need to spend time on preventing.
Discouraged security plugins:
- All In One WP Security & Firewall
- iThemes Security
- Wordfence Security
- WP Hide & Security Enhancer
Stopping malicious traffic before they reach your server should be your goal.
Any plugin that alters and adds to your
.htaccess file is likely doing things it should not do. Servebolt’s servers are already finely tuned for performance, static caching of elements and gzip – and if a plugin modifies Servebolt’s default policies, it is guaranteed to doing either duplicate work, or changing something for the worse.
For example gzip should always be turned off in your WordPress, because Servebolt’s servers gzip everything in nginx. If gzip is enabled in apache, nginx will have to unzip the file before re-zipping it, which will cause added latency and resource wasting.
Discouraged optimization plugins:
- fast-velocity-minify (doubles TTFB on many installations)
Plugins that prevent caching limit the performance of your website, and reduce the scalability. It is also usually unnecessary, as there are techniques that can be applied to provide the same functionality, without preventing your pages from being cached.
Discouraged caching plugins:
- Cache Enabler
- WP Fastest Cache
Note that we also maintain a list of WordPress plugins that break caching.
Our absolute strongest recommendation is Accelerated Domains. It allows you to eliminate the use of security, caching and optimization plugins on your website. As well as improving the performance of your website significantly, while reducing the server resources needed and the developer time that’s required to keep it running. Additionally, there are also external services like a Cloudflare Pro Plan which is a much better option with its Web Application Firewall (WAF). See all our Cloudflare options and offerings here.
Strongly(!) Discouraged plugins
This plugin creates lots of POST requests to /wp-admin/admin-ajax.php each time a visitor loads or refreshes your site. This does not scale with lots of traffic as it’s a dynamic request. Note that these settings can be tweaked in the configuration of the plugin.
This multi-language plugin has a tendency to destroy the structure of your database, and has a major performance degrading impact. We recommend using MultiLingual Press or Polylang.
This plugin generates lots of unnecessary POST requests to your site on every page views.
This is a plugin requiring heavy resources, which also has been acknowledged by the plugin developer.
The plugin runs an UPDATE query against larger datasets. Even though this should be avoided as it seriously affects performance when that is done on runtime.
Complete list with Plugin Folder Names
all-in-one-wp-security-and-firewall better-wp-security ithemes-security wp-hide-security-enhancer fast-velocity-minify remove-query-strings-littlebizzy cache-enabler wp-fastest-cache pixelyoursite pixelyoursite-pro wpml translatepress-business wise-chat wp_simple_user_insight