Most WordPress sites do not need more plugins. They need a smaller, better chosen stack that helps the team publish faster, keeps the site secure, and avoids future rework. If you are running a business site, managing operations, or inheriting an agency-built setup, the real question is not which plugins are popular. It is which plugins reduce friction without turning the site into a maintenance project.
Below is the short list I still recommend most often, plus the guardrails I use when reviewing a live WordPress build.
Start with the job, not the plugin
Before installing anything, define the job clearly. Good reasons to add a plugin include structuring reusable content, enforcing HTTPS and security basics, handling consent requirements, or giving editors a simple way to manage a repeated interface pattern. Weak reasons include one-off styling tweaks, overlapping SEO or security suites, or adding "flexibility" with no clear owner.
As a rule, every plugin should do at least one of four things: save editor time, reduce risk, improve trust, or replace custom code you would otherwise maintain badly.
Recommended WordPress plugins I still use
Advanced Custom Fields (ACF)
ACF is still one of the most useful ways to turn WordPress into a structured business CMS. It is especially valuable for service pages, team profiles, locations, FAQs, case studies, resource libraries, and any site where non-technical editors need consistent fields instead of a blank content area.
The current plugin page still positions ACF around field groups, custom field data, and content modeling. It also supports registering custom post types and taxonomies from the interface. In practical terms, that means you can keep the editing experience clean without stacking multiple small plugins on top of each other. For agency teams, that usually leads to better handoff and less editor confusion.
Recommendation: use ACF when you have repeatable content structure. Do not use it to hide an unclear template strategy.
Really Simple Security
The old recommendation for Really Simple SSL still makes sense in principle, but the plugin has evolved. It is now called Really Simple Security, and HTTPS redirect handling is only part of the package. It also covers login protection, vulnerability checks, and WordPress hardening features.
That can be useful on smaller sites that do not already have this covered at hosting, CDN, or platform level. On more mature setups, watch out for overlap. If your host, Cloudflare, and WordPress are all trying to enforce the same redirect or header policy, you create noise and make troubleshooting harder.
Recommendation: a good fit for small and mid-sized sites that need sensible HTTPS and basic security controls in one place. Keep the scope narrow if your infrastructure already handles part of the job.
Compliance by Hu-manity.co
The old Cookie Notice recommendation is still relevant, but the plugin has changed name and positioning. It now lives as Compliance by Hu-manity.co and focuses on cookie consent and related privacy controls.
This is useful when your site genuinely needs consent management, but a banner is not a compliance strategy by itself. If analytics, embeds, ad tech, or other third-party scripts load before consent, the plugin alone does not solve the problem. Your actual script behavior, privacy policy, and consent settings need to match.
Recommendation: use it when non-essential tracking is part of the stack, and make sure the legal copy, banner setup, and script loading rules are aligned.
Helpful optional plugins
Some plugins are worth keeping because they solve a small problem cleanly. Menu icon plugins can help on account menus, service navigation, or wayfinding-heavy sites. Conditional visibility tools for menus, widgets, or blocks can also be useful for member areas, campaign pages, or role-based navigation.
The caution is simple: if a small helper plugin starts controlling too much front-end behavior, it has stopped being a helper. At that point, the site usually needs template cleanup, not another toggle panel in the dashboard.
Security and maintenance matter more than the shortlist
WordPress's own hardening guidance is still the right baseline: install plugins from trusted sources, keep them updated, and delete the ones you are not using. In live projects, most plugin problems come from neglect, duplication, or unclear ownership, not from plugins themselves.
File permissions are a good example. Standard defaults are typically 755 for directories and 644 for files, with tighter settings possible for sensitive files like wp-config.php depending on hosting. If you have shell access, the usual reset looks like this:
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
Use that as a baseline, not a blind fix. If a plugin only works when files are globally writable, stop and verify why. That is usually a hosting or deployment issue, not a feature you should accept in production.
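To make the baseline above repeatable and checkable, here is an added example script (not from the original post) that applies the 755/644 reset to a given install root, tightens wp-config.php, and then audits the tree for anything still world-writable. The 600 mode for wp-config.php, the demo directory layout, and the function names are my assumptions; adjust the wp-config.php mode to whatever your host's PHP handler can still read.

```shell
#!/bin/sh
# Added example, not from the original post: reset WordPress file permissions
# to the 755/644 baseline, tighten wp-config.php, and audit for world-writable
# paths. Assumes POSIX sh with find, chmod, mktemp and wc available.
# The 600 mode for wp-config.php is an assumption; use what your host supports.

set -eu

# Apply the baseline: 755 for directories, 644 for files, owner-only wp-config.php.
reset_wp_permissions() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    # wp-config.php holds database credentials and salts; keep it owner-only.
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Count paths writable by "other": the globally-writable state the post warns about.
count_world_writable() {
    root=$1
    find "$root" -perm -002 | wc -l | tr -d ' '
}

# Build a small constructed install tree under a temp dir so the script runs anywhere.
make_demo_install() {
    demo=$(mktemp -d)
    mkdir -p "$demo/wp-content/plugins/example" "$demo/wp-content/uploads"
    printf '<?php // constructed sample config\n' > "$demo/wp-config.php"
    printf '<?php\n' > "$demo/wp-content/plugins/example/plugin.php"
    printf 'x' > "$demo/wp-content/uploads/image.jpg"
    # Simulate the state a careless "chmod -R 777" fix leaves behind.
    chmod -R 777 "$demo"
    printf '%s\n' "$demo"
}

# Usage: sh reset-perms.sh --demo   (runs against the constructed tree, then cleans up)
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_install)
    echo "world-writable before: $(count_world_writable "$demo")"
    reset_wp_permissions "$demo"
    echo "world-writable after:  $(count_world_writable "$demo")"
    rm -rf "$demo"
fi
```

Run the audit function on its own during a maintenance cycle; a non-zero count after the reset means something (a plugin's install step, a deployment hook, or an upload handler) is loosening permissions again, and that is the thing to investigate rather than re-running chmod.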
The practical review test
For business owners, operations leads, and agency teams, I recommend a simple quarterly plugin review:
- What business job does this plugin do?
- Who owns it internally?
- What breaks if we remove it?
- Is there overlap with hosting, theme code, or another plugin?
- Has it reduced work, or just moved complexity into the dashboard?
If a plugin does not pass that test, it should be on the shortlist for removal during the next maintenance cycle.
A lean WordPress stack is easier to secure, easier to hand over, and usually easier to grow. If you want a second opinion on your current setup, I can review the plugin stack, flag overlap and risk, and map out a simpler plan before the next redesign, migration, or agency handoff.
Need help with this kind of work?
Need a second opinion on your WordPress plugin stack before the next redesign, migration, or handoff? I can help simplify and document it. Get in touch with Greg.