The following are what I consider to be essential plugins to install on your site. These cover backups, security and performance among other things.
These aren’t the only plugins available that will handle these jobs, but they’re the ones that I default to. I’ve decided on these, in most cases, because as well as doing their jobs well, in my opinion they’re also the easiest to get to grips with, making them ideal for new WordPress users.
I’ve also put together a round up of various other plugins that I think you may find interesting.
I never fail to be astonished when I encounter someone who has a site for their business and yet has no system of making backups of the site. Probably a bit hypocritical as in the past I’ve completely lost more than one site due to unforeseen problems.
A few years ago, friends of my wife had a site earning $1,000s a week. In an incident that made the national news in the UK, their hosting company accidentally deleted dozens of sites with no way to restore them. It took weeks for my wife’s friends to get their site running again and cost them close to $10,000.
I recommend you learn from mine and their mistakes the same way that we did and ensure you have at least one form of backup for your site. Ideally you’ll have several.
It’s possible that your web hosting package will include some form of backups. If so, that’s great, but don’t depend on that solely. Even established and reputable businesses can make mistakes. Plus you can’t guarantee that they will be able to restore a backup in as timely a manner as you would like.
Install a backup plugin into your site so that you have control over backups when you need them.
UpdraftPlus (https://wordpress.org/plugins/updraftplus/) is a freemium plugin that will back up your complete site. The free version lets you store the backed-up files remotely using cloud services, including Dropbox and Google Drive. Both of those services offer free storage space, so if you don’t already have an account, sign up with one of them.
Do not think it is enough to just store your backups on your web hosting account along with your site. In the event that the server your site is on fails, your backups will be lost along with your site.
UpdraftPlus allows you to specify how many backups to keep in storage. I recommend you save as many as your Dropbox or Google Drive account will allow. In some cases you will need to restore your site because something has broken on it. The more backups you keep, the more chance you will have a version of your site that was stored before the problem occurred.
If you ever need to restore a backup, make sure you first make a duplicate of the backup files to be on the safe side. I once encountered a problem during restoring a site and over 5GB of backup files were deleted before I could resolve the problem. Fortunately Google staff were able to restore the files for me, but had I duplicated them first, it would have saved me time and the loss of several years from my life expectancy.
I’ve suggested you have more than one backup system in place, but what if your host doesn’t offer a free backup service?
Enter ManageWP (https://managewp.com/), a GoDaddy owned company. This freemium web service is primarily designed to make running multiple WordPress websites easier. By installing their free plugin (https://wordpress.org/plugins/worker/) on each of your WordPress sites, you can automatically trigger core, plugin and theme updates for all your sites with just two button clicks in your ManageWP account.
If you only have one site, that might seem like a pointless service, but the free service also includes an add-on that will store a monthly backup of your site. Obviously a monthly backup isn’t ideal, but if you ever need to use a backup, you may be lucky and find it’s a few days old. If not, a month-old backup is usually better than no backup.
Despite what some people claim, WordPress is a pretty safe and secure platform as it is, but it makes sense to take a few steps to harden it further.
Wordfence is a Web Application Firewall (WAF). Its purpose is to block many of the most common types of attacks on your website.
You can use this plugin for free, but it’s important to understand the difference between the free and paid-for versions of the plugin. The paid-for version has new rules added that protect against new forms of attack as soon as the new protection becomes available.
The free version receives the same updates 30 days later. As long as you’re careful in which plugins you install and keep an eye out for reports of new exploits, then the free version will probably keep your site safe.
The cost of the paid-for version isn’t too much, however, and once your site is generating a bit of income, it makes sense to get the maximum protection by upgrading.
When you activate Wordfence, you get the option to subscribe to their free newsletter, which includes timely notifications about newly discovered exploits. Take the opportunity to sign up and read the emails. I’ve just updated a plugin with a critical vulnerability on one of our sites thanks to one of their notifications.
During activation, it’s also easy to miss the free install option. When you get to the screen that asks you to enter your Premium License Key, just click the small No Thanks link as shown in the screenshot.
Rather than explain the basic setup of the plugin here, which could become outdated when the plugin updates, I suggest you take a look at Wordfence’s own docs at https://www.wordfence.com/help/firewall/optimizing-the-firewall/. That will get you started and you’ll find all the help you need to make use of other features if you need them, but I often do nothing more than the extended setup. Note that if your site is on SiteGround, that page has some specific information on getting set up under the On SiteGround and other similar hosts that use cPanel heading.
Wordfence also includes an option to enable Two Factor Authentication (2FA) on your site. Click the Login Security submenu item to get to it.
This adds a new step to the admin login which requires you to enter a code generated by an app on your mobile device. You can choose to have your computer remembered when you log in which reduces the number of times you have to use a 2FA code to once every 30 days.
To take advantage of the 2FA feature, and I strongly recommend you do, you will need an app on at least one of your mobile devices.
I’ve used a few, but my favorite is Authy (https://authy.com/) as this allows you to automatically sync between devices. Trust me, if you use 2FA on a lot of sites, this can be a godsend when you change phones. It can also be useful if you ever lose one device as you have another you can use to log in. Should that happen, you can remotely disable the lost device from accessing your codes too.
For best reassurance though, make sure you download the recovery codes when you configure 2FA on your site.
In the Backups section, I suggested ManageWP as an additional service for taking a backup of your site. If you do this, there’s a small setup step you should take in Wordfence.
Click on Firewall under the Wordfence menu and on the new screen, click All Firewall Options.
On the next screen, click Advanced Firewall Options to open the panel, check the ManageWP checkbox and then click the Save Changes button.
If you don’t complete this step, it’s possible that whenever ManageWP tries to connect with your site, Wordfence’s firewall will block it and cause the backup to fail.
When you first activate Wordfence, it operates for a week in what is called Learning Mode. During this time it is more permissive in what it allows as it learns how your site normally functions. After that first week, it automatically switches itself to Enabled and Protecting.
Sometimes, you may install a plugin that behaves in a way that Wordfence finds suspicious. In these cases, Wordfence may intervene to stop what is happening until you confirm that you initiated the action. If the action causes the page to reload, you will see a fairly blank screen with a message from Wordfence asking you to click a button to confirm that you want the action it blocked to run. Click the button and the page will reload and the action you were carrying out will continue as intended. Wordfence will also remember this for the next time the action runs.
A problem may sometimes occur when a plugin runs an action in the background rather than reloading the whole page. If Wordfence thinks the behavior is suspicious, it will block the action again. In the past, this could be problematic because the action happened in the background and the page with the confirm button could not be displayed to you.
In modern versions of Wordfence however, you should see a popup instead asking if you want to whitelist the action. As long as that appears as a result of you clicking something, click the Whitelist this action button so that in the future Wordfence should allow this action to happen unblocked.
The old behavior of an action being silently blocked without a popup being displayed shouldn’t happen now.
However, I’ll explain how to resolve it just in case. So if you ever install a plugin and some of its functions don’t seem to work, you could try temporarily deactivating Wordfence and seeing if the plugin starts working. If that does make a difference, you can usually resolve this issue by reactivating Wordfence and switching it back to Learning Mode.
Go to Firewall under the Wordfence menu and click All Firewall Options.
Under Web Application Firewall Status, set the dropdown control to Learning Mode. Also check the Automatically enable on checkbox and then click the Save Changes button at the top right of the screen.
You can now try your new plugin again and see if it works correctly.
Really Simple SSL
You only need this if your site has an SSL certificate installed. If you’re not sure, a quick check is to enter the URL of your site in your browser, starting with https://, and see if a padlock appears in the address bar. If you get an error, it may be that your hosting account includes an SSL certificate but you need to activate it first. Check with your hosting company.
Assuming you do have SSL enabled, this plugin will ensure you don’t get mixed content error messages on your site. Those errors occur when a web page that has a URL starting with https:// attempts to load some content, such as an image, using a URL that starts with http://.
Really Simple SSL tries to ensure that all content is loaded over https:// so avoiding any errors.
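To make the mixed-content problem concrete, here is an added example (my own code, not the plugin’s) that finds sub-resource URLs loaded over http:// in a page and rewrites the ones on the site’s own host to https://. Third-party URLs are reported rather than rewritten, because the other host may not serve them over TLS; the sample page and the host name example.com are constructed for the demonstration.

```python
"""Find and fix mixed content in a page served over HTTPS (added example)."""
import re
from urllib.parse import urlsplit

# Tags that make the browser fetch a sub-resource. An <a href> is navigation,
# not a sub-resource, so it is deliberately not in this list.
TAG_RE = re.compile(
    r"<(?:img|script|iframe|video|audio|source|link|embed)\b[^>]*>", re.IGNORECASE
)
# Attributes inside those tags that carry the URL, quoted, starting with http://.
ATTR_RE = re.compile(
    r"""(\b(?:src|href|poster|data-src)\s*=\s*)(["'])(http://[^"']+)\2""",
    re.IGNORECASE,
)


def fix_mixed_content(html, site_host):
    """Return (fixed_html, third_party_urls).

    URLs on our own host are switched to https:// (the site has a certificate,
    which is why the plugin is installed). URLs on other hosts are left as they
    are and reported, because blindly rewriting them breaks resources whose host
    has no certificate; those need fixing at the source.
    """
    third_party = []

    def fix_attr(m):
        url = m.group(3)
        host = (urlsplit(url).hostname or "").lower()
        if host == site_host.lower():
            return m.group(1) + m.group(2) + "https://" + url[len("http://"):] + m.group(2)
        third_party.append(url)
        return m.group(0)

    def fix_tag(m):
        return ATTR_RE.sub(fix_attr, m.group(0))

    return TAG_RE.sub(fix_tag, html), third_party


# Constructed sample page: one same-host stylesheet and image to fix, one
# third-party script to report, one plain link and one https image to leave alone.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/x/style.css">
<script src="http://cdn.example.net/widget.js"></script>
</head><body>
<a href="http://example.com/about/">About</a>
<img src="http://example.com/wp-content/uploads/photo.jpg" alt="">
<img src="https://example.com/wp-content/uploads/ok.jpg" alt="">
</body></html>"""

if __name__ == "__main__":
    fixed, third = fix_mixed_content(SAMPLE_PAGE, "example.com")
    print(fixed)
    print("still mixed content (fix at source):", third)
```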
It will also redirect all traffic that attempts to connect over http to https. On the Settings tab, the first three toggle switches should be turned on.
Note that the Enable 301 .htaccess redirect option comes with a warning that it can cause an infinite redirect loop. I’ve never seen this happen, but it would stop your site working. I only outline the fix briefly below, because I don’t anticipate you having any problems with this.
In that event, there will be a block of text in the .htaccess file that starts with a line similar to # BEGIN rlrssslReallySimpleSSL rsssl_version[3.2.9] and ends with the line # END rlrssslReallySimpleSSL. Both of those lines and the lines of text between them will need to be deleted. If you’re unable to edit the .htaccess file yourself, contact your web host and they should be happy to help.
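If you do have to remove that block yourself, here is an added example (my own script, not part of the plugin) that deletes everything between the BEGIN and END markers, whatever version number the BEGIN line carries, copies the file to a .bak first, and refuses to touch a file whose block has no END line. The sample .htaccess content is constructed; the rewrite rules inside the block are illustrative, not the plugin’s exact output.

```python
"""Strip the Really Simple SSL block from an .htaccess file (added example)."""
import re
import shutil
from pathlib import Path

# The plugin brackets its rules between a BEGIN line that carries a version
# suffix, e.g. "# BEGIN rlrssslReallySimpleSSL rsssl_version[3.2.9]", and a
# plain END line. Matching on the fixed prefix handles any version.
BEGIN_RE = re.compile(r"^#\s*BEGIN rlrssslReallySimpleSSL\b")
END_RE = re.compile(r"^#\s*END rlrssslReallySimpleSSL\s*$")


def strip_rsssl_block(text):
    """Return (new_text, blocks_removed).

    Everything outside the BEGIN/END markers is kept exactly as it was. If a
    BEGIN line has no matching END, nothing is changed and 0 is returned, so a
    damaged file is never made worse by guessing where the block ends.
    """
    kept = []
    removed = 0
    inside = False
    for line in text.splitlines(keepends=True):
        if not inside and BEGIN_RE.match(line):
            inside = True
            continue
        if inside:
            if END_RE.match(line):
                inside = False
                removed += 1
            continue
        kept.append(line)
    if inside:
        return text, 0
    return "".join(kept), removed


def fix_htaccess(path):
    """Back the file up first, then rewrite it only if a block was removed."""
    path = Path(path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    new_text, removed = strip_rsssl_block(path.read_text())
    if removed:
        path.write_text(new_text)
    return removed


# Constructed sample: the plugin's block followed by the standard WordPress block.
SAMPLE_HTACCESS = """\
# BEGIN rlrssslReallySimpleSSL rsssl_version[3.2.9]
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>
# END rlrssslReallySimpleSSL
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^index\\.php$ - [L]
</IfModule>
# END WordPress
"""

if __name__ == "__main__":
    cleaned, count = strip_rsssl_block(SAMPLE_HTACCESS)
    print(f"removed {count} block(s):\n{cleaned}")
```

Run fix_htaccess("/path/to/.htaccess") on a copy of the real file once you have checked the sample output looks right.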
This is only really essential if you are going to allow others to access the admin part of your WordPress site.
If you’re the only user, you can skip this as it will serve no purpose. For site owners who are letting others, such as Virtual Assistants or Developers access their admin section, installing this is a sensible precaution.
This will track what changes other users make when logged into your site. It will make it easier to see what activities they’ve undertaken and the changes they make.
For example, if someone was employed by you to update the date of 100 posts, but while they had access they changed the payment address for your PayPal checkout, this plugin would track that change.
Such cases are likely to be very unusual, but I’ve read examples where site owners have experienced such incidents.
The one criticism I have is that it can’t be set to email warnings of certain types of actions, so you will need to keep an eye on this if you have others working on your site. A plugin called Activity Log (https://wordpress.org/plugins/aryo-activity-log/) does have an email notification option and is meant to cover most backend activity, but when I tried it, it didn’t seem to track changes to WooCommerce payment gateways.
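Since the plugin can’t email you about particular kinds of change, here is an added example (my own code, not either plugin’s) of the kind of check you could run over an exported log: it parses the lines, flags changes to payment-gateway settings, admin email, user roles and plugin installs for review, and summarises routine bulk edits per user so the one risky change in the PayPal scenario above stands out. The line format, user names and option names in the sample are constructed; adapt parse_line() to whatever fields your plugin’s export actually contains.

```python
"""Flag high-risk actions in an exported activity log (added example)."""
import re
from collections import Counter

# Constructed log format: one event per line, key=value fields. Real plugins
# export CSV or JSON; only parse_line() needs changing to suit them.
LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) user=(?P<user>\S+) action=(?P<action>\S+) target=(?P<target>\S+)"
)

# Actions that change who has access or what code runs, whoever does them.
HIGH_RISK_ACTIONS = {
    "plugin_installed", "plugin_activated", "user_created", "user_role_changed",
}
# Options whose change should always be reviewed: payment gateway settings
# (where the PayPal payee address lives), admin email, open registration.
SENSITIVE_OPTION_RE = re.compile(
    r"^option:(woocommerce_.*_settings|admin_email|users_can_register|default_role)$"
)


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_alerts(lines):
    """Return (timestamp, user, reason) tuples for events that need a human look."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["action"] in HIGH_RISK_ACTIONS:
            alerts.append((ev["ts"], ev["user"], f"{ev['action']} {ev['target']}"))
        elif ev["action"] == "option_updated" and SENSITIVE_OPTION_RE.match(ev["target"]):
            alerts.append((ev["ts"], ev["user"], f"sensitive option changed: {ev['target']}"))
    return alerts


def summarize(lines):
    """Count (user, action) pairs so 100 post-date edits appear as one line."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev:
            counts[(ev["user"], ev["action"])] += 1
    return counts


# Constructed sample export: a virtual assistant updating post dates as hired,
# plus one change to the PayPal gateway settings buried in the middle.
SAMPLE_LOG = """\
2024-05-02 09:01:12 user=va_jane action=post_updated target=post:101
2024-05-02 09:01:40 user=va_jane action=post_updated target=post:102
2024-05-02 09:03:05 user=va_jane action=option_updated target=option:woocommerce_paypal_settings
2024-05-02 09:04:11 user=va_jane action=post_updated target=post:103
2024-05-02 10:15:00 user=owner action=option_updated target=option:blogname
this line is not an event and is skipped
""".splitlines()

if __name__ == "__main__":
    for ts, user, reason in find_alerts(SAMPLE_LOG):
        print(f"REVIEW {ts} {user}: {reason}")
    for (user, action), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{user} {action} x{n}")
```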
The performance of a website boils down to just a few things. We’ve already discussed web hosts and choosing wisely there will help ensure consistent performance at that level.
The content of your site is another big factor. Image files can come out of your camera or phone much larger than you need for your website. Big image files are one of the most common causes of slow web pages. Ideally you’ll manually optimize images before upload, but I’m sharing some plugins that will do this for you when you upload images.
Video files are usually even larger and should rarely be uploaded to your own site. They can use huge amounts of bandwidth and lead to your site running slowly for all users. In fact, many shared web hosts specifically prohibit their users from hosting videos on their site. Even well optimized videos will continue to be large files, so rather than a plugin being the answer to maximize performance, you’ll need to host your videos elsewhere and embed them. We’ll cover that later in How to add videos.
There’s a wide range of different plugins and services available that are intended to improve the performance of your website. I’m going to limit this to just a few plugins.
WP Fastest Cache
WordPress is a database driven platform. When someone visits a page, the text and other data for that page is retrieved from the database and combined with various template files to create the page and serve it to the visitor. This can be achieved very quickly, but on a site using multiple plugins, this period of time may be extended significantly as many more requests are made to the database to get more data.
If a few seconds later another person visits the page, WordPress has to go through the same process to retrieve the same text and data.
While on a well optimized site, each page load may be quite quick, it’s still forcing the server to repeat the same operation.
One way to get around this is to cache pages. What that means is that when someone visits a page on your site, the page is generated and then a copy of it is stored as a file in a cache directory. The next time someone visits that page, the cached page is presented to them. That cached page is presented until it expires and then a new copy of the page is generated and saved.
There are several well established page cache plugins to choose from. They largely work the same way and in every head to head test I’ve seen, performance has generally been so close as to be indistinguishable for the average user.
For that reason, my recommendation is based on selecting what I believe is the simplest one to use, not necessarily the most popular. In fact some of the most popular caching plugins are so complex that, used without care, they could even slow your site down.
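To show what a page cache is actually doing behind those settings, here is an added example (my own code, not WP Fastest Cache’s) of the mechanism just described: the first anonymous visit renders the page and writes it to a cache directory, later visits within the expiry period are served from the file, and the page is regenerated once it is older than the timeout. It also skips the cache for logged-in users, which is why you have to log out or use a private window to see the cached pages; the cache directory, the cookie name check and the render function are assumptions for the demonstration.

```python
"""Minimal file-based page cache with expiry and logged-in bypass (added example)."""
import hashlib
import tempfile
import time
from pathlib import Path

# Assumed location for the demo; a real plugin writes under wp-content/cache.
CACHE_DIR = Path(tempfile.gettempdir()) / "wp-page-cache-demo"
TTL_SECONDS = 24 * 60 * 60  # "Once a Day": regenerate pages older than this


def cache_path(url):
    """Map any URL to a safe, fixed-length file name inside the cache directory."""
    return CACHE_DIR / (hashlib.sha256(url.encode()).hexdigest() + ".html")


def cacheable(request):
    """Only anonymous GET requests are served from cache.

    Logged-in users (a WordPress login cookie is present) and POSTs bypass it:
    their pages carry per-user content such as the admin bar or a shopping
    cart, and serving one visitor's copy to everyone else would leak it.
    """
    if request["method"] != "GET":
        return False
    return not any(c.startswith("wordpress_logged_in_") for c in request["cookies"])


def serve(request, render, now=None, ttl=TTL_SECONDS):
    """Return (html, source) where source is 'cache', 'fresh' or 'bypass'.

    render(url) is whatever builds the page from the database and templates.
    The generation time is stored on the first line of the cache file so the
    expiry check does not depend on file system timestamps.
    """
    now = time.time() if now is None else now
    if not cacheable(request):
        return render(request["url"]), "bypass"
    path = cache_path(request["url"])
    if path.exists():
        stamp, _, html = path.read_text().partition("\n")
        if now - float(stamp) < ttl:
            return html, "cache"
    html = render(request["url"])
    CACHE_DIR.mkdir(parents=True, exist_ok=True)
    path.write_text(f"{now}\n{html}")
    return html, "fresh"


def purge_all():
    """What the Delete Cache button does: drop every stored page and return the count."""
    removed = 0
    if CACHE_DIR.exists():
        for f in CACHE_DIR.glob("*.html"):
            f.unlink()
            removed += 1
    return removed


if __name__ == "__main__":
    purge_all()
    visitor = {"method": "GET", "url": "/about/", "cookies": []}
    for _ in range(2):
        html, source = serve(visitor, lambda url: f"<html>{url} rendered at {time.time()}</html>")
        print(source, html)
```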
WP Fastest Cache (https://wordpress.org/plugins/wp-fastest-cache/) performs fine in every comparison I’ve seen and benefits from one of the simplest setup procedures. There’s also a paid-for version that unlocks some features disabled in the free version, but the free version is a great starting point.
After installing and activating, click on WP Fastest Cache in the side menu.
On the Settings tab, you can check every checkbox except the one labeled Mobile. For Preload a pop up will open to specify which pages should be cached automatically. You can select all the different types. For other controls that open pop ups, just leave them set to the default setting.
If you use emojis in your writing, you shouldn’t check the Disable Emojis checkbox as that will stop emojis displaying in the front end.
When you’ve checked your checkboxes, click the Submit button to save your settings and that’s job done.
After saving those settings, it’s important to check that everything is still working fine on your site.
The minification and combining options will reduce the size of the code that is served to your users which will help speed page loads. However, be aware that it is possible that they can break the front end of your site.
For that reason, be sure to test all the pages of your site after saving changes here to make sure that you don’t have errors. If something has broken, try unchecking the combine and minify controls, one by one, and testing your site again.
Note, when testing it’s best to open your site in an incognito or private browsing window so you’re not signed into your site. This helps ensure that you see your site as your visitors will see it. Also, even if you have turned Preload on, it’s best to refresh each page once to ensure you’re seeing the cached page.
While potentially time consuming, this is important because it may help you find problems you’d otherwise be completely unaware of. Many years ago I tried an ecommerce site with my wife. We were slowly building traffic to it, but had no sales at all in the first six weeks. Then I received an email from someone saying they had a problem with the shopping cart. I checked and it was fine. Then I thought to log out and test it again. When I logged out, I started seeing the cached pages and discovered the caching plugin I was using was breaking the cart. Using incognito mode is a quick way to see your site as someone who isn’t logged in.
In the event that you make changes to the appearance of your site, you will need to manually clear the cache. Changes to the content are handled automatically by the plugin.
Clearing the cache is as simple as mousing over the Delete Cache entry in the top bar and clicking on Delete Cache and Minified CSS/JS. You’ll see a spinner graphic overlay the page for a few moments while all cached files are removed from the server.
Before we finish, you need to set an expiry on your cache so that your pages are regenerated after a period of time. This means that if you make a change to the appearance of your site and forget to clear the cache, this will ensure your changes become visible the next time the cache is regenerated.
Click the Delete Cache tab and in the Timeout Rules section, click the Add New Rule button. In the popup, set the IF_REQUEST_URI dropdown control to ALL. I normally set the Then control to Once a Day but you can choose a different period. That means the cached files will be deleted once a day and regenerated for new visitors.
By default, the cache is deleted at midnight. Note that the time is specified by the server and may be different to your time. The server time is displayed in the popup. Generally, you will want to clear the cache at a quiet time so the files can be regenerated when there are few users on the site. The early hours is usually best, but remember to make this coincide with the early hours for the location of your users, not yours if you are located elsewhere.
EWWW Image Optimizer
One of the most common ways to slow down the loading of web pages is including images that are larger than required.
Ideally you will manually optimize and compress your images before uploading them. This is the best way to ensure all your images are as small as possible while maintaining the best quality. I’ve suggested some free apps that you can use to compress JPEG and PNG files in the Graphics apps section.
You can also install plugins on your WordPress site that will compress your image files as you upload them or in bulk if you’ve already got images uploaded.
EWWW Image Optimizer can effectively compress JPEGs and PNGs.
This plugin may not work on all types of web hosting, so the only way to find out is to activate it and see whether your hosting is compatible. If not, they also have a paid-for cloud-based service that handles the compression on their servers.
However, you don’t have to use that paid service; you could just use the next plugin suggestion, WP-Optimize.
Let’s have a quick look at the basic settings you should use to get started.
After activating, go to EWWW Image Optimizer under the Settings menu. On the Basic tab, change PNG Optimization Level to Premium. This is a lossy setting, meaning some data is removed from the image during compression. In my experience, the image quality remains excellent and you will achieve significantly greater savings in file size. Click the Save changes button.
Click the Easy Mode tab and check the Lazy Load checkbox. This can help your page load times by not loading images until the page is scrolled to the point that they’re visible. By not loading images until they’re required, this can save bandwidth both for you and your users. Note that it’s possible this setting will be removed in future as lazy loading for images is planned to be included in WordPress core in an upcoming release.
After clicking the Save changes button, you should check your site is still displaying correctly, particularly any pages that use image sliders or carousels. Lazy loading can cause these to break. If you find any problems, you’ll have to turn lazy loading off again.
Click on the WebP tab. WebP is an image format designed as an alternative to JPEGs and PNGs that achieves smaller file sizes while maintaining image quality. At the time of writing, pretty well all modern browsers other than Safari can use WebP images.
Check the JPG/PNG to WebP checkbox to have WebP versions of your images created and click the Save changes button.
The screen will reload; then scroll down and click the Insert Rewrite Rules button. After a few moments, you should see Insertion successful displayed above the button. If the red PNG graphic at the right of the page doesn’t change to green, reload the page.
If you’re still seeing the red PNG graphic, there may be a warning message highlighting an issue. In the screenshot, there’s a message about a missing Apache module and the suggestion to contact the web host about this. In the event that you have such a message you could contact your host or try turning the following setting on.
Go back to the WebP tab and check the JS WebP Rewriting checkbox and click the Save changes button. The screen should reload and you should now see a green WEBP graphic.
If you’re still not seeing the green graphic, it’s most likely that your browser doesn’t support the WebP image format. Otherwise it may be an incompatibility with your web host, in which case it may be best to uncheck the JPG/PNG to WebP checkbox and Save changes. Everything else will work fine, it just means you won’t get the additional file size savings of WebP.
These settings will automatically be applied to images that you upload from now on. Should you have existing images uploaded, mouseover the Media menu item and click Bulk Optimize in the flyout menu.
Click the Scan for unoptimized images button and the plugin will find all the images that it can compress.
If your site is established and being used by visitors, you may want to use the slider control to pause for a few seconds between optimizing each image. This will extend the time the process takes, but should reduce the impact on your users, since optimizing images can slow the site down a bit.
Click the Optimize button to start the process. Do not leave this page until this process has been completed.
It will display a Finished message when all the images have been optimized.
WP-Optimize – Clean, Compress, Cache
WP-Optimize was, for a long time, a plugin that just optimized your database. It’s expanded beyond that now, as I’ll discuss, but first let’s look at the database optimizations as that’s why I recommend installing it.
Over time, particularly on larger sites with regularly updated blog posts, the database of your WordPress site can start to fill with unnecessary data that can slow down the site.
Every time you save a post, WordPress saves a copy or revision of it. These can start to mount up surprisingly quickly. WP-Optimize can delete old revisions and other unneeded data, like spam comments and trashed posts.
After activating the plugin, go to Settings under the WP-Optimize menu. Check the first checkbox under General Settings to Keep last 2 weeks data. This will ensure that recent changes that you may still need, such as post revisions, aren’t deleted until they’re at least a couple of weeks old.
This screen also allows you to schedule optimizations, but as a beta feature at the time of writing, I’d leave it disabled. Instead, try and make it part of your monthly routine to run the database optimizations.
Scroll down and click the Save settings button.
Go to Database under the WP-Optimize menu.
I’ve already recommended installing UpdraftPlus. Assuming you have installed this, check the checkbox to Take a backup with UpdraftPlus before doing this. This will backup your database, so in the rare circumstance that the optimizations hit a problem, you can quickly get your site running again.
You can work through the list of optimizations and run each one individually using the related Run optimization button. That allows you to target just those that have a lot of data to be removed.
The quickest way to optimize, though, is to check the checkbox in the header row to select all optimizations and then click the Run all selected optimizations button.
A word of warning about this though. As you scroll down the list, you will see some are labeled with an exclamation mark. That indicates that if the server encountered a problem while the optimization is running, it could corrupt part of your database. That’s why checking the backup checkbox is advisable.
While such a circumstance should be very rare, if you’re not taking a backup first, you may wish to exclude the optimizations marked with the warning label.
You can now have your images optimized using WP-Optimize. The optimizations are handled by a free remote service called reSmush.it.
I used to use reSmush.it via their own free plugin and for a long time it was great. I switched to using EWWW Image Optimizer when I was persistently hitting problems with reSmush.it where it became very slow to optimize images and regularly failed altogether. Hopefully those issues are resolved now, but in my experience, using a plugin that runs on my site rather than a remote service has been a more reliable solution.
However, if you can’t use EWWW Image Optimizer, then go ahead and enable this feature.
Go to Images under the WP-Optimize menu. Click the Automatically compress newly-added images toggle switch to turn it on.
Leave the Compression options set to their defaults. Under Uncompressed images, if you’ve already got some images uploaded to your site, click the Select all link and then the Compress all selected images button. Depending how many images were selected, this process of optimizing the images could take a little while, so just leave it running and don’t leave the page until it’s finished.
Another addition to this plugin is a page caching feature. This is very simple to set up and in time I can imagine I may recommend this for your page caching needs. For now though, it doesn’t offer quite the flexibility of WP Fastest Cache, but it is moving in the right direction.
If you want an even easier caching option and don’t need some of the additional features of WP Fastest Cache, such as excluding specific pages, it might be all that you need.