I’ve experimented with a lot of different ways of improving websites over the years and these are the best WordPress plugins that I’ve decided to use on my own website and many others. I’ll discuss what they are for, why I use them and how relevant they are for a normal website – some of them are a little advanced for non-technical users. This is published in 2018. I’ll aim to update it occasionally.


For me, the most essential WordPress plugins are those that are simple, require minimal setup, don’t suffer from regular security holes and are well coded so that they don’t slow sites down much. Every front-end plugin you install will add a small amount to the time it takes to load your website. Therefore the best WordPress plugins are those you don’t install at all! Cache plugins can mitigate some of this speed hit, but consider whether you absolutely need a plugin before installing it.

Remember to have working backups before you install anything new. And preferably try things out on a test server first.

Basic essential WordPress plugins

EU Cookie Law

If you have visitors to your site from the EU, you legally require a simple Cookie Notice, to notify visitors of your tracking. This one includes the ability to add a link to your privacy policy page so they can see more details, and with GDPR being relevant for websites, this will go some way towards your compliance. You can set the position and colour, plus modify the text it shows. It works on mobiles and doesn’t overwhelm the screen.

Definitely Allow Mobile Zooming

I did some research about how the visually impaired view websites and whilst some use screenreaders to read the text out to them, others with less serious needs are all asking “Please make sure we can pinch-to-zoom” on mobile phones. Some themes and frameworks turn this feature off. This plugin will make them happy.

Duplicate Post

WordPress already has a preview system, but if you want to make changes to a page or post, and come back later to finish them off, this is a great plugin for trying them out before making them live. It adds a sub-option of “duplicate” to the normal edit button on the logged-in WordPress top-bar. It also adds a similar option to the page and post lists in the back-end. There are some others that I keep seeing pop up with flaws in a daily bulletin of newly discovered security issues that arrives in my email, but this one seems to be better written.

WordPress Version Info

Normally, you can see which version of WordPress you are using in the footer. When an update to WordPress core is available, this is removed for some reason and replaced with a note saying to update. This plugin gives you this back along with some geeky stuff, useful for checking PHP version, web server type and database version.


When someone types a wrong page name after your site domain, or follows a broken link, it arrives at an unfriendly WordPress-generated “404” error page. Why not jazz it up a little? This plugin lets your 404 page look more useful.

Contact Form 7

There are loads of contact form options out there. A bewildering array. WordPress doesn’t come with a contact form option built in, so if you want people to be able to contact you in the normal ways, you’ll need one. Some themes come with their own. I like Contact Form 7 because it works every time, loads fast and comes with a Google reCaptcha option, so that you don’t get flooded with spam emails. reCaptcha is the “I’m not a robot” button you might have seen, but there’s also an invisible honey-pot version.

The form fields and buttons do need to be styled to match your theme with a bit of CSS, so it’s not for beginners unless you want a fairly plain form. See an example of this contact form plugin in action on my site here.

Best WordPress security plugins

WP Security Audit Log

If you store any personal details on your site, or have more than one admin user, or track IP addresses in any way, you need to know if any changes were made without your knowledge (during a hack) and when they were made, again for GDPR. This plugin will log changes for you, authorised or otherwise.

iThemes Security

WordPress isn’t very secure by default. It’s only a matter of time. There are several very good security plugins out there that harden up the security. One of the ones I use is iThemes. It’s quite powerful and includes cloud-based IP address banning against persistent robots. It also allows you to hide the back-end of WordPress so brute-force user/password hacking attempts, either by automated robots or real people, don’t really know where to start. It does include some features I turn off, like database backups, because I use alternative backup options.

There is also a file change detection service, so I get emails telling me if any files that I’m not expecting to change do change. There are some advanced tweaks to WordPress and the environment which will close many lines of attack, but they may cause some plugins to stop working, so best to experiment with all of this on a test instance first. Obviously no security can be 100% perfect, but keeping this sort of plugin up to date is essential.

UpdraftPlus Backup

Most web hosts will store at least one day of backups for you. So if you get something wrong, or get hacked, you can roll back to the previous version. But what happens when you get hacked but don’t notice? Or the server itself where your backups are stored dies (unusual, but could happen)? This plugin lets you fire backups to a remote storage facility, setting the number of backups you want to keep and what schedule you want to run new ones (or run them manually). This could save your online business! It backs up both files and database.

Best WordPress comment area spam plugins

Anti-spam
WordPress comes by default with an anti-spam plugin called Akismet. It’s totally bloated and useless in my opinion, so deleting it is the first thing I do on any new WordPress install. Instead, the “Anti-spam” plugin sets a trap. Spam robots fill out all the fields on the comment form, but one is a hidden honey-pot which real people can’t see, so they are allowed through, leaving the robots out in the cold. This sorts out the vast majority of spam which is auto-generated. I installed it on a friend’s popular site and it blocked 400 robot spam attempts in the first 24 hours. Before that, he had given up on comments because Akismet wasn’t doing a decent job.

The other reason I like it is that it doesn’t create extra work for legitimate commenters, who are blissfully unaware.
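To show the honey-pot trap the Anti-spam plugin relies on, here is a small stand-alone WordPress plugin I have written as an added illustration (it is not the Anti-spam plugin’s own code). It assumes the standard WordPress hooks `comment_form` and `preprocess_comment`; the field name `hpx_website_url` and the function names are my own choices.

```php
<?php
/*
Plugin Name: Honey-pot Comment Trap (illustrative example, not the Anti-spam plugin)
*/

// Render a field humans never see: moved off-screen, skipped by tab order and
// hidden from assistive tech, with a label telling anyone who does find it to leave it blank.
// 'comment_form' fires inside the form for logged-in and logged-out visitors alike.
add_action( 'comment_form', 'hpx_render_honeypot' );
function hpx_render_honeypot() {
    echo '<p style="position:absolute;left:-9999px;" aria-hidden="true">';
    echo '<label for="hpx_website_url">Leave this field empty</label>';
    echo '<input type="text" id="hpx_website_url" name="hpx_website_url" value="" tabindex="-1" autocomplete="off">';
    echo '</p>';
}

// Pure decision function, kept free of WordPress calls so it can be tested in isolation.
// Returns true when the submission looks automated.
function hpx_is_bot_submission( array $post, $logged_in = false ) {
    // A script posting straight to wp-comments-post.php without ever rendering the form
    // will omit the field entirely; treat that as suspicious for anonymous visitors only,
    // so a themed or cached form that lacks the field never locks out logged-in users.
    if ( ! array_key_exists( 'hpx_website_url', $post ) ) {
        return ! $logged_in;
    }
    // Real browsers submit the hidden field empty; bots that fill every input trip here.
    return trim( (string) $post['hpx_website_url'] ) !== '';
}

// Reject trapped submissions before WordPress writes anything to the database.
add_filter( 'preprocess_comment', 'hpx_check_honeypot' );
function hpx_check_honeypot( $commentdata ) {
    if ( hpx_is_bot_submission( $_POST, is_user_logged_in() ) ) {
        wp_die( 'Comment rejected.', 'Spam check', array( 'response' => 403 ) );
    }
    return $commentdata;
}
```

Legitimate commenters never see the extra field, which is why the trap costs them nothing; if you want to measure it, count 403s from `wp-comments-post.php` in your web server log rather than trusting the pending-comments queue.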

Comment Link Remove

Even with the above plugin active, you’ll still get the occasional spam from a real person. Why do they do this? By default, WordPress turns the comment Author Name, displayed above the comment, into a link to a website if they fill in that field. It’s a “nofollow” link, so not directly beneficial to SEO, but if they can get traffic to their site, the very fact that traffic is arriving is useful. You could force all commenters to create an account, which discourages them because it takes up valuable time, so they move on to the next website on their list. Alternatively, using this plugin just removes the “website” field from the comment form completely so they just don’t bother posting in the first place. And if they persist and post anyway, but try to add a link to the comment, the link is plain text (optional). Again, a great experience for valid commenters and very discouraging for human spammers.

Best WordPress performance plugins

WP Fastest Cache

Ok, so this is probably going to cause the most difference of opinion, mainly because there are so many excellent caching options for WordPress. I use this one regularly because it’s super simple to set up and use. I installed it on a client’s existing site and it brought the load time down from 5 seconds to 3 seconds. Good eh? To generate a normal page or post, WordPress has to look in the database for the content and then look in a whole bunch of files for how to display the content according to whatever theme is in use. The code that pops out at the end and is sent to the user is normally the same every time though, unless you update the page content, or change the theme or plugins.

To speed things up, caching just keeps track of that final code and, if there have been no changes to a page or post since it was last visited, sends that instead, bypassing all the other server-intensive stuff. Some hosts have this built in on the server to a certain extent, but I’ve had great results using a dedicated plugin. WP Fastest Cache will deliver this feature as well as some other options like reducing the size of any scripts and code sent, although be careful here – I turn this option off, because the framework I use does this for me and applying it twice causes problems.

Finally it applies something called “browser caching”. Whilst the main part of the cache speeds things up for first-time users, browser caching tags various things like scripts and images with an expiry time. So for example, if your homepage has a large image on it and someone then navigates away to a different page and finally arrives back at the homepage, that second homepage load will be almost instant, because the image is stored on their own device for a few hours, rather than having to download it again. Give it a go in a minute by browsing around the menu on my site and coming back to pages or posts you have already been to.


Not for the technophobes this one. If your site sends out a lot of emails, perhaps due to membership, eCommerce, or a built in newsletter facility like MailPoet, you don’t want your own mail-server getting blacklisted. Instead, you can offload the sending of emails to Amazon’s “Simple Email Service”. Probably the biggest misnomer in the history of misnomers, this rather complicated system involves a real human at Amazon checking your website is legit before allowing any emails to go out via their service, so it’s trusted by most mail providers, e.g. gmail and hotmail.

This doesn’t mean they won’t eventually get marked as spam if you send daft emails with lots of links and ALL CAPS everywhere, but they will get delivered. Amazon gets you to agree that you will provide easy ways of unsubscribing and if too many emails get bounced because you aren’t auto-managing your email list, they will withdraw the service. This is good – if you aren’t able to comply, you shouldn’t be sending emails!

The plugin itself is quite easy to use. The Amazon set up is not.

Lazy Load for Videos

When you embed a YouTube or Vimeo video on your site (quite easy now in WordPress), it has to load the player script. This is quite intensive and if you have multiple videos on the same page, especially on a mobile phone, the page could take all day-ish to load. I had this problem whilst making a training website for a client’s business. To make it super easy to onboard new employees, I put the basic training on just 3 pages, each page with quite a few videos. After realising it was going to be hopeless on mobiles, I found this plugin which delays the loading of the player script until someone presses the thumbnail image of the video. Because the rest of the page has already loaded, the video player loads very quickly to reveal the play button.

It’s a bit clunky and the thumbnail image quality isn’t quite perfect, but faced with the alternative of 20 second page loads, I’d say this is essential in this situation.

Best WordPress SEO plugins

If you don’t know what you are doing, then Yoast is the best SEO plugin for WordPress. It holds your hand and gives you a great guide to how to modify your pages, but be aware that you can just ignore its advice if you think the page you have created is useful to your users. However, I don’t use it, because I get distracted by its omnipresence and bright colours (OCDtastic).

All In One SEO Pack

Instead I use this plugin. It assumes you already know how to make your page content properly, assign image tags correctly etc. and build internal links, preferring instead to concentrate on titles, descriptions and social meta. It also allows you to easily stop a page from appearing in the sitemap (even if a page is not linked on a menu or link, it will appear on the sitemap). You can also prevent a page from being indexed by major search engines and also prevent any of them following links out from the page. Really, Yoast is better for most people.

Contact Form 7 Google Analytics Integration

Adds a tag to the contact form plugin I mentioned earlier. With a little tinkering, this lets you track what people did all the way up to submitting the contact form, in your Google Analytics paths.

Google Analytics Dashboard for WP

Great for putting on clients’ sites, this lets them look at the basics of their analytics from the WordPress Dashboard. Anyone serious would be using the phone app and web app, but for a quick glance, this is great.

Facebook Pixel

If you are running any sort of Facebook Ad campaign, you need this to track what people did after they clicked any of your ads. The results appear on Facebook analytics.

Smartlook
Analytics are essential, but to find out what people are actually doing on your site you need more, and as my article shows, Smartlook records everything visitors are doing on PC or mobile on your site in real time, as well as providing heatmaps of where they pressed or clicked. Great use of big data. It lets you make decisions on which buttons are working and which parts of pages are boring. It’s also GDPR compliant, so as long as you tell your visitors what you are doing on your privacy policy page, it’s good to go.

Which WordPress plugins do you use?

Everyone has their own favourites and I’m sure there are some that I should try that I haven’t even come across yet. So please post in the comments to say which ones you use and why they are amazing.
