Every WordPress developer eventually builds a reflex: the same handful of plugins go onto a fresh install before a single line of client work begins. Not the "best" plugin in each category in some abstract sense, but the dependable baseline you'd trust on a site you have to support for three years. This is mine. The order matters here, because a few of these change the rules for everything installed after them, and I'll explain why as we go.
Counterintuitive, but the SMTP plugin goes on before security, before caching, before SEO. The moment you build a contact form, run a password reset, or send a WooCommerce receipt, wp_mail() hands the message to PHPMailer, and with no SMTP configured PHPMailer falls back to PHP's mail(), which on shared hosting is rate-limited, silently dropped, or flagged as spam. You won't notice until a lead complains a month later that they emailed you twice. Wiring SMTP through a real provider (Gmail/Google Workspace, Microsoft 365, SendGrid, Mailgun, Postmark, or Amazon SES) on day one means every later test sends through the production path. Two things no plugin does for you: publishing SPF and DKIM records for the sending domain that authorise that provider, and keeping the From address on that domain. A form plugin that puts the visitor's address in From: fails DMARC alignment and lands in spam no matter how well the relay is configured; the visitor's address belongs in Reply-To.
I lean toward FluentSMTP now because it's genuinely free with no provider paywall and includes email logging, which WP Mail SMTP gates behind its Pro tier ($49/year). WP Mail SMTP still has the smoother first-run wizard if a non-technical client will ever touch it. Whichever you pick, keep the SMTP password out of the options table: both plugins can read credentials from constants defined in wp-config.php, and a password sitting in wp_options ends up in every database backup and is readable through any SQL injection. And do not ship a site whose email deliverability you haven't actually verified by sending one and reading the log entry for it.
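What those plugins do under the hood, as an added example and not code from FluentSMTP or WP Mail SMTP: a must-use plugin that points PHPMailer at a relay using constants from wp-config.php and surfaces the failures wp_mail() would otherwise swallow. The EXAMPLE_SMTP_* constant names are this example's own convention; the hooks it uses (phpmailer_init, wp_mail_from, wp_mail_failed) are WordPress core.

```php
<?php
/**
 * Plugin Name: SMTP relay from wp-config constants (added example, not plugin code)
 *
 * Drop into wp-content/mu-plugins/ and define in wp-config.php (the
 * EXAMPLE_SMTP_* names are this example's own convention):
 *   define( 'EXAMPLE_SMTP_HOST', 'smtp.example.net' );
 *   define( 'EXAMPLE_SMTP_PORT', 587 );                    // 587 = STARTTLS, 465 = implicit TLS
 *   define( 'EXAMPLE_SMTP_USER', 'postmaster@example.com' );
 *   define( 'EXAMPLE_SMTP_PASS', 'app-password-here' );
 *   define( 'EXAMPLE_SMTP_FROM', 'no-reply@example.com' ); // an address the relay may send as
 * Nothing is written to wp_options, so the password is not in database
 * backups and not reachable through an SQL injection.
 */

use PHPMailer\PHPMailer\PHPMailer;

// phpmailer_init fires inside wp_mail() after the message is assembled and
// before send(); it hands over the PHPMailer instance WordPress will use.
add_action( 'phpmailer_init', function ( PHPMailer $phpmailer ) {
    foreach ( [ 'EXAMPLE_SMTP_HOST', 'EXAMPLE_SMTP_USER', 'EXAMPLE_SMTP_PASS' ] as $name ) {
        if ( ! defined( $name ) || '' === constant( $name ) ) {
            // Be loud: the alternative is a silent fall-back to PHP mail().
            error_log( "smtp: {$name} undefined, wp_mail() is using PHP mail()" );
            return;
        }
    }
    $port = defined( 'EXAMPLE_SMTP_PORT' ) ? (int) EXAMPLE_SMTP_PORT : 587;

    $phpmailer->isSMTP();
    $phpmailer->Host       = EXAMPLE_SMTP_HOST;
    $phpmailer->Port       = $port;
    $phpmailer->SMTPAuth   = true;
    $phpmailer->Username   = EXAMPLE_SMTP_USER;
    $phpmailer->Password   = EXAMPLE_SMTP_PASS;
    $phpmailer->SMTPSecure = ( 465 === $port ) ? PHPMailer::ENCRYPTION_SMTPS : PHPMailer::ENCRYPTION_STARTTLS;
    // Certificate verification stays on. Setting SMTPOptions['ssl']['verify_peer']
    // to false is the usual "fix" for a relay with a bad certificate; it lets
    // anyone on the network path read the credentials and the mail.
} );

// Pin the From address to one the relay is authorised to send as, so SPF and
// DKIM align. Form plugins that put the visitor's address in From: break DMARC;
// Reply-To is the right place for that. Late priority so this filter runs last.
add_filter( 'wp_mail_from', function ( $from ) {
    return defined( 'EXAMPLE_SMTP_FROM' ) ? EXAMPLE_SMTP_FROM : $from;
}, PHP_INT_MAX );

// wp_mail() returns false on failure and fires wp_mail_failed with a WP_Error
// carrying PHPMailer's message and the original recipients. Without a hook
// here the failure is invisible unless every caller checks the return value.
add_action( 'wp_mail_failed', function ( WP_Error $error ) {
    $data = $error->get_error_data();
    $to   = isset( $data['to'] ) ? implode( ', ', (array) $data['to'] ) : 'unknown';
    error_log( sprintf( 'wp_mail failed (to: %s): %s', $to, $error->get_error_message() ) );
} );
```

Verify from the shell rather than trusting a dashboard: `wp eval 'var_dump( wp_mail( "you@example.com", "SMTP test", "sent from " . home_url() ) );'` should print bool(true) and the message should reach the inbox, not the spam folder; a false here is logged by the wp_mail_failed hook together with the provider's error text.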
This is the second decision because it dictates how you measure everything else. There is no single right caching plugin — there's the right one for your stack:
Why second? Because your Core Web Vitals numbers — the target is LCP under 2.5s, INP under 200ms, CLS under 0.1 — are meaningless to chase until caching is correct. Set this, then measure.
UpdraftPlus's free tier handles scheduled offsite backups to Google Drive, Dropbox, or S3 with retention rules, which is all most sites need. The reason it wins isn't features; it's that its restore works under pressure. I've watched backup plugins produce archives that won't reimport when you need them at 2am, and a backup you can't restore is theater. Two caveats that apply to any backup plugin: the archive contains wp-config.php, so whoever can read the backup bucket holds the database credentials and the auth salts, and the plugin's own credentials for that bucket live on the server, so a compromised site can reach its own backups. Turn on versioning or object lock on the bucket so a deletion from the site side is not final, and rehearse a restore onto staging before you need one. If you're running e-commerce where restore speed and incremental backups matter, BlogVault ($89/year) is the upgrade, but for a brochure or blog site UpdraftPlus is the honest default.
A WordPress site gets probed by bots within hours of going live; the threat is almost never a targeted attacker and almost always automated scanning for known plugin vulnerabilities, followed by credential stuffing against wp-login.php and xmlrpc.php. Wordfence's web application firewall, login rate-limiting, and two-factor auth cover the overwhelming majority of that. The free tier's only real compromise is a 30-day delay on the newest firewall rules and malware signatures: acceptable for a typical site, less so for high-traffic commerce, where the $119/year premium tier's real-time rules earn their keep. Solid Security (formerly iThemes Security) is the lighter-weight alternative if Wordfence's dashboard feels heavy. Whichever you pick, the actual win is forcing 2FA on every administrator account and killing XML-RPC if nothing needs it (Jetpack and the WordPress mobile apps do). Be aware that the xmlrpc_enabled filter most "disable XML-RPC" snippets use only turns off methods that require a login; pingback.ping needs no login, keeps answering, and is the method abused for reflected DDoS. And none of this replaces updating plugins promptly: a firewall rule buys time against a known exploit, it doesn't close the hole.
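The XML-RPC change in working code, as an added example rather than Wordfence's or Solid Security's implementation: a must-use plugin that closes both halves of the endpoint, the authenticated methods and the unauthenticated pingback method, and stops advertising it. The filter and hook names are WordPress core; the file and the EXAMPLE_XMLRPC_HARD_BLOCK constant are this example's own.

```php
<?php
/**
 * Plugin Name: Close XML-RPC (added example, not plugin code)
 *
 * Drop into wp-content/mu-plugins/. Two separate things live behind
 * xmlrpc.php and one filter does not cover both:
 *   1. methods that require a login (wp.getUsersBlogs, system.multicall ...),
 *      used for password guessing, often batched through multicall;
 *   2. pingback.ping, which needs no login and makes this server fetch a URL
 *      chosen by the caller (reflected DDoS, SSRF-style probing).
 * Do not use this if Jetpack or the WordPress mobile apps are in use; both
 * talk to the site over XML-RPC.
 */

// (1) xmlrpc_enabled is consulted by wp_xmlrpc_server::login(), so this
// refuses every authenticated method. It does nothing for pingback.ping.
add_filter( 'xmlrpc_enabled', '__return_false' );

// (2) Remove the unauthenticated pingback methods from the method table.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint. Scanners confirm XML-RPC is live from the
// X-Pingback response header and the RSD <link> in <head>.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// (3) Optional hard stop: answer 403 at init, which in xmlrpc.php runs before
// the XML-RPC server object is built. Enable only when nothing at all needs
// the endpoint; it overrides the finer-grained filters above.
if ( defined( 'EXAMPLE_XMLRPC_HARD_BLOCK' ) && EXAMPLE_XMLRPC_HARD_BLOCK ) {
    add_action( 'init', function () {
        if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
            status_header( 403 );
            nocache_headers();
            exit( 'XML-RPC is disabled on this site.' );
        }
    } );
}
```

Check it rather than assume it: `curl -s https://example.com/xmlrpc.php -d '<methodCall><methodName>system.listMethods</methodName></methodCall>'` returns the method table, and pingback.ping must no longer appear in it. If nothing on the site needs the endpoint, also refuse it at the web server (nginx `location = /xmlrpc.php { return 403; }` or the Apache equivalent) so the request never reaches PHP; the mu-plugin then covers the day someone loosens the server config.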
Rank Math's free tier folds in jobs that used to take three plugins: meta and Open Graph control, an XML sitemap, schema markup (Article, FAQ, Product, LocalBusiness — broader in the free tier than Yoast offers), and a redirect manager. That last point matters: it means you don't add a separate Redirection plugin later. Yoast is still excellent and arguably more conservative, but Rank Math gives more away for free, and the schema breadth helps with both Google rich results and how AI answer engines parse your pages.
Images are where page weight goes to die; an unoptimized hero can be 2–4MB on its own, and that's your LCP element. The non-negotiable feature in 2026 is serving WebP or AVIF, not just JPEG compression. ShortPixel and Imagify both convert and compress aggressively on a credits model; EWWW can optimize locally with no per-image cost. I'd steer away from relying on Smush's free tier alone here, since WebP conversion sits behind its paid plan — and WebP is the part that actually moves the needle. If your cache plugin is LiteSpeed Cache, note it already does image optimization, so this slot may already be filled.
For a single contact form, the heavyweight builders are overkill and add JavaScript you don't need. Fluent Forms is my current default: fast, no aggressive upsells, and it scales to multi-step and payment forms if the project grows. WPForms Lite remains the friendliest for clients who'll edit forms themselves. Contact Form 7 is free and featherweight but its UX has aged badly and styling it is a chore. Match the plugin to who maintains it after you leave.
This is where I diverge from the usual advice. I now reach for Site Kit by Google — it's free, connects GA4 and Search Console directly, and there's no third party sitting between your data and Google. The setup wizard is clunkier than MonsterInsights, but MonsterInsights gates meaningful event tracking behind a $199/year Pro tier. Honestly, on many sites I add the GA4 tag through Google Tag Manager and install no analytics plugin at all — fewer plugins, full control. Pick based on whether a client needs an in-dashboard report.
Conditional, but when it applies nothing competes. If a site allows comments, the spam volume is relentless, and Akismet's signature database dwarfs every alternative. It ships with WordPress; personal use is free, commercial use starts around $10/month. Antispam Bee is the fully-free fallback and catches a respectable share, but on a real commercial site Akismet is the one I trust. If the site has comments disabled — which plenty of brochure sites should — skip this entirely rather than carry a plugin doing nothing.
This one is built by the WordPress core team, used maybe twice a year, and irreplaceable on those days. Its troubleshooting mode disables all plugins and swaps to a default theme for your session only, so live visitors see the normal site while you isolate which plugin is causing the white screen. There is genuinely no substitute for this specific trick, which is why it's the one "set it and forget it" entry on the list.
No page builder. Whether a project wants Elementor, Bricks, or no builder at all is a per-site decision, not a baseline one — a blog needs none, a marketing site usually does, and committing to one in your starter set bakes a heavy dependency into projects that don't need it. The same logic applies to membership, LMS, and e-commerce plugins: they belong to the brief, not the boilerplate.
Counted honestly, several of these are conditional (Akismet, the SMTP choice, the analytics decision), so a typical site lands around seven to ten active plugins from this set. The combined code is a few megabytes, and on a host with caching configured correctly the runtime overhead is small — well under the threshold where it shows up against a TTFB target of roughly 200ms. The point of a starter set was never minimalism for its own sake; it's that you stop re-deciding solved problems on every build and spend that attention on the work that's actually unique to the client.
© 2026 RevealTheme. All rights reserved.