My 2018 WordPress Plugin Essentials, Part 2 of 2
I’m a WordPress professional, versed in design, development, plugins, education, and organizational strategies. I work to assist clients with building and maintaining high-performance, scalable WordPress websites. Today, I'll be wrapping up my coverage of 17 essential plugins guaranteed to provide value to your next WordPress project. Reach out to me directly, message me, or leave a comment if you have feedback – or ideas for new posts!
Also, if you'd like to read the full article, it's far better on my blog.
Security plugins
Minding WordPress security is incredibly important to keeping your site working the way you designed it. With this in mind, hosting differences across my various WordPress projects disqualified many valuable security plugins from this list (more context on that later). In fact, only two plugins fulfilled the 75% usage criterion.
Force Strong Passwords
Imagine, for a moment, that hackers (or, at the very least, people able to guess simple passwords) exist on Planet Spaceball. If so, they likely gained access to President Skroob’s luggage (with the ill-chosen combination of 1-2-3-4-5) a long time ago! It’s comedic, but the behavior of picking simple, easy-to-guess passwords is far more common than many site administrators are comfortable with. Like the image upload size problem described above, weak passwords are another way that a client or your client’s users can turn the whole website you toiled over into a sudden clean-up job. And the possibilities for an intruder having admin user access are far, far worse than a few slow images.
By default, WordPress will generate a complex password for new users, but a user can still type in a new, weak password and have WordPress accept it simply by ticking a checkbox. That’s where Force Strong Passwords comes in. If a user types in a weak password and hits Save… denied! Force Strong Passwords will insist that the new password be stronger. If you’d like different password enforcement options, a number of filters are available as well.
Now, if only we could install this plugin into Planet Druidia’s air shield…
Limit Login Attempts Reloaded
The Spaceballs scenario I described above is perfect for a sci-fi comedy, but it’s exactly the usage pattern that brute force attacks try to exploit. A large percentage of Internet novices pick easy-to-guess usernames and passwords, and the machines behind a brute force attack slam a login page with the usernames and passwords those novices commonly use. More sophisticated attacks will also draw on a known user’s public information. And even if the brute force attack fails to gain access, there’s a chance that the attempts themselves will bring the site down, because every attempt consumes resources in the authentication process.
Granted, using the Force Strong Passwords plugin can help a great deal, though it does not remove the authentication overhead incurred by each attempt. Luckily, a simple approach to blocking those attacks exists, and it’s one of the features at the core of Limit Login Attempts Reloaded: it will only allow a certain number of login attempts from a specific IP before engaging a lockout period. Each aspect of the login enforcement can be configured, from the number of allowed retries to the length of the lockout. Limit Login Attempts Reloaded also protects against XML-RPC attacks, another common attack vector.
Moreover, if you’ve been using the old Limit Login Attempts plugin that’s not been maintained for a few years, switching over to the Reloaded version is a snap! Simply remove the old plugin and activate the Reloaded plugin. Your settings will be transferred over.
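To make the lockout mechanism concrete, here is an added example (my own illustration, not Limit Login Attempts Reloaded’s code) of a per-IP failed-login counter with a configurable retry threshold and lockout length. The thresholds and the `verify` callback are assumptions; the same limiter could be fed failures from an XML-RPC endpoint by passing the same IP.

```python
import time

class LoginLimiter:
    """Per-IP failed-login counter with a lockout window (constructed example)."""

    def __init__(self, allowed_retries=4, lockout_seconds=20 * 60,
                 reset_seconds=12 * 60 * 60, clock=time.time):
        self.allowed_retries = allowed_retries   # failures before a lockout starts (assumed)
        self.lockout_seconds = lockout_seconds   # how long the IP stays blocked (assumed)
        self.reset_seconds = reset_seconds       # forget stale failures after this (assumed)
        self.clock = clock                       # injectable time source for tests
        self._failures = {}                      # ip -> (count, last_failure_time)
        self._lockouts = {}                      # ip -> lockout expiry time

    def is_locked(self, ip):
        until = self._lockouts.get(ip)
        if until is not None and self.clock() < until:
            return True
        self._lockouts.pop(ip, None)             # expired (or absent) lockout
        return False

    def attempt(self, ip, username, password, verify):
        """Process one login from `ip`. `verify(username, password) -> bool` is
        the site's real credential check; it is skipped while the IP is locked
        out, which is what spares the server the authentication cost of a
        brute-force run. Returns (accepted, reason)."""
        if self.is_locked(ip):
            return False, "locked_out"
        if verify(username, password):
            self._failures.pop(ip, None)         # success clears the counter
            return True, "ok"
        self._record_failure(ip)
        return False, "locked_out" if self.is_locked(ip) else "bad_credentials"

    def _record_failure(self, ip):
        now = self.clock()
        count, last = self._failures.get(ip, (0, now))
        if now - last > self.reset_seconds:      # old failures no longer count
            count = 0
        count += 1
        if count >= self.allowed_retries:        # threshold reached: lock the IP
            self._lockouts[ip] = now + self.lockout_seconds
            self._failures.pop(ip, None)
        else:
            self._failures[ip] = (count, now)
```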
Utility plugins
All of the following plugins provide utility that would be difficult to go without!
All in One SEO Pack / Yoast SEO
Here’s the sole plugin tossup in this post, where I either use one or the other on most of my sites. However, I do have a preferred horse in this race. Both plugins provide much of the same value – though the devil (really, more of a helpful daemon) is in the details.
Search engine optimization is not something you should ignore if you’re developing a website intended for an audience. Long gone are the days of blogrolls and curated web portals as a primary source of traffic. Nowadays, Google is the homepage of the Internet, and if you want Google to direct visitors to your artisan content, you’ve got to try to play the algorithm as best as you can. Moreover, a lack of SEO strategy can actively deter Google from indexing your content.
Of the two SEO plugins in the header, I’ve used All in One SEO Pack the longest. It’s the simpler of the two, and has a higher performance profile. Presentation-wise, it’s much more straightforward and you’ll rarely have to dig through multiple screens to find the setting you’re looking for. Generally speaking, I tend to install All in One SEO Pack for sites with content that isn’t expected to change much. This way, I can ensure that the content being offered at launch is optimized without worry for any future content optimization. All in One SEO Pack is my choice if site performance at scale is a concern, as various features offered by the plugin can easily be turned on and off. If the client has an SEO expert on staff, this is likely my plugin pick as well.
For sites with contributors that write much of their own content (like mine!), Yoast SEO is my clear favorite. For administrators that are novices in search engine optimization, Yoast SEO gently guides the user through the basic setup process. The Configuration Wizard is a good beginning to education in basic search optimization issues and techniques. For content contributors, Yoast SEO provides the invaluable Readability Analysis tool, which prompts writers on simple edits that can increase your SEO. Although depending too much on the Analysis tool can have its own problems, as long as contributors treat its suggestions as guidelines – and not dogma – stronger content is bound to occur.
Really, it’s hard to go wrong with either plugin. Both are covered in a ton of tutorials and documentation and will help enable a stronger SEO game than without.
Duplicate Post
Oddly, Duplicate Post is another plugin that provides functionality that many might assume WordPress provides by default. It allows just that – easy duplication of previously-created posts into new drafts (and it works for pages, too). There are even settings for granularity; you can choose exactly which elements of posts and pages you wish to clone. Its simplicity is such that it’s a wonder that its utility hasn’t been introduced into WordPress Core yet. Get this plugin.
Plugin Notes Plus
This simple plugin has likely made a bigger impact on my task of maintaining multiple client websites than any other this year. When you develop many websites, it’s entirely possible to lose track of why you made a particular decision about a plugin. After six months away from a client’s site, you may scratch your head as to why it was important to keep Hello Dolly – and it’s not even a Louis Armstrong fan site!
End the guessing and get Plugin Notes Plus. This handy plugin allows you to record notes for each plugin on the Plugins admin screen. You can even record multiple notes per plugin! The option to attach different icons to each note will help you visually identify warnings, notices, and other note types.
Redirection
The need to redirect requests from deprecated URLs touches upon so many important aspects of site development. First, every 404 served to a human visitor has a great chance to be a lost traffic opportunity. Second, 404s are hard to cache – and hence, have a big impact on overall site speed. Third, migrated, un-redirected content that is lost to Google and other search engines heavily impacts SEO efficacy.
Historically, I’ve handled 301s in a variety of ways, from mod_rewrite on Apache, to regex redirects in wp-config.php, to various plugins for the purpose. Most of the sites I work on have a great deal of legacy content, and it’s typical that a great deal of content will be generated in the future. With the high probability of redirects having to be created at launch and the need to manage legacy redirects, along with the likelihood that future content edits might introduce edited slugs, I typically choose Redirection to manage most of my 301s.
Now, I’ve seen too many redirect rules adversely affect a site’s performance. There’s a sinking feeling to seeing an HTTP server slow down to a crawl due to several thousand 301 rules in place. That’s why I’m grateful that Redirection records the number of hits a specific redirect rule incurs. As an example, if after a year’s traffic a specific redirect rule has only a handful of hits, it’s likely a good call to just delete it. Why incur the overhead for a seldom-used rule?
A truly essential feature of Redirection is its 404 log. Since bots can and will hit parts of your site you didn’t anticipate, sorting through the frequency of 404s can really help with writing effective 301s. The option to create a redirect to counter a logged 404 is given with each result.
Safe SVG
Those who frequent my blog might have noticed the number of SVG images I use on it. My “other job” as a webcomics artist involves a lot of Illustrator work, and SVG and Illustrator go together like sea salt on caramel ice cream. The SVG format (and its smaller, zippier form, SVGZ) has compelling benefits. SVG and SVGZ images are relatively small files, and the images scale cleanly due to their vector nature. Unfortunately, unlike raster formats like JPEG and GIF, SVG is an XML document and is vulnerable to multiple types of attack, including XSS. Frighteningly, script embedded in an SVG can execute in a visitor’s browser (for instance when the file is opened directly or inlined into a page), so an unsanitized SVG upload can run anything JavaScript can do.
As may be apparent, a way to sanitize uploaded SVGs would help mitigate the security hole, and that’s where Safe SVG comes in. The free version of Safe SVG will parse your uploaded SVGs and clean out any potentially malicious code. Equally handy, Safe SVG will enable image previews of SVGs in the Media Library, which some solutions for allowing SVG uploads do not. If you’re interested in the paid version, Safe SVG will allow you to set the user role(s) that are allowed to upload SVGs. Additionally, if you like squeezing even more performance out of your uploaded SVGs, the paid version will also run them through the SVGO optimization library, making them even faster!
SVGs will be the future of many images, and the security challenges with SVG are being actively discussed in the community. In the meantime, post them with confidence with this useful plugin!
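To show what “cleaning out potentially malicious code” involves, here is an added example of a small SVG sanitizer; it is my own illustration, not Safe SVG’s code, and its rules (dropping `script` and `foreignObject`, event-handler attributes, and `href` values with anything but an http/https scheme or a relative/fragment target) are an assumed conservative policy. The sample SVG is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # serialise without ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)
FORBIDDEN_ELEMENTS = {"script", "foreignobject"}   # executable / HTML-embedding
SAFE_SCHEMES = {"http", "https"}                   # assumed policy for href values
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)

def _local(name):  # '{ns}tag' -> 'tag', case-folded, so a prefix cannot hide a tag
    return name.rsplit("}", 1)[-1].lower()

def _href_is_safe(value):
    cleaned = re.sub(r"[\x00-\x20]", "", value)    # browsers skip leading controls
    m = _SCHEME_RE.match(cleaned)
    if m is None:                                  # relative path or '#fragment'
        return True
    return m.group(1).lower() in SAFE_SCHEMES      # rejects javascript:, data:, ...

def _scrub(elem):
    for key in list(elem.attrib):
        local = _local(key)
        if local.startswith("on"):                 # onload=, onclick=, ... handlers
            del elem.attrib[key]
        elif local == "href" and not _href_is_safe(elem.attrib[key]):
            del elem.attrib[key]
    for child in list(elem):
        if not isinstance(child.tag, str) or _local(child.tag) in FORBIDDEN_ELEMENTS:
            elem.remove(child)                     # also drops comments and PIs
        else:
            _scrub(child)

def sanitize_svg(svg_text):
    """Return the cleaned SVG as a string, or raise ValueError if refused. Caveat:
    ElementTree is not hardened against entity-expansion payloads; use defusedxml."""
    if re.search(r"<!ENTITY", svg_text, re.I):     # coarse guard for internal DTDs
        raise ValueError("internal DTD entities are not allowed")
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    _scrub(root)
    return ET.tostring(root, encoding="unicode")

# Constructed sample upload (not a real file) that exercises every rule above.
CONSTRUCTED_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert('xss')</script><a xlink:href=" javascript:alert(2)"><circle r="5" onclick="alert(3)"/></a>
  <image href="https://example.com/logo.png" width="10" height="10"/><use xlink:href="#shape"/>
</svg>"""
```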
“What? That’s it? Why didn’t you include…”
A word about managed WordPress hosting
Though many of my WordPress projects occur on simple hosting, just as many of those projects in the past few years are on managed WordPress hosting. Development environments such as those given by managed WordPress hosting platforms have many advantages. Common features offered include automated backups, page and object caching, and platform-level security, including a WAF and active malware scans. Having these sorts of features is fantastic – one reason being that they are offered at the platform level, so they don’t eat into my website’s performance the way a plugin would. In these sorts of secure hosting situations, I usually find myself disqualifying plugins from my project that I would normally use on single-server projects.
That doesn’t mean I don’t have recommendations for features like backups and page caching! Though I don’t consider the following plugins “essential” for every project, they’ll likely be useful for projects outside of managed hosting.
Backups
I still occasionally use UpdraftPlus on hosting without a backup feature. It is a freemium plugin, with options to store your backups on multiple platforms or your own external storage.
Caching
In most cases where a web server accelerator is not available (and in some cases where a web server accelerator is available but no external object cache is), I’ve used W3 Total Cache in the past to great effect. W3 Total Cache provides object caching using disk, opcode or memcache(d) memory stores.
Google Analytics
Google Analytics often comes into consideration in two ways. First, the need to insert the analytics code into the front end. Second, the ability to view analytics within the WordPress admin with a plugin.
For code insertion, I only typically rely on a plugin if for some reason editing a custom theme (or a child theme) is somehow not an option. In those cases, the Insert Headers and Footers plugin works well. Just place the code into the footer area (to avoid render-blocking JavaScript issues) and save. Keep in mind that some themes are handy enough to provide an option to insert code into the header or footer, often via the Customizer.
Some of my clients have historically used a plugin to view analytics within wp-admin. I typically recommend to them a different approach: using a browser bookmark! Indeed, any user can get the same information from viewing their analytics directly from the Google Analytics website, all without having to install a plugin. The wisdom bears repeating:
Security suites
Off of secure hosting, I’ve used both Wordfence and Sucuri Security. As mentioned earlier, be sure to go through the security settings for either plugin with a fine-toothed comb, as there may be features in your hosting environment which make a specific security plugin feature redundant. Be sure to turn off the Live Traffic Tracking feature for Wordfence – it consumes a not-inconsequential amount of server resources and it can potentially break your page caching. In fact, I would disable Wordfence cookies entirely. Use Google Analytics if you want a live view of your traffic!
In closing
So why is an essential plugins list crucial? For starters, starting states! If you’re able to determine which plugins you’re most likely to use at the beginning of a project, you can create and maintain a repository that you can use as a base for each new site. You could even automate plugin and core updates to your repo, and make it even more bulletproof with visual regression against a testing instance loaded with testing data. Some managed WordPress hosting platforms also offer different solutions to developers that desire starting states for their projects.
I hope you were able to get some value from this post and I look forward to providing more working insight in future posts. Of course, I’ll never pretend to know everything about this topic, and I’m continually looking for additional knowledge and feedback. Did I miss an indispensable plugin that you couldn’t live without? Do you have a better recommendation than the ones I provided? Let me know, and I’ll likely give it a spin!
Additional resources and upcoming topics
For avid readers, here’s more contextual information on the items covered in this post. Additionally, I have in the works more posts on various, knotty WordPress challenges a developer can face.
Future posts I’ll eventually write
- Performance at scale – utilizing load testing and software analytics to deliver at truly massive scale
- Manage all the contributors! – corralling a large team of contributors will be easier, with special tools and processes that I developed while managing a global team
Articles on the web
- The nightmare that is wp-cron.php
- pantheon.io: A Quickstart Guide to WordPress Security
- wpmudev.org: How Many WordPress Plugins Is Too Many Plugins…?
Managed WordPress hosting platforms, strictly in alphabetical order
If managed WordPress hosting sounds like a favorable option for your next project, check out this list of platforms!