After 200+ WordPress sites, my plugin stack has converged to the same 9 plugins. Every time.
Not because I'm lazy. Because I've tried the alternatives, broken things in production, dealt with plugin conflicts at 2am, and slowly eliminated everything that wasn't essential.
This is the stack I install on every site I build — including the ones generated by Megify, the AI platform I'm building. Every plugin here earns its place. If it doesn't solve a real problem, it's not on the list.
The rules
Before the list, the rules I follow:
- Fewer plugins = fewer problems. Every plugin is a potential security hole, a performance hit, and a compatibility risk. If I can do it without a plugin, I do.
- No plugin does two jobs. SEO plugin does SEO. Cache plugin does caching. I don't want an "all-in-one" plugin that does 17 things badly.
- Free tier must be usable. If the free version is crippled to the point of uselessness, the plugin is a sales funnel, not a tool.
- Active maintenance. If the last update was 6 months ago, it's dead. WordPress core updates break unmaintained plugins.
1. Rank Math (SEO)
What it does: Meta titles, descriptions, schema markup, sitemap, redirects.
Why not Yoast: I used Yoast for years. Rank Math does the same things with a cleaner UI, better schema markup options, and the free version includes features that Yoast locks behind premium (redirects, multiple keyword tracking, schema types).
The setup I use: Enable only the modules you need. I typically turn on: SEO Analysis, Sitemap, Schema, Redirections, and 404 Monitor. Everything else stays off. Rank Math with all 15 modules enabled is bloated. With 5, it's lean.
One thing people miss: The "Instant Indexing" module. It pings Google via the Indexing API when you publish or update content. Pages get indexed in minutes instead of days. You need a Google API key, but it's free and takes 10 minutes to set up.
2. WP Rocket (Caching + Performance)
What it does: Page caching, browser caching, GZIP compression, CSS/JS minification, lazy loading, database optimization.
Why it's worth paying for: This is the one paid plugin on my list (€59/year for a single site). I've tried every free caching plugin — W3 Total Cache, WP Super Cache, LiteSpeed Cache. They all work. But WP Rocket works out of the box with zero configuration. Install, activate, done. No 47 settings tabs, no breaking your site because you enabled the wrong option.
The setting most people miss: "Preload Cache" — it crawls your site and generates cached versions of every page in advance. First-time visitors get a cached page instead of waiting for PHP to render. Combined with "Preload Links" (prefetches pages on hover), navigation feels instant.
If you can't afford it: LiteSpeed Cache if your host supports LiteSpeed (many do now). Otherwise WP Super Cache — ugly interface, reliable caching.
3. Wordfence (Security)
What it does: Firewall, malware scanner, login security, brute force protection, real-time threat intelligence.
Why it matters: WordPress is 40% of the web. That makes it target #1 for automated attacks. Without a security plugin, you're relying on hope. Wordfence's firewall blocks most attacks before they reach your site.
The free version is enough. Premium adds real-time firewall rules (free users get them 30 days later) and real-time malware signatures. For most sites, the free version with 30-day delayed rules is perfectly adequate.
The settings I change:
- Enable 2FA for all admin accounts. Non-negotiable.
- Set "Lock out after how many login failures" to 5.
- Enable "Rate Limit" for crawlers and humans.
- Disable XML-RPC in the firewall settings (it's an attack vector nobody needs in 2026).
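One way to confirm from the web server's access log that the lockout threshold and the XML-RPC block above are actually enforced. This is an added example, not code from Wordfence or from the original post; the combined log format, the 5-minute counting window, the status-code heuristics and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip - - [time] "METHOD path proto" status ...
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
LOCKOUT_AFTER = 5               # threshold from the settings list above
WINDOW = timedelta(minutes=5)   # assumed counting window, not from the post

def audit(lines):
    """Return (IPs that exceeded the lockout, IPs that XML-RPC answered)."""
    failures = defaultdict(list)    # ip -> timestamps of failed logins
    xmlrpc_open = set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                # not a combined-format line
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = path.split("?", 1)[0]
        if method != "POST" or status != "200":
            continue
        # Heuristic: a failed login POST returns 200, a successful one 302.
        if path.endswith("/wp-login.php"):
            failures[ip].append(when)
        # Assumption: a blocked XML-RPC request is refused, so 200 = served.
        elif path.endswith("/xmlrpc.php"):
            xmlrpc_open.add(ip)
    over = set()
    for ip, times in failures.items():
        times.sort()
        # A 6th failure inside WINDOW means the lockout never triggered.
        for i in range(len(times) - LOCKOUT_AFTER):
            if times[i + LOCKOUT_AFTER] - times[i] <= WINDOW:
                over.add(ip)
                break
    return over, xmlrpc_open

def sample_line(ip, sec, path, status):   # builds one constructed log line
    return (f'{ip} - - [10/Mar/2026:02:00:{sec:02d} +0000] '
            f'"POST {path} HTTP/1.1" {status} 512 "-" "constructed"')

SAMPLE = (                          # constructed data, documentation IPs
    [sample_line("203.0.113.7", s, "/wp-login.php", 200) for s in range(8)]
    + [sample_line("198.51.100.4", s, "/wp-login.php", 200) for s in range(3)]
    + [sample_line("198.51.100.4", 30, "/wp-login.php", 302)]
    + [sample_line("203.0.113.9", 40, "/xmlrpc.php", 200)]
    + [sample_line("203.0.113.10", 41, "/xmlrpc.php", 403)]
)
```

Calling `audit(SAMPLE)` flags the client that kept getting login responses past the fifth failure and the client whose XML-RPC request was still served; an empty result on a real log is what a correctly configured site should produce.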
4. UpdraftPlus (Backups)
What it does: Automated backups to remote storage (Google Drive, Dropbox, S3).
Why it's critical: Your hosting provider probably does backups. But can you access them easily? Can you restore a specific page from 3 weeks ago? Can you download a full backup to your local machine? With UpdraftPlus, yes to all.
My setup: Full backup every week to Google Drive. Database-only backup daily. Keep the last 4 weekly backups and 7 daily database backups. This means I can restore to any day in the last week, or any week in the last month.
The mistake I see constantly: People install a backup plugin but never test a restore. A backup you can't restore is not a backup. Every 3 months, download a backup, spin up a local WordPress, and restore it. Make sure it works.
5. WPForms Lite (Forms)
What it does: Contact forms, with a drag-and-drop builder.
Why this and not Contact Form 7: CF7 works. I used it for a decade. But every time I set up a form with CF7, I spend 20 minutes fighting with the markup and the mail configuration. WPForms Lite lets me build a contact form in 2 minutes with a visual builder. For a contact form — which is all most sites need — the speed difference matters when you're building sites at scale.
The limitation of the free version: No payment forms, no multi-step forms, no conditional logic. If you need any of these, you need Pro. But for a standard "Name, Email, Message, Send" form, Lite is all you need.
Alternative: Fluent Forms free version if you need more fields without paying.
6. Imagify (Image Optimization)
What it does: Compresses images on upload. Supports WebP conversion.
Why it matters: Images are typically 60-80% of a page's weight. An unoptimized 3MB hero image kills your Core Web Vitals, your Lighthouse score, and your user experience on mobile. Imagify compresses images on upload with no visible quality loss.
The setting that saves bandwidth: Enable WebP conversion. WebP images are 25-35% smaller than JPEG at equivalent quality. All modern browsers support WebP. Imagify creates the WebP version and serves it automatically — no code changes needed.
Free tier: 20MB/month of image optimization. For a small site with occasional uploads, it's enough. For an ecommerce site with hundreds of product images, you'll need the paid plan.
Alternative: ShortPixel does the same thing with a similar free tier.
7. Redirection (URL Management)
What it does: Manages 301 redirects and tracks 404 errors.
Why you need it: Every time you change a URL, delete a page, or restructure your site, old URLs break. That's lost SEO value and a bad user experience. Redirection catches 404s and lets you redirect them to the right page with two clicks.
The thing most people don't know: Redirection can automatically create a redirect when you change a post's permalink. Enable "Monitor permalink changes" in settings. Now you never have to worry about changing a URL — the redirect is created automatically.
This is free. Fully featured, no premium version, no upsells. One of the best free plugins in the WordPress ecosystem.
8. WooCommerce (When Needed)
What it does: Turns WordPress into a full ecommerce platform.
When I install it: Only when the site needs to sell something — physical products, digital downloads, services, bookings. I don't install it "just in case." WooCommerce adds significant database tables and admin complexity. If you don't need it, don't install it.
The configuration that matters most: Stripe as primary payment gateway (lowest fees for European cards: 1.4% + €0.25), PayPal as secondary (some customers don't want to enter card details). Shipping zones configured correctly for the target market. Tax settings using a tax plugin or manual rates.
The plugin I add to WooCommerce: Just one — a shipping plugin specific to the client's country (for Italy, I typically use one that integrates with BRT or GLS rates). Everything else WooCommerce does natively.
9. Elementor (Page Builder)
What it does: Visual drag-and-drop page editing.
Why: Because clients need to edit their pages. And "edit in Gutenberg" still means "learn a block editor that changes every WordPress update." Elementor's interface is stable, visual, and understood by millions of users. When I hand off a site, the client can edit text, swap images, and rearrange sections without calling me.
Free vs Pro: The free version handles most landing pages and basic sites. Pro (€59/year) adds theme builder, popup builder, WooCommerce widgets, and custom fonts. For a business site, Pro is usually worth it. For a simple site, free is fine.
The performance concern: Yes, Elementor adds weight — extra CSS, JS, and DOM elements. But with WP Rocket's minification and a good hosting setup, the impact is manageable. A well-built Elementor site scores 85-90 on Lighthouse. Not perfect, but good enough for a business site where editability matters more than a 100 Lighthouse score.
What I don't install
This list is as important as what I install:
No "all-in-one" plugins. Jetpack does 30 things. I need 0 of them badly enough to install a plugin that big. Same for plugins that combine security + performance + SEO. Do one thing well.
No social sharing plugins. They add bloat for minimal value. If someone wants to share, they'll copy the URL. The share buttons with counters showing "0 shares" do more harm than good.
No analytics plugins. Google Analytics is a script tag, not a plugin. Adding a plugin to insert one script tag is unnecessary. I add the GA4 tag via Google Tag Manager, which is also a single script tag. If the client needs a dashboard in WordPress, I use Site Kit by Google — but only if they ask.
No maintenance mode plugins. A maintenance.html file and an .htaccess rule do the same thing without a plugin.
No database optimization plugins. WP Rocket includes database cleanup. Adding another plugin for the same job is redundant.
The stack in production
This is the exact stack running on the sites generated by Megify. When the AI creates a WordPress site, these plugins are pre-installed and pre-configured with the settings described above. The user gets a site that's fast, secure, SEO-ready, and backed up — without installing or configuring anything.
It's not the most exciting part of the platform. But it's the part that keeps sites running reliably at 3am when nobody's watching.
What's your WordPress plugin stack? I'm always curious about what other developers have converged on after years of trial and error.