VaultPress is one of the best backup solutions on the planet. But now it’s bundled into JetPack. See why that’s such a big deal and why I have to remove it from my trusted vendor list.
UPDATE: 12/15/16 I’ve been in daily email contact with the folks at VaultPress over this and they are listening to their user base and are taking us seriously. I’ll continue to update this post if they find a way to let us use the existing VaultPress plugin without JetPack.
UPDATE: 9/6/18 You still have to install JetPack to initially connect VaultPress. But, it does not require that XML-RPC be turned on to work. Just ensure that you turn off everything else in Jetpack anyway, to avoid other plugin conflicts.
What Happened to VaultPress?
On Dec. 9, 2016, VaultPress announced new pricing plans. It was thrilling to see they had lowered the plan pricing by 30%.
And then they dropped the bomb.
VaultPress would now be bundled into JetPack.
Why the folks at Automattic decided to ruin a perfectly good backup product is beyond me.
There is no way in hell I’m going to open my site to a security hole for a bloated plugin I don’t even want!
Let me explain.
JetPack is a Security Issue
JetPack uses XML-RPC to talk back and forth from your site to WP.com.
Since 2014, XML-RPC has been used by hackers in brute force attacks and to hijack site hosting resources to use in DDoS attacks on other sites.
I advise turning XML-RPC completely off as a core security measure to keep your site safe.
Now that the REST API has been included in the WordPress core, and is the new, safer input/output layer for sites, others have been calling for the death of XML-RPC too, including Jesse Nickles’ guest post on WP Tavern.
VaultPress does not require XML-RPC to be turned on.
To use JetPack, or even install it, you have to turn XML-RPC at least partially on.
That’s a security risk.
And one I’m not willing to open my site up to.
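One way to check whether XML-RPC is really off on a site, shown as an added example (not code from this post, VaultPress or Jetpack): scan the web server access log for POSTs to xmlrpc.php and separate the requests that were answered from the ones that were refused. The log lines are constructed samples in combined log format, and the function name `audit_xmlrpc` and the burst threshold are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2016:04:11:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2016:04:11:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2016:04:11:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Dec/2016:04:12:40 +0000] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "curl/7.50"
192.0.2.10 - - [10/Dec/2016:04:13:05 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Dec/2016:04:13:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def audit_xmlrpc(log_text, burst_threshold=3):
    """Summarise POSTs to xmlrpc.php: answered vs. refused, and which clients repeat."""
    served, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop any query string; match the endpoint even in a subdirectory install.
        path = m["path"].split("?", 1)[0].lower()
        if not path.endswith("/xmlrpc.php"):
            continue
        # 2xx: the request reached the endpoint and was answered.
        # Anything else: the server or a security rule refused it.
        bucket = served if m["status"].startswith("2") else blocked
        bucket[m["ip"]] += 1
    total = served + blocked
    return {
        "endpoint_reachable": bool(served),
        "served": dict(served),
        "blocked": dict(blocked),
        "noisy_clients": sorted(ip for ip, n in total.items() if n >= burst_threshold),
    }

if __name__ == "__main__":
    for key, value in audit_xmlrpc(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

If `endpoint_reachable` is true after XML-RPC was supposedly turned off, the block is not in effect for at least some requests. WordPress answers failed XML-RPC logins with HTTP 200 and a fault in the body, so a 2xx here means the endpoint responded, not that a login succeeded.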
My security challenge to you
If you don’t think having XML-RPC partially turned on is a problem, try this.
Leave one of your ground-floor windows open all the time. Hey, it’s just one little window. All of the other windows and doors are locked. What could be the problem?
See what happens to your peace of mind under that condition. That’s how I feel about opening any part of XML-RPC on my site and why I won’t do it.
JetPack is Bloatware
Jetpack is a behemoth that only belongs on WordPress.com.
The WP.com hosting service has extreme restrictions and no other custom plugins can be installed there, so they built a bunch of functions directly in.
And they wanted to make those functions available to self-hosted WP users, so they chose to throw the kitchen sink of functionality into one huge plugin called JetPack.
As self-hosted WordPress site owners, we have no such restrictions and have better choices than the bundled functions in JetPack.
Well, unless you’re on WPEngine, where they have a long list of plugins you can’t use too, and therefore recommend JetPack as well.
A whopping 19 modules are turned on by default when you install JetPack!
I went through all of them and found multiple conflicts with plugins I already had installed, plus a bunch of stuff I had zero need for that would directly contribute to a performance issue.
I’m 100% positive installing JetPack is going to cause issues for site owners.
I see it all the time in site audits.
Folks install plugins and never configure them.
If 19 functions are turned on from the get go, they will stay that way.
VaultPress is saying to just turn all of those JetPack functions off to get rid of the problem.
Why in the world would I install a plugin just to turn off all of its functions simply to get an interface for another service that already has a plugin interface?
How does that make any sense at all?
If you have the VaultPress plugin now and install JetPack, it simply gets moved under the JetPack tab.
Debunking JetPack Bloat
The devs at BruteProtect made a nice brute force protection plugin. Then they got folded into the WP.com family.
They wrote a post on The Jetpack Bloat Myth that attempts to debunk the idea that Jetpack is slow and bloated.
They ran head-to-head tests on a site with all 19 default modules of JetPack turned on compared to another site that had just 5 plugins which replicated the most popular features of JetPack.
The criterion for those 5 plugins was that they were the most downloaded.
They failed to make their case.
Be sure to read the comments on that benchmark post. Most address the extremity of bundling so much into a single plugin, multiple types of bloat, and complexity of troubleshooting.
One of the second site plugins was Add to Any. It had one of the worst performance scores in my head-to-head share plugin tests.
If they had chosen a lighter plugin just for that function, the test would have been radically different.
They also didn’t address the load time with all the least used functions turned off.
And they didn’t address immediate conflicts with other installed plugins that are not allowed on WP.com.
Nor did they test on a loaded site with all those functions running at full steam.
In other words, it’s a benchmark test that proves their assertion, but misses the point entirely.
A Step Backward
WordPress powers 27% of all sites online. (As of 2016 reports.)
The bulk of those are on WordPress.com.
Matt Mullenweg, the guy who started all of this, is dead set on doubling that number.
If he’s serious about that goal, then Automattic, the parent company of the whole shebang, needs to decouple itself from the extreme limitations of WordPress.com and start thinking more about how to promote WordPress.org, which is the version all of us business folks who self-host use.
Tying standalone products to JetPack is a step backwards in both thinking and functionality.
It’s like a bloated, restrictive, slow-moving government agency trying to compete with free market enterprise solutions that do it better and are far, far, far more profitable.
I’m Disappointed and Pissed Off
VaultPress was a perfect backup product.
I was delighted to switch to it and away from resource-intensive plugins that had serious stability issues, like BackupBuddy.
I slept easy at night knowing my backups were generated every day and stored in the cloud. I knew how easy it was to do a 1-click restore, no matter what happened to my site.
And the price was super!
VaultPress was already cheaper than its direct competitor, BlogVault, and cheaper than backup plugins like BackupBuddy and UpDraftPlus Pro, both of which included no storage, or only limited storage.
So, lowering the price in this latest move is not going to make up for the JetPack bundling hoohaa, at least not for me and most of my clients who want super safe sites.
It took me weeks to vet another good backup service when I had to move away from plugins.
It’s going to take a lot of tests and time to vet another one when my renewal date comes up for VaultPress.
I was happy with VaultPress. So were my clients. And it’s sad to have to split this relationship, especially when the backup service itself is still so amazingly good. But I won’t be renewing unless you find a way to decouple from JetPack.