Originally I wrote this answer as a first draft to a question I read on Quora. Figured it’d be worth posting here as well because it’s unlikely to get much views on the question – but I still wanted to answer it anyhow 🙂
In my experience there is, honestly, no plugins required to make a successful blog. In fact, more often than not, my advice to clients is usually about removing plugins not required rather than adding more.
WordPress, right out-of-box, is an excellent platform for content management. In terms of being purely a means to share content online (like a blog, as opposed to being an online store or some other product/service provider) there is nothing that fits the bill for as many uses as WordPress does without modification. Personally I think there are a couple of shortfalls, which I’ll detail a little later in the answer, but those are easily filled by a small collection of plugins.
- Form builder/Form processor – WordPress has no form builder in core. You can certainly write the markup yourself and use sanitization and validation functions from WordPress during form processing but that’s custom code and not a feature available out the box. My recommendation is Gravity Forms (premium) but free alternatives are available. Contact Forms 7 is an excellent free plugin that works similarly.
- Caching – WordPress, on it’s own, provides an excellent base for database caching – Transients. What the Transients API provides is essentially an object cache that stores the results of certain database queries (querying the database is often one of the slowest operations of sending the end-user the page they requested) so that the query only needs run one time and the query results can be obtained with a single lookup. I see this as both a benefit and one of the shortfalls – because it stores the objects in the database! It does speed up getting the data on second request but it still needs a DB lookup all the same. The best extension to this is to put that object cache into RAM using an in-memory cache – such as MemCached. My choice of plugin for doing this (and other cache/performance related tweaks) is W3 Total Cache. The other popular choice is WP Super Cache. Both are good, and have very expansive options. WP Rocket is also an incredible caching plugin but it’s a premium plugin. Another plugin which is recommended to me by another WP developer is Simple Cache. It was described as having an on/off switch and no complicated options and can put your object cache into Redis/MemCached.
- Security – before any recommendations are made here it’s worth noting that WordPress core is extremely secure and the core team are incredibly fast acting when it comes to security exploits. When you hear about WordPress site comprises it’s rarely, if ever, the fault of WP core and almost always the fault of code that extends it – such as that in plugins or themes. When it comes to security and plugins what you’re looking at is enhancement. Things like temporarily locking an account with too many failed login attempts. Temp or perma-ban on IP addresses and hosts that repeatedly fail logins. Scanning for file changes when you haven’t changed any files. You can do these things with the free version of WordFence.
In addition to Form builder/processing, Caching and Security plugins it’s certainly a good idea to take backups. Plugins are available for backing up your site files, uploads and database. Personally I can’t make a recommendation amongst the best of bunch backup plugins because I don’t use them on my own sites. I favour a server side solution for backups because it’s usually easier to handle a restore. We all know backups aren’t about storing your data – they’re about restoring it, right?
BONUS
These 2 plugins are here in the bonus section because many people consider them to be overkill.
Jetpack is a massive plugin, offering many features. Most notably the functions it provides are simple off-site stats gathering, social publishing and a 1-click image optimization CDN. It might be said that Jetpack is overkill for these features since the plugin is so huge and offers so much more. There’s a lot of truth to that however I see Jetpack as a relatively good way to get these features easily without any need to worry about complex setup or config – a real bonus if your focus is primarily on creating content rather than spending a lot of time setting up features.
Akismet – for vetting comments and form fills to check it for potential spam. Since Akismet has such a massive database of known spam, IP addresses and identification patterns it’s one of the better choices. Some people find certain rules applied by Akismet does block legitimate comments because they look a little bit like spam according to their rules (and no rules are ever perfect).
Akismet is a large (in terms of the shear amount of code it adds) plugin for what it does and some consider this overkill. If you find it’s giving false positives on your site or want a more lightweight solution one lesser used option is Growmap Anti-Spambot Plugin. It hasn’t been updated in 2 years but I’m certain it still works. It essentially adds a honeybot type block that is able to block unsophisticated spambot (which is probably 90% of them or more).