Whilst WordPress gets a lot right out of the box, there’s always room for enhancement, customisation, and extension.
Whilst every site is unique and has different requirements, I frequently find myself turning to the same set of foundational plugins to help manage data structures, performance and administrative tasks.
Here are my must-haves (in no particular order), which help to take WordPress from a blogging platform to a fully-featured, enterprise-ready CMS.
The famous ‘Yoast’ plugin handles most of the SEO basics out of the box. For an average site, this will provide support for most of the basics you’ll need; from structured data and meta tags, to XML sitemaps and indexation control.
For more complex sites, there are hooks and filters for procedurally modifying titles, descriptions, canonical tags and similar. It’s relatively straightforward to refine, enhance or overwrite the inbuilt logic for individual pages, templates or scenarios.
If I’m building or working on a site which has complex content structures (anything more nuanced than a block of body content), ACF is a powerful and flexible solution for defining content elements and their components, and managing that content easily.
Building content like recipes, complex lists and reviews often requires more structured content storage rules and admin workflows than a simple text editor can easily manage (without building lots of messy HTML directly into the content editor).
The ‘Pro’ version unlocks more advanced functionality around nested and repeating component fields, which is a must-have for building complex content workflows.
Whilst this ships with WordPress and does a great job of capturing spam comments, many people don’t realise that it also comes with an extensive API which can be used to spam-check any user-submitted content.
If you’re building custom forms, processes or interactions which take inputs, you can pipe user fields and metadata (including IP, HTTP header information and more) to an endpoint which will immediately classify the submission.
With a little extra work, you can also build administrative workflows to flag ham submissions (false positives) and train the system to do a better job of classifying your inputs.
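A sketch of that flow for a custom contact form, as an added example rather than code from this post. It assumes the plugin described here is Akismet and calls its REST endpoints (`comment-check`, `submit-ham`) through WordPress' HTTP API; the `mysite_` function names, the `MYSITE_AKISMET_KEY` constant and the `$fields` keys are hypothetical.

```php
<?php
// Added example. MYSITE_AKISMET_KEY and all mysite_* names are assumptions.

/** POST one submission to an Akismet endpoint; returns the response body, or null on failure. */
function mysite_akismet_request( $endpoint, array $fields ) {
	$server  = wp_unslash( $_SERVER ); // WordPress adds slashes to $_SERVER.
	$payload = array(
		'blog'                 => home_url(),
		// Behind a proxy or CDN, REMOTE_ADDR is the proxy: resolve the real client IP first.
		'user_ip'              => isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '',
		'user_agent'           => isset( $server['HTTP_USER_AGENT'] ) ? $server['HTTP_USER_AGENT'] : '',
		'referrer'             => isset( $server['HTTP_REFERER'] ) ? $server['HTTP_REFERER'] : '',
		'comment_type'         => 'contact-form',
		'comment_author'       => isset( $fields['name'] ) ? (string) $fields['name'] : '',
		'comment_author_email' => isset( $fields['email'] ) ? (string) $fields['email'] : '',
		'comment_content'      => isset( $fields['message'] ) ? (string) $fields['message'] : '',
	);

	$response = wp_remote_post(
		'https://' . MYSITE_AKISMET_KEY . '.rest.akismet.com/1.1/' . $endpoint,
		array( 'body' => $payload, 'timeout' => 5 )
	);

	if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
		return null;
	}
	return trim( wp_remote_retrieve_body( $response ) );
}

/** Classify a submission: 'spam', 'ham', or 'error' (timeout, bad key, unexpected body). */
function mysite_akismet_classify( array $fields ) {
	$body = mysite_akismet_request( 'comment-check', $fields );
	if ( 'true' === $body ) {
		return 'spam';
	}
	if ( 'false' === $body ) {
		return 'ham';
	}
	return 'error'; // Hold for manual review rather than silently accepting or dropping.
}

/** Report a false positive: an admin has confirmed a flagged submission was legitimate. */
function mysite_akismet_report_ham( array $fields ) {
	// Resend the values captured at submission time (store IP and user agent with the entry).
	return null !== mysite_akismet_request( 'submit-ham', $fields );
}
```

An admin-side "not spam" action would call `mysite_akismet_report_ham()` with the stored submission, which is the training loop described above.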
Any site which is running more than a handful of plugins and custom functionality can soon become cumbersome to manage. In particular, WordPress’ native admin menus begin to sprawl and become difficult to navigate – especially if you’re using plugins which add functionality to different sections and sub-menus.
Admin Menu Editor lets you take control, to hide or move links, and to create new groupings. You can also restrict visibility by role and other variables, making it a great way to keep things simple and streamlined.
It’s worth pointing out one minor annoyance, however. The plugin stores the entire refactored menu code as a single field in the wp_options table, which in some cases can lead to performance issues in the back end (on lower end hosting, or poorly configured setups).
When I’m building complex WordPress sites and projects which involve lots of custom functions, PHP and database interactions, Query Monitor is my tool of choice for diagnosing performance and issues.
It spots bottlenecks, slow or duplicated queries and PHP errors, as well as outlining how my pages are constructed and rendered.
WordPress’ default search sucks. It’s barely suitable for even the most basic blogs and websites, and lacks the customisation required to provide a good experience for most complex websites.
Relevanssi builds its own index, and enables heavy customisation of weighting, inclusion/exclusion, and fuzzy matching logic, and searching of custom fields. It’s particularly powerful for sites which don’t assume that recency should be the primary sorting option.
Any site with more than one owner/editor should carefully consider its policies on access, publishing, deletion and administration. Whilst the WordPress default roles cover most of the basics, sometimes it’s helpful to have more fine-grained control over specific permissions.
User Role Editor allows you to create, modify or remove role types, as well as the ability to create/assign specific permissions to individual users and posts. It adds a huge amount of flexibility when it comes to managing your people, posts and permissions.
For websites with complex or bespoke functionality and template logic, it’s often good practice to cache results of complex queries and slow processes. Typically, this uses the WordPress transients caching system, which caches and stores strings directly in the database (or externally, if you’ve configured external caching) for quick retrieval.
As anybody who’s worked with caching will know, it’s frustrating to test and debug systems, and you’ll frequently find yourself wanting to conditionally bypass or purge specific or global caching layers.
The Transients Manager plugin gives you all of this – you can see the data types, expiry and details of all transients, and interrogate/alter/delete individual rows. You can also temporarily suspend all transients as you work, to avoid tripping over your caching logic as you develop it.
If you’re scheduling events and processes, WP Crontrol is an excellent tool for gaining complete insight into everything in the cron queue, the functions each action hooks into, and the arguments passed.
It’s also a great tool for diagnosing performance challenges arising from plugins or processes backing up or multiplying out of control – something which happens frustratingly often with poorly built themes and plugins!
Both handle a ton of clever performance optimisation, static page caching, header management and a myriad of minor stuff which all combine to make a site run super-fast. Can’t live without them.
WP Rocket gives you a great boost out of the box, but lacks fine control over individual elements.
W3 Total Cache provides an incredible degree of fine-level control, but each site needs manually configuring and in-depth tinkering to get the best results.
They’re both great solutions, but neither’s perfect or always the best choice. Results may also vary in both cases, based on your site structure/setup and infrastructure.
Both plugins also integrate seamlessly with your CloudFlare account (as well as your Varnish setup).
Sucuri Security and/or iThemes Security Pro and/or WordFence
When it comes to hardening and securing your WordPress site, it’s better to over-protect than to risk leaving gaps.
Between these three plugins, you can cover everything from scheduled filesystem scans and backups, to access logging, IP blacklisting, to database obfuscation, and much more.
Don’t leave home without at least a couple of these in place, but make sure to tailor and configure to your environment and setup.
Also, use with care. It’s remarkably easy to lock yourself out of your system, block your IP address, or break (some complex or poorly built) plugins if you’re not careful. Backup, test settings, and work through step-by-step.
I’ve deliberately kept the focus on architectural/foundational plugins, which means that I’ve left out a bunch of other favourites which only apply in certain use-cases.
Some of these still bear mentioning, however, so here are a few extras which you should definitely consider, based on your needs:
- wpDiscuz, which is an exceptionally good replacement for the default WordPress comments system.
- wp-Typography, which does some cool stuff like adding CSS hooks to numbers and symbols, and preventing phrase orphaning.
- WP-PageNavi, which replaces the clunky default WordPress ‘next/previous post’ pagination with something a bit more sensible.
- Nelio Content, which is an excellent collaborative content & promotion workflow platform
- DuracellTomi’s Google Tag Manager for WordPress, which handles GTM injection and creates a sophisticated datalayer object
- WP Offload S3 is useful if you’re hosting your images on S3 and want to sync/move your media and/or source references, etc, without breaking your media library [can have some hiccups when used in conjunction with WPML]
- Gravity Forms is the de-facto form plugin, though there are some good simpler alternatives like WPForms if you need less firepower.
- WP-DraftsForFriends lets you generate shareable but private links to draft/unpublished posts, so that you can share or get feedback on content without having to publish and open it to the world.
- Plugin Organiser is a useful tool for selectively managing scripts, styles and plugin loading on a per-page/template level. I’d always recommend doing this through functions and hooks, but sometimes that’s not possible or straightforward.
- Gmail SMTP allows you to configure your site to route all of your emails through an SMTP system like GSuite.
- WP Pusher, which allows you to sync GitHub repos to themes and plugins – makes it easy to juggle multiple environments, and to avoid messing around with FTP’ing files between different versions of your site.