“There’s a plugin for that” is a long-time notion in the global WordPress community. It’s a very positive example of the flexibility of WordPress, but over time it has created a mindset of “everything should be solved using plugins”. We know slow WordPress plugins are one of the biggest performance killers in the WordPress ecosystem.
WordPress is not slow. It’s what we add to WordPress that makes it slow, for example bloated themes and bloated plugins.
Before adding any plugin to WordPress, there are a few very important questions you need to ask yourself.
- Do I really need this plugin?
- Is the plugin a “must have” or just a “nice to have”?
- Can it be solved server-side or some other way outside of WordPress?
Many features found in WordPress plugins can easily be added through small code snippets in your theme’s functions.php file, or as a small plugin. So, if you just need one feature, you usually should not install a large plugin.
Every line of code you add to WordPress will increase your loading times. And all plugins slow down your site.
Just like 1000-in-1 themes, another important thing is to avoid using plugins that do it all. They tend to do a lot of things, none of them particularly well, and add bloat. It’s much better to add small, specialized plugins.
Plugins that perform scheduled tasks should of course be set up with server-based CRON. WordPress CRON is a major performance killer.
Security plugins don’t add that much security to WordPress. Instead they tend to give a false sense of security. If you want to stay safe and secure with WordPress, the most important thing is to keep WordPress, plugins and themes properly updated. When WordPress is hacked, it’s almost always due to an insecure plugin.
A firewall with your hosting provider or an application firewall with a provider such as Cloudflare is great for protection as well. They protect websites from known attacks (based on a database of known vulnerabilities) even before the attacks hit your website.
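One way to move scheduled tasks to the server's cron with WP-CLI, as an added example that is not part of the original article. It assumes WP-CLI is installed as wp, that flock is available, and a hypothetical site path without spaces; install the entry under the unprivileged account that owns the site files, because WP-CLI runs plugin and theme PHP code with the privileges of the invoking user.

```sh
#!/bin/sh
# Added example: hand WordPress scheduled events to the system cron.
# Assumptions: WP-CLI is installed as `wp`; the site path is hypothetical.

# Stop WordPress from triggering wp-cron.php on page loads by setting
# DISABLE_WP_CRON in wp-config.php.
disable_wp_cron() {
    wp --path="$1" config set DISABLE_WP_CRON true --raw --quiet
}

# Build the crontab entry. flock -n skips a run while the previous one is
# still busy, so slow plugin tasks cannot pile up. $HOME is expanded by cron.
cron_entry() {
    site=$1; every=${2:-5}
    printf '*/%s * * * * flock -n "$HOME/.wp-cron.lock" wp --path=%s cron event run --due-now --quiet\n' \
        "$every" "$site"
}

# Add the entry to the invoking user's crontab, once (safe to re-run).
install_cron() {
    entry=$(cron_entry "$@")
    current=$(crontab -l 2>/dev/null || true)
    case "$current" in
        *"$entry"*) return 0 ;;      # already installed
    esac
    printf '%s\n%s\n' "$current" "$entry" | sed '/^$/d' | crontab -
}

# Usage, as the site's own user:
#   disable_wp_cron /srv/www/example && install_cron /srv/www/example 5
```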
- WordFence Security
- Sucuri Security
- iThemes Security (Better WP Security)
- All in One WP Security & Firewall
- Firewall with your hosting provider
- Deactivate XML-RPC
- Update plugins, themes and core regularly
- Use & enforce safe passwords
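A check for the update item in the list above, as an added example that is not part of the original article: it lists every plugin, theme and core release with a pending update and returns a non-zero status when anything is outdated, so a cron or monitoring job can alert on it. WP-CLI installed as wp and the site path are assumptions.

```sh
#!/bin/sh
# Added example: report pending WordPress updates for a monitoring job.
# Assumptions: WP-CLI is installed as `wp`; the site path is hypothetical.

# Prefix every non-empty input line with a component type and a tab.
tag() {
    while IFS= read -r name; do
        if [ -n "$name" ]; then printf '%s\t%s\n' "$1" "$name"; fi
    done
}

# Print "type<TAB>name" for each plugin, theme or core release with an update.
pending_updates() {
    site=$1
    wp --path="$site" plugin list --update=available --field=name | tag plugin
    wp --path="$site" theme list --update=available --field=name | tag theme
    # Keep only lines that look like a version number, dropping status text.
    wp --path="$site" core check-update --field=version 2>/dev/null |
        grep -E '^[0-9]+\.[0-9]+' | tag core
}

# Return 1 and print the report when anything is outdated, 0 otherwise.
check_updates() {
    report=$(pending_updates "$1")
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Usage from cron, as the site's own user:
#   check_updates /srv/www/example || echo "WordPress updates pending"
```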
Page builders can be both a blessing and a curse. Sometimes they make things a whole lot easier, but they also add a lot of bloated functions and unnecessary code, especially in the front-end, such as unnecessary HTML elements or a lot of inline CSS styles. With the introduction of the block editor (Gutenberg), several page builders have become better, but they’re still far from good.
- WPBakery (Visual Composer)
- Beaver Builder
- WordPress Block Editor (Gutenberg)
- Advanced Custom Fields – Flexible Content Fields
The one thing that usually takes up most space in a website is the images. So it’s a very good idea to optimize the images, to reduce their size and loading time. Unfortunately, many users just install an image optimization plugin and think they’re good. But they’re really not.
If you have to use a plugin, it’s better to use one that off-loads the optimization to a third-party provider or to a server app. Alternatively, resize the images manually (if possible) before upload.
- EWWW Image Optimizer
- Smush Image Compression & Optimization
- Various “resize” plugins
- Server-based image optimization
- Optimize images locally before upload
- wp media regenerate (WP-CLI)
- ShortPixel Image Optimizer
Broken Links & Related Posts
These are plugins with scheduled tasks that benefit hugely from a proper CRON setup, as mentioned above. Best of all though is to use specialized external services, like the Google Search Console and Moz or Screaming Frog.
- Broken Link Checker
- WP Broken Link Status Checker
- Yet Another Related Posts Plugin
- Google Search Console
- Moz, Screaming Frog, Sitebulb etc.
Backups can be really difficult to set up. We’ve seen many cases where backup plugins have completely “frozen” websites, causing them to not respond at all. The best way to do backups is always server-side, if it’s done in a way that doesn’t affect the web and database services.
Traditional server-side programs like rsync are built for performance.
- Updraft/Updraft Plus
- Backups by hosting provider
- wp db export / wp db import (WP-CLI)
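A server-side backup built from the tools named above (wp db export and rsync), as an added example that is not part of the original article. The paths are hypothetical absolute local paths without a trailing slash; the script refuses to stage the dump under the web root and writes it with owner-only permissions, because a database dump contains password hashes and must not be downloadable.

```sh
#!/bin/sh
# Added example: server-side WordPress backup with WP-CLI and rsync.
# Assumptions: WP-CLI is installed as `wp`; SITE, STAGE and DEST are
# hypothetical absolute local paths without a trailing slash.

# Succeed only if directory $2 is not $1 or somewhere below it.
outside_docroot() {
    case "$2/" in
        "$1"/*) return 1 ;;
        *)      return 0 ;;
    esac
}

# backup_site SITE STAGE DEST: dump the database, mirror wp-content, and
# print the path of the dump that was written.
backup_site() {
    site=$1; stage=$2; dest=$3
    outside_docroot "$site" "$stage" || {
        echo "refusing to stage the dump inside the web root" >&2
        return 2
    }
    stamp=$(date +%Y%m%d-%H%M%S)
    dump="$stage/db-$stamp.sql"
    (
        umask 077                       # dump readable by this user only
        mkdir -p "$stage" &&
        wp --path="$site" db export "$dump" --quiet
    ) || return 1
    mkdir -p "$dest/db" || return 1
    # -a keeps permissions and times; --delete mirrors removals to the copy.
    rsync -a --delete "$site/wp-content/" "$dest/wp-content/" || return 1
    rsync -a "$dump" "$dest/db/" || return 1
    printf '%s\n' "$dump"
}

# Usage from the system cron, as the site's own user:
#   backup_site /srv/www/example /srv/backup/stage /mnt/backup/example
```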
Cache & Optimization
It’s much better to focus on the code rather than the cache.
Cache plugins speed up the requests that are cached, but slow down the requests that are not cached. Since a regular cache hit rate is somewhere between 10 and 25%, a cache plugin will slow down the site for 75-90% of your visitors.
If you still need cache, use a server-based cache solution. Another good alternative for caching of static resources (images, scripts and similar) is Cloudflare. And for optimization of database and scripts, use the proper server-side tools instead of adding more code to WordPress.
- WP Super Cache, W3 Total Cache (+others)
- Minification plugins
- Server based cache
- Cloudflare Edge Cache
Really Unnecessary Plugins
Don’t use the Revolution Slider plugin if you want performance with WordPress.
Don’t use the Jetpack plugin if you want performance with WordPress.
The same thing applies to Really Simple SSL (which is only necessary for broken WordPress installations). It’s more than enough to update the Site URL and Home URL, and do a search replace of
Instead, find smaller, more specialized plugins for each feature you need.
If possible, and within your knowledge or budget, use functions.php for your theme, or set up a child theme, or make a custom plugin. That’s how custom PHP or custom features are supposed to be managed with WordPress.