The Three WordPress Plugins That Survived Two Years
I have installed dozens of WordPress plugins across client sites and deleted most of them. Three have survived every audit. They share a common quality: they do one thing, do it without drama, and update on a predictable cadence. Here is what they are and why they lasted.
The Three
- Wordfence Security (or the equivalent of your choice)
- UpdraftPlus (or equivalent for backups)
- A single SEO plugin (Yoast or Rank Math, pick one)
That is it. Three plugins, covering security, backups, and SEO. Everything else gets deleted at the first audit it fails.
Why These Three
Each one owns a category clients cannot fake. Security, backups, and SEO are not optional and not easily custom-built. Outsourcing them to a well-maintained plugin is usually better than rolling your own for a small site.
The Deletion Candidates
Plugins I routinely delete during audits:
- Page builders (slow, version-locked, usually replaceable)
- Contact form plugins (Formspree or a custom endpoint works better)
- Analytics plugins (direct GA or Plausible install is lighter)
- Social sharing plugins (native buttons or none at all)
- Any plugin whose last update was more than a year ago
Each removal made the site faster and safer. None of them made the client unhappy.
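The "last update more than a year ago" rule can be checked mechanically during an audit. The sketch below is an added example, not code from this post: the function names, plugin slugs and dates are constructed, and the `last_updated` string format is assumed to match what the WordPress.org plugin directory reports. Plugins with no update record at all (custom, premium, or removed from the directory) are flagged for manual review rather than passed silently.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=365)  # the audit rule: last update more than a year ago

def parse_last_updated(value):
    """Parse a string such as '2024-05-21 8:33pm GMT' (assumed format) into UTC."""
    parsed = datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT")
    return parsed.replace(tzinfo=timezone.utc)

def audit_plugins(installed, directory_info, today):
    """Return (slug, reason) pairs for plugins that fail the staleness audit.

    installed: slugs present on the site.
    directory_info: slug -> metadata dict; a missing slug means no record exists.
    today: timezone-aware datetime the audit is run against.
    """
    findings = []
    for slug in sorted(installed):
        info = directory_info.get(slug)
        if info is None or not info.get("last_updated"):
            # No record: maintenance cannot be confirmed, so a human decides.
            findings.append((slug, "no update record, review manually"))
            continue
        age = today - parse_last_updated(info["last_updated"])
        if age > MAX_AGE:
            findings.append((slug, f"last updated {age.days} days ago"))
    return findings

# Constructed sample data, not taken from any real site or plugin.
SAMPLE_INSTALLED = ["example-security", "example-backup",
                    "example-slider", "example-custom"]
SAMPLE_DIRECTORY = {
    "example-security": {"last_updated": "2024-05-21 8:33pm GMT"},
    "example-backup": {"last_updated": "2024-03-02 11:05am GMT"},
    "example-slider": {"last_updated": "2022-01-10 9:00am GMT"},
}
SAMPLE_TODAY = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for slug, reason in audit_plugins(SAMPLE_INSTALLED, SAMPLE_DIRECTORY, SAMPLE_TODAY):
        print(f"{slug}: {reason}")
```

Passing the audit date in as `today` keeps the result reproducible, so the same report can be regenerated when a client asks why a plugin was removed.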
The Update Cadence
I update plugins monthly on a specific day, not as notifications come in. Batching updates catches compatibility issues in one session rather than spreading them across the month. Monthly is enough for security patches to land without rushing.
The Backup Reality
UpdraftPlus with offsite storage (S3 or Google Drive) runs weekly, tested monthly. The monthly test is the whole game. A backup you have never restored is a prayer, not a backup.
The Security Reality
Most security breaches come through outdated plugins, weak passwords, or unsecured admin endpoints. The three-plugin stack plus strong passwords plus Cloudflare fronting catches 95 percent of real attacks. I have not had a client site compromised in two years on this stack.
The SEO Reality
SEO plugins used to matter more. Now most of their value is structured data output and sitemap generation. Either Yoast or Rank Math is fine; switching between them is a waste of time. Pick one and stop thinking about it.
What I Tell Clients
Less is more on WordPress. Every plugin is a future vulnerability. Three is not a poverty number. It is enough.
See the official WordPress plugin guidelines for the baseline quality expectations.