“There’s a plugin for that” is a long-time notion in the global WordPress community. In one way it’s a positive example of the flexibility of WordPress, but on the other hand it has created a mind-set of “everything should be solved using plugins”. We know slow WordPress plugins is one of the biggest performance killers in the WordPress ecosystem.



The downside to the “there’s a plugin for that” mindset is that WordPress sites have become slower than they have to be. In contrast to what some users of other CMSes and static content generators claim, WordPress is not slow. It’s what we add to WordPress that makes it slow. For example plugins.

Earlier this year I gave a talk at WordCamp Nordic in Helsinki, Finland, about some of the most popular WordPress plugins, with the most negative impact on performance. This is based on my experience with WordPress since 2005, and from my work as a performance expert here at Servebolt.



Here’s a video of my talk. More information has also been added in the post below.

WordPress is not slow. It’s what we add to WordPress that makes it slow.

Plugin hygene

Before you add any plugin to WordPress there are a few very important questions you need to ask yourself.

Do you really need this plugin? Is the plugin a “must have” or just a “nice to have”? Can it be solved server-side or some other way outside of WordPress (that won’t affect the performance of your website)?

Many features found in WordPress plugins can easily be added through small code snippets in your WordPress theme functions.php file, or as a small plugin. So if you just need one feature you usually should not install a large plugin. Just like you don’t need to install Photoshop to resize photos.

Many features, like image optimisation, don’t even need a plugin. Image optimization can as easily be done with server tools like imagemagick via command line and SSH.

The fact is that every line of code you add to WordPress will increase your loading times. And all plugins slow down your site, but for some well built or small plugins the performance impact is negligible.

Another important thing is to avoid using plugins that “do it all”, also known as “swiss army knife plugins”. They tend to do a lot of things not that well and add bloat. Since it’s not the amount of plugins that slows down your code but the total amount of code that needs to be run, it’s much better to add small specialized plugins.

When installing plugins, you must test your WordPress website both before and after. What’s the performance impact of the plugin? Is it worth it? Again, “must have” vs. “nice to have”.

You should also check the following:



If it’s available through the WordPress plugin directory, what’s the rating there?

Check the support forum for the plugin, are there many unanswered questions there?

When was it last updated?

Is it tested with your version of WordPress?

Another nice thing to check is the history of security vulnerabilities in vulnerability databases like wpvulndb.com.

The Servebolt Optimizer plugin in the WordPress plugin directory

Activate plugins the right way

Running plugins the right way is also important. If you have a WordPress network (multi-site), don’t activate a plugin for the whole network if it’s only going to be used on one website. Activate it for that one website only!



Plugins that perform scheduled tasks should of course be setup with server based cron. You don’t still use WP-cron do you? That’s a major performance killer! Go ahead and switch to server cron with WordPress right away.



Here’s how to setup cron the right way with Servebolt: How to setup WordPress and WooCommerce Cron Jobs

The plugins that hurt your WordPress performance

I’ve sorted these plugins in different categories, along with some better alternatives. These are not all the bad plugins that exist, I’m afraid there’s more of them out there, but it’s some of the most popular ones that we’ve seen to have a negative impact on performance.



Security



The bad WordFence Security

Sucuri Security

iThemes Security (Better WP Security)

All in One WP Security & Firewall The alternatives Firewall with your hosting provider

Cloudflare

Deactivate XML-RPC

Update plugins, themes and core regularly

Use & enforce safe passwords

Security plugins really don’t add that much security to WordPress. Instead, they tend to give a false sense of security. And many times they’ve contained security holes themselves.



Security plugins touch areas that should not be touched by a plugin, and they try to do way too much. When a security plugin has an error in a function that touches an otherwise harmless area, it causes horrible consequences. Bjørn Johansen

If you want to stay safe and secure with WordPress, the most important thing is to update WordPress with plugins and themes properly. When WordPress is hacked, it’s almost always due to an insecure plugin.



A firewall with your hosting provider or an application firewall with a provider such as Cloudflare is great for protection as well. They protect websites from known attacks (based on a database with vulnerabilities) even before the attacks hit your website.

Want more tips on security? Read our good friend Bjørn Johansen’s blogpost WordPress security for the casual blogger or small business with limited resources.

Page builders



The bad WPBakery (Visual Composer)

Beaver builder

Elementor The alternatives WordPress Block Editor (Gutenberg)



Advanced Custom Fields – Flexible Content Fields

Page builders can be both a blessing and a curse. Sure, they tend to make things a whole lot easier, but they also add a lot of bloated functions and unnecessary code. Especially on the frontend. With the recent introduction of the Block Editor (Gutenberg), several page builders have become more performant, but they’re still far from good.



Until the block editor is a full-fledged page builder (yes, this will eventually happen), a combination of Gutenberg and Advanced Custom Fields is the most performant solution. This is also how we at Servebolt do page builder on our own website. We use ACF Flexible Content as the page builder, and use the block editor on blog posts.



Image management



The bad EWWW Image Optimizer

Smush Image Compression & Optimization

Imsantiy

Various “resize” plugins The alternatives Serverbased image optimization

Optimize images locally before upload

wp media regenerate (WP-CLI)

Compress JPEG & PNG images (TinyPNG)

ShortPixel Image Optimizer

The one thing that usually takes up most space in a website is the images. So it’s a very good idea to optimize the images, to reduce their size and loading time. Unfortunately, many users just install an image optimization plugin and think they’re good. But they’re really not.



We’ve tested and evaluated many image optimization plugins and to our surprise, many of them are really bad. The plugin with the most negative impact is definitely EWWW Image Optimization. If you have to use a plugin, it’s better to use plugins that off-load the optimization.



But better than using plugins is to manage the image optimization either when the images are produced. Export them properly or optimize the images server-side with programs like jpegoptim, imagemagick and optipng. Note also that WP-CLI has some nice image tools nowadays!



Broken links and related posts



The bad Broken Link Checker

WP Broken Link Status Checker

Yet Another Related Posts Plugin The alternatives Google Search Console

Moz, Screaming Frog, Sitebulb etc.

Yoast SEO Premium

These are plugins with scheduled tasks that benefit hugely from a proper cron setup, as mentioned above. Best of all though is to use specialized external services, like the Google Search Console and Moz or Screaming Frog.



The related posts function in the premium version of Yoast SEO is also something we can recommend. Yoast SEO in general is very good performance-wise these days, so check them out if you haven’t already.



Backups



The bad WP-DBManager

Updraft/Updraft Plus

Duplicator The alternatives Backups by hosting provider

mysqldump + rsync (command line)

wp db export/import (WP-CLI)

Backups can be really difficult to set up. We’ve seen many cases where backup plugins have completely “frozen” websites, causing them to not respond at all. The best way to do backups is always server-side, if it’s done in a way that doesn’t affect the web- and database services.



Traditional server-side programs like mysqldump/mysql and rsync are built for performance from start. Use them as intended! Also, recent versions of WP-CLI has excellent features for export/import of databases.



Social media



The bad AddThis

ShareThis

Social Media Share Button (+others) The alternatives Functions from social networks

MashShare

Social media, or sharing plugins, have a tendency to include extremely much external code and functions. Many of them also don’t respect website visitors privacy (and sell information about your visitors to third-party). These plugins also tend to match the “do it all” mentality.



If you want your website visitors to share your content, use the functions readily available with the social networks that you use. Check the developer documentation with Facebook, Twitter and similar. And if you really have to use a plugin, use MashShare.



Translations



The bad WPML

Loco Translate The alternatives MultilingualPress

Polylang

Plain Multisite install

The multi-lingual support of WordPress has slowly become better with the years, and we’ll probably see full translation support included in WordPress core in the future, but until then much of this functionality is solved using plugins.



If you need to go multi-lingual, don’t use WPML. That’s the best advice I can give you here. Both MultilingualPress and Polylang are better alternatives. Just don’t use WPML.



Cache and optimization



The bad WP Super Cache, W3 Total Cache (+others)

WP-Optimize

Autoptimize The alternatives Server based cache

Cloudflare Edge Cache

mysql/phpMyAdmin

Pagespeed module (mod_pagespeed)

If you’ve read any of the articles previously written by my colleagues at Servebolt, you know that we aren’t big fans of using cache for optimization. That’s not how cache is supposed to be used. It’s much better to focus on the code rather than the cache.

Cache plugins speed up the requests that is cached, but slow down the requests that are not cached. Since a regular cache hit rate is somewhere between 10 and 25% a cache plugin will slow down the site for 75-90% of your visitors.



If you still need cache, use a server based cache solution. Another good alternative for caching of static resources (images, scripts and similar) is Cloudflare. And for optimization of database and scripts, use the proper server-side tools instead of adding more code to WordPress.

Really unnecessary plugins



This last category really shouldn’t need any explanation.

Don’t use the Revolution Slider plugin if you want performance with WordPress.

The same thing applies with Really Simple SSL (which only is necessary for broken WordPress installations). It’s more than enough to update the site_url and home_url , and do a search replace with http://yourdomain.com with https://yourdomain.com .

With WP-CLI doing a search replace doesn’t even need an additional plugin. You can just run this command, and you’re good to go:

wp search-replace http://yourdomain.com https://yourdomain.com --all-tables

Don’t use the Revolution Slider plugin if you want performance with WordPress.



And plugins that allow custom PHP execution within WordPress are usually both negative for performance as well as a huge security risk. Use functions.php for your theme, setup a child theme, or make a custom plugin. That’s how custom PHP is supposed to be managed with WordPress.



If you know anything about performance with WordPress, you’re probably missing one plugin here. Yeah, we all know about it. We’ve all used it at some time. It’s one of the most downloaded WordPress plugins and it’s developed by Automattic.



What about Jetpack?



Jetpack is not the best performing WordPress plugin out there. But I haven’t included it in my list of bad plugins since Jetpack has become better, much better with time.

Nowadays, it’s modular and you can use just certain features that you want.



Would I install and use Jetpack? No, I would not. But I won’t judge those who do, if they really “must have” it and have evaluated the alternatives. Do your homework with Jetpack!



Final words on troubleshooting plugins

WordPress plugins fail. They break websites, adds security holes and causes problems. But we still use them, we still need them and love them. Luckily for us there are many ways to resolve issues with plugins, both inside and outside of WordPress.



Inside WordPress



The Health Check & Troubleshooting plugin is awesome. It’s so awesome that it will soon be a part of the WordPress core. With it, it’s easy to test plugins and themes on a WordPress site without the visitors even noticing it and much more. Check it out if you haven’t already.



The Query Monitor and WP Performance Profiler plugins are also great for troubleshooting plugins. And with wp profile in WP-CLI, it’s really easy to profile and analyze everything that loads in a WordPress website. Be sure to check it out as well!



Outside WordPress



Did a plugin break your site? Rename the folder of the plugin (through SSH/SFTP, check the wp-content and plugins folder) to disable it. It’s the oldest trick in the book, but it still works.



Of course, plugins can also easily be installed, activated and removed through WP-CLI.



WordPress has a built-in debugging mode that’s easily activated through wp-config.php. And many hosting providers, such as Servebolt, can give you access to the error logs directly on the server. Many times the cause of faulty plugins are listed in clear text there.



And a final note on errors, make sure to fix even “just warnings”. If a warning occurs, PHP have to write a log notice about it which in the end reduces your performance. The goal for all websites should be to have a clean error log

WordPress plugins fail. They break websites, adds security holes and causes problems. But we still use them, we still need them and love them.

Feel free to comment below if you have any input. Do you know of any plugins that should be included in my list? Or do you think a plugin above shouldn’t be included? I’d love to hear about it in the comments!