In the first part of this article I talked about how I came about this list from WPEngine and I talked about the first non-recommended WordPress plugin, Broken Link Checker. Here I will continue on with the list and suggest a couple of security plugins that you should probably use on all your WordPress sites.

WP Smush.it – Here is another tool that I like and I recommend. I even still do after reading what WPEngine had to say:

“Relies on Yahoo services and memory mapping… When Yahoo fails or memory mapping is exceeded, the plugin fails and brings down sites with it.”

This tool optimizes and compresses images on your WordPress blog helping keep things speedy. Well, if you are installing it on a fresh blog it works great to auto-optimize images as you add them to the Media Uploader. In most cases, at least for me, I’m only doing an image or two at a time. And while it does use the Yahoo! Smush.it API and rely on that site to be up, I have found that on a post-by-post basis it works just fine.

Now, if using the tool for bulk image optimization (which is in Beta) for past images that were uploaded to the Media Library, you might run into some problems. For that reason I recommend getting your images up to speed by downloading a folder at a time, “smushing” them on the web based version of the tool, then re-uploading them to your server. So, like I said, I’d keep it, but that’s completely up to you of course.

Google XML Sitemaps – Because of the lack of support for giant web sites and the WordPress Network, WPEngine has suggested using the Better WordPress Google XML Sitemaps plugin, which creates a Sitemap Index, instead. I have started switching my sites over today to this new plugin. In fact I shot a video which should make it to this site’s feed shortly if it’s not already there.

Related Posts Plugins

It is also recommended to avoid related posts plugins in general because of the nature of how they work.

“Almost all “Related Posts” plugins suffer from the same fundamental problems regarding MySQL, indexing and search. All of these problems make the plugins themselves extremely database intensive,” it says in the WPEngine blog post.

WPEngine disallows use of: Dynamic Related Posts, SEO Auto Links & Related Posts, Yet Another Related Posts Plugin, Similar Posts, and Contextual Related Posts.

Instead, it is recommended to offload related posts, a task that is important for SEO, to sites like: Reverb, nRelate (popular with big name sites), Outbrain, LinkWithin, and Contextly.

Some other non-recommended (by WPEngine) plugins that I have no personal experience with include: MyReviewPlugin, LinkMan, Fuzzy SEO Booster, WP PostViews, and Tweet Blender (this one might be just because of how it behaves with the WPEngine caching layer so don’t rule it out completely).

WP phpMyAdmin is to be avoided because of a major security issue, but who doesn’t have access to phpMyAdmin anyway? Also, it is recommended NOT to send emails directly from WordPress with plugins like WP Mailing List, and to use a third-party service (like AWeber or MailChimp) for that instead.

Recommended Security Plugins to Include in all WordPress Installs

Let’s conclude this article with a couple of security plugins that we should be installing. WordPress is a relatively secure system but could use a little help. One common attack attempted against WordPress is repeated login attempts until one finally works. It’s smart to limit login attempts by IP address and temporarily (or in some cases permanently) block an IP that tries too many times. A plugin that WPEngine uses to handle that is Limit Login Attempts. Another plugin installed by default on sites hosted with WPEngine is Force Strong Passwords, which does exactly what it says: it makes users create strong passwords so that they aren’t easy to guess. See some examples below:

Weak password: keith
Weak password: password
Strong password: You can use a sentence as a COOL password and make it very strong!
Strong password: kF*#LaNi36cL%

While we are on the topic, also don’t forget to use something other than “admin” for your username so that a would-be hacker that wants to gain access to your site would have two values to guess rather than just one.
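
The per-IP login limiting described above (a temporary block after too many failures, and a permanent one for repeat offenders) can be modelled in a few lines. This is an added example, not code from the Limit Login Attempts plugin or from WPEngine; the class, function names, thresholds and sample events are all assumptions made for illustration.

```python
from collections import defaultdict

class LoginLimiter:
    """Per-IP failed-login limiter: temporary lockout, then permanent block."""
    def __init__(self, max_retries=4, lockout_secs=20 * 60, max_lockouts=3):
        # Thresholds are assumed sample values, not any plugin's defaults.
        self.max_retries, self.lockout_secs = max_retries, lockout_secs
        self.max_lockouts = max_lockouts
        self.failures = defaultdict(int)  # ip -> failures since last lockout
        self.lockouts = defaultdict(int)  # ip -> lockouts so far
        self.locked_until = {}            # ip -> time the temporary block ends
        self.blocked = set()              # permanently blocked IPs

    def is_allowed(self, ip, now):
        """Check before validating credentials; False means reject outright."""
        return ip not in self.blocked and now >= self.locked_until.get(ip, 0)

    def record_failure(self, ip, now):
        """Count a failed login; returns 'ok', 'locked' or 'blocked'."""
        self.failures[ip] += 1
        if self.failures[ip] < self.max_retries:
            return "ok"
        self.failures[ip] = 0
        self.lockouts[ip] += 1
        if self.lockouts[ip] >= self.max_lockouts:
            self.blocked.add(ip)  # repeat offender: permanent block
            return "blocked"
        self.locked_until[ip] = now + self.lockout_secs
        return "locked"

    def record_success(self, ip):
        """A valid login clears the failure count, not the lockout history."""
        self.failures.pop(ip, None)

def replay(events, limiter):
    """Replay (time, ip, success) login events; return one decision each."""
    decisions = []
    for now, ip, success in events:
        if not limiter.is_allowed(ip, now):
            decisions.append("rejected")  # even a correct password is refused
        elif success:
            limiter.record_success(ip)
            decisions.append("logged-in")
        else:
            decisions.append(limiter.record_failure(ip, now))
    return decisions

# Constructed sample events (documentation IP range): (unix time, ip, success)
SAMPLE = [(0, "203.0.113.5", False), (1, "203.0.113.5", False),
          (2, "203.0.113.5", False), (10, "203.0.113.5", True)]
```

Note that a locked-out IP is refused before the password is even checked, so a correct guess made during the lockout window gains nothing.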

In Conclusion

You should know that in general, any plugin is a potential back-door into your WordPress site. And they all have the potential to break things and slow things down. Therefore, I personally make it a habit to use very few plugins, keep the ones that I do use up to date, and delete all that aren’t being used. Now, besides the list of “must-haves” I also have a list of “don’t-wants” which can go a long way to keeping my WordPress sites secure, quick, and reliable. Hope you find the information useful as well.