When signing up for web hosting, convenience is often a key selling point. Many hosting companies pre-install WordPress along with a set of plugins they recommend to get you started. However, pre-installed WordPress plugins can present some risks—especially if the hosting company doesn’t stay on top of updates. This is particularly concerning when it comes to security and performance.
One example I’ve encountered is with LiteSpeed Cache, a popular caching plugin. It’s commonly pre-installed by web hosting companies to boost site speed, but it has had known vulnerabilities in recent months. My host continued to install outdated, vulnerable versions, leaving my site exposed. After researching why this kept happening, I had to ask the host to stop pre-installing it on my WordPress installations.
The Problem with Pre-Installed WordPress Plugins
While pre-installing plugins may seem like a helpful time-saver, there are several potential issues to be aware of:
1. Security Vulnerabilities
Pre-installed WordPress plugins need to be regularly updated to avoid security risks. If your host pre-installs a plugin and fails to keep it up to date, your site is left vulnerable. For example, LiteSpeed Cache had known vulnerabilities in recent releases, but my host wasn’t updating it, leaving me exposed to potential attacks.
2. Outdated Versions
Even when security isn’t a concern, running outdated plugins can lead to compatibility issues with the latest version of WordPress. This can slow down your site or cause frustrating errors. Many users assume their site is fully optimized, but the reality is that they’re running old versions of pre-installed WordPress plugins that aren’t compatible with newer WordPress releases.
3. Unwanted Bloat
Not every pre-installed plugin is necessary for your specific needs. These plugins can add bloat to your site, increasing load times and complicating your plugin management. By the time you get to work on your site, it might be filled with unnecessary pre-installed plugins that add no value.
My Experience with LiteSpeed Cache
To illustrate this problem, my hosting provider automatically installed LiteSpeed Cache on each new WordPress installation. However, they didn’t bother to update it, even though vulnerabilities had been reported. After doing some research to figure out why it kept appearing, I finally asked the host to stop pre-installing the plugin. While that fixed the immediate issue, it made me question whether web hosting companies should pre-install plugins at all.
What Web Hosting Companies Should Do Instead
If hosting providers continue pre-installing WordPress plugins, they must do so responsibly. Here’s what they should be doing:
1. Stay on Top of Updates
Pre-installed WordPress plugins should always be the latest version. If vulnerabilities are found, they should be patched immediately. Hosts need to ensure their customers aren’t unknowingly running insecure software. One solution to this is enabling automatic plugin updates to ensure users are always running the latest and safest versions of pre-installed plugins.
2. Offer an Opt-In Option
Rather than pre-installing plugins by default, hosts should allow users to choose the plugins they want during the setup process. This gives users control over their WordPress setup, ensuring they only have the tools they need.
3. Be Transparent
Hosting providers should clearly communicate which plugins they’re pre-installing, why they’ve chosen those plugins, and whether they’re keeping them updated. Users should have full visibility into their WordPress environment.
How HostBot Does It Differently
At HostBot, we believe in keeping things simple, secure, and under your control. Unlike other hosts, we don’t leave your website exposed by installing outdated or vulnerable plugins. We stay on top of updates, ensuring that every plugin is secure and up to date. We monitor your site for vulnerabilities and apply updates as soon as they’re available.
Our approach is designed to give you peace of mind. We handle the technical aspects so you can focus on growing your business. Want a fast, secure, and worry-free WordPress setup? Check out our hosting plans to learn more.
What You Can Do as a Site Owner
If your hosting provider pre-installs plugins, here are a few steps you can take to protect your site:
1. Check Your Installed Plugins
Once your new WordPress site is set up, check which plugins were pre-installed. If you don’t need them, remove them. If you want to keep them, make sure they’re updated to the latest version.
2. Stay Informed About Vulnerabilities
Use tools like Wordfence or WPScan to check for known vulnerabilities in your installed plugins. If you find a vulnerability, either update the plugin or contact your host to request an update.
3. Request More Control
If you’d prefer to choose which plugins are installed, ask your host to stop pre-installing plugins automatically. You can then manage the installation and updates of plugins on your own terms.
Final Thoughts: The Case Against Pre-Installed Plugins
While pre-installing WordPress plugins may seem like a helpful shortcut, it often introduces security and performance risks. If hosting providers aren’t staying on top of plugin updates, customers are left vulnerable to outdated software and potential attacks.
At HostBot, we take a different approach. We ensure your plugins are always up to date. If you want more control over your WordPress setup without the hassle of managing updates, we’ve got you covered.