A Core Set of Plugins for any WordPress Website and a Warning

I’ve lost count of the number of times I’ve seen threads asking which are the best WordPress plugins. The responses inevitably list lots of them, covering the widest range of functionality you can imagine.

One of the benefits of using WordPress is the range of plugins that extend its functionality into pretty much any area you can think of.

But be careful: plugins can be a double-edged sword.

The more of them you use, the more there is to go wrong on your site, the slower your page load times will become, and the greater your chances of having problems after WordPress upgrades.

So before you go out and install a range of super-cool plugins make sure of two things:

  1. They add functionality that you actually need in order to meet the goal of your site
  2. They aren’t duplicating the functionality of another plugin you already have installed.

I reviewed a site recently which had a huge number of plugins installed, some of which did the same thing as others, and 10 of which were deactivated.

That added an enormous amount of completely pointless bloat to the site.

So rather than building a site and then asking what plugins you can add, reverse the process:

  1. Be clear on the goal of your site
  2. Understand how much of the functionality that you need can be achieved without plugins
  3. Look for plugins to fill the specific functionality gaps you’ve identified.

Basic functionality for which you probably need to add plugins

All that said, there are some plugins that I install on every new site I build in order to strengthen functionality in three key areas:

  1. Site Administration
  2. Spam and security
  3. SEO

Whatever the goal of your site, you will benefit from installing plugins to help in those areas.

I’ve set out below the plugins I use. In all cases there are many options available, so if you’re not sure about the specific plugin I’ve mentioned, search for others that perform the same function.

Taking each in turn:

Site Administration

BackupBuddy. This is a premium plugin but well worth the investment. It backs up and restores your entire WordPress site, not just the database, and it will migrate your site from one server (and domain) to another.

Backing up your entire site, rather than just the database, enables you to restore your site quickly and easily in the event it’s hacked or corrupted.

Of course, you can achieve the same result with a database backup plugin and manually copying your site files back to your local machine each week. But BackupBuddy takes the time and hassle out of all that.

If you’re not sure about BackupBuddy search for other full-site backup plugins.

WP-DBManager. This is a database management plugin and I use it simply because you can set a regular schedule for optimizing the database. You can also repair your database and write simple SQL queries.

It will back up your database, and I used it to do that for a long time before I found BackupBuddy. Since I started using BackupBuddy, the only use I make of WP-DBManager is to regularly optimize my database.

If WP-DBManager doesn’t get you going, do a search for WordPress database management plugins.

Spam and Security

Akismet. No link, as this comes with all WordPress installations. It’s an excellent anti-spam plugin and it’s still free as long as you’re using it on a personal site. But you will need to get an API key in order to activate it.

Bad Behavior. Another anti-spam plugin that works differently from (and combines with) Akismet. The major difference is that it prevents access to your site in the first place, whereas Akismet allows access to your site but then flags the comment as spam.

Because of the way it works, Bad Behavior claims to be effective against denial of service attacks. Thankfully, I’ve not had to deal with any of those so I can’t comment on how well it does that.

The combination of those two works very well for me, but if they don’t look interesting just do a search for WordPress anti-spam plugins – there are quite a few others.

WP-Security-Scan. This started off well but then went stagnant for a long time. However, it was recently taken over by Website Defender who’ve reactivated development on it, so it’s now being regularly updated again – good news!

As its name implies, it scans your site for security loopholes and flags them up to you, along with an easy way of fixing them.

If WP-Security-Scan doesn’t do it for you search for WordPress security or WordPress exploit scanning plugins.

Login Lockdown. This plugin monitors access attempts through your login page and locks down the site after a fixed number of unsuccessful attempts within a specified time period.

It’s good for protecting your site against brute force attacks where automated bots attempt to guess your username and password to gain access to your site.

If you don’t like Login Lockdown do a search for access protection or login protection plugins.
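The lockout rule described for Login Lockdown above (a fixed number of failed attempts within a time period), sketched in Python as an added example; it is not the plugin's code or part of the original post, and the thresholds, the per-address counting and the `LoginThrottle` and `replay` names are assumptions.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Lock a source address out after too many failed logins in a window."""

    def __init__(self, max_failures=3, window=300, lockout=3600):
        # Assumed values for illustration; real thresholds are configurable.
        self.max_failures = max_failures
        self.window = window      # seconds over which failures are counted
        self.lockout = lockout    # seconds the address then stays locked out
        self.failures = defaultdict(deque)  # ip -> recent failure times
        self.locked_until = {}              # ip -> time the lockout expires

    def attempt(self, ip, now, password_ok):
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        if self.locked_until.get(ip, 0) > now:
            # Refuse before looking at the password: even a correct
            # guess is rejected while the lockout is in force.
            return "locked"
        if password_ok:
            self.failures.pop(ip, None)
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        # Drop failures that have aged out of the sliding window.
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
        return "failed"


def replay(events, **settings):
    """Feed (time, ip, password_ok) events through a fresh throttle."""
    throttle = LoginThrottle(**settings)
    return [throttle.attempt(ip, ts, ok) for ts, ip, ok in events]


# Constructed sample: repeated failures from one address, one typo from another.
SAMPLE_EVENTS = [
    (0, "203.0.113.7", False),
    (10, "203.0.113.7", False),
    (15, "198.51.100.4", False),   # a user mistypes once
    (20, "203.0.113.7", False),    # third failure in the window: lockout starts
    (25, "203.0.113.7", True),     # refused while locked, whatever the password
    (30, "198.51.100.4", True),    # unaffected: failures are counted per address
    (3700, "203.0.113.7", False),  # lockout has expired; counting starts afresh
]
```

`replay(SAMPLE_EVENTS)` returns one outcome per attempt, in order; events are assumed to arrive in time order.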

You can use your .htaccess file to restrict access to your admin directory to a fixed IP or range of IP addresses. However, you run the risk of being locked out of your own site if your ISP uses dynamic IP addresses and assigns you one that isn’t in the range you’ve specified!


SEO

SEO plugins such as All-in-one-SEO-Pack, Yoast SEO and Platinum SEO are all good plugins and, if your theme doesn’t offer you SEO controls, you should install one of them.

They all make it easier to specify index and follow settings as well as title, description and keywords for both your site and individual articles.

I don’t use any of those now because Thesis has a lot of SEO controls built in, but I used the All-in-one-SEO-Pack for a long time and it did a great job.

Google XML Sitemaps. This plugin creates an XML sitemap for your site and automatically pings the search engines whenever you update it. It has an extensive range of settings that enable you to optimize it according to the way you’ve set up your site.

An XML sitemap is for the search engines – you need an HTML sitemap if you want to provide one for your visitors. Doing a search for WordPress sitemap plugins will bring you quite a few results to check out – both HTML and XML.

SEO Smartlinks. This plugin automatically creates internal links between relevant posts and pages on your site. You can also use it to set up links to external sites so I use it to link automatically to affiliate products based on keywords I define.

It has a wide range of options, so you can define the characteristics it should look for when attempting to inter-link relevant posts or pages.

Do a search for WordPress internal linking plugins if SEO Smartlinks doesn’t float your boat.


Those are the plugins I install as a basic set on all new sites I set up (with the exception of the first SEO plugins), and they’ve served me well for a long time – several years in most cases.

But, rather than focusing on those specific plugins, put your focus on strengthening the functionality in those three key areas – site admin, spam & security, and SEO. Within those areas look for plugins that work well for you and don’t clash with either your theme or other plugins.

And, as I’ve said before: the fewer plugins you can use the better.

Don’t run two plugins that do the same thing and delete entirely (not just deactivate) any plugins you’re not using.

On top of those you may need to add additional plugins to fill functionality gaps you have, based on what you’re doing with your site. For example, if you’re running an online shop you’ll need an eCommerce plugin.

But, as always, keep your plugins to the minimum to ensure that your page load times are as quick as possible and your site remains as stable as possible.


Martin Malden.

What do you think?


  • Lydia Oct 10, 2011 @ 17:54

    Pretty good article. I’ve followed your WP security series closely and my only problem with Bad Behavior is that a statement appears in the footer of my home page that reads “Bad Behavior has blocked ___ access attempts in the last 7 days.” Is there a way I can get rid of this text without uninstalling the plugin? It seems to be doing its job of protecting our site.

    • Martin Oct 10, 2011 @ 18:42

      Hi Lydia,

      If you go to Settings > Bad Behavior the top section of settings is headed ‘Statistics’. Just un-check that check box and that statement will disappear.



  • Lydia Oct 10, 2011 @ 19:24

    Thank you Martin. I missed that completely when I set up the plugin.