Whilst WordPress gets a lot right out of the box, there’s always room for enhancement, customisation, and extension.
Whilst every site is unique and has different requirements, I frequently find myself turning to the same set of foundational plugins to help manage data structures, performance and administrative tasks.
Here are my must-haves (in no particular order), which help to take WordPress from a blogging platform to a fully-featured, enterprise-ready CMS.
Redirection (and the similar functionality in Yoast SEO Premium) is a phenomenally powerful tool for managing 301 (and other types of) redirects, for logging 404 errors, and for maintaining lists and sets of redirect rules.
I’ve written about the critical role it plays in managing how Google and other bots interact with your site – how they continually and indefinitely request old URLs, invalid URLs, and URLs you didn’t even know about, and how failing to manage this impacts your performance and user experience.
If I’m building or working on a site which has complex content structures (anything more nuanced than a block of body content), ACF is a powerful and flexible solution for defining content elements and their components, and managing that content easily.
Building content like recipes, complex lists and reviews often requires more structured content storage rules and admin workflows than a simple text editor can easily manage (without building lots of messy HTML directly into the content editor).
The ‘Pro’ version unlocks more advanced functionality around nested and repeating component fields, which is a must-have for building complex content workflows.
Whilst this ships with WordPress and does a great job of capturing spam comments, many people don’t realise that it also comes with an extensive API which can be used to spam-check any user-submitted content.
If you’re building custom forms, processes or interactions which take inputs, you can pipe user fields and metadata (including IP, HTTP header information and more) to an endpoint which will immediately classify the submission.
With a little extra work, you can also build administrative workflows to flag ham submissions (false positives) and train the system to do a better job of classifying your inputs.
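As an added example (not code from the original post or from the plugin itself), here is one way to send a custom form submission for classification. It assumes the service described above is Akismet and uses its REST `comment-check` endpoint; the `myplugin_` function names and the `$fields` keys are hypothetical.

```php
<?php
// Added example: myplugin_* names and the $fields keys are hypothetical.

/**
 * Classify a form submission. Returns true (spam), false (ham), or null
 * when no verdict is available (no key, network error, unexpected reply).
 * $fields is expected to hold already-unslashed form values.
 */
function myplugin_is_spam( array $fields ) {
	// Akismet::get_api_key() is the Akismet plugin's accessor for the stored key.
	$key = class_exists( 'Akismet' ) ? Akismet::get_api_key() : '';
	if ( empty( $key ) ) {
		return null;
	}

	$server   = wp_unslash( $_SERVER ); // WordPress adds slashes to superglobals.
	$response = wp_remote_post(
		'https://' . rawurlencode( $key ) . '.rest.akismet.com/1.1/comment-check',
		array(
			'timeout' => 5,
			'body'    => array(
				'blog'                 => home_url(),
				// Behind a CDN or reverse proxy, REMOTE_ADDR is the proxy's
				// address; resolve the real client IP first in that setup.
				'user_ip'              => $server['REMOTE_ADDR'] ?? '',
				'user_agent'           => $server['HTTP_USER_AGENT'] ?? '',
				'referrer'             => $server['HTTP_REFERER'] ?? '',
				'comment_type'         => 'contact-form',
				'comment_author'       => $fields['name'] ?? '',
				'comment_author_email' => $fields['email'] ?? '',
				'comment_content'      => $fields['message'] ?? '',
			),
		)
	);

	if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
		return null;
	}

	// The endpoint answers with the literal body "true" (spam) or "false".
	$body = trim( wp_remote_retrieve_body( $response ) );
	if ( 'true' === $body ) {
		return true;
	}
	return 'false' === $body ? false : null; // e.g. "invalid" for a bad key
}

/** Map the three-state verdict to a moderation decision for the form handler. */
function myplugin_moderation_status( array $fields ) {
	$verdict = myplugin_is_spam( $fields );
	if ( true === $verdict ) {
		return 'spam';
	}
	return false === $verdict ? 'approved' : 'pending';
}
```

A missing verdict maps to `pending`, so an API outage or misconfigured key holds submissions for manual review instead of silently approving or discarding them.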
Any site which is running more than a handful of plugins and custom functionality can soon become cumbersome to manage. In particular, WordPress’ native admin menus begin to sprawl and become difficult to navigate – especially if you’re using plugins which add functionality to different sections and submenus.
Admin Menu Editor lets you take control, to hide or move links, and to create new groupings. You can also restrict visibility by role and other variables, making it a great way to keep things simple and streamlined.
One minor annoyance is that the plugin stores the entire refactored menu code as a single field in the wp_options table, which in some cases can lead to performance issues in the back end (on lower end hosting).
When I’m building complex WordPress sites and projects which involve lots of custom functions, PHP and database interactions, Query Monitor is my tool of choice for diagnosing performance and issues.
It spots bottlenecks, slow or duplicated queries and PHP errors, as well as outlining how my pages are constructed and rendered.
WordPress’ default search sucks. It’s barely suitable for even the most basic blogs and websites, and lacks the customisation required to provide a good experience for most complex websites.
Relevanssi builds its own index, and enables heavy customisation of weighting, inclusion/exclusion, and fuzzy matching logic, and searching of custom fields. It’s particularly powerful for sites which don’t assume that recency should be the primary sorting option.
For particularly complex or bespoke requirements, developers can hook the WP_Query object into the relevanssi_do_query function to build completely bespoke search functionality on top of the powerful matching engine.
Any site with more than one owner/editor should carefully consider its policies on access, publishing, deletion and administration. Whilst the WordPress default roles cover most of the basics, sometimes it’s helpful to have more fine-grained control over specific permissions.
User Role Editor allows you to create, modify or remove role types, as well as the ability to create/assign specific permissions to individual users and posts. It adds a huge amount of flexibility when it comes to managing your people, posts and permissions.
For websites with complex or bespoke functionality and template logic, it’s often good practice to cache results of complex queries and slow processes. Typically, this uses the WordPress transients caching system, which caches and stores strings directly in the database (or externally, if you’ve configured external caching) for quick retrieval.
As anybody who’s worked with caching will know, it’s frustrating to test and debug systems, and you’ll frequently find yourself wanting to conditionally bypass or purge specific or global caching layers.
The Transients Manager plugin gives you all of this – you can see the data types, expiry and details of all transients, and interrogate/alter/delete individual rows. You can also temporarily suspend all transients as you work, to avoid tripping over your caching logic as you develop it.
If you’re scheduling events and processes, WP Crontrol is an excellent tool for gaining complete insight into everything in the cron queue, the functions each action hooks into, and the arguments passed.
It’s also a great tool for diagnosing performance challenges arising from plugins or processes backing up or multiplying out of control – something which happens frustratingly often with poorly built themes and plugins!
Both handle a ton of clever performance optimisation, static page caching, header management and a myriad of minor stuff which all combine to make a site run super-fast. Can’t live without them.
WP Rocket gives you a great boost out of the box, but lacks fine control over individual elements.
W3 Total Cache provides an incredible degree of fine-level control, but each site needs manually configuring and in-depth tinkering to get the best results.
They’re both great solutions, but neither’s perfect or always the best choice. Results may also vary in both cases, based on your site structure/setup and infrastructure.
Both plugins also integrate seamlessly with your CloudFlare account (as well as your Varnish setup).
Yoast SEO (WordPress SEO)
The famous ‘Yoast’ plugin handles most of the SEO basics out of the box. For an average site, this will provide support for most of the basics you’ll need; from structured data and meta tags, to XML sitemaps and indexation control.
For more complex sites, there are hooks and filters for procedurally modifying titles, descriptions, canonical tags and similar. It’s relatively straightforward to refine, enhance or overwrite the inbuilt logic for individual pages, templates or scenarios.
This plugin is relatively new to my arsenal, but it packs a punch. This layers extra speed and performance optimisations on top of WP Rocket / W3 Total Cache to really dial things up.
It takes a little bit of effort to configure for each site (you’ll need to extract your critical path CSS), but it’s well worth the effort. It makes it pretty straightforward to achieve a 100/100 Google PageSpeed score, which is always a treat (even though the PageSpeed scoring is nonsense).
Sucuri Security and/or iThemes Security Pro and/or WordFence
When it comes to hardening and securing your WordPress site, it’s better to over-protect than to risk leaving gaps.
Between these three plugins, you can cover everything from scheduled filesystem scans and backups, to access logging, IP blacklisting, to database obfuscation, and much more.
Don’t leave home without at least a couple of these in place, but make sure to tailor and configure to your environment and setup.
Also, use with care. It’s remarkably easy to lock yourself out of your system, block your IP address, or break (some complex or poorly built) plugins if you’re not careful. Back up, test settings, and work through step-by-step.
I’ve deliberately kept the focus on architectural/foundational plugins, which means that I’ve left out a bunch of other favourites which only apply in certain use-cases.
Some of these still bear mentioning, however, so here are a few extras which you should definitely consider, based on your needs:
- Yet Another Related Posts Plugin, for managing ‘related posts’
- AdRotate, which is an excellent ad management tool
- wpDiscuz, which is an exceptionally good replacement for the default WordPress comments system.
- wp-Typography, which does some cool stuff like adding CSS hooks to numbers and symbols, and preventing phrase orphaning.
- WP-PageNavi, which replaces the clunky default WordPress ‘next/previous post’ pagination with something a bit more sensible.
- Nelio Content, which is an excellent collaborative content & promotion workflow platform
- DuracellTomi’s Google Tag Manager for WordPress, which handles GTM injection and creates a sophisticated datalayer object
- Broken Link Checker, which is a handy (but sometimes performance-intensive) tool for spotting broken links in your content
- WPML, which is the de-facto internationalisation plugin [may require a LOT of modification/extension based on your requirements but does a good job of handling much of the heavy lifting]
- EWWW and Kraken.io are both good choices for automatic image compression and optimisation
- Rewrite gives you an interface to test, manage, and to see all of your website’s URL logic in one place. Remove, alter, overwrite or add to WP’s default URL handling processes.
- WP Offload S3 is useful if you’re hosting your images on S3 and want to sync/move your media and/or source references, etc, without breaking your media library [can have some hiccups when used in conjunction with WPML]
- WP Less adds LESS support right within the theme editor and filesystem – allowing you to write mixins, functions and variables within your CSS, as well as to manage dependencies and relationships. Plays nicely with enqueueing and other processes.
- Gravity Forms is the de-facto form plugin, though there are some good simpler alternatives like WPForms if you need less firepower
- WP-DraftsForFriends lets you generate shareable but private links to draft/unpublished posts, so that you can share or get feedback on content without having to publish and open it to the world.
- Controversially, Jetpack. For a long time, this felt like little more than bloated widgetware. However, recent upgrades see it starting to take on the role of filling out a lot of useful core functionality.
- Plugin Organiser is a useful tool for selectively managing scripts, styles and plugin loading on a per-page/template level. I’d always recommend doing this through functions and hooks, but sometimes that’s not possible or straightforward.
- WP Pusher, which allows you to sync GitHub repos to themes and plugins – makes it easy to juggle multiple environments, and to avoid messing around with FTP’ing files between different versions of your site.