After 14+ years of building WordPress sites — and honestly, after making every mistake in the book — I've narrowed down my plugin stack to a tight list. No bloat. No "maybe I'll need this someday" installs. Just the plugins that have proven themselves over hundreds of projects. I'm Temo, and I run WorkflowDone.com, where …
After 14+ years of building WordPress sites — and honestly, after making every mistake in the book — I’ve narrowed down my plugin stack to a tight list. No bloat. No “maybe I’ll need this someday” installs. Just the plugins that have proven themselves over hundreds of projects.
I’m Temo, and I run WorkflowDone.com, where I build and maintain WordPress sites for businesses across different industries — from dental offices in California to service companies and e-commerce stores. The sites I manage need to be fast, secure, and easy for non-technical people to understand.
This article isn’t for developers. It’s for you — the business owner who’s either hiring a developer or trying to figure out what should actually be on your site. If your developer isn’t installing at least most of these, it’s worth asking why.
Let’s get into it.
1. Wordfence — Your Site’s Security Guard
What it does: Wordfence is a security plugin that protects your site from hackers, malware, and brute force attacks. Think of it as a bouncer standing at the door of your website, checking IDs and kicking out troublemakers.
Why I chose it: I’ve tried Sucuri, iThemes Security, and a few others. Wordfence keeps winning me back because the free version alone is incredibly powerful. The firewall, the malware scanner, the login protection — it’s all there without paying a dime. And when something does go wrong, the scan results actually tell you what happened in plain English.
Real example: One of my dental office clients got hit with over 3,000 brute force login attempts in a single weekend. They had no idea. Wordfence blocked every single one and sent me an email report Monday morning. Without it, someone would have eventually guessed the password (it was “dental2023” — we changed that immediately too).
Pro tip most people miss: Enable two-factor authentication for all admin users. It takes 30 seconds to set up and makes your login basically unhackable. I’m always surprised how many developers skip this.
🔗 Get Wordfence | Free version on WordPress.org
2. Rank Math — SEO Without the Headache
What it does: Rank Math is an SEO plugin that helps your pages and posts show up on Google. It handles things like meta titles, descriptions, sitemaps, schema markup, and gives you a checklist every time you write something to make sure it’s optimized.
Why I chose it: I used Yoast for years. Everyone did. But Rank Math does everything Yoast does — and then some — while being faster and less annoying. The setup wizard practically configures itself, and the free version includes features that Yoast charges for (like multiple focus keywords and built-in schema markup).
Real example: I had a client running a local plumbing company. Their “Emergency Plumber” page was buried on page 3 of Google. After installing Rank Math, optimizing the on-page SEO using the plugin’s suggestions, and adding proper local business schema, that page climbed to position 4 on page 1 within about six weeks. No paid ads. No backlink campaigns. Just proper on-page optimization that Rank Math made dead simple.
Pro tip most people miss: Turn on the Google Search Console integration inside Rank Math. You’ll see your keyword rankings and click-through rates right inside WordPress — no need to jump between dashboards. Most business owners never set this up and miss out on incredibly useful data.
🔗 Get Rank Math | Free version on WordPress.org
3. LiteSpeed Cache or WP Rocket — Because Speed Is Money
What it does: Caching plugins create static versions of your pages so they load almost instantly instead of being rebuilt from scratch every time someone visits. They also handle things like minifying code, lazy loading images, and optimizing your database.
Why I use two (sort of): This one depends on the server. If the hosting runs on a LiteSpeed server — and many popular hosts like Hostinger, A2 Hosting, and Cloudways do — I use LiteSpeed Cache. It’s free, and because it works at the server level rather than the PHP level, it’s significantly faster than any other caching plugin. It’s not even close.
But if the server is Apache or Nginx based, LiteSpeed Cache won’t give you its full power. That’s when I reach for WP Rocket. It’s paid (starts at $49/year), but it’s the easiest caching plugin to configure and it just works out of the box. No PhD required.
Real example: A client had an e-commerce site that was loading in over 6 seconds on mobile. Customers were literally abandoning their carts because pages wouldn’t load. I installed LiteSpeed Cache (they were on a LiteSpeed server), configured the image optimization and CSS/JS minification, enabled the page cache — and the load time dropped to 1.8 seconds. Their mobile conversion rate went up about 25% the following month. Not because of a redesign. Just because the site finally loaded fast enough for people to actually use it.
Pro tip most people miss: Don’t run two caching plugins at the same time. Sounds obvious, but I’ve inherited sites with WP Super Cache AND W3 Total Cache AND a host-level cache all fighting each other. Pick one. Deactivate the rest.
🔗 LiteSpeed Cache (Free) | WP Rocket ($49/yr)
4. UpdraftPlus — Your Insurance Policy
What it does: UpdraftPlus backs up your entire WordPress site — files, database, everything — and lets you restore it with one click if something goes wrong.
Why I chose it: I’ve been burned enough times to know that backups aren’t optional. UpdraftPlus is the most reliable backup plugin I’ve used. The free version lets you schedule automatic backups and store them on Google Drive, Dropbox, or other cloud services. It’s saved my neck more times than I can count.
Real example: A client’s team member updated a plugin without testing it first. The site went completely white — the dreaded “White Screen of Death.” No error message, no admin access, nothing. Because UpdraftPlus had run an automatic backup that morning, I restored the site to its pre-update state in about 10 minutes. Without that backup? We’d have been looking at hours of troubleshooting or rebuilding from scratch.
Pro tip most people miss: Don’t just back up to your own server. If your server goes down or gets hacked, your backup goes with it. Always send backups to an external location — Google Drive is the easiest free option. And set it to run at least weekly. Daily if your site changes often.
5. WPForms — The Form Builder That Doesn’t Annoy Me
What it does: WPForms lets you create contact forms, lead capture forms, surveys, payment forms, and just about any other kind of form your website needs. Drag and drop, no code required.
Why I chose it: I’ve used Contact Form 7, Gravity Forms, Ninja Forms — all of them. Contact Form 7 is free but painful to customize without writing code. Gravity Forms is powerful but expensive. WPForms hits the sweet spot: it’s easy enough for a client to edit themselves, and powerful enough that I can build complex multi-step forms when I need to.
Real example: For one of my dental office clients, I built a multi-step new patient intake form using WPForms. Instead of one long intimidating form, patients go through it step by step — personal info, insurance details, medical history, appointment preferences. The completion rate jumped significantly compared to the old single-page form. And the office staff loved it because the submissions were organized and easy to read.
Pro tip most people miss: Use the conditional logic feature. You can show or hide form fields based on previous answers. So if someone selects “Existing Patient” from a dropdown, you skip the intake questions and go straight to scheduling. It makes forms feel smart and keeps them short.
🔗 Get WPForms | Free Lite version on WordPress.org
6. Smush — Shrink Images Without Losing Quality
What it does: Smush automatically compresses and optimizes every image you upload to WordPress. It reduces file sizes so your pages load faster, without making your images look blurry or pixelated.
Why I chose it: Images are almost always the biggest reason a WordPress site loads slowly. People upload photos straight from their phone or camera — 4MB, 5MB files — and wonder why the page takes forever. Smush handles this automatically in the background. Upload a photo, and it gets compressed on the spot. No extra steps for the client.
Real example: I took over a photography portfolio site that had over 500 uncompressed images. The homepage alone was loading over 15MB of image data. I installed Smush and ran the bulk optimization tool. It compressed all 500+ images in about 20 minutes and saved over 2GB of storage. The homepage went from 15MB to under 3MB. Same images, same visual quality — just smarter file sizes.
Pro tip most people miss: Enable lazy loading in Smush’s settings. This means images below the fold (the stuff you have to scroll down to see) don’t load until the visitor actually scrolls to them. It makes the initial page load dramatically faster, especially on image-heavy pages.
7. WP Mail SMTP — The Plugin You Don’t Know You Need
What it does: WP Mail SMTP fixes WordPress’s email delivery problem. By default, WordPress sends emails using PHP’s built-in mail function, which most servers don’t configure properly. WP Mail SMTP routes your emails through a proper SMTP server so they actually reach people’s inboxes.
Why I chose it: This is the plugin that solves the mystery of “why am I not getting any contact form submissions?” Nine times out of ten, the forms are working fine — the emails are just going to spam or not being sent at all. WP Mail SMTP fixes this by connecting WordPress to a real email service like Gmail, SendGrid, or your hosting provider’s SMTP server.
Real example: A client called me frustrated, saying their contact form had been broken for months and they were losing leads. I checked — the form was working perfectly. The problem was that WordPress was sending emails through PHP mail, and the server’s emails were getting flagged as spam by Gmail. I installed WP Mail SMTP, connected it to their Google Workspace account, and every submission started landing in their inbox within seconds. They had likely missed dozens of potential customers over those months.
Pro tip most people miss: Turn on the email logging feature. It keeps a record of every email WordPress sends, so if someone says “I filled out your form but never heard back,” you can check the log and see exactly what happened. Was it sent? Was it opened? Did it bounce? This is a game-changer for businesses that rely on form submissions for leads.
🔗 Get WP Mail SMTP | Free version on WordPress.org
8. Site Kit by Google — Analytics Without the Confusion
What it does: Site Kit is Google’s official WordPress plugin that connects your site to Google Analytics, Search Console, PageSpeed Insights, and AdSense — all accessible from a single dashboard inside WordPress.
Why I chose it: Most of my clients don’t want to learn Google Analytics. And honestly, GA4’s interface is confusing even for people who do this for a living. Site Kit solves this by showing the most important metrics — traffic, top pages, search queries, page speed scores — right inside the WordPress admin. It’s the “just tell me how my site is doing” plugin.
Real example: One of my clients used to ask me every month to pull together a traffic report. I’d log into their GA4, export data, put it into a spreadsheet, and send it over. After installing Site Kit, I just told them to click the “Site Kit” tab in their WordPress dashboard. Now they can see their own traffic, their top-performing pages, and which search terms are bringing visitors — all without needing me to play middleman. It saved both of us time.
Pro tip most people miss: Connect Search Console through Site Kit, not just Analytics. Search Console shows you which keywords people are actually using to find your site, how often you’re appearing in search results, and your average position. That data is gold for understanding what content to create next.
Bonus: What I Don’t Install (And Why It Matters)
Just as important as what goes on a site is what stays off it. Here are some common plugins I actively avoid:
Jetpack — It tries to do everything: security, performance, social sharing, analytics, backups. The problem is it does all of them in a mediocre way while adding significant bloat to your site. I’d rather use specialized plugins that each do their job well.
All-in-one “Swiss army knife” plugins — Any plugin that promises to handle SEO, caching, security, AND forms is probably doing none of them particularly well. Specialized tools almost always outperform all-in-one solutions.
Too many social sharing plugins — Those floating share bars with 12 different social icons? They slow your site down, they look dated, and most visitors don’t use them. If you need social sharing, pick one lightweight option and call it a day.
Page builder plugins on top of page builder plugins — If you’re using Elementor, you don’t also need Beaver Builder installed and deactivated in the background. Unused plugins are still a security risk. If it’s not active and useful, delete it.
My rule of thumb: every plugin on your site should have a clear job that justifies its existence. If you can’t explain in one sentence what a plugin does for your business, it probably shouldn’t be there.
Wrapping Up
That’s the stack. Nine plugins that cover the essentials every WordPress business site needs:
- Security → Wordfence
- SEO → Rank Math
- Speed → LiteSpeed Cache or WP Rocket
- Backups → UpdraftPlus
- Forms → WPForms
- Image Optimization → Smush
- Email Deliverability → WP Mail SMTP
- Analytics → Site Kit by Google
These aren’t trendy picks or flavor-of-the-month recommendations. They’re the plugins that have survived my own trial and error across hundreds of client sites. They work, they’re well-maintained, and they play nicely together.
If you’re a business owner looking at your WordPress site and wondering whether it has the right foundation, this list is a solid starting point. And if your current developer hasn’t set up at least most of these? It might be time for a conversation.
Need help getting your WordPress site properly set up? Feel free to reach out through WorkflowDone.com — I’d be happy to take a look.
Temo Berishvili
Founder of Workflowdone.com
