A beginner blog needs about nine plugins, all free, and you can cheerfully ignore the other sixty thousand. Plugins are how non-coders add features to WordPress without touching a single line of code, which is the only reason any of my websites exist at all.
The trap is installing too many. Every plugin is a little more weight on your site and a little more that can break or get hacked. So we install on a strict need-to-have basis, and nothing else.
The short version: your starter stack
| Job | Plugin | Free? |
|---|---|---|
| SEO | RankMath | Yes |
| Speed | Autoptimize | Yes |
| Security | Wordfence | Yes |
| Backups | UpdraftPlus | Yes |
| Spam comments | Antispam Bee | Yes |
| Cookie consent | CookieYes | Yes |
| Page building | GenerateBlocks | Yes |
| Email forms | Kit | Yes |
| Comments (optional) | WPDiscuz | Yes |
Nine plugins. All free. That is the whole list.
What is a WordPress plugin, and how many do you need?
A plugin is a small add-on that gives WordPress a new ability it didn’t have out of the box. You only need about nine to start, and “just in case” installs are how you quietly wreck your site speed. Think of them like apps on a phone: a few good ones make life easier, and a screen full of junk you never open just drains the battery.
It can be so tempting to get a plugin to do one tiny job to help you get your site looking the way you want, BUT over time they all start draining page speed a bit at a time. Keep your back end lean (as it were)!
Which plugins should a beginner install?
Here’s the stack, grouped by the job each one does.
SEO: RankMath
RankMath guides your on-page SEO: titles, meta descriptions, sitemaps, the lot. The free version is plenty for years. One thing: don’t chase its green-light scoring too hard. It nags you to cram in exact-match keywords that modern Google doesn’t need, and ignoring that nagging is fine.
Speed: Autoptimize
Autoptimize tidies up the code that loads on each page so your site runs leaner. Install it, run the basic settings, leave it be.
Security: Wordfence
Wordfence is a free firewall and malware scanner. Get the free one. It quietly guards your site so you don’t have to think about it.
You can opt in to be updated on bot attacks. I actually hate those emails, because I have no idea what to do about them. Is that a good enough reason to opt out? Probably not, but in my experience ignorance is bliss (I’ll update when something bad happens 😂).
Oh – small tip: Wordfence will send you an activation email. Don’t be me and open it on your phone when you’re doing the setup on your computer. It won’t work.
Backups: UpdraftPlus
UpdraftPlus backs up your whole site automatically so a disaster is a shrug, not a heart attack. Set it once and forget it. I run fortnightly backups of both files and database, sent straight to Google Drive.
Spam: Antispam Bee
Antispam Bee blocks spam comments without you lifting a finger, and without an account or a paid tier. Install, activate, done.
Cookie consent: CookieYes
CookieYes adds the cookie-consent banner the law expects you to have. The free version covers a starter blog. (I’m not a lawyer, so do check what applies to you.)
Page building: GenerateBlocks
GenerateBlocks lets you build tidy layouts right inside the WordPress editor, and it pairs with your GeneratePress theme. Free, light, and enough for everything a new blog needs.
Email forms: Kit
Kit (formerly ConvertKit) is the easiest way to add email opt-in forms to your blog, so you can start building your list from day one. The plugin drops your forms straight into WordPress, and if you want them to match your branding you can add your own CSS, either in WordPress or inside Kit itself. The free tier is plenty to start collecting subscribers.
Even if you’ve nothing to send yet, getting the form up now means you’re capturing subscribers from your very first visitor. Future you will be grateful.
Comments (optional): WPDiscuz
Comments are optional, and plenty of bloggers turn them off entirely. I keep mine, for one specific reason: WPDiscuz can email a commenter when you reply, whereas WordPress’s built-in comments don’t. So if a reader asks a question, they actually find out you answered.
Standard advice is to ditch comments, because they do lead to spam, BUT I love the community aspect and I want people to feel like they can ask questions and get a response. If that doesn’t fit your niche, turn off comments – you can always encourage people to reach out to you on your social platform of choice.
Which plugins should you avoid?
Any plugin you can’t give a clear reason for. Every one you add is more weight and more risk, so the bar is “do I actually need this,” not “ooh, that looks handy.” Delete the random plugins your host bundles in by default, and don’t go installing things that duplicate what your theme or host already does.
Frequently asked questions
Do plugins slow down your website?
Some do, which is exactly why we keep the list short. A lean stack of nine good plugins won’t hurt you; thirty random ones will.
Are free plugins safe?
The ones above are reputable and widely used. Keep them updated and you’re in good shape.
How many plugins is too many?
There’s no magic number, but more plugins means more to maintain, update and break. Only install what you’ll actually use.
Do I need a separate cache plugin?
Probably not to start. Your host likely caches your site already, and Autoptimize handles a good chunk of the rest. On my pothos build I stuck with Autoptimize plus the host’s own caching and didn’t add a separate cache plugin.
Should I let people comment on my blog?
It’s optional. Comments build community but need moderating. If you want them, WPDiscuz; if you don’t, leave them switched off.
What next?
Nine plugins in, all free, your site still lean and fast. Next we give it some structure: your menu and the key pages every blog needs, like your about page and privacy policy.