WordPress Plugins
The following plugins are automatically available in your WordPress website:
Plugin name | Description | Activated by default |
---|---|---|
Connect Matomo | Adds Matomo Analytics tracking to WordPress for detailed visitor insights. | No |
FluentForms with FluentSMTP | User-friendly form builder with SMTP integration for improved email deliverability. | No |
Fluent Forms PDF Generator | Automatically convert form entries into PDF documents. | No |
Polylang | Enables multilingual support by allowing translation of posts, pages, media, and more. | No |
Jetpack Boost | Optimizes WordPress site performance with one-click CSS, JavaScript, and image lazy-loading improvements. | ✔️ |
CERN Roles | Maps OpenID Connect roles to WordPress roles. | ✔️ |
OpenID Connect Generic | Provides SSO or opt-in authentication using OpenID Connect OAuth2 API. | ✔️ |
Disable REST API | Disables the WordPress REST API to enhance security and limit unauthorized access. | ✔️ |
FileBird Lite | Organizes media library files into folders for better management. | ✔️ |
Additionally, plugins specific to the CERN infrastructure and SSO are present and enabled by default.
As part of our efforts to maintain the security, performance, and stability of all WordPress sites, we have restricted the ability for individual users to install plugins at will. It is important to emphasise that this does not mean plugins and additional functionality cannot be added to WordPress: the WordPress Service is a living and breathing offering that will grow as the requirements of the Organization evolve. As such, if you believe a specific plugin would benefit both your website and the wider CERN community, we encourage you to submit it as a suggestion.
On Plugin Restriction
While we appreciate that plugins and third-party customisation can add valuable functionality to websites, the decision to disable on-demand plugin installation has been made by the Web Governance Board for, among others, the following reasons:
- Security Concerns: Not all plugins are created equally. Some may contain vulnerabilities or malicious code that could compromise the security of your website and, by extension, the entire network. This poses a concrete security risk, but also a broader reputational risk for the Organization. Any plugin included centrally must be thoroughly vetted before inclusion.
- Maintenance and Updates: Plugins require continuous maintenance to stay compatible with WordPress as well as to fix bugs or vulnerabilities. We have no interest in recreating the many challenges we faced with Drupal and site-specific customisation. Centralised management allows us to test updates for you, programmatically verify their compatibility with not only your website, but all websites that utilise the plugin, reducing the risk of downtime or issues caused by untested updates.
- Performance Impact: Poorly coded or resource-intensive plugins may negatively impact the performance of your website. This, in turn, leads to a poor experience for visitors and potentially malfunctioning components. A malfunctioning website with poor performance and breaking components could pose a reputational risk to the Organization.
- Consistency Across Sites: A key pillar for the Web Governance Board is to ensure a uniform and consistent web presence. Allowing unrestricted plugin installations can lead to inconsistencies in functionality and user experience across websites. By managing plugins centrally, we ensure that all sites adhere to organizational standards and best practices. This applies to all elements from branding to accessibility. Official CERN websites are already required to comply with these guidelines, but a centralised WordPress offering removes the workload from the individual website owner, allowing them instead to focus on their content.
Suggest a Plugin
If you have specific requirements not currently supported by the Service, please contact us:
- Open a ticket via WordPress Support
- Chat with us in the WordPress Mattermost channel
Once your suggestion is submitted, the following process commences:
- The plugin is compared to other plugins already offered in the Service as well as to the list of plugins previously considered: if the plugin has already been considered and rejected, or if another, existing plugin provides identical or similar functionality, the process immediately concludes and the ticket is updated accordingly.
- If the plugin has not previously been considered, is not supported by existing plugins and customisation, and could benefit more than a single website, the Web and Infrastructure teams both proceed with a technical review, seeking to affirm compatibility and overall value when compared to alternatives.
- In parallel with the technical reviews, and dependent on the specific nature and functionality of the suggested plugin, relevant entities such as Computer Security and the Data Privacy Office are involved through domain-specific reviews.
- If the plugin passes all reviews and is deemed beneficial for the broader CERN Community, it will be included in the central Service, becoming available to all websites.
If the plugin in question requires a license, additional requirements and budgetary considerations apply. In some instances, a license is tied to the specific domain of a website. As the WordPress Service supports hundreds of websites, such a configuration would fast become prohibitively expensive. We thus encourage users to ensure that any suggested plugin requiring payment either supports unlimited websites or considers CERN's multisite-esque infrastructure equivalent to WordPress' multisite structure, thereby requiring only a single license.