WordPress Essential Plugins

Whenever I get involved in and established site I review the installed plugins and look for the must-have, essential plugins. Of course, when I create a new site, I make sure that such plugins are in place.

Below is a list of functions that every website needs to perform well and to avoid problems.

The red functions contain links that will take you to the details and recommended WordPress plugins that address these requirements.

Website Performance

Good site performance is essential.  A website needs to load fast, both from a user perspective and for SEO purposes.

Users are rightfully impatient and will easily click a button to stop waiting on a slow site and move on.

Google penalizes slow sites and rewards fast ones.

 2-3 seconds for page visibility is the maximum one should aim for .

Other elements such as font usage, CSS, image management and site structure play a major role in website performance.  But caching is the bedrock, for good performance, so we start there.

SG Optimizer

SG Optmizer is the best overall plugins I know, but it is only available if the Hosting account  is Siteground.

It takes advantage of Siteground’s host based services which include:

  • Memcache
  • Image optimization and sizing, including autoconversion to Webp formats for all images.

w3 Total Cache

W3 Total Cache gives you many options to configure and this makes it appear more complex than other plugins that make some of these decisions for you and therefore appear easier. 

Fortunately the latest versions of W3 Total cache have a very good easy setup feature that measures the setting options and guides you through the basic choices. The measurement function, before choosing caching functions is at this point unique to W3 Total cache.

WP Rocket

WP Rocket is a highly promoted premium plugin that works well and it easy to set up.  But it requires an annual fee and it offers no advantages over SG Optimizer or W3 Total Cache which are free plugins. 

Other WordPress Caching Plugins

Other plugins that are worth mentioning include:

  • WP Fastest Cache
  • JetPack (see the full discussion on Jetpack)


Image Optimization

One of the biggest causes for poor site performance lies in bad image management.

Sizing and Compressing Images for Website Use

WordPress Image Optimization Plugins

Images should be sized to the maximum required for internet use.  Any digital camera, including modern phones will typically provide images with densities that allow high resolution printing or projection.  This is far too big for website use.  The pixels on our screens will render high quality display at much lower densities.

To put this in perspective, a modern mobile phone or good camera photo will be about 5,000 pixels wide and take up about 5MB of storage.  If you load this on a website, every image you want to display will take up a lot of disk space and will take several seconds to download over the internet.  The images have to be compressed and resized for web use.

A large 19″ screen is about 1,700 pixels wide.  A laptop is about 1,200 pixels wide.

If you plan to display a large JPG image (full width on a large display screen) it needs to be resized to 1,700 pixel width. Along with basic compression this will reduce the size of a photo from 5MB to around 300K or 6% of the original storage space and bandwidth.  Reducing the width further to the size that you need for inclusion in columns or blog posts will have a further exponential saving. (height and width will be less, so the saving factor is 4x)

PNG images can be even more resource intensive than JPG images, so PNG should only be used for smaller, simpler images or when transparency is needed.

Over the past few years the WEBP format was developed for internet use to offer a better solution to both JPG and PNG images.  By now all browser support WEBP.  It is even more compressed than optimized JPG images and PNG images, so for optimal performance, this should be used, where possible.

There are free online tools available to do image compression and resizing but they are cumbersome to use, especially if you have many images to manipulate. Programs like Adobe Photoshop do a fair job, but they are expensive and there are even better solutions available.

Fortunately there are several WordPress plugins available to do most of the heavy lifting for image optimization.

EWWW Image Optimizer

EWWW is by far the most effective image optimization plugin I have found.

It allows you to define maximum size for all your images and will then automatically resize and compress your photos or other raw images on upload.

EWWW has a bulk optimize function to do the same for previously uploaded images.

It can convert PNG images to JPG and will retain transparent PNG images.

You can choose to convert your entire site to use WEBP and convert the images in bulk.

All the bulk optimization features provide an option to keep a copy of the original images.  This is a good practice to use if you have enough disk space.

It is always a good idea to make a backup before you do any bulk changes on a website!

Other WordPress Image Compression Plugins

More WordPress Image Compression Plugins

The following are popular Image compression plugins that are often used but in my experience not nearly as effective as EWWW:

  • WP Smush
  • ResmushIt

Website Security

There is a general view that WordPress suffers from security vulnerabilities.  That is an unfair and ill informed view and stems from people building sites without taking the necessary precautions.  If you follow the suggestions I outline here, WordPress will be as secure as any other platform and probably more so because of the safeguards in place.

Hackers find new ways of attacking the most secure sites, even banks and government sites.  All site owners or developers have to guard against bad actors and take all reasonable precautions to put up a defense.

Here is a checklist for actions required to make WordPress Safe and unpenetrable.
For Details about each of these, scroll down.

  • Choose a reputable theme
  • Choose only reputable plugins
  • Keep WordPress, your Themes and Plugins up to date.  There are ways to do this automatically or you can hire me or someone else to spend and hour a month on your site to make sure this is done properly.
  • Install a good security plugin such as WordFence, Ithemes Securly or Sucuri and cofigure it.
  • WordFence (and probably Ithemes and Sucuri) will send you weekly or monthly reports.
  • They will also send you additional reports if WordPress, your Theme or some plugins are found to be out of date or have vulnerabilities. 
    Pay attention to these and take the necessary action.
  • In WordFence or similar plugin
    • use the setting to force strong passwords for Admins.
    • choose the setting not to specify which credential is failing in the reset password function.
    • The efault lockout settings are normally good but you can strengthen them further.
  • Install the plugin “Disable WordPress Xmlrpc.php” It is not needed and is a resource used by hackers.
    See this Tutorial for a full discussion and explanation.
  • Install a backup plugin such as UpdraftPlus that can copy your website to another location like Dropbox, Google drive, etc
  • Delete the default Admin user and replace it with an Administrator that does not use “Admin” as a login name.
  • On the new user with Administrator access, make sure that the User Display name is different from the Login name.
  • Do the same for All other users with Administrator Access.
  • Never share your login details with anyone who need Admin access. Create a unique account with Admin access to anyone who needs it.
  • Keep Administrators to the minimum. Once Administrator privileges are no longer required, delete the user or change his or her role.
  • Get assurances from all users with Administrator access that they have paid, Up to Date and regular scanning malware on all devices that they may use to sign on to the site.

These are all things you can do yourself or with minimal costs for a freelancer. 
It can all be done with free plugins.

If you have taken these actions and keep things up do date you will have secured your website.

What Would Make WordPress Vulnerable?

Actions to make WordPress much more secure?

A poor choice of Theme.

A theme that is not well written at the outset and not maintained when WordPress is updated or when underlying code vulnerabilities are discovered can provide a back door.  There are many themes that were introduced years ago and only sold a few hundred since introduction.  This is a bad sign as the developer will not have the inclination or resources to keep up.

Read my article on WordPress Themes. I give many ideas, considerations and recommendation for theme choice.

Choose a reputable theme. 

Reputable Free Themes

This could be a free WordPress theme developed by WordPress variously named “TwentyFourteen”… “TwentySixteen”…  “TwentyTwentwo” and so on and all the years in between.  These are all excellent well supported and maintained and regularly updated.  They are not as versatile as premium themes and mostly harder to customize to look unique but they are safe and perform well.

Proven and Trusted Premium Themes

There are many sources of Premium themes, and none are expensive.  Some, like Divi are sold directly while other come from Theme intermediaries, the larges of which is probably ThemeForest Such themes are initially vetted and

Poor choices Plugins

One of the amazing strengths of WordPress is that you can find a plugin for just about anything you can imagine doing on a website.

Plugins are written in PHP that runs on your server and most often include Javascript which runs on you client (desktop or mobile). 

PHP and JavaScript are programming languages and need to access your files to make things work.  They could therefore be backdoors if poorly written or coulde even be offered criminally as promising a desired function but actually introducing hidden functions along with it.

A poorly maintained plugin may not be updated when new vulnerabilities are discovered.  A plugin with a large user base is more likely to keep up with WordPress changes.

Fortunately there are safeguards within WordPress and you can also take precaution by knowing how to evaluate a plugin before you decide to use it.

Only Use reputable Plugins

The plugins or alternatives discussed in this article are all essential to the form solid, safe structure for a site.  They do not all address function so you will probably consider many other plugins that add function to your website and by the nature of WordPress there are thousands of ready made plugins to meet just about any design idea.  But how can you know that is is good and safe?

How to quickly evaluate a plugin

If you use the WordPress interface to search for a plugin it will come from a repository of vetted and WordPress approved plugins and you can reasonably trust it.   But before you install a plugin you should also check the following.  In the “WordPress/Plugins/Add New” page, search for a plugin you may consider and then click on the “More Detail” link below the “Install Now” … Do this before you click “Install now”:

  • View the number of users.  In general, I would only use a plugin that has been download thousands of times.
  • Check when last it was last updated.  It should be within the last few months, at least.
  • Check the number of reviews and especially read the reviews below 5 stars. If a bad review is from years back it may have been written before the plugin was stable, so you can give them the benefit of the doubt, but take recent poor reviews seriously.

Never download and install a plugin that is not from the WordPress repository without researching it properly for all of the above indicators.

Rest assured that WordFence will also scan all plugins regularly and warn you if malware is present.

Essential WordPress Plugins for Backups

Backups are important for several reasons.  If a site breaks for whatever reason, including if you or the developer made a mistake, it is a life saver if you can just restore an earlier working version of the site.  Hosting accounts offer backup services.  Some make it part of there standard offering and some offer it as a paid add-on feature and I sleep better at night knowing that hosting account backups are in place. 

However, these backups allow you to restore the database only, all your files or both.  Your files, for Themes, Plugins, Uploaded images all need to be restored and sometimes you only want some, not all. 

I like having the choice to backup Plugins just before Updating them so that if one of the plugins create a problem, I want the ability to only restore the plugins, knowing that recently uploaded images will not be lost. 

I have had instances where malware has found its way into the hosting account and even once I have cleaned the site of malware on the site, it just reappeared because the malware had infected files outside of WordPress and into hosting account files.  So I like to also have backups off-site in something like a DropBox.


UpdraftPlus is my Favourite WordPress Backup Plugin

Backup and restoration made easy. Complete backups; manual or scheduled (backup to Dropbox, S3, Google Drive, Rackspace, FTP, SFTP, email + others).

By UpdraftPlus.Com, DavidAnderson

Over 3 Million Installations!

It simply meets the requirements for taking automatically scheduled backups and submitting them to DropBox and others as listed able.  You can also configure it to control the number of backups to save space and important for me is that I have control over which files I want restore.

With Dropbox and these features it is free.


I have worked with other backup plugins when they were installed on sites that I have taken over but none seemed to be as good as UpdraftPlus.

WordPress Custom Posts, Fields and Custom Views

When you get to more demanding site designs you will soon want to add custom fields, custom post Types and be able to display content using these.

Toolset Types is an amazing plugin to do all of this and has features to create unique views, with sort and filter functions.

I use Toolset Types functions extensively on Shunpike.Org, Drachekite.com and a few other sites.



I have worked with other custom field plugins such as Advanced Custom Fields Pro but none of them have the powerful views function that Toolset offers.