Even though we do our best to secure and speed up your website, there are certain plugins you, as the site administrator, should install and configure as soon as you are up and running. Below are the ones we recommend. If you choose any others, make sure they are highly rated and well supported.
There are plenty of security plugins out there, but most use features the server already has. The best security you could have on your website is a very strong password.
Note: We cannot be responsible if you make your website unstable through a poor choice of extensions! Nor can we be responsible for security issues arising from bad password choices.
UpdraftPlus Backup and Restoration
UpdraftPlus simplifies backups (and restoration). Back up to the cloud (Amazon S3 or compatible, Dropbox, Google Drive, Rackspace Cloud, DreamObjects, FTP, OpenStack Swift, UpdraftPlus Vault and email) and restore with a single click. Backups of files and database can have separate schedules.
The paid version also backs up to Microsoft OneDrive, Microsoft Azure, Copy.Com, Google Cloud Storage, SFTP, SCP, and WebDAV.
Captcha
The Captcha plugin adds a captcha form to web pages. This captcha can be used for login, registration, password recovery and comment forms. It protects your website from spammers by means of math logic that is easily understandable by human beings. All you need to do is one of the three basic maths actions – add, subtract or multiply.
You will not have to spend your precious time on annoying attempts to understand hard-to-read words, combinations of letters or surreal pictures. There is also a premium version of the plugin, allowing compatibility with BuddyPress (Registration form, Comments form, “Create a Group” form) and Contact Form 7.
iThemes Security
Not all WordPress security plugins work well with nginx, but this one does. iThemes Security (formerly Better WP Security) gives you 30+ ways to secure and protect your WordPress site. On average, 30,000 new websites are hacked each day. WordPress sites can be an easy target for attacks because of plugin vulnerabilities, weak passwords and obsolete software.
Most WordPress admins don’t know they’re vulnerable, but iThemes Security works to lock down WordPress, fix common holes, stop automated attacks and strengthen user credentials. With one-click activation for most features, as well as advanced features for experienced users, this WordPress security plugin can really help harden your WordPress VPS.
W3 Total Cache
If you still don’t think your WordPress site is fast enough, it’s time to start caching. W3 Total Cache is one of the more popular solutions, and works very well with nginx (for certain features). W3 Total Cache improves the user experience of your site by increasing server performance, reducing download times and providing transparent content delivery network (CDN) integration.
Getting it to work correctly with other plugins like WooCommerce can be tricky, so be prepared to read lots of documentation!
Note: Even though it’s the best solution, W3 Total Cache still doesn’t fully work with PHP 7 (you will see errors when you enable this plugin). However, we really don’t think you need to use a caching plugin as your website will be quite fast already – it uses nginx and sits on a super fast Solid State Drive (SSD). If you really, really still want a caching plugin, use W3 Total Cache but disable all settings except those shown below. Then look at your options for CDN (content delivery network) providers or check out CloudFlare.
Future versions of this plugin will have better compatibility with PHP 7. For more information, and before you install this plugin, see our tutorial on WordPress caching.
Resize Image After Upload
One of the biggest problems with websites these days is that people upload images that are WAY too big (partially due to the fact that images from digital cameras and smartphones can now be over 10MB each due to higher megapixel counts). You really should resize an image prior to upload (PHP defaults to a max of 2MB for file upload anyway) but for a smooth, fast user experience you should also install this plugin.
Resize Image After Upload automatically resizes images (JPEG, GIF, and PNG) when they are uploaded to within a given maximum width and/or height to reduce server space usage. In addition, the plugin can force re-compression of uploaded JPEG images, regardless of whether they are resized or not. This greatly speeds up your site, and the human eye can barely detect that a photo has been compressed down to 70% – however the web page will load much, much faster!
Simple Custom CSS
After you download a theme for your WordPress site and customize as much as possible via the dashboard, there may still be changes you want to make that require some CSS modifications. Those of you savvy enough will appreciate this simple, easy-to-use plugin that lets you override the default CSS for your theme!
Because it loads last, your CSS changes are always the ones used by WordPress.
Mailgun for WordPress
This one is a little more for expert users, but incredibly useful. These days, most emails from unrecognized servers are automatically sent to spam in Gmail, Yahoo and other popular email services. This is VERY troublesome if you are running an online shopping cart and customers are not receiving their order details! Mailgun is the email automation engine trusted by over 10,000 website and application developers for sending, receiving and tracking emails. By taking advantage of Mailgun’s powerful email APIs, developers can spend more time building awesome websites and less time fighting with email servers.
Mailgun has a free account that lets you send up to 200 emails per day, which is great for testing. Paid subscriptions are available for increased limits, and there’s a whole Developer API that supports all of the most popular languages including PHP, Ruby, Python, C# and Java. It is not too easy to set up (you need additional DNS records, an API key, etc.), but once done, an email from your VPS will never go to a spam folder ever again… we even use it ourselves to ensure you get the mail with details of your new VPS 🙂
SSL Insecure Content Fixer
If you are using an SSL certificate on your WordPress site, you may need to clean up your website’s HTTPS insecure content and mixed content warnings. Installing the SSL Insecure Content Fixer plugin will solve most insecure content warnings with little or no effort. The remainder can be diagnosed with a few simple tools.
When you install SSL Insecure Content Fixer, its default settings are activated and it will automatically perform some basic fixes on your website using the Simple fix level. You can select more comprehensive fix levels as needed by your website. We’ve found that the capture option is best on your VPS.