Having recently migrated this blog from Ghost to WordPress on a hosted platform, it quickly became apparent that there were some useful plugins I’ve ended up using and keeping to provide functionality for the site.
I’ve so far not paid for any of these plugins, though I may well do so moving forward.
UPDATE: I paid the $99 for Wordfence and removed Jetpack.
Auto Upload Images (Free/Paid)
A handy plugin, especially if you’re migrating a site to WordPress. Once you’ve migrated the site over, it’s possible, depending on the source site (Ghost CMS), that the URLs to the images don’t migrate and still point to the original site.
When you edit a post with images and click Update, the plugin downloads each image to the local WP server and links to the downloaded version.
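To find which migrated posts still need this treatment, the following Python example (added here, not part of the plugin or the original post) lists the image URLs in a post's HTML that are served from a host other than the new site. The function names and both hostnames are placeholders made up for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ImageCollector(HTMLParser):
    """Collect every image URL referenced by <img src> and <img srcset>."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.urls.append(value.strip())
            elif name == "srcset" and value:
                # srcset is a comma-separated list of "url descriptor" pairs
                self.urls += [c.split()[0] for c in value.split(",") if c.strip()]


def remote_images(post_html, site_url):
    """Return sorted image URLs whose host differs from site_url's host."""
    local_host = urlparse(site_url).hostname
    collector = ImageCollector()
    collector.feed(post_html)
    found = set()
    for raw in collector.urls:
        absolute = urljoin(site_url, raw)  # resolves relative and //host paths
        parsed = urlparse(absolute)
        if parsed.scheme in ("http", "https") and parsed.hostname != local_host:
            found.add(absolute)
    return sorted(found)


# Constructed sample post; both hostnames are placeholders.
SAMPLE_POST = """
<img src="https://old-ghost.example/content/images/2020/01/rack.png">
<img src="/wp-content/uploads/2021/05/nas.jpg"
     srcset="/wp-content/uploads/2021/05/nas-300.jpg 300w,
             //old-ghost.example/content/images/nas-600.jpg 600w">
"""

if __name__ == "__main__":
    for url in remote_images(SAMPLE_POST, "https://new-wp.example/"):
        print("still remote:", url)
```

Any post that returns a non-empty list is one to open and re-save so the plugin can pull the images across.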
Getting your site almost all set up and then making a colossal mistake without a backup, or just not backing up your content, is unforgivable.
With BackupWordPress, local backups can be taken. It’s worth noting that since the plugin went open source, saving backups to a GDrive or Dropbox account is no longer supported. However, the plugin will create a folder under wp-content on your server; in my case, I’ve mounted that folder as an NFS mount and have the backup on a NAS (which is then backed up to the cloud).
The plugin has a scheduler built-in as well which will run daily or weekly backup schedules and mail the user once done. If the backup is less than 10Mb then a copy of the backup will be mailed to the user.
Disable Comments (Free/Paid)
You will notice as I did very quickly when you put a blog up, that you start getting comments, lots and lots of comments. There are a lot of people spamming and targeting WP installs.
I’m not overly worried about comments on this blog; head over to my Reddit page if you have questions. As such, installing Disable Comments makes life easy.
Rather than using the inbuilt method of disabling comments per post, the plugin has the ability to put a hammer down on all comments on your WP site or on specific post types.
It’s quick, easy and does what it’s supposed to.
GA Google Analytics (Free)
While I don’t get a huge number of hits on this site, it’s nice to see how many I do get. There are plugins and ways to see this data built into WordPress. I use Google Analytics because I have other sites going in there as well and it keeps the stats centralised and consistent.
The plugin supports both the old and new method of getting stats to GA and basically just needs a tracking ID and a day or so to really pull down the information on who is using your site.
SMTP Mailer (Free)
As the name suggests, this plugin will connect using the SMTP protocol to a remote mail server and provide you with a method of sending out emails.
The mail server can be a cloud-based or local one and all the required settings are provided. Once connected the WP site will be able to send out emails as alerts.
It’s no secret that running a WordPress site means lots of admin; the site will get hammered by every bot and script kiddie out there. The free version of this plugin was installed by default with my cloud provider’s implementation of WP and I’ll probably pay for the full version.
Wordfence has a good intuitive dashboard and you can start to firewall off some URLs, and get feedback about plugins and themes which might cause security issues as well as other possible problems.
I’ve not played a great deal with this yet; it’s still doing a scan which will take a week. However, of all the plugins I would pay for, this might be it.
Wordfence also has its own 2FA for logins as well, since your Wordfence account will have bots trying logins against it.
Security is all about hurdles; there isn’t a one-size-fits-all answer to everything, but there is strength in depth. One of the easier things you can do on any site is to enable 2FA (something you know: a password; something you have: a phone).
Using either TOTP or MOTP is as quick as scanning the QR code with your favourite 2FA app, and then using that app at every login. The plugin supplies backup codes and the ability to enforce this on every login or use a whitelist if there are some accounts you don’t want 2FA on.
NOTE: the WordPress Android app has zero support for accounts locked down with 2FA; the simple concept of an app password seems to be too much here.
Jetpack is an interesting one: it’s very subscription heavy, but it’s a do-everything plugin. Jetpack will handle backups, security scans, wash your dishes, the lot.
I noted, when I was playing with the WordPress app on Android pre-2FA, that it pretty much needed Jetpack installed to do anything.
As a new WordPress user, I’m sure there are a myriad of good plugins out there which avoid the usual lists (like these). For getting myself set up, however, I feel a little bit more secure and aware of what is going on on my system having installed them.