Most “must-have plugin” lists are useless. They’re stuffed with 20+ plugins, half of which do the same thing, and following them is a guaranteed way to end up with a slow, bloated site that breaks every time WordPress updates.
After 10 years of building WordPress sites — hundreds of them — I’ve narrowed my default plugin stack down to just a handful. Each one earns its place. If a plugin doesn’t justify its weight, it doesn’t get installed.
Here’s exactly what I install on day one, and why.
1. Rank Math SEO
SEO is non-negotiable. Every site needs it, and Rank Math is the best free option right now — it’s overtaken Yoast as my go-to, and honestly it’s not close anymore.
What I like about Rank Math is that it doesn’t just give you a traffic light and vague suggestions. It gives you real control: XML sitemaps, schema markup, redirect manager, keyword tracking, and Open Graph settings all in one plugin. Yoast charges you extra for half of that.
The setup wizard is clean and walks you through everything in about five minutes. Once it’s configured, it mostly stays out of your way.
One thing: don’t obsess over getting every post to a green score. The score is a guide, not a rule. Write for humans first. Google is getting better at figuring that out.
2. LiteSpeed Cache (or WP Rocket if you’re on a different host)
Caching is the single biggest performance improvement most WordPress sites can make, and most people either skip it entirely or install something heavy like W3 Total Cache and then wonder why things break.
If your hosting runs on LiteSpeed — which most good shared and cloud hosts do these days — LiteSpeed Cache is completely free and genuinely excellent. It handles page caching, object caching, image lazy loading, CSS/JS minification, and CDN integration. It’s the most powerful free caching plugin I’ve used.
If you’re on Nginx or Apache, WP Rocket is worth the price. It’s the one premium plugin I’d tell almost anyone to buy without hesitation. The configuration is simple, it plays well with other plugins, and the performance gains are real.
Don’t install both. Pick one and configure it properly. If you want to understand just how much page speed affects your visitors and sales, read about why a slow website loses you customers — the numbers might surprise you.
3. UpdraftPlus
I’ve restored sites from backups more times than I can count. Hosting companies mess up. Plugins break things. Clients accidentally delete content. Without a working backup, any of these situations becomes a crisis.
UpdraftPlus is the most reliable free backup plugin available. It lets you schedule automatic backups and store them offsite — Google Drive, Dropbox, Amazon S3, or any remote storage you prefer. The key word is offsite. Keeping backups on the same server as your site isn’t a backup strategy, it’s false security.
My default setup: daily backups, stored in Google Drive, kept for 30 days. Takes ten minutes to configure and you never have to think about it again — until the day you desperately need it. Pro tip: always test your updates on a staging site before pushing to live, so your backups stay a last resort rather than a constant necessity.
The premium version adds incremental backups and more storage options, but for most sites the free version is plenty.
4. Wordfence Security
WordPress powers around 40% of the web, which makes it a giant target. Automated bots are constantly scanning for outdated plugins, weak passwords, and known vulnerabilities.
Wordfence is the firewall that sits between your site and the junk. The free version includes a web application firewall, malware scanner, login protection with two-factor authentication, and real-time blocking of known bad IP addresses.
Some people say Wordfence is heavy. They’re not wrong — it does use some server resources. But I’d rather have a slightly heavier site that doesn’t get hacked than a lightweight site that someone defaces or uses to send spam.
My minimum Wordfence setup on every site:
- Enable the firewall in learning mode for a week, then switch to enabled-and-protecting
- Turn on two-factor authentication for admin accounts
- Set a login attempt limit (I use 3 attempts before lockout)
- Schedule weekly malware scans
If you’re on a managed WordPress host (like Kinsta or WP Engine), they often have server-level security built in and Wordfence may be redundant. Check what your host includes before installing it.
5. WPForms Lite
Every site needs a contact form. WordPress doesn’t include one by default, which is baffling, but here we are.
WPForms Lite handles the basics cleanly: contact forms, simple multi-field forms, spam protection via honeypot and reCAPTCHA, and email notifications. The drag-and-drop builder is fast and intuitive.
The free version covers 90% of what most sites actually need. The paid version adds payment forms, conditional logic, file uploads, and multi-page forms — worth it if you’re running a business site with complex form requirements, but not necessary for most.
One alternative worth knowing: Contact Form 7. It’s been around forever, it’s free, and it’s extremely lightweight. The interface is more code-based than drag-and-drop, but if you’re comfortable with it, it’s a solid choice for simple contact forms.
What I Don’t Install (That Everyone Else Does)
A few plugins that show up on every “must-have” list that I skip:
Jetpack — It does too many things and none of them especially well. It adds significant bloat. Use dedicated plugins for the specific features you actually need.
Broken Link Checker — Constantly hammers your database and slows down the admin area. Run an external crawl tool like Screaming Frog periodically instead.
Social share plugins — Most are bloated and load unnecessary scripts on every page. If you need social sharing, a lightweight option or even custom HTML buttons work fine.
The Actual Rule
Every plugin you install is a potential performance hit, a potential security vulnerability, and a potential source of future conflicts. The question isn’t “is this plugin useful?” — it’s “is this plugin worth what it costs me to run it?”
Start with the five above. Add others only when you have a specific, real need they solve. Audit your plugin list every six months and remove anything that’s not actively earning its place.
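One way to run that six-month audit, as an added example that is not part of the original post: the function below reads the CSV printed by WP-CLI's `wp plugin list --fields=name,status,update,version --format=csv`, flags inactive plugins for removal and flags any plugin with a pending update. The function names, the sample rows and their version numbers are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the original post): audit a WordPress plugin list.
# Real input comes from WP-CLI:
#   wp plugin list --fields=name,status,update,version --format=csv | audit_plugins
# Assumes no field contains a comma (true for plugin slugs and versions).

audit_plugins() {
    awk -F, '
        NR == 1 { next }                      # skip the CSV header row
        { installed++ }
        $2 == "inactive" {
            # Deactivated plugins still leave their PHP files on the server.
            printf "REMOVE\t%s\tinactive, files still on disk\n", $1
            findings++
            next
        }
        $2 == "active" || $2 == "active-network" { active++ }
        $3 == "available" {
            printf "UPDATE\t%s\tversion %s has an update pending\n", $1, $4
            findings++
        }
        END {
            printf "SUMMARY\t%d installed, %d active, %d findings\n", installed, active, findings
        }
    '
}

# Constructed sample input so the script runs offline; versions are placeholders.
sample_plugin_csv() {
    cat <<'EOF'
name,status,update,version
seo-by-rank-math,active,none,1.0.0
litespeed-cache,active,available,1.0.0
updraftplus,active,none,1.0.0
wordfence,active,none,1.0.0
wpforms-lite,active,none,1.0.0
jetpack,inactive,none,1.0.0
broken-link-checker,inactive,available,1.0.0
EOF
}

sample_plugin_csv | audit_plugins
```

Each output line is tab-separated (action, plugin, reason), so it can be mailed from cron or filtered with `grep '^REMOVE'`.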
A clean, fast WordPress site with five well-chosen plugins will always outperform a site buried under thirty of them. And once you’ve got your stack sorted, combine it with a solid website maintenance routine to keep everything running smoothly long-term.
