
Essential WordPress Plugins / Tweaks I use EVERY TIME when creating a new client's website!



Hey there everyone,

My name is Joe and I'm a programmer, web developer, & graphic artist. 💯 I'm currently a Creative Director and Marketing Manager in Michigan and I've owned my own business since 2005. I have also been a Certified WordPress Expert since 2012 (88th percentile). When I install a new CMS for my client, I usually choose WordPress and I always include a set of plugins / tweaks / tips for various reasons when I first start. I thought I'd share my list of essentials and maybe you all could comment and list your essentials so we could compare. Might be fun and we could all share some niche plugins that we may not know about. Here we go!

Top 10 Must-Have WordPress Plugins when you first install the software:

  • Yoast: optimizing on-site SEO and creating XML sitemaps.
  • Wordfence: securing the website against hacks and malware.
  • WP Rocket: caching and improving site performance.
  • Elementor, PageLayerPro, or Beaver Builder: page builder plugins for creating custom page layouts.
  • WPForms: contact forms and managing form submissions, applications, any customer interaction.
  • WooCommerce: online store and managing e-commerce transactions; tons of plugins for this too.
  • UpdraftPlus: regular backups of the website and restoring them (if you don't already use cPanel backups).
  • WPML or Polylang: multilingual website and translating content.
  • Akismet: filtering out spam comments on blog posts.
  • Google Analytics: integrating Google Analytics with the WordPress dashboard to track site performance.

Here are also 10 extremely useful but lesser-known plugins:

  • Duplicate Post: Allows you to clone pages or posts, making it easier to create new content based on existing templates.
  • Redirection: For managing 301 redirects and monitoring 404 errors.
  • Better Search Replace: For bulk updating the database, useful when changing domain names or making other significant changes.
  • WP User Avatar: For allowing users to upload custom avatars instead of using the default Gravatar.
  • Simple Custom CSS and JS: For adding custom CSS or JavaScript code without modifying theme files.
  • TablePress: For creating and managing tables in posts and pages without coding.
  • Post Type Switcher: For changing the post type of existing content, such as converting a post to a page or vice versa.
  • Disable Comments: For disabling comments on your entire site or specific post types.
  • WP Mail SMTP: For configuring WordPress to send email using an SMTP server, improving email deliverability.
  • User Role Editor: For customizing user roles and capabilities, useful for creating different access levels for team members.

BONUS PLUGINS!

  • Loginizer: helps protect your website against brute force attacks by limiting the number of login attempts from a particular IP address. It also provides features like Two Factor Authentication (2FA), reCAPTCHA, and password strength settings, further enhancing the security of your WordPress site.
  • BuddyPress: building a community or social networking features; extensions for this too make it very customizable.
  • CMP (Coming Soon & Maintenance Plugin): Excellent 'Coming Soon' page while you get the website going. Also when you're going under maintenance, gives a nice style and has lots of options.
  • PopularFX: Lots of free themes to get started. Easy page builder called PagelayerPro that also has a pro version that includes all the PopularFX themes. Great value and has an easy page builder to create sites at a rapid pace.

Now here are a few essential tweaks every WordPress Expert should know, and then a few more that you may not know that are very useful:

  1. Configure permalinks: Go to Settings > Permalinks and choose a URL structure that is SEO-friendly, such as "Post name," to make your URLs more readable and better optimized for search engines.

  2. Optimize images: Use an image optimization plugin, such as Smush or EWWW Image Optimizer, to compress and optimize images, reducing their file size without sacrificing quality.

  3. Set up an email delivery service: Configure a third-party email delivery service like SendGrid, Mailgun, or Amazon SES using the WP Mail SMTP plugin to ensure reliable email delivery from your WordPress site.

  4. Use a staging environment: Create a staging site to test updates, new plugins, and other changes before implementing them on your live site. Many hosting providers offer built-in staging environments.

  5. Optimize your database: Use a plugin like WP-Optimize or Advanced Database Cleaner to clean up your database by removing unnecessary data such as post revisions, transients, and spam comments, improving your site's performance.

  6. Add schema markup: Enhance your site's appearance in search engine results by adding structured data (schema markup) with a plugin like Schema & Structured Data for WP & AMP or Rank Math.

  7. Customize your login page: Personalize the appearance of your WordPress login page by using a plugin like Custom Login Page Customizer, LoginPress, or Admin Custom Login to match your branding.

  8. Implement lazy loading: Speed up your site by enabling lazy loading for images and videos with a plugin like a3 Lazy Load or Autoptimize.

  9. Use a favicon: Create and add a favicon to your site to improve branding and make it easily recognizable in browser tabs and bookmarks.

  10. Set up 301 redirects: If you have changed URLs, removed pages, or migrated your site, set up 301 redirects using a plugin like Redirection or Simple 301 Redirects to prevent broken links and preserve SEO value.

And now for the lesser-known tweaks that you may not know:

  1. Limit post revisions: To save storage space and optimize database performance, limit the number of post revisions stored by adding the following line to your wp-config.php file: define('WP_POST_REVISIONS', 5); (You can change the number 5 to the desired number of revisions you want to keep.)

  2. Change the default admin username: During the WordPress installation, choose a unique username instead of the default "admin" to improve your site's security. If you have already installed WordPress, create a new administrator user with a unique username and delete the original "admin" user.

  3. Customize login URL: Change the default login URL (e.g., yoursite.com/wp-admin) to a custom URL using a plugin like WPS Hide Login, making it more difficult for hackers to find your login page.

  4. Enable a Content Delivery Network (CDN): Improve your site's performance and load times for users around the world by integrating a CDN, such as Cloudflare or Amazon CloudFront, with your WordPress site.

  5. Disable XML-RPC: If you don't need XML-RPC functionality (used by some third-party applications to interact with WordPress), disable it to reduce the potential attack surface. Add the following code to your .htaccess file:

# Block WordPress xmlrpc.php requests (Apache 2.4 syntax, with the 2.2 form as a
# fallback; bare "order/deny" lines give a 500 on 2.4 unless mod_access_compat is loaded)
<Files xmlrpc.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Files>

There are security plugins like WP Security that do all of this and more for you with a giant control panel of awesome ways to secure your website.

As a matter of fact, why don't I just show you what every .htaccess file should look like when you're protecting a WordPress website:

# BEGIN WordPress
# WordPress regenerates everything between the BEGIN/END markers when permalinks
# are saved, so keep the hardening rules below outside these markers.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

# Disable directory browsing
Options -Indexes

# Disable XML-RPC (Apache 2.4 syntax, with the 2.2 form as a fallback;
# bare "order/deny" lines give a 500 on 2.4 unless mod_access_compat is loaded)
<Files xmlrpc.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Files>

# Limit Request Methods
# Note: this also rejects OPTIONS (CORS preflight) and the DELETE/PATCH verbs used
# by REST API clients; widen the list if the site serves such clients.
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD|PUT)$ [NC]
RewriteRule .* - [F,L]
</IfModule>

# Protect wp-config.php
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>

# Protect .htaccess and .htpasswd files
<FilesMatch "^\.ht">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
    Satisfy all
  </IfModule>
</FilesMatch>

# Block suspicious request strings
# The [OR] conditions are one group; the two negated conditions after it are
# exemptions for the logout and password-reset links. Caveats: "tag\=" also
# rejects ?tag=... archives on default permalinks, and the keyword group at the
# end rejects any query containing e.g. "union" or "request" (a site search for
# "union station" gets a 403), so test against real URLs on staging first.
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} \.\./ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|concat|insert|union|declare).* [NC]
RewriteCond %{QUERY_STRING} !^loggedout=true
RewriteCond %{QUERY_STRING} !^action=rp
RewriteRule ^(.*)$ - [F,L]
</IfModule>

I commented the sections to explain what each does to protect the website; however, this example .htaccess file essentially includes rules to:

  • Disable directory browsing, preventing users from viewing your directory contents.
  • Disable XML-RPC, reducing the attack surface.
  • Limit allowed request methods, blocking unwanted HTTP request methods.
  • Protect wp-config.php and .htaccess files from unauthorized access.
  • Block suspicious request strings, mitigating potential attacks such as SQL injection or cross-site scripting (XSS).

There are tons more plugins as well, so I could be here all day, but please note that server configurations vary, and some of these suggestions may not work as expected on all servers. Always back up your site and test changes in a staging or test environment if possible.

I recommend Namecheap.com for your domain/hosting (their business class stuff is really affordable and constantly up, super fast, and great for news and experts alike). Many times I'll need a plugin for something very specific so I'll end up just coding it up myself. I've made so many plugins, apps, websites, promo videos, and more over the years, that if any of you ever need a hand, please trust that I'm always happy to help.

Alright, that's enough for now! Don't say I never put you on game, haha! Much respect to all and good luck getting started or continuing your career. After 17+ years freelancing, I know I had plenty of luck and help along the way too but it's been 90% hard work and perseverance so I thought I'd lend a hand in any way that I could. Stay motivated. Follow your dreams.

-Joe C.

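The "Block suspicious request strings" section above is a small signature-based firewall, and the practical risk with such lists is false positives on ordinary WordPress traffic. The following harness is an added example, not code from Joe's post: it transcribes those RewriteCond patterns into Python (the simple PCRE they use is also valid `re` syntax, and Apache's `[NC]` flag maps to `re.IGNORECASE`; that equivalence is an assumption that holds for these patterns but not for every Apache regex) and replays constructed sample query strings against them, mirroring Apache's semantics of OR-ing the `[OR]` group and then AND-ing the two negated exemptions. It also shows why a traversal check must be written `\.\./` rather than the unescaped `../` that circulates in copies of this rule set.

```python
import re

# Added example (not from the original post). Query-string patterns transcribed
# from the post's "Block suspicious request strings" .htaccess section. The
# traversal pattern is written with escaped dots; see unescaped_traversal_hits().
BLOCK_PATTERNS = [
    r"\.\./",
    r"boot\.ini",
    r"tag\=",
    r"ftp\:",
    r"http\:",
    r"https\:",
    r"(\<|%3C).*script.*(\>|%3E)",
    r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)",
    r"base64_encode.*\(.*\)",
    r"^.*(%24&x).*",
    r"^.*(127\.0).*",
    r"^.*(globals|encode|localhost|loopback).*",
    r"^.*(request|concat|insert|union|declare).*",
]

# The two negated, case-sensitive conditions that follow the [OR] group.
# Apache ANDs them with the group, so a match here lets the request through.
ALLOW_PATTERNS = [r"^loggedout=true", r"^action=rp"]


def blocking_pattern(query_string, patterns=BLOCK_PATTERNS):
    """Return the pattern that would make the rule answer 403, or None if it passes."""
    if any(re.search(allow, query_string) for allow in ALLOW_PATTERNS):
        return None
    for pattern in patterns:
        # RewriteCond is an unanchored match, hence re.search rather than re.match
        if re.search(pattern, query_string, re.IGNORECASE):
            return pattern
    return None


# Constructed sample query strings: three hostile probes, three ordinary requests.
SAMPLES = {
    "file=../../../etc/passwd": "traversal probe",
    "id=1+union+select+1,2,3": "SQL injection probe",
    "q=%3Cscript%3Ealert(1)%3C/script%3E": "reflected XSS probe",
    "s=union+station": "site search for a phrase containing 'union'",
    "tag=news": "tag archive on default (non-pretty) permalinks",
    "action=rp&key=abc123&login=editor": "password reset link (exempted)",
}


def audit(samples=SAMPLES):
    """Map each sample query string to the pattern that blocks it (None = passes)."""
    return {qs: blocking_pattern(qs) for qs in samples}


def false_positives(samples=SAMPLES):
    """The ordinary (non-hostile) samples that the rule set would still reject."""
    ordinary = ("s=union+station", "tag=news", "action=rp&key=abc123&login=editor")
    return [qs for qs in ordinary if qs in samples and blocking_pattern(qs) is not None]


def unescaped_traversal_hits(query_string):
    """Return (unescaped_match, escaped_match): '../' as a regex means 'any two
    characters then a slash' and fires on harmless values; '\\.\\./' does not."""
    return (bool(re.search(r"../", query_string)),
            bool(re.search(r"\.\./", query_string)))


if __name__ == "__main__":
    for qs, why in SAMPLES.items():
        hit = blocking_pattern(qs)
        print(f"{'BLOCK' if hit else 'pass '} {qs!r:45} {why} -> {hit}")
    print("false positives:", false_positives())
    print("redirect_to=/wp-admin/ matched by (unescaped, escaped):",
          unescaped_traversal_hits("redirect_to=/wp-admin/"))
```

Running it shows the three probes rejected, the reset link exempted, and the site search and tag archive rejected as well; extending `SAMPLES` with URLs harvested from a staging site's access log is the quickest way to find out what a client's real traffic would lose before the rules go live.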

Great post. I would like to know how to manage these image sizes in the right way. I optimized images using the "Smush" plugin and "Thumbnail regenerator" but I got this issue when I check the site with Google PageSpeed Insights. What should I do? Is there any source to solve this?

[attached screenshot: Screenshot 2023-04-07 133515.png]
