Here’s our curated list of plugins we suggest for a new WordPress site, plus a few we recommend avoiding. This list is specific to sites using our theme, which already includes many built-in modules. That’s why you won’t see content blocks, ad managers, etc. here—they’re already part of our templates.
What We Usually Install on Our Sites
Clearfy Pro
We originally built this plugin for our own projects and clients. It handles most of the essential WordPress optimizations in one place:
- Security – hides the login page, protects against brute-force attacks, closes common vulnerabilities
- SEO – removes duplicate pages, cleans up code, strips unwanted external resources
- HTML Minification – reduces page size by ~30%
- Easy-to-configure robots.txt
- URL transliteration (similar to Cyr To Lat, Rus To Lat)
- Option to disable Gutenberg and widget blocks
- Built-in redirect manager
Yoast SEO
Our go-to plugin for setting titles, meta descriptions, canonicals, and robots tags. It’s fast, reliable, and meets all our needs. We used to use All in One SEO Pack but switched due to issues.
If you’re already using another SEO plugin and your site is getting traffic, don’t rush to switch. Migrating settings can be tricky and might hurt rankings. Either take the time to do it carefully, or just keep what you have.
EWWW Image Optimizer
Great for compressing images. Alternatives like TinyPNG work too, but their free tiers have limits. Honestly, image optimization isn’t critical here—just about any plugin will do.
Antispam Bee
Simple spam protection. Alternatives are fine too. Just install and forget about it.
That’s it. The rest depends on your specific needs. For example, for attention-grabbing blocks we use the WPRemark plugin. For richer content styling, there’s Expert Review.
If You Don’t Have Clearfy Pro
We highly recommend buying it—it’s affordable and saves you tons of time. If you don’t, you might need these alternatives:
- Cyr-To-Lat – for URL transliteration
- Login LockDown – protects against brute-force attacks
- WPS Hide Login – hides the login page
- Disable XML-RPC-API – disables xml-rpc
- Disable Emojis – turns off emoji support
- Disable REST API – disables /wp-json/ endpoints
- Remove jQuery Migrate – removes jquery-migrate.js
- And don’t forget to manually create a robots.txt file in your site’s root.
What We Don’t Install
We don’t use caching plugins on any of our sites. With good hosting, you can easily handle 5,000+ daily visitors without issues, and typical page load times are around 0.1–0.2 seconds.
We avoid all-in-one security plugins like Wordfence, iThemes Security, or All In One WP Security & Firewall. Security should be handled at the server level. If a bot reaches WordPress, the server’s resources have already been used to load WP and its plugins—blocking it at that point doesn’t help much.
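The server-level approach described above, shown as an added example (not the authors' own configuration): an nginx fragment that refuses xmlrpc.php and throttles wp-login.php before PHP and WordPress are loaded. It assumes nginx in front of PHP-FPM; the zone name, rate, domain, document root and socket path are placeholders.

```nginx
# Added example. Assumed values: zone name, rate, domain, root, PHP-FPM socket.
# This file is expected to be included inside the http {} context.

# One shared-memory zone keyed by client address, 10 login requests per minute.
limit_req_zone $binary_remote_addr zone=wp_login:10m rate=10r/m;

server {
    listen 80;
    server_name example.com;            # placeholder domain
    root /var/www/example.com;          # placeholder document root
    index index.php;

    # XML-RPC is refused by nginx itself, so PHP never starts for it.
    # Skip this block if you rely on clients that need XML-RPC.
    location = /xmlrpc.php {
        return 403;
    }

    # Login endpoint: requests above the rate get 429 from nginx and
    # never reach WordPress; requests within the rate go to PHP as usual.
    location = /wp-login.php {
        limit_req zone=wp_login burst=5 nodelay;
        limit_req_status 429;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    # Standard WordPress front controller.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
}
```

Run `nginx -t` before reloading, then confirm in the access log that excess login attempts are answered with 429 and xmlrpc.php requests with 403.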
We don’t use backup plugins. Important caveat: we do have server-level backups configured via Beget with SSH to paid Dropbox storage. This means our backups run entirely outside of WordPress. If you don’t have something similar, at the very least set up a database backup—almost any plugin will do. You don’t need to back up files as often, but it’s smart to store them somewhere off-site.
We don’t use CSS/JS bundlers like Autoptimize. If you’re using them just for higher PageSpeed scores, don’t bother—it won’t help rankings. In our experience, combining scripts often causes JS errors that can break site functionality.