ANSWER: We deploy several Must Use plugins for WordPress meaning that our clients are not able to delete or disable these plugins on their website. The concept of Must Use plugins was originally based on WordPress Multi User (MU) where multiple websites are setup on the same database; for easier management, the
mu-plugins directory is created under
wp-content and any plugins in the folder get loaded “first” before all other “normal” WordPress plugins. We have carefully chosen the below Must Use plugins to ensure there is no negative affect on frontend performance (i.e. CPU/RAM, etc).
The reason we use this feature (as do many WordPress-focused web hosts) is that we feel these plugins are an essential part of our speed, stability, and security goals for our hosting environment:
0. Bedrock Autoloader: Any time you are using Must Use plugins, they either cannot be inside of child directories like “normal” plugins or you must use an autoloader script to load each plugin directory (emulating “normal” plugin functionality). We use this awesome autoloader script released by the folks at Roots :)
1. Better Search Replace: One of the best plugins around for searching strings in your database and replacing them from directly within your WP Admin panel. Because this is one of the most frequently used tools of our support team, and one of the most often recommended to our clients, we decided to include it as a Must Use plugin.
2. CloudFlare: By far the most important plugin for our setup, as we require all our managed hosting clients to point their domain’s nameservers at our agency CloudFlare account for DNS management. Without this plugin, visitor IP addresses might not be reported correctly in your analytics, and there would also be no way for your developers to enable ‘dev’ mode which is extremely important in order to clear your site’s caches after making design changes.
5. Disable XML-RPC: By far one of the things we hate most about WordPress currently is XML-RPC, which is enabled by default, and of which we have been vocal critics of for quite a while now. For years now, it has been the #1 most hacked and attacked feature in WordPress, and its only true use is for things like Pingbacks, Trackbacks, and remote logins, all of which 99% of WordPress websites either NEVER use or SHOULD NEVER use. Of course, this plugin does not go far enough to prevent XML-RPC attacks, but at least its a good start along with other methods that we employ.
6. Easy Updates Manager: Manually logging in and checking your WordPress site for updates is a huge pain and waste of time in many cases. While some web hosts offer automatic updates for the WordPress core software itself, usually webmasters are on their own when it comes to plugin and theme updates. In the case of LittleBizzy our team does occasionally login to your site’s backend as part of our pro-active customer support, however, this is not something that our clients should rely on. Instead, we include this Must Use plugin for all our clients so that they can choose which plugins (if any) they’d like to update automatically. In general, this is a good idea so that your site receives security patches immediately, but there are some things that you should probably NOT set to auto-update: this includes any of your themes, any “major” frontend plugins like WooCommerce, bbPress, MemberMouse, or any “sensitive” frontend plugins like cache plugins, or others that you know may be prone to bizarre or unpredictable code changes (such as Yoast SEO, etc). If in doubt, we encourage you to disable auto-updates.
UPDATE: After October 2016, Easy Updates Manager will no longer be included. We made this decision because of multiple customers being confused why certain plugins were or were not updating automatically, and because ultimately it is not wise to have themes or plugins “auto” updating even in the case of security reasons due to the risk of crashing or breaking your website. Although WordPress auto-updates for security and minor updates since version 3.7, we felt that auto-updating themes and plugins only caused more confusion for our customers, more work for our support staff, and ultimately is not a replacement for having an experienced web developer on hand to manually update software if and when needed while checking for any errors that may occur.
7. Error Log Monitor: A nifty little plugin that is nothing more than a dashboard widget in your WP admin panel that allows you to view any recent PHP related errors being generated by your website. This plugin requires your
wp-config.php file to specify the location of your server error log, which is explained here (as per our server blocks).
8. Opcache Dashboard: This plugin came at just the right time as Opcache was becoming evermore popular and useful, which is the PHP file caching method that is now included by default in all PHP versions after 5.5. While some developers see this plugin and often confuse it with traditional page caching plugins (i.e. Comet Cache, Super Cache, etc) it is in fact entirely different, and a key part of our server configuration. Again, it is not possible to remove this plugin and even if you did, that would not turn off Opcache since it is part of PHP itself. Rather, this plugin serves as a basic “control” tool for Opcache that allows webmasters to clear the cache by simply clicking the Invalidate button; please note that even if you don’t click this button, Opcache will automatically refresh itself (your PHP file content) every few minutes no matter what.
9. Revision Control: Although you can use
wp-config.php to control things like revisions in WordPress, sometimes its easier to visualize with a simple WP Admin setting (plus, this ensures that it doesn’t get accidentally deleted by a developer who is messing with files via FTP, etc). We recommend no more than 10 revisions per posts/pages in most cases.
UPDATE: After September 2016, the Revisions Control will no longer be included. Although members of the Automattic team initially released this plugin, it was very poorly maintained in recent years and caused multiple errors to show up in PHP error logs due to outdated code. Instead, we now include a “limit” on revision storage within the wp-config.php file itself for all of our hosted websites which is a much more efficient way to manage this setting.
10. Server Status: Our very first plugin ever released, Server Status aims to provide your developers all of the key data they need while working. It creates a simple dashboard widget in WP Admin along with a small line of code in the footer with some statistics regarding your server, PHP configuration, MySQL database, and WordPress installation. While it’s not meant to replace the need for researching
wp-config on occasion, it should drastically improve the organization and productivity of your WP Admin by collecting most important server information in one place.
11. WP Password Bcrypt: Another true gift from the guys at Roots to the WordPress community, this plugin automatically enforces the new Bcrypt security standard in PHP for all user passwords in WordPress. For several years, teams such as Roots have criticized WordPress for its very poor password security (using old-fashioned MD5 hashes, which are relatively easy to hack). But they put action to their words by releasing this free script, which we include on all our clients’ servers. Keep in mind that user passwords are only “rehashed” using Bcrypt after a user has logged out and then logged back in again, so your old (inactive) users may still have rather insecure passwords stored in your database.
12. WP StageCoach: Quickly becoming a customer favorite, this “plugin” is in fact a full-on service for creating temporary staging sites that we pay for and offer to all of our managed hosting clients free of charge. While this service remains in a sort of “beta” stage, we are actively working with the WP StageCoach team to improve things like the stability of re-importing your staging site to the live site, etc (in the meanwhile, a migration plugin is a better option). Also keep in mind that staging sites will only be active for a few weeks after you stop logging in, at which point they will be automatically deleted.
1. Comet Cache: Previously known as both Quick Cache and Comet Cache, this has been our go-to page caching plugin for several years now. It is extremely easy to use, has very clean code, and is also quite intuitive when it comes to dynamic pages such as shopping carts or forums, etc (it will not cache pages that include
wp_nonce data). Remember that this is only a recommended plugin and not required, so LittleBizzy clients are free to try others (although kindly heed our warnings).
2. Postman SMTP: By far the most popular (and quality) WordPress plugin for managing email that is being sent by your WordPress website, including lost password notices, WooCommerce receipts, and more. Originally we recommended (and installed for our SendGrid clients) the official plugin for SendGrid, but after several serious bugs we shifted to the Postman plugin, which has some pretty useful built-in functionality (such as email logs, which are nice for debugging).
3. Redis Object Cache: Since object caching requires having enough RAM memory, we only install this plugin for our Premium and Enterprise hosting clients. Also, we don’t install this as a Must Use plugin because of the potential for “crashing” WordPress if by some fluke the server’s Redis configuration has any issue.
We recommend only installing any of the below “temporarily” and then disabling and/or deleting afterwards.
1. Adminer: The clear leader when it comes to database management plugins! As we do not allow phpMyAdmin on our servers due to security risks, this is your best bet if your developers need to fiddle with MySQL tables. But whatever you do, please do NOT install Adminer (or other database management scripts) on the root of your server (i.e. directly in the
www root folder), as this greatly increases the risk of attacks and hacking attempts on your server.
2. Query Monitor: A perhaps lesser-known but very powerful plugin for monitoring the database queries on your WordPress site in real-time. If you are noticing slow performance or suspect a certain theme or plugin of being poorly coded, this plugin is a good place to start in pinpointing a script that’s eating up your server’s resources (even when you have Opcache, Redis, and page caching plugins enabled, poor code can result in “uncached” database queries hurting site performance).
3. WP-Optimize: There are absolutely tons of database optimization plugins for WordPress, and many of them focus on just a few aspects (such as removing transients, etc). This plugin focuses on many types of database “cleanup” techniques and has gotten rather popular in the last few years because of that. WARNING: any time you are manipulating your MySQL database, you are taking a serious risk of losing important data… ALWAYS perform a full backup first!