WordPress plugins are optional, but I have yet to see a WordPress site that doesn’t have at least a couple of them. Personally, I recommend having as few plugins as possible because they:
- Can affect your site’s performance;
- Must be updated often;
- Can create conflicts with WordPress, other plugins, or your theme;
- Can contain security vulnerabilities.
So, I always try to see what plugins I can get rid of, and implement or do things manually, such as optimizing images before uploading them.
In this post, I’m only going to recommend the essential, free WordPress plugins that every website or blog should have, especially those created by beginners. I’m not going into ones based on individual need, such as contact forms, subscription forms, memberships, and so on, just so I can have a bigger list and make money from affiliated links. There are no affiliated links here, by the way.
Before we start, here’s a useful tutorial that shows you 4 different methods to install a plugin in WordPress, in case you need it.
1. iThemes Security
WordPress, at its core (excluding themes and plugins), is very secure. But there are extra layers of security that are useful and good to have.
I’ve used the iThemes Security plugin since my WordPress beginnings, over 8 years ago. Recently, I stopped using security plugins altogether because:
- They are “heavy” plugins and can affect the site’s performance;
- They don’t actually do anything spectacular, even though they have a lot of features;
- Due to my experience, I implemented most things manually and used a couple of smaller plugins for the rest;
- I’m using a secure web host and CDN.
Until you get enough experience with WordPress and site security, plus a good web host, I recommend relying on a security plugin.
There are tons of WordPress sites hacked every year, many of them with security plugins installed. That’s because WordPress sites usually get hacked for other reasons:
- A lot of websites run on older WordPress versions that contain vulnerabilities;
- Administrators don’t update vulnerable WordPress, theme, or plugin versions quickly enough;
- Weak passwords are used that can be hacked through brute-force attacks;
- Nulled themes and plugins downloaded from unofficial sources. These can come bundled with malware.
You’ll see a lot of recommendations for the WordFence plugin. I never really liked it, mainly because it causes a lot of false positives. It will scare you a lot of times without anything serious happening. It’s like “The Boy Who Cried Wolf”.
The most important settings in iThemes Security
This is a special subsection for this WordPress plugin alone because there are some important options that I don’t want you to miss.
Once you access the Settings page, you’ll be prompted with a pop-up, asking you to implement the recommended settings and also enable the Security Check Pro. Do it.
Then, I recommend disabling the Database Backups feature. You should back up your WordPress site using other methods.
Now, this is one of the most important features. Go to Settings > Advanced (top-right link) > Hide Backend.
There, check the box next to Enable the hide backend feature and change your login slug to something that’s not basic and easy to guess, such as
By enabling this feature alone, you’ll decrease the attacks by a lot. That’s because hackers, mainly through automated ways, will check for the default WordPress login slugs, such as
If you change those, a 404 Page Not Found error will be returned instead of the login page, so there’s no login form to perform brute-force attacks on.
After you perform this change, you won’t be able to log in using /wp-admin/ or any of the default login slugs. You’ll have to use the new one (e.g.
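Once Hide Backend is on, it is worth confirming from outside that the default paths really answer with a 404 rather than trusting the settings page. The script below is an added example written for this post (it is not part of iThemes Security) that you run from the command line against your own site; the site URL is a placeholder, the two paths are WordPress core defaults, and the function names are mine.

```php
<?php
// Added example, not from the post or the plugin: verify that the default
// WordPress login paths no longer serve a login form after Hide Backend is enabled.
// Usage: php check-login-paths.php https://example.com   (URL is a placeholder)

declare(strict_types=1);

function probe_status(string $url): int
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,   // HEAD request: only the status code matters here
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,  // following a redirect would hide what the path itself returns
        CURLOPT_TIMEOUT        => 10,
    ]);
    curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return $status;
}

function check_login_paths(string $site): array
{
    $results = [];
    foreach (['/wp-login.php', '/wp-admin/'] as $path) {
        $status = probe_status(rtrim($site, '/') . $path);
        // 404 is what Hide Backend is expected to return; anything else means
        // the default path still answers (a 200 is the login form, a 302 is
        // the usual redirect to it when nothing is hiding the backend).
        $results[$path] = $status === 404 ? 'hidden (404)' : "still reachable (HTTP $status)";
    }
    return $results;
}

$site = $argv[1] ?? 'https://example.com';   // placeholder site
foreach (check_login_paths($site) as $path => $verdict) {
    printf("%-15s %s\n", $path, $verdict);
}
```

Run it before and after enabling the feature: before, /wp-admin/ normally redirects to the login form and /wp-login.php serves it; after, both should report hidden. If a path is still reachable, the plugin’s rewrite is not active (a common cause is a caching layer or a web server that does not pass the request through WordPress).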
2. Two-Factor
This is another essential and free WordPress plugin that can drastically improve your site’s security. iThemes Security also has a feature like this, but only in their Pro version. So, if you buy the Pro version, use that instead.
The Two-Factor WordPress plugin will generate a code that needs to be introduced whenever someone tries to log in. You can get the code in several ways, but I recommend using the Time Based One-Time Password option with an authentication app, such as Google Authenticator. It’s the most secure method.
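To make concrete what the Time Based One-Time Password option agrees on between your authenticator app and the site, here is an added example (my own illustration, not the Two-Factor plugin’s code) of an RFC 6238 verifier in plain PHP. The secret is the RFC’s published test-vector secret, not anything from this post, and the function names are mine.

```php
<?php
// Added example, not from the post or the Two-Factor plugin: a minimal
// RFC 6238 TOTP verifier. Both sides share a secret; the code is an HMAC
// over the current 30-second time step, so nothing secret ever travels.

declare(strict_types=1);

// Decode an RFC 4648 base32 secret, the format authenticator apps import.
function base32_decode_secret(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    $bits = '';
    foreach (str_split($b32) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $msg  = pack('J', $counter);                       // 64-bit big-endian counter
    $hmac = hash_hmac('sha1', $msg, $secret, true);    // 20 raw bytes
    $offset = ord($hmac[19]) & 0x0F;                   // low nibble of the last byte
    $code = ((ord($hmac[$offset]) & 0x7F) << 24)
          | (ord($hmac[$offset + 1]) << 16)
          | (ord($hmac[$offset + 2]) << 8)
          |  ord($hmac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch.
function totp(string $secret, int $timestamp, int $step = 30, int $digits = 6): string
{
    return hotp($secret, intdiv($timestamp, $step), $digits);
}

// Verify a submitted code, tolerating one step of clock drift either way, and
// compare in constant time so response timing does not leak a partial match.
function verify_totp(string $secret, string $submitted, int $now, int $window = 1): bool
{
    for ($i = -$window; $i <= $window; $i++) {
        $candidate = totp($secret, $now + $i * 30);
        if (hash_equals($candidate, $submitted)) {
            return true;
        }
    }
    return false;
}

// Demo with the RFC 6238 test-vector secret "12345678901234567890"
// (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ), evaluated at Unix time 59.
$secret = base32_decode_secret('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
$code   = totp($secret, 59);
echo "code at T=59: $code", PHP_EOL;
var_dump(verify_totp($secret, $code, 59 + 20));    // same 30-second step: accepted
var_dump(verify_totp($secret, $code, 59 + 120));   // four steps later: rejected
```

RFC 6238 Appendix B lists 287082 as the six-digit SHA-1 code for this secret at T=59, so you can check the output against the standard. Two details matter for security here: the one-step window is what makes a slightly drifting phone clock tolerable, and `hash_equals` instead of `==` is what keeps the comparison constant-time. A real plugin must additionally reject a code that has already been used in its time step, otherwise a captured code can be replayed within the window.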
3. The SEO Framework
“What??? Not Yoast SEO??? Blasphemy!”
Nope. I’ve used Yoast SEO since I began working with WordPress. It’s a great plugin, but they drove me mad with all the updates and new features that they started to push lately. And, of course, along with all the updates, a ton of bugs, some very nasty.
Every WordPress plugin has bugs, it’s normal, but they started having too many, too often because of the relentless updates. So, I said “Enough is enough!”, and I switched to The SEO Framework. And I’m very happy that I did because:
- It’s lighter;
- It’s not bloated with unnecessary features;
- It’s not updating every few days;
- The developer doesn’t have that Corporation mentality to bloat the plugin with a ton of features in order to satisfy everyone, to grow the user base, and, eventually, to sell more licenses.
It has everything I actually need:
- Options to change the titles and meta descriptions;
- Open Graph for social media;
- Indexing and archiving;
- Settings for the document head.
And WordPress handles the rest:
- Robots.txt that you can edit;
- Canonical URLs.
And I use a small code snippet to add a noindex robots tag to the attachment pages. That’s all I need.
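The post does not show its snippet, so here is an added example of my own (not the author’s code) that does the same job with WordPress core’s `wp_robots` filter, available since WordPress 5.7, which feeds the robots meta tag. It goes in a small must-use plugin under wp-content/mu-plugins/ or in the theme’s functions.php. The redirect alternative at the end is a matter of preference, not something the post prescribes.

```php
<?php
// Added example, not the post's own snippet: keep search engines away from
// WordPress attachment pages, the bare media pages that exist for every upload.

// Option A: tell crawlers not to index (or follow links from) attachment pages.
add_filter('wp_robots', function (array $robots): array {
    // is_attachment() is true only on the single attachment template.
    if (is_attachment()) {
        $robots['noindex']  = true;
        $robots['nofollow'] = true;   // assumption: you don't want them crawled further either
    }
    return $robots;
});

// Option B (use instead of A, not with it): never serve the attachment page at all.
// Send it to the parent post, or to the file itself when the upload is unattached.
add_action('template_redirect', function (): void {
    if (!is_attachment()) {
        return;
    }
    $attachment = get_queried_object();
    if (!($attachment instanceof WP_Post)) {
        return;
    }
    $target = $attachment->post_parent
        ? get_permalink($attachment->post_parent)
        : wp_get_attachment_url($attachment->ID);
    if ($target) {
        wp_safe_redirect($target, 301);
        exit;
    }
});
```

Option A is the lighter touch and keeps the media page working for anyone who links to it; Option B removes the thin page entirely, which is what most SEO plugins mean by “disable attachment pages”. Pick one; registering both means the redirect fires first and the robots tag is never seen.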
You can do that, too, when and if you’ll have enough experience with SEO and WordPress. Meanwhile, I recommend sticking with an SEO plugin.
4. W3 Total Cache
Caching is also an essential feature for virtually every website, WordPress or not.
In a nutshell, “caching” is a system that stores data so that the next time visitors access the site, the stored (cached) data is delivered to them, instead of making requests to the server to put the content together every time. This results in faster loading times.
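The same idea, scaled down to a single expensive query, is easy to see in WordPress code. The block below is an added example written for this post (it is not W3 Total Cache’s code); it uses core transients, the function name is mine, and the `view_count` post meta key is an assumption standing in for any slow query.

```php
<?php
// Added example, not from the post or any caching plugin: cache the result of an
// expensive query once, serve the stored copy afterwards, and throw the copy away
// when the underlying content changes. Transients live in the database by default
// and in the object cache (e.g. Redis) when one is configured.

function demo_popular_post_ids(): array   // hypothetical name
{
    $key = 'demo_popular_posts_v1';        // bump the suffix if the query shape changes
    $cached = get_transient($key);
    if ($cached !== false) {
        return $cached;                    // cache hit: no database query at all
    }

    // Cache miss: do the expensive work once.
    $query = new WP_Query([
        'posts_per_page' => 5,
        'meta_key'       => 'view_count',  // assumption: a view counter stored as post meta
        'orderby'        => 'meta_value_num',
        'order'          => 'DESC',
        'no_found_rows'  => true,          // skip the COUNT query; we don't paginate
        'fields'         => 'ids',
    ]);
    $ids = $query->posts;

    // Store with a bounded lifetime so a missed invalidation cannot serve stale data forever.
    set_transient($key, $ids, 10 * MINUTE_IN_SECONDS);
    return $ids;
}

// Invalidate on content changes rather than waiting for expiry. This is exactly
// where stacked caching layers bite: each layer has its own idea of when a copy
// is stale, so the freshest layer can keep being overruled by an older one.
add_action('save_post', function (int $post_id): void {
    if (wp_is_post_revision($post_id)) {
        return;
    }
    delete_transient('demo_popular_posts_v1');
});
```

Page caching plugins do the same thing one level up, storing whole rendered pages instead of query results, and the two questions are identical: how long a copy may live, and who is responsible for clearing it.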
With few exceptions, I think W3 Total Cache is still the best of the free WordPress caching plugins. It comes with default settings, but tweaking it can be complicated for beginners. Most of you should be fine with the defaults, though.
Important! Whether you need caching at all, and what type, depends on your web host and server:
- Some WordPress hosting companies offer caching at a server level, which is better. Therefore, you don’t need a plugin. In most cases, the web hosts ban caching plugins altogether;
- Some web hosts offer caching at a server level but have also developed a WordPress plugin so you can have access to options for the caching system. One example is SG Optimizer for SiteGround hosting;
- Some server configurations need or work best with a certain type of caching. For example, if your WordPress site runs on a LiteSpeed server, then you should definitely use the LiteSpeed Cache plugin. That combination provides amazing results. I know that firsthand.
So, W3 Total Cache might not be a good fit for all WordPress sites. Inform yourself of what type of web hosting you use, first.
Premium but inexpensive alternatives
Since having a WordPress site that loads fast is extremely important, I’m also going to suggest a couple of premium, better alternatives.
I mentioned above that I think W3 Total Cache is the best of the free WordPress caching plugins. That’s because there’s a premium one that I think is the best of all, and its name is WP Rocket. I happily used it for 4 years.
Even better than WP Rocket, in my opinion, is APO, which was recently launched by Cloudflare. APO is a separate and improved caching system, compared to the default one provided by their CDN (Content Delivery Network), which I also strongly recommend in case your hosting doesn’t provide one, as ReadyShip does.
Pair that with their plugin, and you’re Gucci.
It’s easy to believe that by having multiple caching systems, your WordPress site will load even faster. It won’t! It will only cause conflicts sooner or later. So, avoid using multiple caching systems! Pick one that fits your environment and stick with it.
5. Spam Destroyer
Spam Destroyer is a hidden gem. I’ve been using it since forever, and it does an awesome job at keeping out virtually all the automated spam.
The quote on their banner sums it up very well:
“It’s not the most sophisticated Spam blocker I’ve tried, but it’s the only one that works!”
It doesn’t even have settings. You install it and forget it.
Look what happened when I left it disabled for one day while I was troubleshooting some error.
I woke up to 97 spam comments!
I also installed it on ReadyShip when I started blogging here, a couple of months ago. Not one spam comment has passed since then.
Maybe, if you start getting traffic in the hundreds of thousands or millions, you might need a more robust anti-spam plugin. Just maybe.
You’ll see the Akismet plugin recommended a lot. I’ve used it in the past but gave up on it quickly. It was causing trouble and conflicts. You also need an account, and a paid plan if you have affiliate links, ads, products, etc. Bleah!
6. UpdraftPlus
Nowadays, most WordPress hosts, such as ReadyShip, include automatic backups in their plans. But it’s best to have an extra backup yourself and store it wherever you want.
Personally, whenever I can, I perform manual backups via cPanel or whatever the web host offers, to avoid using another plugin. But for some, especially beginners, that might be too complicated and annoying.
So, I recommend using UpdraftPlus, which is another essential WordPress plugin. It allows you to perform manual or automated backups, and save them on remote storage, such as Google Drive or Dropbox.
To find out more, you can read my tutorial on how to backup and restore a WordPress site with UpdraftPlus.
Bonus: WP User Avatar
If you don’t have comments enabled on your WordPress site or blog, or you’re not using the default commenting system, you don’t need this plugin.
I added WP User Avatar as a bonus on my list of essential and free WordPress plugins because this is not crucial, but it’s useful for performance, thus worth mentioning. Even so, some of you might not like the change that this plugin brings. Lately, for me, it has become a must-have.
Here’s the thing. By default, WordPress uses Gravatar to display avatars in your dashboard, comments, and wherever else they’re needed. That’s all fine and dandy until you start getting a bunch of comments, each of which performs an external request to Gravatar to fetch its avatar.
The more requests a site has, especially external, the more it impacts the loading time of the page.
WP User Avatar allows you to disable Gravatar and use your own, locally-stored avatars. WordPress users can upload their avatars, but visitors who leave comments will only have the one that you set for them globally.
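To show what “disable Gravatar and use locally stored avatars” means at the code level, here is an added example of my own (not WP User Avatar’s code). It short-circuits WordPress’s avatar lookup with the core `pre_get_avatar` filter, so no request to gravatar.com is ever generated. The `local_avatar_url` user-meta key and the default image path are assumptions for the demo.

```php
<?php
// Added example, not WP User Avatar's code: serve avatars from this site only.
// Registered users with an uploaded avatar (stored under an assumed user-meta key)
// get it; everyone else, including commenters, gets one local default image,
// which mirrors the behaviour described above.

add_filter('pre_get_avatar', function ($avatar, $id_or_email, array $args) {
    $size = (int) $args['size'];
    $alt  = esc_attr($args['alt'] ?? '');

    // Resolve a user from any of the values get_avatar() accepts:
    // user ID, email address, WP_User object, or WP_Comment object.
    $user = null;
    if (is_numeric($id_or_email)) {
        $user = get_user_by('id', (int) $id_or_email);
    } elseif ($id_or_email instanceof WP_User) {
        $user = $id_or_email;
    } elseif ($id_or_email instanceof WP_Comment && $id_or_email->user_id) {
        $user = get_user_by('id', (int) $id_or_email->user_id);
    } elseif (is_string($id_or_email) && is_email($id_or_email)) {
        $user = get_user_by('email', $id_or_email);
    }

    $url = null;
    if ($user) {
        // Assumed meta key holding the URL of an avatar uploaded to this site's media library.
        $url = get_user_meta($user->ID, 'local_avatar_url', true) ?: null;
    }
    if (!$url) {
        // Visitors and users without an upload share one default, hosted by this site.
        $url = get_stylesheet_directory_uri() . '/images/default-avatar.png';   // assumed path
    }

    // Returning a non-null string here makes get_avatar() skip Gravatar entirely.
    return sprintf(
        '<img alt="%s" src="%s" class="avatar avatar-%d photo" height="%d" width="%d" loading="lazy" />',
        $alt,
        esc_url($url),
        $size,
        $size,
        $size
    );
}, 10, 3);
```

Because the filter runs before any URL is built, the browser never contacts a third party for comment avatars, which is the performance point made above, and commenters’ email hashes are no longer sent off-site either.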
Some of you might not like that. If you’re ok with it, then I strongly recommend using this plugin. It’s a good compromise, especially if you’re not using a good web host, and you have to do whatever you can to optimize your WordPress site.
I hope you found this list of essential and free WordPress plugins useful. These plugins should normally be installed on any type of WordPress project, such as a blog, business website, eShop, and so on.
If you have any questions or want to pitch in, feel free to leave a comment.