“There’s a plugin for that” is a long-time notion in the global WordPress community. In one way it’s a positive example of the flexibility of WordPress, but on the other hand it has created a mind-set of “everything should be solved using plugins”. We know slow WordPress plugins is one of the biggest performance killers in the WordPress ecosystem.
The downside to the “there’s a plugin for that” mindset is that WordPress sites have become slower than they have to be. In contrast to what some users of other CMSes and static content generators claim, WordPress is not slow. It’s what we add to WordPress that makes it slow. For example plugins.
Earlier this year I gave a talk at WordCamp Nordic in Helsinki, Finland, about some of the most popular WordPress plugins, with the most negative impact on performance. This is based on my experience with WordPress since 2005, and from my work as a performance expert here at Servebolt.
Here’s a video of my talk. More information has also been added in the post below.
Before you add any plugin to WordPress there are a few very important questions you need to ask yourself.
- Do you really need this plugin?
- Is the plugin a “must have” or just a “nice to have”?
- Can it be solved server-side or some other way outside of WordPress (that won’t affect the performance of your website)?
Many features found in WordPress plugins can easily be added through small code snippets in your WordPress theme functions.php file, or as a small plugin. So if you just need one feature you usually should not install a large plugin. Just like you don’t need to install Photoshop to resize photos.
Many features, like image optimisation, don’t even need a plugin. Image optimization can as easily be done with server tools like imagemagick via command line and SSH.
The fact is that every line of code you add to WordPress will increase your loading times. And all plugins slow down your site, but for some well built or small plugins the performance impact is negligible.
Another important thing is to avoid using plugins that “do it all”, also known as “swiss army knife plugins”. They tend to do a lot of things not that well and add bloat. Since it’s not the amount of plugins that slows down your code but the total amount of code that needs to be run, it’s much better to add small specialized plugins.
When installing plugins, you must test your WordPress website both before and after. What’s the performance impact of the plugin? Is it worth it? Again, “must have” vs. “nice to have”.
You should also check the following:
- If it’s available through the WordPress plugin directory, what’s the rating there?
- Check the support forum for the plugin, are there many unanswered questions there?
- When was it last updated?
- Is it tested with your version of WordPress?
Another nice thing to check is the history of security vulnerabilities in vulnerability databases like wpvulndb.com.
Activate plugins the right way
Running plugins the right way is also important. If you have a WordPress network (multi-site), don’t activate a plugin for the whole network if it’s only going to be used on one website. Activate it for that one website only!
Plugins that perform scheduled tasks should of course be setup with server based cron. You don’t still use WP-cron do you? That’s a major performance killer! Go ahead and switch to server cron with WordPress right away.
Here’s how to setup cron the right way with Servebolt: How to setup WordPress and WooCommerce Cron Jobs
The plugins that hurt your WordPress performance
I’ve sorted these plugins in different categories, along with some better alternatives. These are not all the bad plugins that exist, I’m afraid there’s more of them out there, but it’s some of the most popular ones that we’ve seen to have a negative impact on performance.
- WordFence Security
- Sucuri Security
- iThemes Security (Better WP Security)
- All in One WP Security & Firewall
- Firewall with your hosting provider
- Deactivate XML-RPC
- Update plugins, themes and core regularly
- Use & enforce safe passwords
Security plugins really don’t add that much security to WordPress. Instead they tend to give a false sense of security. And many times they’ve contained security holes themselves.
If you want to stay safe and secure with WordPress, the most important thing is to update WordPress with plugins and themes properly. When WordPress is hacked, it’s almost always due to an insecure plugin.
A firewall with your hosting provider or an application firewall with a provider such as Cloudflare is great for protection as well. They protect websites from known attacks (based on a database with vulnerabilities) even before the attacks hit your website.
Want more tips on security? Read our good friend Bjørn Johansen’s blogpost WordPress security for the casual blogger or small business with limited resources.
- WPBakery (Visual Composer)
- Beaver builder
- WordPress Block Editor (Gutenberg)
- Advanced Custom Fields – Flexible Content Fields
Page builders can be both a blessing and a curse. Sure, they tend to make things a whole lot easier, but they also add a lot of bloated functions and unnecessary code. Especially on the frontend. With the recent introduction of the Block Editor (Gutenberg), several page builders have become more performant, but they’re still far from good.
Until the block editor is a full-fledged page builder (yes, this will eventually happen), a combination of Gutenberg and Advanced Custom Fields is the most performant solution. This is also how we at Servebolt do page builder on our own website. We use ACF Flexible Content as the page builder, and use the block editor on blog posts.
- EWWW Image Optimizer
- Smush Image Compression & Optimization
- Various “resize” plugins
- Serverbased image optimization
- Optimize images locally before upload
- wp media regenerate (WP-CLI)
- Compress JPEG & PNG images (TinyPNG)
- ShortPixel Image Optimizer
The one thing that usually takes up most space in a website is the images. So it’s a very good idea to optimize the images, to reduce their size and loading time. Unfortunately, many users just install an image optimization plugin and think they’re good. But they’re really not.
We’ve tested and evaluated many image optimization plugins and to our surprise, many of them are really bad. The plugin with the most negative impact is definitely EWWW Image Optimization. If you have to use a plugin, it’s better to use plugins that off-load the optimization.
But better than using plugins is to manage the image optimization either when the images are produced. Export them properly or optimize the images server-side with programs like jpegoptim, imagemagick and optipng. Note also that WP-CLI has some nice image tools nowadays!
Broken links and related posts
- Broken Link Checker
- WP Broken Link Status Checker
- Yet Another Related Posts Plugin
- Google Search Console
- Moz, Screaming Frog, Sitebulb etc.
- Yoast SEO Premium
These are plugins with scheduled tasks that benefit hugely from a proper cron setup, as mentioned above. Best of all though is to use specialized external services, like the Google Search Console and Moz or Screaming Frog.
The related posts function in the premium version of Yoast SEO is also something we can recommend. Yoast SEO in general is very good performance-wise these days, so check them out if you haven’t already.
- Updraft/Updraft Plus
- Backups by hosting provider
- mysqldump + rsync (command line)
- wp db export/import (WP-CLI)
Backups can be really difficult to set up. We’ve seen many cases where backup plugins have completely “frozen” websites, causing them to not respond at all. The best way to do backups is always server-side, if it’s done in a way that doesn’t affect the web- and database services.
Traditional server-side programs like mysqldump/mysql and rsync are built for performance from start. Use them as intended! Also, recent versions of WP-CLI has excellent features for export/import of databases.
- Social Media Share Button (+others)
- Functions from social networks
Social media, or sharing plugins, have a tendency to include extremely much external code and functions. Many of them also don’t respect website visitors privacy (and sell information about your visitors to third-party). These plugins also tend to match the “do it all” mentality.
If you want your website visitors to share your content, use the functions readily available with the social networks that you use. Check the developer documentation with Facebook, Twitter and similar. And if you really have to use a plugin, use MashShare.
- Loco Translate
- Plain Multisite install
The multi-lingual support of WordPress has slowly become better with the years, and we’ll probably see full translation support included in WordPress core in the future, but until then much of this functionality is solved using plugins.
Cache and optimization
- WP Super Cache, W3 Total Cache (+others)
- Server based cache
- Cloudflare Edge Cache
- Pagespeed module (mod_pagespeed)
If you’ve read any of the articles previously written by my colleagues at Servebolt, you know that we aren’t big fans of using cache for optimization. That’s not how cache is supposed to be used. It’s much better to focus on the code rather than the cache.
Cache plugins speed up the requests that is cached, but slow down the requests that are not cached. Since a regular cache hit rate is somewhere between 10 and 25% a cache plugin will slow down the site for 75-90% of your visitors.
If you still need cache, use a server based cache solution. Another good alternative for caching of static resources (images, scripts and similar) is Cloudflare. And for optimization of database and scripts, use the proper server-side tools instead of adding more code to WordPress.
Really unnecessary plugins
This last category really shouldn’t need any explanation.
Don’t use the Revolution Slider plugin if you want performance with WordPress.
The same thing applies with Really Simple SSL (which only is necessary for broken WordPress installations). It’s more than enough to update the siteurl and home url, and do a search replace of with http://yourdomain.com with https://yourdomain.com.
With WP-CLI doing a search replace doesn’t even need an additional plugin. You can just run this command, and you’re good to go:
wp search-replace http://yourdomain.com https://yourdomain.com --all-tables
Don’t use the Revolution Slider plugin if you want performance with WordPress.
And plugins that allow custom PHP execution within WordPress are usually both negative for performance as well as a huge security risk. Use functions.php for your theme, setup a child theme, or make a custom plugin. That’s how custom PHP is supposed to be managed with WordPress.
If you know anything about performance with WordPress, you’re probably missing one plugin here. Yeah, we all know about it. We’ve all used it at some time. It’s one of the most downloaded WordPress plugins and it’s developed by Automattic.
What about Jetpack?
Jetpack is not the best performing WordPress plugin out there. But I haven’t included it in my list of bad plugins since Jetpack has become better, much better with time.
Nowadays, it’s modular and you can use just certain features that you want.
Would I install and use Jetpack? No, I would not. But I won’t judge those who do, if they really “must have” it and have evaluated the alternatives. Do your homework with Jetpack!
Final words on troubleshooting plugins
WordPress plugins fail. They break websites, adds security holes and causes problems. But we still use them, we still need them and love them. Luckily for us there are many ways to resolve issues with plugins, both inside and outside of WordPress.
The Health Check & Troubleshooting plugin is awesome. It’s so awesome that it will soon be a part of the WordPress core. With it, it’s easy to test plugins and themes on a WordPress site without the visitors even noticing it and much more. Check it out if you haven’t already.
The Query Monitor and WP Performance Profiler plugins are also great for troubleshooting plugins. And with wp profile in WP-CLI, it’s really easy to profile and analyze everything that loads on a WordPress website. Be sure to check it out as well!
Did a plugin break your site? Rename the folder of the plugin (through SSH/SFTP, check the wp-content and plugins folder) to disable it. It’s the oldest trick in the book, but it still works.
Of course, plugins can also easily be installed, activated and removed through WP-CLI.
WordPress has a built-in debugging mode that’s easily activated through wp-config.php. And many hosting providers, such as Servebolt, can give you access to the error logs directly on the server. Many times the cause of faulty plugins are listed in clear text there.
And a final note on errors, make sure to fix even “just warnings”. If a warning occurs, PHP have to write a log notice about it which in the end reduces your performance. The goal for all websites should be to have a clean error log