Why I Yanked VaultPress off My Recommended List

VaultPress is one of the best backup solutions on the planet. But now it’s bundled into JetPack. See why that’s such a big deal and why I have to remove it from my trusted vendor list.

UPDATE: 12/15/16 I’ve been in daily email contact with the folks at VaultPress over this and they are listening to their user base and are taking us seriously. I’ll continue to update this post if they find a way to let us use the existing VaultPress plugin without JetPack.

UPDATE: 9/6/18 You still have to install JetPack to initially connect VaultPress. But, it does not require that XML-RPC be turned on to work. Just ensure that you turn off everything else in Jetpack anyway, to avoid other plugin conflicts.

What Happened to VaultPress?

On Dec. 9, 2016, VaultPress announced new pricing plans. It was thrilling to see they had lowered the plan pricing by 30%.

And then they dropped the bomb.

VaultPress would now be bundled into JetPack.

Why the folks at Automattic decided to ruin a perfectly good backup product is beyond me.

There is no way in hell I’m going to open my site to a security hole for a bloated plugin I don’t even want!

Let me explain.

JetPack is a Security Issue

JetPack uses XML-RPC to talk back and forth from your site to WP.com.

Since 2014, XML-RPC has been used by hackers in brute force attacks and to hijack site hosting resources to use in DDoS attacks on other sites.

I advise turning XML-RPC completely off as a core security measure to keep your site safe.

Read: Disable XML-RPC in WordPress to Prevent DDoS Attack

Now that the REST API has been included in the WordPress core, and is the new, safer input/output layer for sites, others have been calling for the death of XML-RPC too, including Jesse Nickles’ guest post on WP Tavern.

VaultPress does not require XML-RPC to be turned on.

To use JetPack, or even install it, you have to turn XML-RPC at least partially on.

That’s a security risk.

And one I’m not willing to open my site up to.
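One way to look for the XML-RPC traffic described above in your own access log, and to confirm whether the endpoint is really closed. This is an added example, not code from the original post; the log lines are constructed, and the function name, the threshold, and the assumption that a blocked endpoint answers with a non-200 status (as a web-server deny rule does) are mine.

```python
import re
from collections import Counter

# Constructed sample lines in "combined" access-log format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2016:04:11:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2016:04:11:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2016:04:11:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2016:04:11:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2016:04:11:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1820 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Dec/2016:05:30:10 +0000] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "curl/7.50"
192.0.2.5 - - [10/Dec/2016:06:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client IP, request method, request path and HTTP status from one log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def xmlrpc_report(log_text, threshold=3):
    """Summarise POSTs to xmlrpc.php (hypothetical helper; threshold is an assumed value)."""
    posts = Counter()   # POSTs to xmlrpc.php per client IP
    answered = 0        # POSTs the server answered with 200 instead of refusing
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]   # ignore any query string
        if not path.endswith("/xmlrpc.php"):
            continue
        posts[m["ip"]] += 1
        if m["status"] == "200":
            answered += 1
    return {
        "posts": dict(posts),
        "noisy": sorted(ip for ip, n in posts.items() if n >= threshold),
        "answered": answered,
        # Any 200 means requests still reach the endpoint, so it is not fully off.
        "reachable": answered > 0,
    }

if __name__ == "__main__":
    print(xmlrpc_report(SAMPLE_LOG))
```

On the sample, one address is flagged for repeated POSTs and the endpoint is reported as reachable; a log where every POST to xmlrpc.php is refused reports it as not reachable.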

My security challenge to you

If you don’t think having XML-RPC partially turned on is a problem, try this.

Leave one of your ground-floor windows open all the time. Hey, it’s just one little window. All of the other windows and doors are locked. What could be the problem?

See what happens to your peace of mind under that condition. That’s how I feel about opening any part of XML-RPC on my site and why I won’t do it.

JetPack is Bloatware

Jetpack is a behemoth that only belongs on WordPress.com.

The WP.com hosting service has extreme restrictions and no other custom plugins can be installed there, so they built a bunch of functions directly in.

And they wanted to make those functions available to self-hosted WP users, so they chose to throw the kitchen sink of functionality into one huge plugin called JetPack.

As self-hosted WordPress site owners, we have no such restrictions and have better choices than the bundled functions in JetPack.

Well, unless you’re on WPEngine, where they have a long list of plugins you can’t use too, and therefore recommend JetPack as well.

A whopping 19 modules are turned on by default when you install JetPack!

I went through all of them and found multiple conflicts with plugins I already had installed, plus a bunch of stuff I had zero need for that would directly contribute to a performance issue.

I’m 100% positive installing JetPack is going to cause issues for site owners.

I see it all the time in site audits.

Folks install plugins and never configure them.

If 19 functions are turned on from the get go, they will stay that way.

VaultPress is saying to just turn all of those JetPack functions off to get rid of the problem.

Why in the world would I install a plugin just to turn off all of its functions simply to get an interface for another service that already has a plugin interface?

How does that make any sense at all?

If you have the VaultPress plugin now and install JetPack, it simply gets moved under the JetPack tab.

Debunking JetPack Bloat

The devs at BruteProtect made a nice brute force protection plugin. Then they got folded into the WP.com family.

They wrote a post on The Jetpack Bloat Myth that attempts to debunk the idea that Jetpack is slow and bloated.

They ran head-to-head tests on a site with all 19 default modules of JetPack turned on compared to another site that had just 5 plugins which replicated the most popular features of JetPack.

The criterion for those 5 plugins was that they were the most downloaded.

They failed to make their case.

Be sure to read the comments on that benchmark post. Most address the extremity of bundling so much into a single plugin, multiple types of bloat, and complexity of troubleshooting.

One of the second site plugins was Add to Any. It had one of the worst performance scores in my head-to-head share plugin tests.

Read: Social Share Buttons – Site Performance and Security Killers

If they had chosen a lighter plugin just for that function, the test would have been radically different.

They also didn’t address the load time with all the least used functions turned off.

And they didn’t address immediate conflicts with other installed plugins that are not allowed on WP.com.

Nor did they test on a loaded site with all those functions running at full steam.

In other words, it’s a benchmark test that proves their assertion, but misses the point entirely.

A Step Backward

WordPress powers 27% of all sites online. (As of 2016 reports.)

The bulk of those are on WordPress.com.

Matt Mullenweg, the guy who started all of this, is dead set on doubling that number.

If he’s serious about that goal, then Automattic, the parent company of the whole shebang, needs to decouple itself from the extreme limitations of WordPress.com and start thinking more about how to promote WordPress.org, which is the version all of us business folks who self-host use.

Tying standalone products to JetPack is a step backwards in both thinking and functionality.

It’s like a bloated, restrictive, slow moving government agency trying to compete with free market enterprise solutions that do it better and are far, far, far more profitable.

I’m Disappointed and Pissed Off

VaultPress was a perfect backup product.

I was delighted to switch to it and away from resource-intensive plugins that had serious stability issues, like BackupBuddy.

I slept easy at night knowing my backups were generated every day and stored in the cloud. I knew how easy it was to do a 1-click restore, no matter what happened to my site.

And the price was super!

VaultPress was already cheaper than its direct competitor, BlogVault, and cheaper than backup plugins like BackupBuddy and UpDraftPlus Pro, both of which did not include storage, or only limited storage.

So, lowering the price in this latest move is not going to make up for the JetPack bundling hoohaa, at least not for me and most of my clients who want super safe sites.

It took me weeks to vet another good backup service when I had to move away from plugins.

It’s going to take a lot of tests and time to vet another one when my renewal date comes up for VaultPress.

I was happy, VaultPress. So were my clients. And it’s sad to have to split this relationship, especially when the backup service itself is still so amazingly good. But I won’t be renewing unless you find a way to decouple from JetPack.

22 Comments

    1. Hi Tammy. I haven’t heard too many horror stories about it, but I certainly do see the performance issue and folks having no idea that all that stuff was turned on or what it does. Sounds to me like they are going to do even tighter integration with JetPack. So sad.

  1. I went back to BackupBuddy and am using Amazon for my storage. I don’t know how safe this is but it is all I can do for now. Your thoughts, MaAnna?

    1. It’s perfectly safe Blair. And good for you using off-site storage. I just can’t get BackupBuddy to be stable on all sites, especially bigger ones. And I need to know that my backups are being made. Some folks have had zero issue with it. Just depends on site size and hosting resources more than anything. But it’s certainly safe for sure.

  2. Hi MaAnna,
    I still use BackupBuddy for one of my sites and was considering switching it over to VaultPress. I don’t use JetPack on any of my sites and don’t really want to. What would you recommend now? Wait before switching to VaultPress?

    1. Thuy, I would wait a bit to see what they come up with, as far as another way to use VP without JetPack. But, don’t hold your breath. If BackupBuddy is still working, then it’s okay to keep it. Or, you may want to look at UpDraftPlus (plugin) or BlogVault (cloud service like VaultPress)

  3. You go girl! I know your opinion of JetPack, but I’m still using three plugins from JetPack, mostly because I couldn’t locate a good replacement (but I still am looking from time to time). I, too, am a VaultPress customer. So, give ’em an earful for those of us that rely on your technical expertise and advice.

    1. Patti, they did listen and do take the concerns seriously. But they need to hear from all of their customers, not just me, to know just how many folks feel this way. Please do consider contacting them yourself too!!!

  4. Hi — Matt here, the co-founder and project lead of WordPress.

    I think you have some misunderstandings about XML-RPC, which might make issues worse for people reading this, rather than better. As one example in your next post you talk about brute force attacks, but don’t mention that Jetpack includes the best brute force protection available for WP, for free, far better than Login Lockdown which just fills up the database for modest-at-best benefit. There is also a huge implication for the millions of people using the mobile apps.

    I notice you very generously spend time with folks to walk through WordPress and answer their questions. I’d be happy to return the favor and spend 30 minutes on a call with you to talk over all these issues, like a Site Audit for super-advanced WP and security knowledge. It’s not something I’d normally do but hey, it’s the holidays. :)

    Drop me an email to my address left here and we’ll set up a time.

    1. Hi Matt!! Thanks so much for commenting. Yes, I know about Jetpack’s brute force protection, but don’t agree with you about the ineffectiveness of Login Lockdown.

      And, I also understand about the implications of folks using the mobile apps to access their sites, which is why I included references to plugins that only turn XML-RPC partially off, so folks can still use those apps.

      There are millions more who want a fully secured site with XML-RPC all the way off.

      I’m always willing to learn and discuss and will most definitely be contacting you.

    2. Really poor execution of this migration.

      I do the familiar thing on a new site:
      Install VaultPress
      Click button to visit dashboard
      Choose the most expensive plan
      Greeted with “Ok go install some other plugin named JetPack”
      Scratching head. Suddenly all that trust you built is toppled.

      1. No kidding Tony. And 14 steps later, you still don’t have VaultPress installed and no clear path to do it. I HATE that 19 modules are turned on by default and none of them are the one thing you wanted.

      2. So I decided to just go ahead and install the additional Jetpack. Did that, clicked Activate, and logged into my WordPress.com account when prompted and was then redirected to a custom Page not found. What?! (comment edited by MaAnna at Tony’s request to remove image link of the page)

  5. A couple of years back I had installed Jetpack to my website. It wasn’t too long after I started having issues~of course I can’t remember what they were about now. With the help of someone from my theme support we narrowed it down to the plugin Jetpack.
    I myself loved that plugin and hated the idea of dropping it, but I did.
    My issues disappeared immediately. After reading this I am glad I did.
    Cheers

    1. I don’t think they’re going to change it back Dale. But maybe if they could offer an alternative for folks who would drop their existing VaultPress plans because of it, that would be good.

  6. Hi MaAnna! Thank you for sharing this! Which method of backup do you recommend now? Or, as of today, has VaultPress changed their mind?

    1. Hi Mary, I want to give this a little more time to shake out before making any new recommendations. I sure would like to stay with VaultPress if at all possible, but not at the expense of security on my site.

  7. Can’t believe I missed this great post last year, MaAnna! Also, thanks for mentioning my WP Tavern guest post on why it’s long past time for XML-RPC to be disabled in WP core by default.

    In case you or other readers are looking for VaultPress alternatives, we at LittleBizzy have been using the very fantastic CodeGuard service for all our hosting clients for the past few years with great results, and it remains one of our most popular features. We are long-term partners of CodeGuard, but I’ve also seen great things being done over at BlogVault and have chatted with them a few times too.

    Ultimately while I appreciate Matt’s desire to provide free Jetpack services to self-hosted WordPress sites, I agree heartily with many of your points. Only Automattic knows whether VaultPress subscribers are growing or not, but hopefully they see the value in returning some of their services to standalone products — not that smaller companies need any more competition, but at least to fit into the WP ecosystem better.

    It would also be nice if Automattic didn’t overly promote their plugins at WP.org, because ultimately this whole community only works if a bit of neutrality and competition exist!

    1. Thanks for the tips Jesse!! I’ll check into CodeGuard and BlogVault again, as I know everything is always evolving.

      Agreed about too much WP.org stuff going the WP.com way. Think that’s still happening with Gutenberg and more. Thinking the leadership is too tied to WP.com and is a little blind to how so many bloggers use WP to make money now.
