I have started to compile a list of plugins that in my opinion shouldn’t be used under a shared hosting environment as they either have security issues or are poorly coded and become resource hogs.
The list below (which isn’t under any particular order) will be updated in the future, whenever newer plugins are discovered and included:
Broken Link Checker – resource intensive – opens too many HTTP and MySQL connections which shortly saturate all the resources available.
Wordfence – resource intensive/insecure – while it’s advertised as the most downloaded security plugin, Wordfence has major drawback given that the “Live Traffic” and “Scheduled Scans functions invoke the WordPress cron too frequently and this saturates the available MySQL and HTTP resources. Besides that it’s also been subject to multiple security vulnerabilities (one & two) in the past.
Yet Another Related Posts Plugin – resource intensive – just like all other plugins used to display related posts, the Yet Another Related Posts Plugin (YARPP short) is known to open large volume of queries to the database in order to determine and match post relationship and this eventually ends up saturating all the available resources.
WP-phpMyAdmin – insecure – it provides an insecure bridge between WordPress and phpMyAdmin, thus exposing the sites to any form of insecure phpMyAdmin attacks. With over 44 vulnerabilities since it’s release, phpMyAdmin could be a major security risk if no additional steps are taken or if a plugin that exposes it is being used.
WP-Slimstat – resource intensive/insecure – populates the database with a lot of statistical data throughout time which if not removed ends up causing huge MySQL databases which become more and more resource intensive and eventually cause the saturation of all resources available on the server. This plugin was also subject to a vulnerability so it might as well prove insecure.
WP Fastest Cache – resource intensive/insecure – this plugin offers the possibility to use a preload bot which makes a large volume of internal queries in order to speed the website by preloading specific data. This plugin was also subject to a Blind SQL injection vulnerability so it should be considered to be insecure as well.