8 Plugins That Every New WordPress Install Should Have
Whenever it comes time to set up a new WordPress site or refurbish an old one you've purchased or simply neglected, you need to figure out what plugins to install. Some of them are obvious big names; others are smaller utility plugins. Some even depend on specific themes or functions you want.
What I've done here is put together a list of eight of my favorite must-have plugins. I'm skipping the big, obvious ones like Yoast (or another SEO plugin), MonsterInsights (or another analytics plugin), and various plugins like WooCommerce that not every site might need. Instead, I'm aiming for the simpler utility-style plugins that I think every WordPress site should have, no matter how large or small you are, what your monetization strategy is, or what features you need.
Most of these are very small and lightweight, and they're aimed at either making your site smoother, faster, easier to use, or more secure. Let's dig in!
30 Second Summary
30 Second SummaryWhen setting up a WordPress site, you need to install important plugins for better performance, security, and user experience. Consider using Disable XML-RPC to close vulnerabilities, Open External Links in a New Tab for user retention, WP Rocket for site speed optimization, and WPS Hide Login for security. Check and fix broken links with Broken Link Checker, block spam with Content Powered Spam Filter, optimize images with EWWW Image Optimizer, and tidy up your admin dashboard with Disable Admin Notices.
1: Disable XML-RPC
Plugin found here: https://wordpress.org/plugins/disable-xml-rpc-api/
WordPress is the site architecture for a massive number of websites. That means it's a very, very broad threat surface. Malicious actors, ranging from dedicated attackers and hacker groups to roving bots and brute force attacks, know how WordPress works and know how to attack it.
One of the simplest and most common vectors for attack is simply trying to log into the admin account on a WordPress site. This is why one of the first steps you should take is to rename your admin account; that way, anyone trying to log into "admin" is going to fail, and it takes more effort to find the name of the actual login account.
Another important step to take is disabling XML-RPC. XML-RPC is a protocol WordPress uses for a bunch of different purposes, including pingbacks and trackbacks (an often-abused tool most people don't need anymore; I talk about them in greater detail here) and for remote communication with the WordPress mobile app and a variety of third-party tools. At least, it was, until WordPress implemented a REST API, and most uses of XML-RPC moved over to the API instead.
So, what's the problem? Well, XML-RPC can be used to attempt to log into a WordPress site. And, since it has API-like behavior, it can be used to attempt those logins much faster and in greater volume than using the normal login page. In other words, malicious attackers can spam brute force login attempts or DDoS attempts at your site using XML-RPC.
Since 99.999% of websites aren't going to care about the other features of XML-RPC, you can safely disable it and cut out all of those attacks. This plugin does just that. And, if you DO, for some reason, want to use XML-RPC, you can still use this plugin and just allowlist your own IPs or whatever limited use you need.
One final note: if you use a larger all-purpose security plugin, like Sucuri or Wordfence, it may have the functionality to disable or manage XML-RPC included. Double-check if the feature is there so you don't double up unnecessarily. It probably won't cause problems to do so (it'll likely add duplicate entries in .htaccess and similar) but it's better to be safe.
2: Open External Links in a New Tab
Plugin found here: https://wordpress.org/plugins/open-external-links-in-a-new-window/
You know how, when you're browsing the web, clicking a link can be a bit of a crapshoot? Sometimes, it opens in a new tab or new window in your browser, and other times, it just changes the page you're on. While this behavior can be seemingly random and arbitrary to a web user, it's something a website owner can control.
This plugin, by default, makes every link on your site open in a new tab/window instead of in the same window. It does so using JavaScript, which is XHTML-Strict compliant, which is important for some people. Note that you can manually control your links in WordPress when you add them, but this makes it automatic and helps eliminate the chance that you forget and have inconsistent behavior on your site.
So, why do you want to do this? A huge part of running a successful site is keeping users on your site. Yet, you can't just not include external links on your site; a robust link profile is important for SEO. So, you need to be linking out to authoritative sites, sources, partners, and even affiliate links, but you don't want your users to really leave your page.
When you open those external sites in new windows or tabs, the user is still on your site. So when they do what they wanted to do and close that tab or window, your window is still there for them to pick up where they left off. This can help reduce funnel attrition and encourage deeper engagement with your site.
3: WP Rocket
Plugin found here: https://wp-rocket.me/
I consider WP Rocket to be non-negotiable for any site I spin up, and I frequently install it for my clients as well. In my experience, it's the best plugin I've found for manipulating dozens of tweaks and features site-wide, all aimed at speeding up your site, optimizing your core web vitals, and making sure your content is ready to be served the instant anyone requests it.
What does it do?
- Page caching, so your site isn't generating pages every time someone requests to load one.
- Cache preloading, so your caches automatically update when you make changes to your site instead of waiting for a user to load the page first.
- Browser caching, to preload and cache assets like images, scripts, and CSS ahead of time.
- GZIP compression, so the in-transit load times for your site are minimized.
Even just installing WP Rocket with default settings will show an improvement on your site, and tweaking settings to suit your needs will be even better. It's a huge part of how I can score 90+ on PageSpeed consistently.
The one downside to WP Rocket is that it costs $60 per year for a single website, unlike other plugins on this list that are free. Even so, I consider it immensely worthwhile.
4: WPS Hide Login
Plugin found here: https://wordpress.org/plugins/wps-hide-login/
I've already mentioned that WordPress being immensely popular leaves it vulnerable to attack. Disabling XML-RPC helps stop one vector of login brute force attacks, but that's just one.
Another vector is simply the usual login page. By default, every WordPress site can be logged into by visiting domain.com/wp-admin/. That consistency is nice for anyone who needs to work with a variety of sites, but it's also obvious for any attackers who want to algorithmically try logins and passwords on wp-admin URLs.
A simple way to avoid this is to change the login URL. This plugin allows you to do that simply and easily and without messing around with URL rewrite rules or methods that can be identified from the outside easily. The downside is that if you forget what you changed your login URL to, you might have a hard time logging in later, so make sure to bookmark your login page.
Just like the XML-RPC plugin, double-check to make sure any security plugins you currently use aren't already capable of doing this for you.
5: Broken Link Checker
Plugin found here: https://wordpress.org/plugins/broken-link-checker/
We create blog content that converts - not just for ourselves, but for our clients, too.
We pick blog topics like hedge funds pick stocks. Then, we create articles that are 10x better to earn the top spot.
Content marketing has two ingredients - content and marketing. We've earned our black belts in both.
The larger your site gets, the more of an enormous pain in the butt it becomes to maintain it. When you have a dozen or so pages, making sure all of your images load, your links work, and your content is updated is a routine check. When you have hundreds of pages, it becomes a day or more of work. When you have thousands of pages, you just can't do it.
Broken Link Checker is a plugin that creates an internal list of all of your links, internal and external, throughout your site. Then, every couple of days, it checks the link to see if it loads properly. If you use the local version, it uses your site's server to ping the page; if you use their cloud version, it uses WPMU DEV's servers to do the checks.
The report you get gives you the number of broken links, the status of those links, and the option to change them quickly and easily from the plugin dashboard instead of going in to edit everything on your pages directly. It's very handy. It can even apply CSS to broken links on your pages automatically for user benefit.
There are a few small drawbacks. It pings Amazon URLs, so if you use the affiliate program, it will show up as clicks in your reports.
Since it pings using your site's IP and does so consistently, some sites will start to block that IP as bot activity, so the plugin can report a forbidden or other error code when the link works fine for you or your users.
I recommend putting both of these kinds of links in the exclusions list so you don't cause yourself other problems down the line.
6: Disable Admin Notices
Plugin found here: https://wordpress.org/plugins/disable-admin-notices/
There are a bunch of WordPress plugins that are very useful, even in their free versions, but they're very pushy about being free versions.
They love to put notifications and other messages on your dashboard, and even if you close them, you can bet it'll only be one or two updates down the road before they're back. Eventually you can't even see your dashboard.
Something tells me you know exactly what I'm talking about. 🙂
This might not seem like a problem if you only have one or two of these on a site, but when you have enough of them that you're constantly wading through notifications every time you open your dashboard, well, it's a huge hassle.
This plugin just allows you to hide those notifications permanently. It's simple, easy, and a massive sanity-saver.
Note: On the topic of cleaning up the mess added by your plugins - plugins also love adding things to your sidebar. They have ugly colored icons, bright red badges, or insist on creating brand new sections instead of adding their plugin settings under "Settings". I highly recommend the "Admin Menu Editor" plugin. You can move these to different sections, give them new icons, re-order them, and even create new categories. For example, on my site, I created new categories for "SEO", "Security", "Performance" and so on. Really cool. It's free, too. They have a pro plugin but I've been getting along just fine with the free one. Here's the link: https://wordpress.org/plugins/admin-menu-editor/
7: EWWW Image Optimizer
Plugin found here: https://wordpress.org/plugins/ewww-image-optimizer/
One of the most important technical metrics for modern SEO is site speed. You can improve your site speed in a lot of ways, including with WP Rocket, but one thing you also should do is optimize your images.
There are a bunch of different image optimization plugins and even more tools out there available to use. So, why EWWW? The biggest benefit is that it embeds the image compression algorithms on your server, so you aren't sending images to another site for compression and getting them back smushed down. It can also go through and optimize everything already on your site instead of taking effect only after you've installed it.
This is probably the only one on this list that isn't quite as mandatory, especially if you're already practicing good compression when you create images, but it still can be handy.
8: Content Powered Spam Filter
This is a bit of code that I created to catch spam comments that major spam plugins like Akismet were repeatedly not catching. And yes, I know, these plugins learn over time, but I don't want to have spam sitting on my site at all, even if it's only for a few days.
This code isn't actually a plugin; it's code you need to manually put into your functions.php file. What it does is check your comments to see if there are links in them, and if there are, it flags them as spam. Anything that an anti-spam plugin already catches won't be in your pending comments, but anything that slips through will be marked.
It's also somewhat customizable, as long as you know a little bit of PHP yourself. The page I linked gives you a rundown of what each function does and how to change it if you need to.
Bonus: Classic Editor
Plugin found here: https://wordpress.org/plugins/classic-editor/
Alright, so this one isn't actually essential, which is why I listed it as a bonus.
The truth is, I'm one of those old-school site owners who "grew up" using WordPress the way it used to be. When they did their major revamp back in 2018 and introduced the Gutenberg block editor, some people liked it, but some of us really, really didn't. Fortunately, like-minded contributors restored the classic editor in the form of a plugin. So, if you're the kind of person who loved the way it used to work, this plugin is for you.
So, what about you? Are there any plugins that you absolutely view as mandatory for any WordPress site? Let me know in the comments!
James Parsons is the founder and CEO of Content Powered, a premier content marketing agency that leverages nearly two decades of his experience in content marketing to drive business growth. Renowned for founding and scaling multi-million dollar eCommerce businesses through strategic content marketing, James has become a trusted voice in the industry, sharing his insights in Search Engine Watch, Search Engine Journal, Forbes, Entrepreneur, Inc, and other leading publications. His background encompasses key roles across various agencies, contributing to the content strategies of major brands like eBay and Expedia. James's expertise spans SEO, conversion rate optimization, and effective content strategies, making him a pivotal figure in the industry.
Comments