I’m a WordPress professional, versed in design, development, plugins, education, and organizational strategies. I work to assist clients with building and maintaining high-performance, scalable WordPress websites. I will on an irregular basis post (hopefully) useful WordPress insight here on the blog. Reach out to me if you have feedback – or ideas for new posts! I’ve also cross-posted this in 2 parts on LinkedIn (1, 2).
Nothing is as constant as change
Four years ago, I published a performance plugins post on the blog that contained useful how-tos for speeding up a WordPress site. Since then, the recommendations I gave in that post have… aged a bit. The primary guidance in that post is still valid: prioritize performance, use plugins and other techniques to make WordPress faster, make backups and use version control, and test test test. However, two of the three plugins I recommended at that time have since fallen off my “starting lineup” for various reasons – some of which I’ll explain in this post.
Much of my professional effort is spent in increasing WordPress performance for clients, so an update to the plugins that I use most in the pursuit of faster websites is included in this post. However, that update also seemed like an opportunity to broaden my coverage. Over the past two years, I’ve noticed that a steady list of plugins outside of a performance focus also finds its way into the grand majority of my sites, and I’m going to share those plugins with you as well. Additionally, some previously much-loved plugins have faded into the shadows of obsolescence. Alas, poor P3 Plugin Performance Profiler, I used it.
Even though WordPress development has evolved significantly in the last four years, the WordPress world is changing even more rapidly in 2018. With Gutenberg’s eventual release already shaking up the WordPress landscape, it’s even more critical to keep up-to-date with useful tools and services – and just as important to discard what no longer works. In that spirit, here are the essential plugins that I currently use for nearly all of my WordPress work in 2018.
Criteria for selection
There are scores of plugins I use on a regular basis – but my primary objective is to focus on those that I feel are truly essential. Below is the basis for my plugin selections.
The featured plugins here are ones I use on over 75% of my WordPress sites. These plugins have real utility! It’s practically guaranteed that the plugins here will align with the majority of WordPress use cases you’ll find yourself in.
Each plugin has proven to be performant. I’ve had to make hard decisions in the past with whizbang plugins with a hundred useful features only to select a simpler plugin (or set of plugins) before a site launch. Additionally, a problem with performance during development often magnifies at scale. The moment a viral marketing campaign hits your site could be catastrophic for that plugin that was only a bit slow during normal traffic days. In the post-analysis, it doesn’t matter how neat or useful a plugin is if it slows your or your client’s website down to a crawl. Be selective in choosing plugins that provide useful features as well as execute at acceptable speeds.
The plugins here have remained in good standing. What does “good standing” mean? Two things: the plugin must continue to be maintained, and the plugin must remain off of security and vulnerability lists. Many of the oldest and once-useful plugins have not been able to maintain this standing. The plugins I’m featuring in this list have all been updated in the last year, which is a good standard to keep. It’s always beneficial to occasionally review what’s in your developer toolbox to see if better and more updated versions exist.
The cheapskate factor
Each plugin is free – or has a useful free version. I believe wholeheartedly in developers getting paid for their work, and I’ve donated money to many of the contributors that have created or maintained the plugins listed. That being said, the barrier for entry when it comes to evaluating if a plugin solves a problem or adds value gets a lot lower when it’s free or freemium. Additionally, not every client (or for that matter, every developer) will have the budget to purchase licenses for every bit of code that goes into their projects. Each of the plugins selected is the result of work that the developer wants to offer for free to the community – either completely so or a degree of it.
Enough pre-qualification! Let’s dive in.
What developer would mind a helping hand? Here are the plugins I’ve used to ease the development cycle most often.
Admin Post Navigation
As a developer, you might have been in this situation before. Say you’re migrating your client’s old blog into a new rebuild, and there’s a change that will affect each of the existing posts in the blog. As you make changes to each blog post, you’re constantly finding yourself back at the Posts screen, only to click back into the next post. With two separate clicks to get to the next post, you’re wasting valuable time. Time you could easily be using to practice your planking or play Pokémon Go. People still eat Tide Pods, right?
Save yourself a click, and get the Admin Post Navigation plugin. Two simple buttons next to the Edit Post heading will allow you to navigate to the previous and next post in chronological order. Not down with the chronological sequence? Within Screen Options, Admin Post Navigation will allow you to select other forms of sorting. Additional filters will allow you to further customize the plugin via your own custom plugin or within functions.php.
Post-development, this particular plugin is lightweight and useful enough to keep activated. As an aside, the plugin creator, Scott Reilly, has a number of other useful plugins that might help out your next WordPress project.
Ah, the old debugging workhorse for WordPress. Debug Bar provides a whole mess of useful information on your WordPress site. It’s especially useful when it comes to chasing down slow queries, with detailed information on execution times. A critical tool when it comes to pinpointing why Advanced Custom Fields is suddenly acting up, as an example.
There’s a good selection of add-ons to Debug Bar as well. My current favorite is Debug Bar Slow Actions, which ranks the slowest 100 actions and filters running in your site. This is especially good for me since I tend to fill up my functions.php file with lots of code. Maybe I didn’t need to run that Custom Howdies function in production after all…
This plugin (and its add-ons) can be a bit of a resource hog so I would suggest deactivating this on your live server and activating it only when needed. If your WordPress site involves a multi-server development and staging environment, you might want to write a deployment script to deactivate your Debug Bar plugin(s) in production using wp-cli commands. If you happen to be developing WordPress on Pantheon, I wrote a template for automating this process.
Enable Media Replace
The utility provided by Enable Media Replace is one that many would assume that WordPress provides out of the box. Why wouldn’t you be able to easily replace an image with an updated version? Unfortunately, the default behavior for WordPress requires that you delete an image before uploading the new version. This can be especially tedious when linked images in posts and pages lose their links because of a naming difference in the process of image deletion and upload. Why risk the potential mess? Use Enable Media Replace!
Though I have this listed as a Development plugin (because the ability to replace images easily is critical to the development cycle), you’ll want to continue running this on your live server due to the irreplaceable utility it provides. You won’t regret it.
It’s not listed here because I don’t use it that often, but if you also spend time resizing thumbnails along with your new media uploads, you will likely be interested in the Regenerate Thumbnails Advanced plugin (though there is a handy wp-cli command for that, too).
NEED. MORE. SPEED! Despite your captivating, well-written content, visitors will drop off your site in no time flat if your site is slow. Here are all the plugins I use most often to throw my site visitors back into their chairs.
It is important that I state that “performance” in this context refers to web application and front-end speed, specifically. Plugins I favor that improve other types of performance (such as SEO) are detailed under “Utility plugins”.
a3 Lazy Load
When it comes to website performance, images are a pain. Sure, they can make a website look pretty, and the visual information they provide tells much that simple text cannot. But images are one of the biggest factors in slow site performance, and it’s all too common to see a waterfall chart dominated by their loading times. But it doesn’t have to be that way, even if you’re running a media-heavy website.
If you’re reading this content on my site, you might notice that each of the images fades into view as you scroll down the page. This means that the images aren’t requested until they’re nearly in view of the visitor. That functionality is provided by a3 Lazy Load, and it’s a panacea for your image download ills. As a bonus, a3 Lazy Load can handle your video files as well!
Enter Autoptimize. With a little configuration, Autoptimize minifies and compresses all HTML, stylesheets, and scripts, dramatically speeding up those requests. Additionally, scripts and styles can be moved to more optimized locations in your site’s front end code, further increasing render speed. With a little more work, you can utilize an outside Critical CSS tool and add your generated CSS to the head with Autoptimize, ensuring that the visitor can see the rendered site before external stylesheets are even requested.
Even though Autoptimize creates its own cache, I haven’t seen any conflicts with Varnish or caching plugins. When I installed Autoptimize on this blog, it immediately shaved 0.4 seconds off the tested render time. There’s a good chance that it can have a similar effect for your next WordPress project.
Will your client’s WordPress website have one or more content contributors? Will they be uploading images along with their content? If so, Imsanity will help maintain all the hard website performance work you spent many late night hours getting right. Bloated image byte size is a usual suspect for slow websites, and the average content contributor on a deadline isn’t going to know (or care) much about image optimization. Moreover, some freemium image smushing plugins will not attempt to optimize images over a certain byte size. Imsanity will help keep your performance metrics sky high after site handoff!
Imsanity will resize any uploaded images that are larger than the maximum dimensions specified in the Imsanity settings. It also works hand-in-hand with image smushing plugins – like reSmush.it, detailed below. It’s like a tag team, dropping the big boot on big images!
Avoid that awkward conversation with a post-launch client where they complain that their site has become slow, only to discover that their own uploaded images caused the problem. Use Imsanity!
reSmush.it Image Optimizer
In my time, I’ve used a whole mess of image smushing plugins. For years, I used WP Smush (also once known as WP Smush.it, and now known as Smush Image Compression and Optimization). Smushing queues were often long, and sometimes it simply didn’t work. In 2015, the servers at Yahoo! which did the smushing work for free users of WP Smush.it were offlined. Hence, the search for a new solution was on for over 300,000 users of the old plugin.
It’s hard to overstate the utility of an image smushing regimen. Many types of images are not optimized for the web, even with quality options set from an image editor like Photoshop. Also, Photoshop can’t touch the kinds of optimization levels that lossless compression tools like image smushing plugins can provide. It’s a common event for me to upload a screenshot (like the ones in this post) and immediately see a 30-45% size reduction without a loss in quality.
The plugin that currently does this work for me is reSmush.it Image Optimizer. Completely free, reSmush.it will optimize any uploaded image up to 5MB in size. Happily, each image will usually be smushed within seconds of upload – no queues!
Perhaps there should be a band named Smush Mouth, because with the help of reSmush.it, your image download speed will be an All Star!
Alas, if only wp-cron was a true cron. The default mechanism that governs scheduled tasks in WordPress, wp-cron, runs as a piggyback process each minute the site is receiving traffic – and only when the site receives traffic. As a negative, each wp-cron process also consumes an additional network socket. Normally, this does not lead to issues for sites with a small-to-moderate amount of traffic. However, in high-traffic scenarios, the processes can add up and lead to substandard performance. In low-traffic scenarios, pending wp-cron jobs can pile up on a visitor’s first visit of a cache cycle, potentially leading to a much longer TTFB depending on the queued scheduled tasks.
Ideally, you’ll want to deactivate wp-cron and schedule any required tasks in an actual cron. In reality, not every project will allow for the use of a separate cron. Barring this, one thing you can do is ensure that the work that wp-cron attempts to do is as minimal as possible. That’s where WP Crontrol will come in handy. WP Crontrol allows you to see all scheduled tasks, and in most instances, delete, run, or edit their scheduling. This is key when installing new plugins or themes because the schedule for their jobs can be quite aggressive by default. It’s not uncommon for jobs with 5-minute intervals to appear in this scenario.
When it comes to optimizing scheduled jobs with WP Crontrol, I’m never going to stop. Does it bug you that WordPress checks for new updates every 12 hours? With WP Crontrol, you can get what you want. Adjust those schedules to daily, weekly, or monthly. Now the update checks won’t run a lot. Be sure to review all of the scheduled jobs and optimize accordingly. Now your wp-cron schedules are all grown up!
Not every wp-cron job will benefit from an adjustment from WP Crontrol. Be sure to do your research and test, test, test when changing the frequency of business-critical plugins such as WooCommerce.
Of the plugins I detailed in my 2014 list as crucial for high performance, WP-Optimize is the sole survivor as an essential plugin! Year after year, WP-Optimize continues to prove its value. Nowadays there are many options to optimize query speeds (such as object caching), but WP-Optimize works in tandem with those solutions to keep your database small and speedy.
The same common problems that the plugin fixes are still present in WordPress. The recording of revisions, spam comments, auto-drafted posts, trashed content, and expired transients can still inflate your database and slow it down. You can fire off WP-Optimize’s cleaning manually at any time, but you can also schedule it as well. It is recommended that you have automated daily backups if you use WP-Optimize, as there are uncommon edge cases where database optimization can foul up your data. UpdraftPlus is a backup plugin in the same plugin family as WP-Optimize and they will harmoniously work together.
Attending to WordPress security is incredibly important in keeping your site working in the way you designed it. With this in mind, hosting differences for each of my various WordPress projects disqualified many valuable security plugins from this list (more context on that later). In fact, only two plugins fulfilled the 75% usage criteria.
Force Strong Passwords
Imagine, for a moment, that hackers (or, at the very least, people able to guess simple passwords) exist on Planet Spaceball. If so, they likely gained access to President Skroob’s luggage (with the ill-chosen combination of 1-2-3-4-5) a long time ago! It’s comedic, but the behavior of picking simple, easy-to-guess passwords is far more common than many site administrators are comfortable with. Like the image upload size problem described above, weak passwords are another way that a client or your client’s users can turn the whole website you toiled over into a sudden clean-up job. And the possibilities for an intruder having admin user access are far, far worse than a few slow images.
By default, WordPress will generate a complex password for new users, but a user can still type in a new, weak password and have WordPress accept it simply by ticking a checkbox. That’s where Force Strong Passwords comes in. If a user types in a weak password and hits Save… denied! Force Strong Passwords will insist that the new password be stronger. If you’d like different password enforcement options, a number of filters are available as well.
Now, if only we could install this plugin into Planet Druidia’s air shield…
Limit Login Attempts Reloaded
The Spaceballs scenario I described above is perfect for a sci-fi comedy, but it’s a use pattern that brute force attacks attempt to exploit. A large percentage of Internet novices pick easy-to-guess usernames and passwords, and the machines behind a brute force attack slam a login page with usernames and passwords often used by those novices. More sophisticated patterns of attack will include patterns from a known user’s public information. And if the brute force attack fails to gain access, there’s a chance that the attempts themselves will bring the site down due to the resources consumed by the authentication process.
Granted, using the Force Strong Passwords plugin can help a great deal, though it does not remove the issue of authentication overhead being incurred with each attack. Luckily, a simple approach to block those attacks exists, and it’s one of the features at the core of Limit Login Attempts Reloaded. Limit Login Attempts Reloaded will only allow a certain number of login attempts from a specific IP before engaging a lockout period. Each aspect of the login enforcement can be configured, from the number of allowed retries to the length of the lockout. Additionally, Limit Login Attempts Reloaded protects against XML-RPC attacks, another common vector of attack.
Moreover, if you’ve been using the old Limit Login Attempts plugin that’s not been maintained for a few years, switching over to the Reloaded version is a snap! Simply remove the old plugin and activate the Reloaded plugin. Your settings will be transferred over.
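The lockout behaviour described above, as an added example (a language-neutral model written for this post, not code from Limit Login Attempts Reloaded). The class names, setting names, IP addresses and credentials are all constructed; the point to notice is that the lockout check runs before the expensive password hash, which is what removes the authentication overhead during an attack.

```python
import hashlib
import hmac
from collections import defaultdict


class LoginLimiter:
    """Per-IP retry counter with a lockout period. Setting names are illustrative."""

    def __init__(self, allowed_retries=3, lockout_seconds=600, window_seconds=3600):
        self.allowed_retries = allowed_retries    # failed attempts that trigger a lockout
        self.lockout_seconds = lockout_seconds    # length of the lockout
        self.window_seconds = window_seconds      # failures older than this are forgotten
        self._failures = defaultdict(list)        # ip -> timestamps of recent failures
        self._locked_until = {}                   # ip -> time at which the lockout ends

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is not None and now >= until:
            del self._locked_until[ip]            # lockout has expired
            until = None
        return until is not None

    def record_failure(self, ip, now):
        recent = [t for t in self._failures[ip] if now - t < self.window_seconds]
        recent.append(now)
        if len(recent) >= self.allowed_retries:
            self._locked_until[ip] = now + self.lockout_seconds
            recent = []                           # count afresh once the lockout ends
        self._failures[ip] = recent

    def record_success(self, ip):
        self._failures.pop(ip, None)


class Site:
    """Toy login endpoint that counts how often the costly hash is computed."""

    def __init__(self, limiter):
        self.limiter = limiter
        self.hash_checks = 0
        self._salt = b"constructed-salt"
        self._users = {"editor": self._hash("correct horse battery staple")}
        self.hash_checks = 0                      # do not count account setup

    def _hash(self, password):
        self.hash_checks += 1
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)

    def login(self, ip, username, password, now):
        # Cheap check first: a locked-out IP never reaches the password hash.
        if self.limiter.is_locked(ip, now):
            return "locked"
        stored = self._users.get(username)
        candidate = self._hash(password)
        if stored is not None and hmac.compare_digest(stored, candidate):
            self.limiter.record_success(ip)
            return "ok"
        self.limiter.record_failure(ip, now)
        return "failed"


def replay_constructed_attack():
    """Replay constructed traffic: eight bad guesses from one IP, one real login."""
    site = Site(LoginLimiter(allowed_retries=3, lockout_seconds=600))
    noisy_ip, visitor_ip = "203.0.113.7", "198.51.100.20"   # documentation ranges
    results = [site.login(noisy_ip, "editor", f"guess-{t}", now=t) for t in range(8)]
    during = site.login(visitor_ip, "editor", "correct horse battery staple", now=30)
    after = site.login(noisy_ip, "editor", "guess-8", now=700)  # lockout ended at 602
    return results, during, after, site.hash_checks


if __name__ == "__main__":
    print(replay_constructed_attack())
```

Because the counter is keyed on the client IP, a site behind a proxy or CDN has to pass the limiter the real client address, otherwise every visitor shares one counter.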
All of the following plugins provide utility that would be difficult to go without!
All in One SEO Pack / Yoast SEO
Here’s the sole plugin tossup in this post, where I either use one or the other on most of my sites. However, I do have a preferred horse in this race. Both plugins provide much of the same value – though the devil (really, more of a helpful daemon) is in the details.
Search engine optimization is not something you should ignore if you’re developing a website intended for an audience. Long gone are the days of blogrolls and curated web portals as a primary source of traffic. Nowadays, Google is the homepage of the Internet, and if you want Google to direct visitors to your artisan content, you’ve got to try to play the algorithm as best as you can. Moreover, a lack of SEO strategy can actively deter Google from indexing your content.
Of the two SEO plugins in the header, I’ve used All in One SEO Pack the longest. It’s the simpler of the two, and has a higher performance profile. Presentation-wise, it’s much more straightforward and you’ll rarely have to dig through multiple screens to find the setting you’re looking for. Generally speaking, I tend to install All in One SEO Pack for sites with content that isn’t expected to change much. This way, I can ensure that the content being offered at launch is optimized without worry for any future content optimization. All in One SEO Pack is my choice if site performance at scale is a concern, as various features offered by the plugin can easily be turned on and off. If the client has an SEO expert on staff, this is likely my plugin pick as well.
For sites with contributors that write much of their own content (like mine!), Yoast SEO is my clear favorite. For administrators that are novices in search engine optimization, Yoast SEO gently guides the user through the basic setup process. The Configuration Wizard is a good beginning to education in basic search optimization issues and techniques. For content contributors, Yoast SEO provides the invaluable Readability Analysis tool, which prompts writers on simple edits that can increase your SEO. Although depending too much on the Analysis tool can have its own problems, as long as contributors treat its suggestions as guidelines – and not dogma – stronger content is bound to occur.
Really, it’s hard to go wrong with either plugin. Both are covered in a ton of tutorials and documentation and will help enable a stronger SEO game than without.
Oddly, Duplicate Post is another plugin that provides functionality that many might assume WordPress provides by default. It allows just that – easy duplication of previously-created posts into new drafts (and it works for pages, too). There are even settings for granularity; you can choose exactly which elements of posts and pages you wish to clone. Its simplicity is such that it’s a wonder that its utility hasn’t been introduced into WordPress Core yet. Get this plugin.
Plugin Notes Plus
Likely, this simple plugin might have made a bigger impact on my task of maintaining multiple client websites than any other this year. When it comes to developing many websites, it’s completely possible to lose track of the reasons for your decision making on plugins. After six months away from a client’s site, you may scratch your head as to why it was important to keep Hello Dolly – and it’s not even a Louis Armstrong fan site!
End the guessing and get Plugin Notes Plus. This handy plugin allows you to record notes for each plugin on the Plugins admin screen. You can even record multiple notes per plugin! The option to attach different icons to each note will help you visually identify warnings, notices, and other note types.
The need to redirect requests from deprecated URLs touches upon so many important aspects of site development. First, every 404 served to a human visitor has a great chance to be a lost traffic opportunity. Second, 404s are hard to cache – and hence have a big impact on overall site speed. Third, migrated, un-redirected content that is lost to Google and other search engines heavily impacts SEO efficacy.
Historically, I’ve handled 301s in a variety of ways. I’ve gone from using mod_rewrite on Apache, to writing regex redirects in wp-config.php, to using various plugins for the purpose. Most of the sites I work on have a great deal of legacy content, and it’s typical that a great deal of content will be generated in the future. With the high probability of redirects having to be created at launch and the need to manage legacy redirects, along with the likelihood that future content edits might introduce edited slugs, I typically choose Redirection to manage most of my 301s.
Now, I’ve seen too many redirect rules adversely affect a site’s performance. There’s a sinking feeling to seeing an HTTP server slow down to a crawl due to several thousand 301 rules in place. That’s why I’m grateful that Redirection records the number of hits a specific redirect rule incurs. As an example, if after a year’s traffic a specific redirect rule has only a handful of hits, it’s likely a good call to just delete it. Why incur the overhead for a seldom-used rule?
A truly essential feature of Redirection is its 404 log. Since bots can and will hit parts of your site you didn’t anticipate, sorting through the frequency of 404s can really help with writing effective 301s. The option to create a redirect to counter a logged 404 is given with each result.
As may be apparent, a way to sanitize uploaded SVGs would help mitigate the security hole, and that’s where Safe SVG comes in. The free version of Safe SVG will parse your uploaded SVGs and clean out any potentially malicious code. Equally handy, Safe SVG will enable image previews of SVGs in the Media Library, which some solutions to allow SVG uploads do not enable. If you’re interested in the paid version, Safe SVG will allow you to set the user role(s) that are allowed to upload SVGs. Additionally, if you like squeezing even more performance out of your uploaded SVGs, the paid version will also run them through the SVGO optimization library, making them even faster!
SVGs will be the future of many images, and the security challenges with SVG are being actively discussed in the community. In the meantime, post them with confidence with this useful plugin!
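To make "parse the upload and clean out anything potentially malicious" concrete, here is an added sketch of allowlist-style SVG sanitization. It is an illustration written for this post, not Safe SVG's code, and the element and attribute allowlists and the sample file are constructed and deliberately short.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialize without ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)

# Illustrative allowlists: anything not named here is dropped.
ALLOWED_TAGS = {"svg", "g", "defs", "title", "desc", "path", "circle", "rect",
                "ellipse", "line", "polyline", "polygon", "use"}
ALLOWED_ATTRS = {"id", "class", "viewBox", "width", "height", "x", "y", "cx", "cy",
                 "r", "rx", "ry", "d", "points", "fill", "stroke", "stroke-width",
                 "transform"}
HREF_ATTRS = {"href", "{" + XLINK_NS + "}href"}


class UnsafeSVG(ValueError):
    """Raised when an upload should be rejected outright instead of cleaned."""


def _clean(elem):
    # Attributes: keep allowlisted names; links may only point inside the file.
    for name in list(elem.attrib):
        if name in HREF_ATTRS:
            if not elem.attrib[name].strip().startswith("#"):
                del elem.attrib[name]
        elif name not in ALLOWED_ATTRS:
            del elem.attrib[name]       # drops on* handlers, style, and so on
    # Children: remove the whole subtree of anything not allowlisted.
    for child in list(elem):
        namespace, _, local = child.tag.rpartition("}")
        if namespace != "{" + SVG_NS or local not in ALLOWED_TAGS:
            elem.remove(child)
        else:
            _clean(child)


def sanitize_svg(data):
    """Return a cleaned copy of the SVG text, or raise UnsafeSVG."""
    lowered = data.lower()
    if "<!doctype" in lowered or "<!entity" in lowered:
        raise UnsafeSVG("DOCTYPE and ENTITY declarations are not accepted")
    try:
        root = ET.fromstring(data)      # comments and processing instructions are dropped
    except ET.ParseError as exc:
        raise UnsafeSVG("not well-formed XML") from exc
    if root.tag != "{" + SVG_NS + "}svg":
        raise UnsafeSVG("root element is not <svg> in the SVG namespace")
    _clean(root)
    return ET.tostring(root, encoding="unicode")


# Constructed upload: active content mixed in with ordinary shapes.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     viewBox="0 0 10 10" onload="alert(1)">
  <script>alert(1)</script>
  <circle cx="5" cy="5" r="4" fill="red" onclick="alert(2)"/>
  <a xlink:href="javascript:alert(3)"><rect width="1" height="1"/></a>
  <use xlink:href="#shape"/>
  <use xlink:href="https://example.invalid/x.svg#y"/>
</svg>"""

if __name__ == "__main__":
    print(sanitize_svg(SAMPLE_SVG))
```

An allowlist is used instead of a blocklist so that elements the list's author never thought of are removed by default.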
“What? That’s it? Why didn’t you include…”
A word about managed WordPress hosting
Though many of my WordPress projects occur on simple hosting, just as many of those projects in the past few years are on managed WordPress hosting. Development environments such as those given by managed WordPress hosting platforms have many advantages. Common features offered include automated backups, page and object caching, and platform-level security, including a WAF and active malware scans. Having these sorts of features is fantastic – one reason being that these features are offered on the platform level, and are not subtractive of my website’s performance like a plugin would be. In these sorts of secure hosting situations, I usually find myself disqualifying plugins from my project that I would normally use on single server projects.
That doesn’t mean I don’t have recommendations for features like backups and page caching! Though I don’t consider the following plugins “essential” for every project, they’ll likely be useful for projects outside of managed hosting.
I still occasionally use UpdraftPlus on hosting without a backup feature. It is a freemium plugin, with options to store your backups on multiple platforms or your own external storage.
In most cases where a web server accelerator is not available (and in some cases where a web server accelerator is available but no external object cache is), I’ve used W3 Total Cache in the past to great effect. W3 Total Cache provides object caching using disk, opcode or memcache(d) memory stores.
Google Analytics often comes into consideration in two ways. First, the need to insert the analytics code into the front end. Second, the ability to view analytics within the WordPress admin with a plugin.
Some of my clients have historically used a plugin to view analytics within wp-admin. I typically recommend to them a different approach: using a browser bookmark! Indeed, any user can get the same information from viewing their analytics directly from the Google Analytics website, all without having to install a plugin. The wisdom bears repeating:
Off of secure hosting, I’ve used both Wordfence and Sucuri Security. As mentioned earlier, be sure to go through the security settings for either plugin with a fine-toothed comb, as there may be features in your hosting environment which may make a specific security plugin feature redundant. Be sure to turn off the Live Traffic Tracking feature for Wordfence – it consumes a not-inconsequential amount of server resources and it can potentially break your page caching. In fact, I would disable Wordfence cookies entirely. Use Google Analytics if you want a live view of your traffic!
So why is an essential plugins list crucial? For starters, starting states! If you’re able to determine which plugins you’re most likely to use at the beginning of a project, you can create and maintain a repository that you can use as a base for each new site. You could even automate plugin and core updates to your repo, and make it even more bulletproof with visual regression against a testing instance loaded with testing data. Some managed WordPress hosting platforms also offer different solutions to developers that desire starting states for their projects.
I hope you were able to get some value from this post and I look forward to providing more working insight in future posts. Of course, I’ll never pretend to know everything about this topic, and I’m continually looking for additional knowledge and feedback. Did I miss an indispensable plugin that you couldn’t live without? Do you have a better recommendation than the ones I provided? Let me know, and I’ll likely give it a spin!
Additional resources and upcoming topics
For avid readers, here’s more contextual information on the items covered in this post. Additionally, I have in the works more posts on various, knotty WordPress challenges a developer can face.
Future posts I’ll eventually write
- Performance at scale – utilizing load testing and software analytics to deliver at truly massive scale
- Manage all the contributors! – corralling a large team of contributors will be easier, with special tools and processes that I developed while managing a global team
Articles on the web
- The nightmare that is wp-cron.php
- pantheon.io: A Quickstart Guide to WordPress Security
- wpmudev.org: How Many WordPress Plugins Is Too Many Plugins…?
Managed WordPress hosting platforms, strictly in alphabetical order
If managed WordPress hosting sounds like a favorable option for your next project, check out the list of platforms!