Whilst WordPress gets a lot right out of the box, there’s always room for enhancement, customisation, and extension.
Whilst every site is unique and has different requirements, I frequently find myself turning to the same set of foundational plugins to help manage data structures, performance and administrative tasks.
Here are my must-haves (in no particular order), which help to take WordPress from a blogging platform to a fully-featured, enterprise-ready CMS.
Redirection (and the similar functionality in Yoast SEO Premium) is a phenomenally powerful tool for managing 301 (and other types of) redirects, for logging 404 errors, and for maintaining lists and sets of redirect rules.
I’ve written about the critical role it plays in managing how Google and other bots interact with your site – how they continually and indefinitely request old URLs, invalid URLs, and URLs you didn’t even know about, and how failing to manage this impacts your performance and user experience.
If I’m building or working on a site which has complex content structures (anything more nuanced than a block of body content), ACF is a powerful and flexible solution for defining content elements and their components, and managing that content easily.
Building content like recipes, complex lists and reviews often requires more structured content storage rules and admin workflows than a simple text editor can easily manage (without building lots of messy HTML directly into the content editor).
The ‘Pro’ version unlocks more advanced functionality around nested and repeating component fields, which is a must-have for building complex content workflows.
Whilst this ships with WordPress and does a great job of capturing spam comments, many people don’t realise that it also comes with an extensive API which can be used to spam-check any user-submitted content.
If you’re building custom forms, processes or interactions which take inputs, you can pipe user fields and metadata (including IP, HTTP header information and more) to an endpoint which will immediately classify the submission.
With a little extra work, you can also build administrative workflows to flag ham submissions (false positives) and train the system to do a better job of classifying your inputs.
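The custom-form check described above, as an added example that is not code from the original post or from the plugin's author. It assumes the plugin in question is Akismet (the plugin name is missing from this section of the page) and that it is active with a verified API key; the `myform_` names, nonce action and form field names are hypothetical.

```php
<?php
// Added example. Assumes the Akismet plugin is active with a verified key.
// The "myform_" names, nonce action and form field names are hypothetical.
/** Classify a submission: returns 'spam', 'ham' or 'unknown'. */
function myform_spam_verdict( array $fields ) {
    if ( ! class_exists( 'Akismet' ) || ! Akismet::get_api_key() ) {
        return 'unknown';
    }
    $server  = wp_unslash( $_SERVER );
    $request = array(
        'blog'                 => home_url(),
        'user_ip'              => $server['REMOTE_ADDR'] ?? '',
        'user_agent'           => $server['HTTP_USER_AGENT'] ?? '',
        'referrer'             => $server['HTTP_REFERER'] ?? '',
        'comment_type'         => 'contact-form',
        'comment_author'       => $fields['name'],
        'comment_author_email' => $fields['email'],
        'comment_content'      => $fields['message'],
    );
    // http_post() returns array( headers, body ); the body is the string
    // "true" for spam and "false" for ham. Anything else is an error.
    $response = Akismet::http_post( Akismet::build_query( $request ), 'comment-check' );
    $body     = isset( $response[1] ) ? trim( (string) $response[1] ) : '';
    if ( 'true' === $body ) {
        return 'spam';
    }
    return ( 'false' === $body ) ? 'ham' : 'unknown';
}

function myform_handle_submission() {
    $nonce = sanitize_key( $_POST['myform_nonce'] ?? '' );
    if ( ! wp_verify_nonce( $nonce, 'myform_submit' ) ) {
        wp_die( 'Invalid request.', '', 403 );
    }
    $fields = array(
        'name'    => sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) ),
        'email'   => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'message' => sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) ),
    );
    $verdict = myform_spam_verdict( $fields );
    // Only a clear "ham" verdict is delivered; spam and API failures are held
    // for review so that an outage does not silently open the form to spam.
    $status = ( 'ham' === $verdict ) ? 'deliver' : 'hold';
    do_action( 'myform_submission_classified', $fields, $verdict, $status );
    wp_safe_redirect( wp_get_referer() ?: home_url() );
    exit;
}
add_action( 'admin_post_nopriv_myform_submit', 'myform_handle_submission' );
add_action( 'admin_post_myform_submit', 'myform_handle_submission' );
```

Sending the same request fields to the `submit-ham` path reports a false positive back to the service. The request carries the visitor's IP address and email to a third party, so it belongs in the site's privacy notice.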
Any site which is running more than a handful of plugins and custom functionality can soon become cumbersome to manage. In particular, WordPress’ native admin menus begin to sprawl and become difficult to navigate – especially if you’re using plugins which add functionality to different sections and submenus.
Admin Menu Editor lets you take control, to hide or move links, and to create new groupings. You can also restrict visibility by role and other variables, making it a great way to keep things simple and streamlined.
One minor annoyance is that the plugin stores the entire refactored menu code as a single field in the wp_options table, which in some cases can lead to performance issues in the back end (on lower-end hosting).
It spots bottlenecks, slow or duplicated queries and PHP errors, as well as outlining how my pages are constructed and rendered.
Relevanssi builds its own index, and enables heavy customisation of weighting, inclusion/exclusion, and fuzzy matching logic, and searching of custom fields. It’s particularly powerful for sites which don’t assume that recency should be the primary sorting option.
For particularly complex or bespoke requirements, developers can hook the WP_Query object into the relevanssi_do_query function to build completely bespoke search functionality on top of the powerful matching engine.
Based on your permalink settings, WordPress automatically defines a set of regex patterns for different URL types. It specifies the kinds of URL structures which should return pages, posts, archives and other result types.
However, many sites will use only a fraction of the default types. Single author blog posts, for example, don’t need support for author indexes. Rewrite lets you edit, add or remove all of the defined rewrites, and to streamline and customise your URL matching logic.
Whilst there are plenty of plugins available to control the behaviour of these templates (e.g., to noindex or return a 404 for unwanted result types), it feels cleaner to disable the functionality altogether through this approach.
Lastly, whilst it’s relatively straightforward to define these rules within a theme, the rewrite interface gives you a convenient and safe environment to test, manage revisions, and to see all of your URL logic in one place.
Any site with more than one owner/editor should carefully consider its policies on access, publishing, deletion and administration. Whilst the WordPress default roles cover most of the basics, sometimes it’s helpful to have more fine-grained control over specific permissions.
User Role Editor allows you to create, modify or remove role types, as well as the ability to create/assign specific permissions to individual users and posts. It adds a huge amount of flexibility when it comes to managing your people, posts and permissions.
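A check worth running after editing roles, as an added example that is not part of the original post or of User Role Editor. It lists every non-administrator role that holds a high-risk capability; the `mysite_` names and the capability shortlist are choices made for this illustration.

```php
<?php
// Added example; the "mysite_" names and the capability shortlist are
// choices made for this illustration, not part of any plugin.

/** Map each non-administrator role to the high-risk capabilities it holds. */
function mysite_audit_role_caps() {
    // Capabilities that allow code changes, script injection or user control.
    $high_risk = array(
        'unfiltered_html', 'edit_plugins', 'edit_themes', 'install_plugins',
        'activate_plugins', 'edit_users', 'promote_users', 'manage_options',
    );
    $findings = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( 'administrator' === $slug ) {
            continue;
        }
        // A capability stored as false is an explicit deny, so drop it.
        $granted = array_keys( array_filter( $role['capabilities'] ) );
        $risky   = array_values( array_intersect( $high_risk, $granted ) );
        if ( $risky ) {
            $findings[ $slug ] = $risky;
        }
    }
    return $findings;
}

/** Show the findings to administrators on the Users screen. */
add_action( 'admin_notices', function () {
    $screen = get_current_screen();
    if ( ! current_user_can( 'promote_users' ) || ! $screen || 'users' !== $screen->id ) {
        return;
    }
    foreach ( mysite_audit_role_caps() as $slug => $caps ) {
        printf(
            '<div class="notice notice-warning"><p>%s</p></div>',
            esc_html( sprintf( 'Role "%s" grants: %s', $slug, implode( ', ', $caps ) ) )
        );
    }
} );
```

On a default install this reports the Editor role, which holds `unfiltered_html`.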
For websites with complex or bespoke functionality and template logic, it’s often good practice to cache results of complex queries and slow processes. Typically, this uses the WordPress transients caching system, which caches and stores strings directly in the database (or externally, if you’ve configured external caching) for quick retrieval.
As anybody who’s worked with caching will know, it’s frustrating to test and debug systems, and you’ll frequently find yourself wanting to conditionally bypass or purge specific or global caching layers.
The Transients Manager plugin gives you all of this – you see the data types, expiry and details of all transients and interrogate/alter/delete individual rows. You can also temporarily suspend all transients as you work, to avoid tripping over your caching logic as you develop it.
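The caching and conditional-bypass pattern described above, as an added example that is not code from the original post. The `mysite_` names, the `mysite_nocache` parameter, the `recipe` post type and the `rating` meta key are hypothetical; the bypass is tied to an administrator capability so that anonymous visitors cannot force the slow path on every request.

```php
<?php
// Added example; "mysite_" names, the nocache parameter, the "recipe" post
// type and the "rating" meta key are hypothetical.

/** True only for administrators who explicitly ask to skip the cache. */
function mysite_cache_bypassed() {
    return isset( $_GET['mysite_nocache'] ) && current_user_can( 'manage_options' );
}

/**
 * Return a cached value, rebuilding it with $build on a miss or bypass.
 * The value is wrapped in an array so that a legitimately false or empty
 * result is distinguishable from get_transient()'s false "miss" return.
 */
function mysite_remember( $key, callable $build, $ttl = HOUR_IN_SECONDS ) {
    if ( ! mysite_cache_bypassed() ) {
        $hit = get_transient( $key );
        if ( is_array( $hit ) && array_key_exists( 'v', $hit ) ) {
            return $hit['v'];
        }
    }
    $value = $build();
    set_transient( $key, array( 'v' => $value ), $ttl );
    return $value;
}

/** The slow query is run only on a miss, a bypass, or after a purge. */
function mysite_top_recipes() {
    return mysite_remember( 'mysite_top_recipes', function () {
        $query = new WP_Query( array(
            'post_type'      => 'recipe',
            'posts_per_page' => 10,
            'meta_key'       => 'rating',
            'orderby'        => 'meta_value_num',
            'order'          => 'DESC',
            'fields'         => 'ids',
            'no_found_rows'  => true,
        ) );
        return $query->posts;
    } );
}

// Purge when the underlying data changes rather than waiting for expiry.
add_action( 'save_post_recipe', function () {
    delete_transient( 'mysite_top_recipes' );
} );
```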
If you’re scheduling events and processes, WP Crontrol is an excellent tool for gaining complete insight into everything in the cron queue, the functions each action hooks into, and the arguments passed.
It’s also a great tool for diagnosing performance challenges arising from plugins or processes backing up or multiplying out of control – something which happens frustratingly often with poorly built themes and plugins!
Managing complex and interdependent stylesheets in WordPress can be a nightmare. WP Less adds LESS support right within the theme editor and filesystem – allowing you to write mixins, functions and variables within your CSS, as well as to manage dependencies and relationships.
You don’t need to do anything complex; just enqueue your LESS files in the same way as you’d enqueue normal CSS. The plugin processes the LESS files and creates (and then caches) optimised, minimised CSS files.
I should note that whilst LESS has fallen out of fashion in favour of SCSS, I’ve found the latter to be less well-supported – and it’s worth sacrificing some of the extra shiny features in favour of simplifying the workflow.
WP Rocket gives you a great boost out of the box, but lacks fine control over individual elements.
W3 Total Cache provides an incredible degree of fine-level control, but each site needs manually configuring and in-depth tinkering to get the best results.
They’re both great solutions, but neither’s perfect or always the best choice. Results may also vary in both cases, based on your site structure/setup and infrastructure.
Both plugins also integrate seamlessly with your CloudFlare account (as well as your Varnish setup).
Yoast SEO (WordPress SEO)
The famous ‘Yoast’ plugin handles most of the SEO basics out of the box. For an average site, this will provide support for most of the basics you’ll need; from structured data and meta tags, to XML sitemaps and indexation control.
For more complex sites, there are hooks and filters for procedurally modifying titles, descriptions, canonical tags and similar. It’s relatively straightforward to refine, enhance or overwrite the inbuilt logic for individual pages, templates or scenarios.
Takes a little bit of effort to configure for each site (you’ll need to extract your critical path CSS), but well worth the effort. It makes it pretty straightforward to achieve a 100/100 Google PageSpeed score, which is always a treat (even though the PageSpeed scoring is nonsense).
Plays surprisingly nicely with WP Less and enqueued resources.
Sucuri Security and/or iThemes Security Pro and/or WordFence
Between these three plugins, you can cover everything from scheduled filesystem scans and backups, to access logging, IP blacklisting, to database obfuscation, and much more.
Don’t leave home without at least a couple of these in place, but make sure to tailor and configure to your environment and setup.
Also, use with care. It’s remarkably easy to lock yourself out of your system, block your IP address, or break (some complex or poorly built) plugins if you’re not careful. Backup, test settings, and work through step-by-step.
I’ve deliberately kept the focus on architectural/foundational plugins, which means that I’ve left out a bunch of other favourites which only apply in certain use-cases.
Some of these still bear mentioning, however, so here are a few extras which you should definitely consider, based on your needs:
- Yet Another Related Posts Plugin, for managing ‘related post’
- AdRotate, which is an excellent ad management tool
- Nelio Content, which is an excellent collaborative content & promotion workflow platform
- DuracellTomi’s Google Tag Manager for WordPress, which handles GTM injection and creates a sophisticated datalayer object
- Broken Link Checker, which is a handy (but sometimes performance-intensive) tool for spotting broken links in your content
- WPML, which is the de-facto internationalisation plugin [may require a LOT of modification/extension based on your requirements but does a good job of handling much of the heavy lifting]
- EWWW and Kraken.io are both good choices for automatic image compression and optimisation
- WP Offload S3 is useful if you’re hosting your images on S3 and want to sync/move your media and/or source references, etc, without breaking your media library [can have some hiccups when used in conjunction with WPML]
- Gravity Forms is the de-facto form plugin, though there are some good simpler alternatives like WPForms if you need less firepower
- Controversially, Jetpack. For a long time, this felt like little more than bloated widgetware. However, recent upgrades see it starting to take on the role of filling out a lot of useful core functionality.
- Plugin Organiser is a useful tool for selectively managing scripts, styles and plugin loading on a per-page/template level. I’d always recommend doing this through functions and hooks, but sometimes that’s not possible or straightforward.
Is there anything missing from my core set? Are there any worthy mentions which should make the list? Let me know!