Help articles Plugins

What plugins are not allowed?

Flywheel is a managed WordPress hosting company, so we go to great lengths to ensure that the quality of your hosting experience is always at its best. As such, there are a number of security and performance considerations that we must take into account in order to provide the absolute best service.

We also strongly believe that people shouldn’t have to “fiddle” with their site to get the best performance and security – it should just work. It’s our goal to help you achieve this.

To both of these ends, we place limitations on a handful of types of plugins. These are plugins that either duplicate functionality that Flywheel already provides, or are known to not work or cause major issues.

Backup plugins

We take a backup of your site every night and allow you to easily restore, so you don’t actually need backup plugins. But more importantly: many backup plugins are incredibly resource-intensive. They may also store large backup files on your server, which can unnecessarily fill up your disk space, and they may fail completely based on our security settings.

Common examples include BackupBuddy, BackWPUp, BackUpWordPress, and others.

If you’d like to keep your own backups, we recommend either downloading a backup from the Flywheel dashboard, or if you must, choosing a plugin which allows you to store backups offsite.

Caching plugins

Flywheel handles caching at the server level, eliminating the need for caching plugins. Server-side caching is significantly more efficient and scalable than any plugin-based caching, as it doesn’t rely on PHP at all. This aside, caching plugins run the risk of interfering with the caching we already have in place. Common examples include W3 Total Cache, WP Super Cache, Batcache, and others.

In addition, plugin-based caching solutions tend to cause serious issues when used in tandem with Flywheel features that move or duplicate sites, including Blueprintscloning, and Staging.

NOTE: some caching plugins also handle other tasks, like JavaScript and CSS file minification and concatenation. W3 Total Cache is among these, as is WP Rocket. These are tasks which are ideally handled at the site development level, but if you would prefer to use a plugin, that’s fine. We just recommend not using the caching features of the plugins and leaving that to our servers instead.

Security plugins

Flywheel servers are configured specifically with WordPress security best practices, and we have server-level blocking and scanning of hackers and malware. We prevent brute force attacks, lock down core WordPress files, and take many other security measures for you.

Security plugins duplicate this, and in many cases significantly slow down sites by interfering with our caching, bloat the site’s database, and/or interfere with our native security software. Common examples include Wordfence, Better WP Security, and others.

Plugins with known issues

  • SMTP email plugins tend to interfere with our server mail sending, and run the risk of preventing your site from sending any emails at all. This is specific to SMTP; other email plugins that don’t use SMTP are generally ok.
  • EWWW Image Optimizer and other plugins rely on the exec() function, which we disable for security purposes. We don’t have any issue with image optimization plugins in general, though; in fact, we encourage them, as long as they compress existing image files and don’t create duplicates (since that could fill up your site’s disk space very quickly).
    Some recommended alternatives: Compress JPEG & PNG Images, EWWW Image Optimizer Cloud (which does not rely on the same function as the non-cloud version of EWWW Image Optimizer), Imagify and
  • Hide My WP won’t work with our default setup, although we can work with you to get it running properly on request. That said, it’s generally unneeded as long as you follow our security recommendations.
  • Any plugin that specifically modifies .htaccess will not work on Flywheel, since .htaccess is an Apache file and we run NGINX.
  • Similarly, any plugin that needs to write to the wp-config.php file will be unable to do so, although in most cases you can contact Flywheel support and we’ll be happy to work with you to put whatever you need in place.

Other things to watch out for

The TimThumb image resizing script is embedded in lots of older themes and plugins built from about 2000–2014, but it is no longer supported or updated, so it’s a vulnerability. Besides, it tends to break things on Flywheel anyway. Stick with the image optimization plugins recommended above.

Along with TimThumb, Sucuri reports that outdated versions of Gravity Forms and RevSlider contribute to a high number of security incidents and vulnerabilities with WordPress sites. This is largely because these plugins are frequently embedded in themes and aren’t updated. As long as your theme is kept up-to-date and you are running the latest versions of these plugins, you shouldn’t have issues, but it’s worth double-checking.

Note that certain plugins run database queries to work, and these interfere with caching, which will slow down a site. These include (but are not limited to) Broken Link Checker (which also doesn’t play well with Staging/cloning) and some “related posts” plugins.


We take this issue very seriously and try our best to strike a balance between freedom, security, and performance. If you have any issues, we’re happy to work with you to figure out the best solution for your site!
This is by no means an exhaustive list, but gives you a sense for the types of plugins that we strongly discourage and/or don’t allow. If you have any questions about a particular plugin and whether it is allowed, don’t hesitate to contact Flywheel support.

  • Organizations

    Everything you need to know about managing your team with our Organizations feature.

    8 Articles
  • Blueprints

    Learn everything there is to know about what Blueprints are, how to create them and how to make the best use of them.

    5 Articles
  • Simple SSL

    All there is to know about our free, automatically installed and activated SSL certificates.

    8 Articles
  • Staging

    How to get the most out of Staging, which allows you to duplicate a site, make changes, and then push those changes to the live site.

    6 Articles
  • Local by Flywheel

    Everything you need to know about our amazing, free local WordPress development software for Mac and PC.

    5 Articles
  • White Label

    Everything you need to know about our Whitelabel subscriptions for branding and reselling Flywheel.

    4 Articles
  • Getting started

    Everything you need to know to get your first Flywheel site up and running.

    8 Articles
  • Frequently Asked

    The most commonly asked questions, and a few we just think you should know.

    24 Articles
  • General Questions

    Questions that don't fit elsewhere, or those about Flywheel in general.

    56 Articles
  • Billing & Accounts

    Questions relating to payments, billing and managing your account on Flywheel.

    12 Articles
  • Domain Names

    Details about how to manage DNS and point your domain names at Flywheel.

    10 Articles
  • Database

    How to access your WordPress database to make changes and update content.

    3 Articles
  • Security

    Details about everything Flywheel does to makes your site so secure.

    12 Articles
  • Plugins

    Which plugins work best, which plugins work worst, and everything in between.

    7 Articles

Get in touch with us

Standard support hours are M-F 9am-5pm CDT and 24/7 emergency support.

WordPress experts

Try it yourself. It's free & takes less than 60 seconds. Sign up

× How to manage 50+ WordPress Sites

Here's a free ebook!

How to manage 50+ WordPress Sites