April 4, 2025 · 4 min read
The WordPress plugins we install on (almost) every site
Open the dashboard of a WordPress site you didn't build and the first thing to look at is the plugin list. From there you can tell how much maintenance will be needed: if you find thirty, ten of them deactivated, you already know how it's going to go. After years spent building new sites and fixing inherited ones, we have a short list of WordPress plugins we install on almost every project. In this article we cover the categories that are always needed, the criteria we use to choose and the mistakes we keep running into.
The plugin categories almost every site needs
Categories matter more than names: plugin names change over the years, the needs stay the same.
- Backups: a plugin that saves files and database to storage outside the server (cloud storage or remote FTP), with automatic scheduling. A backup stored on the same server as the site is of little use the day the server itself has the problem.
- Security: login attempt limiting, application firewall, scanning of modified files. One, configured well, is enough; two security plugins active at the same time get in each other's way.
- SEO: management of titles, descriptions, XML sitemap and structured data. Among the most popular plugins the difference is minimal: what matters is how you configure it, not which one you pick.
- Cache and performance: page caching, CSS and JavaScript minification, deferred script loading. It has to be configured according to the hosting, because some providers already have a server-level cache.
- Forms: a contact form plugin with built-in anti-spam protection. The form is often the only conversion channel of a brochure site, so it deserves attention, not the first plugin you find.
With these five categories you cover the baseline of any brochure site or blog. Everything else depends on the project: an eCommerce store, a multilingual site or a members area brings its own specific needs.
How we evaluate a plugin before installing it
Before adding anything to a client's site we always check the same points:
- Date of the last update: if the plugin has been idle for more than a year we discard it, even if it works for now. An abandoned plugin is a vulnerability waiting to be discovered.
- Declared compatibility with the WordPress and PHP versions running on the server.
- Active installations and reviews: a large user base means bugs surface and get fixed before they reach you.
- Changelog: a well-kept, frequent change log says a lot about how serious the developer is.
- Support: we look at whether the author replies in the plugin's forum and how quickly. When you have a problem, that will be your first resource.
One more criterion we often apply: we prefer plugins that do one thing. The all-in-one suites bring dozens of features into the site you will never use, and every feature is extra code to load, update and secure.
The mistakes we see most often
In the sites we take over we almost always find the same problems. The most common is overlap: two caching plugins active at the same time, or a security plugin stacked on top of hand-written rules in the .htaccess file, with conflicts that are hard to diagnose. The second is the plugin installed for a tiny feature: to add a tracking snippet or hide the WordPress version, a few lines in the child theme are enough, no need for an entire package. The third is the most serious: paid plugins downloaded from sites that redistribute them for free. Those copies often contain malicious code and are among the most frequent causes of the compromised sites we're asked to clean up.
Then there's the mistake of perspective: looking for a plugin for every need. If the site needs specific logic (a price list, a calculation, a particular request flow), sometimes the right answer is a small piece of custom development, not the fifteenth plugin that almost does what's needed.
Maintenance matters more than the initial choice
Even the perfect plugin list ages. What makes the difference over time is the routine: updates applied regularly (on a staging environment first, if the site is critical for your business), deactivated plugins removed instead of sitting there for years, a periodic check that flags components abandoned by their authors. When we build websites and eCommerce stores we always deliver a configuration stripped to the essentials, precisely to keep this routine sustainable: the fewer components there are, the fewer things can break with each update and the less time it takes to keep them under control.
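The evaluation criteria above (last update, declared compatibility, install base) and the maintenance routine (pending updates, deactivated plugins left behind) can be turned into a repeatable check. The script below is an added example, not code from the article or from any plugin; it assumes two inputs whose field names follow real tools, but the records themselves are constructed so it runs offline: the inventory mirrors `wp plugin list --format=json` from WP-CLI (fields name, status, update, version), and the directory data mirrors the wordpress.org plugin-info API (fields last_updated, tested, requires_php, active_installs). The plugin slugs, the install-count threshold and the audit date are assumptions.

```python
"""Plugin hygiene audit: applies the article's evaluation criteria and
maintenance routine to a plugin inventory.

Both inputs are CONSTRUCTED samples whose field names follow real sources:
  - `wp plugin list --format=json` (WP-CLI): name, status, update, version
  - wordpress.org plugin-info API: last_updated, tested, requires_php,
    active_installs
The slugs below are made up; none refers to a real plugin."""
from __future__ import annotations
from datetime import date

ABANDONED_AFTER_DAYS = 365  # article: idle for more than a year -> discard
MIN_ACTIVE_INSTALLS = 1000  # assumption: our own bar for "a large user base"
AUDIT_DATE = date(2025, 4, 4)  # assumption: fixed so the sample is reproducible

# Constructed stand-in for `wp plugin list --format=json`
WP_PLUGIN_LIST = [
    {"name": "good-backup", "status": "active", "update": "none", "version": "3.2.1"},
    {"name": "old-slider", "status": "inactive", "update": "available", "version": "1.0.4"},
    {"name": "legacy-forms", "status": "active", "update": "none", "version": "0.9"},
    {"name": "tiny-tweaks", "status": "active", "update": "none", "version": "1.1"},
    {"name": "premium-seo-pro", "status": "active", "update": "none", "version": "5.0"},
]

# Constructed stand-in for plugin-info API responses, keyed by slug.
# "premium-seo-pro" is deliberately missing: it is not in the directory.
PLUGIN_INFO = {
    "good-backup": {"last_updated": "2025-03-20 9:41am GMT", "tested": "6.7.2",
                    "requires_php": "7.4", "active_installs": 200000},
    "old-slider": {"last_updated": "2024-09-02 4:10pm GMT", "tested": "6.6",
                   "requires_php": "7.0", "active_installs": 50000},
    "legacy-forms": {"last_updated": "2023-01-15 11:00am GMT", "tested": "6.1",
                     "requires_php": "5.6", "active_installs": 300},
    "tiny-tweaks": {"last_updated": "2025-02-01 8:00am GMT", "tested": "6.7",
                    "requires_php": "8.2", "active_installs": 4000},
}


def version_tuple(v: str) -> tuple[int, ...]:
    """Turn '6.7.2' into (6, 7, 2) so versions compare numerically."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def parse_last_updated(s: str) -> date:
    """The API string starts with an ISO date; the time part is not needed."""
    return date.fromisoformat(s[:10])


def audit(plugin_list, plugin_info, today, wp_version, php_version):
    """Return {slug: [problem, ...]} for every plugin with at least one finding."""
    findings = {}
    for entry in plugin_list:
        slug, problems = entry["name"], []
        if entry["status"] != "active":
            problems.append("deactivated: remove it or reactivate it")
        if entry["update"] == "available":
            problems.append("update pending")
        info = plugin_info.get(slug)
        if info is None:
            # Legitimate premium plugins are absent too, so this is a prompt to
            # confirm the source, not a verdict.
            problems.append("not in the wordpress.org directory: verify where it came from")
        else:
            age = (today - parse_last_updated(info["last_updated"])).days
            if age > ABANDONED_AFTER_DAYS:
                problems.append(f"no release for {age} days: possibly abandoned")
            if version_tuple(info["requires_php"]) > version_tuple(php_version):
                problems.append(f"requires PHP {info['requires_php']}, server runs {php_version}")
            # Compare major.minor only: a plugin tested on 6.7 is fine on 6.7.2
            if version_tuple(info["tested"])[:2] < version_tuple(wp_version)[:2]:
                problems.append(f"tested only up to WordPress {info['tested']}")
            if info["active_installs"] < MIN_ACTIVE_INSTALLS:
                problems.append(f"only {info['active_installs']} active installs")
        if problems:
            findings[slug] = problems
    return findings


def run_sample():
    """Audit the constructed inventory against an assumed WP 6.7.2 / PHP 8.1 server."""
    return audit(WP_PLUGIN_LIST, PLUGIN_INFO, AUDIT_DATE, "6.7.2", "8.1")


if __name__ == "__main__":
    for slug, problems in run_sample().items():
        print(slug)
        for p in problems:
            print("  -", p)
```

On a real site the two inputs would come from `wp plugin list --format=json` and one request per slug to the plugin-info API; the checks themselves do not change. A plugin with no findings (here `good-backup`) is the baseline the article describes; everything else is a line item for the maintenance routine.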
Want a clean base to build on?
If your WordPress site has grown through plugins added over the years and every update has become a gamble, we can tidy things up: we analyze what's installed, remove what isn't needed and fix configuration and performance. Take a look at our website and eCommerce service and book a free call: we'll go through your site together and tell you what we would keep and what we would remove.
