THE PLUGIN DIET

The default plugin set on every fresh Seahawk WordPress install, plus the plugins I retire on day one of any audit.

Why plugins are debt

Every plugin you install is a small commitment of operational care: a security surface, a performance cost, an update obligation, and a source of future migration friction. The right number of plugins is as few as possible, all chosen deliberately, all from reputable maintainers.

Forty-plugin sites are a red flag every single time. The cumulative debt from them becomes the dominant maintenance cost on the site, and the team that runs the site is fighting plugin conflicts more than they are shipping value.

The Seahawk default plugin set

On a fresh client site I install:

SEO: Yoast SEO or Rank Math (one, never both). Both are mature; pick on team familiarity.

Caching: WP Rocket, or whatever the host bundles (most managed hosts include caching).

Backups: a managed-host-bundled backup if available, otherwise UpdraftPlus to S3.

Security: Wordfence or Sucuri for daily scanning.

Email: WP Mail SMTP for reliable transactional email delivery.

Forms: WPForms or Gravity Forms for contact and lead capture.

Custom fields: Advanced Custom Fields (Pro) for any custom content modelling.

Page builder (only if the client genuinely uses one): Elementor or Bricks.

That is six to ten plugins on a typical brochure site, ten to fifteen on a WooCommerce site. Fewer than ten is the goal; above fifteen is a sign to audit.

Plugins to retire on every audit

Duplicates: if the site has Yoast AND Rank Math, pick one and remove the other. Same for caching, security, contact forms.

Plugins from unmaintained authors: anything not updated in 18+ months is a security risk regardless of its current functionality.

Page builders the client no longer uses: builders carry significant CSS and JS overhead. If the team has moved to block themes, retire the builder and convert the affected pages.

Jetpack, when not actively using a specific Jetpack feature: Jetpack is a useful tool but only when you actually use it. Most Jetpack installs we audit are inherited from a setup checklist three years prior.

Anything labelled "ultimate", "boost", "magic", or "mega": these tend to be quality red flags from less-reputable plugin marketplaces.
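The retirement rules above can be applied mechanically to a plugin inventory. The following is an added example, not the author's own tooling; the inventory format, the slug-to-category map and the sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import date

# Slug-to-category map is an assumption for this example; extend it per site.
CATEGORY = {
    "wordpress-seo": "seo", "seo-by-rank-math": "seo",
    "wp-rocket": "caching", "w3-total-cache": "caching",
    "wordfence": "security", "sucuri-scanner": "security",
}
RED_FLAG_WORDS = {"ultimate", "boost", "magic", "mega"}
STALE_MONTHS = 18   # "not updated in 18+ months"
MAX_PLUGINS = 15    # "above fifteen is a sign to audit"

def months_since(then, today):  # whole calendar months elapsed
    months = (today.year - then.year) * 12 + (today.month - then.month)
    return months - (1 if today.day < then.day else 0)

def audit(plugins, today):
    """Return a list of (subject, rule) findings for a plugin inventory."""
    findings, by_category = [], defaultdict(list)
    for p in plugins:
        slug = p["slug"]
        if slug in CATEGORY:
            by_category[CATEGORY[slug]].append(slug)
        updated = p.get("last_updated")
        if updated is None:  # no date on record: review the maintainer by hand
            findings.append((slug, "no-update-date"))
        elif months_since(date.fromisoformat(updated), today) >= STALE_MONTHS:
            findings.append((slug, "stale"))
        if RED_FLAG_WORDS & set(re.findall(r"[a-z]+", p["name"].lower())):
            findings.append((slug, "red-flag-name"))
    for cat, slugs in by_category.items():
        if len(slugs) > 1:  # two plugins doing the same job
            findings.append((", ".join(sorted(slugs)), f"duplicate:{cat}"))
    if len(plugins) > MAX_PLUGINS:
        findings.append(("site", "too-many-plugins"))
    return findings

# Constructed inventory (not from a real site); dates are ISO strings.
SAMPLE = [
    {"slug": "wordpress-seo", "name": "Yoast SEO", "last_updated": "2024-05-20"},
    {"slug": "seo-by-rank-math", "name": "Rank Math SEO", "last_updated": "2024-04-02"},
    {"slug": "old-gallery", "name": "Old Gallery", "last_updated": "2022-10-10"},
    {"slug": "mega-speed", "name": "Mega Speed Boost", "last_updated": "2024-03-15"},
    {"slug": "wp-rocket", "name": "WP Rocket"},
]

print(audit(SAMPLE, date(2024, 6, 1)))
```
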

How to evaluate a new plugin

Three questions before installing any new plugin:

Has the maintainer been active in the last six months? Check the WordPress.org repository or GitHub for recent commits. Active maintainers ship security patches fast; abandoned ones do not.

Does the plugin do one thing or ten? Single-purpose plugins age better than swiss-army-knife plugins. The more surface a plugin has, the more chances something inside it breaks.

What does the plugin add to the public-facing render? Plugins that add scripts, styles, or DOM to every page hurt performance. Plugins that only run in admin do not. Audit the network tab on a fresh install.
