I installed WordPress on a client’s site last month and counted the plugins their previous agency had left behind. Forty-three. Forty-three plugins for a 5-page brochure site. One of them was a slider they never used. Three were different caching solutions (fighting each other). Two were abandoned plugins that hadn’t been updated since 2022.
The site took 8.7 seconds to load. A disaster for Core Web Vitals.
How it gets this bad
It starts innocently. You need a contact form, install a plugin. Want social sharing buttons, plugin. Cookie banner, plugin. Backup, plugin. Security, plugin. And every agency that touches the site installs their favorites without removing the old ones.
Each plugin adds CSS, JavaScript, database queries, and HTTP requests. Individually? Barely noticeable. Thirty of them together? Your site now makes 140 HTTP requests and loads 2.8MB of assets just to display a page with three paragraphs of text.
The plugins you actually need
For a typical small business WordPress site, here’s what I install:
A security plugin (Wordfence or Sucuri, not both). A caching plugin (WP Fastest Cache or WP Super Cache, one). A backup solution (UpdraftPlus). A contact form (CF7 or WPForms Lite). An SEO plugin (Yoast or Rank Math, never both). That’s five. Maybe add one for image optimization if you upload a lot of photos.
Six plugins. Seven max. That’s it for 90% of small business sites.
But what about all those features?
You don’t need a plugin for related posts; write better internal links. You don’t need a plugin for custom fonts; enqueue them in your theme. You don’t need a plugin for social media icons; that’s literally five lines of HTML. You definitely don’t need a plugin that adds a snowfall effect in December.
Every plugin is a dependency. A piece of code written by someone you don’t know, maintained on a schedule you can’t control, with access to your entire site. Each one is a potential security hole and a performance hit.
The performance check you should do right now
Go to your WordPress admin. Click Plugins. Count them. If you have more than 15, you have a problem. If you have more than 25, your site is almost certainly slower than it needs to be.
Now check the last updated date on each one. Anything not updated in over a year is either abandoned or a ticking time bomb. Deactivate it, check if anything breaks, and delete it.
A fast WordPress site isn’t about having the right hosting (though that helps). It’s about not loading code you don’t need. Fewer plugins, faster site, happier visitors, better Google rankings. It’s that simple.
The Security Risk Nobody Talks About
Every WordPress plugin you install is another door into your website. Some of those doors have good locks. Many don’t. And a few are left wide open with a welcome mat for hackers.
This isn’t theoretical. Revolution Slider, a plugin that came bundled with hundreds of premium themes, had a critical vulnerability that let attackers download your wp-config.php file, which contains your database password. Millions of sites were compromised. TimThumb, an image resizing script used by countless plugins, had a remote code execution flaw that turned infected sites into spam cannons. These weren’t obscure plugins; they were installed on millions of websites.
The maths is simple: every plugin adds code to your site that you didn’t write and probably haven’t reviewed. That code gets updated on the developer’s schedule, not yours. If a developer abandons a plugin, and this happens constantly, you’re running unpatched code with known vulnerabilities. I’ve seen sites on the Costa del Sol running plugins that haven’t been updated in three years. That’s not a website, that’s an invitation.
Fewer plugins means a smaller attack surface. Period. When I take over a client’s WordPress site, the first thing I do is audit the plugin list. I typically remove 40% to 60% of them on day one. Most were installed years ago to solve a problem that either no longer exists or has a simpler solution. Some are doing literally nothing, activated but not actually used anywhere on the site.
If you’re running more than 15 plugins, you probably have at least three that could be eliminated today without any visible change to your website. If you’re running more than 25, something has gone wrong. Proper managed hosting includes regular security audits specifically to catch these issues before they become breaches.
What We Use Instead of Plugins
When I tell people we run most client sites with 8 to 12 plugins, they ask how. The answer is that most things people use plugins for can be done with a few lines of code, and that code runs faster, doesn’t need updates, and doesn’t add security risks.
Related posts. Most people install a plugin for this: YARPP, Related Posts, or Jetpack’s related posts module. All of them add database queries, JavaScript, and CSS. Instead, we use a simple WordPress query in the template: pull three posts from the same category. About 10 lines of PHP. Faster, no external dependencies, and it does exactly the same thing.
Social sharing icons. Plugins like Social Warfare or AddToAny load external JavaScript, track your visitors, and add 200KB to your page weight. We use plain HTML links, five anchor tags with SVG icons pointing to share URLs. Five lines of HTML. No JavaScript, no tracking, no performance hit. The buttons look better too because we style them to match the site.
Custom fonts. Plugins like Easy Google Fonts or Custom Fonts add a settings page, extra database queries, and sometimes a third-party API call. We load Google Fonts directly in functions.php with wp_enqueue_style. Three lines of code. The fonts load faster because there’s no plugin overhead between your site and the font file.
Redirects. Redirection plugin is popular but adds database tables and an admin interface for something that your server already handles. We manage redirects in nginx configuration, one line per redirect. They execute at the server level before WordPress even loads, which makes them essentially instant. For sites on our managed hosting, this is standard.
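As an added example (not the article’s own code), here are plugin-free versions of the related posts, custom fonts and share links described above, written for a theme’s functions.php. It assumes a normal WordPress theme context; the font family, share targets and function names are placeholders.

```php
<?php
// Added example, not the article's own code: plugin-free replacements for three
// of the features above, written for a theme's functions.php. Assumes a normal
// WordPress theme context; the font family and share targets are placeholders.

// Related posts: three other posts from the same category as the current post.
function site_related_posts( int $limit = 3 ): array {
    $categories = wp_get_post_categories( get_the_ID() );
    if ( empty( $categories ) ) {
        return array();
    }
    $query = new WP_Query( array(
        'category__in'        => $categories,
        'post__not_in'        => array( get_the_ID() ),
        'posts_per_page'      => $limit,
        'ignore_sticky_posts' => true,
        'no_found_rows'       => true, // skip the extra COUNT query; only the rows are needed
    ) );
    // In the template, escape on output: esc_url( get_permalink( $post ) ), esc_html( get_the_title( $post ) ).
    return $query->posts;
}

// Custom fonts: enqueue the stylesheet directly instead of through a fonts plugin.
function site_enqueue_fonts(): void {
    wp_enqueue_style(
        'site-fonts',
        'https://fonts.googleapis.com/css2?family=Inter:wght@400;700&display=swap',
        array(),
        null // no version query string, so the font CSS stays cacheable
    );
}
add_action( 'wp_enqueue_scripts', 'site_enqueue_fonts' );

// Share links: plain anchors with no third-party JavaScript or visitor tracking.
function site_share_links(): string {
    $url   = rawurlencode( get_permalink() );
    $title = rawurlencode( get_the_title() );
    $links = array(
        'X'        => 'https://twitter.com/intent/tweet?url=' . $url . '&text=' . $title,
        'LinkedIn' => 'https://www.linkedin.com/sharing/share-offsite/?url=' . $url,
    );
    $html = '';
    foreach ( $links as $label => $href ) {
        // esc_url() validates the scheme and escapes the href; esc_html() covers the label.
        $html .= sprintf( '<a href="%s" rel="noopener" target="_blank">%s</a>', esc_url( $href ), esc_html( $label ) );
    }
    return $html;
}
```

Because nothing here ships JavaScript, the share buttons and related posts add no third-party requests and nothing that can be updated out from under you.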
The pattern is always the same: the plugin provides a nice admin interface for something that takes a few lines of code to do directly. That admin interface comes with overhead, database queries, JavaScript files, CSS files, update mechanisms, compatibility layers. For a properly built website, that overhead isn’t worth it.
Not everything should be custom code. WooCommerce, Yoast SEO, ACF: these are complex tools that would take hundreds of hours to replicate. The goal isn’t zero plugins. The goal is zero unnecessary plugins. If you’re not sure which of yours are necessary, a speed audit will tell you exactly which plugins are slowing you down and which are earning their keep.
Frequently Asked Questions
How many plugins is too many for WordPress?
There’s no magic number, but in practice, most well-built WordPress sites run well with 8 to 15 quality plugins. If you’re above 20, you almost certainly have redundancies and unnecessary plugins. The issue isn’t the count itself; it’s that each plugin adds code, database queries, and potential security vulnerabilities. A site with 10 well-maintained plugins will outperform one with 30 mediocre ones every time.
Do plugins really slow down WordPress?
Yes, but not equally. A lightweight plugin that adds a small function might have zero noticeable impact. A plugin that loads JavaScript and CSS on every page, makes external API calls, or runs complex database queries can add seconds to your load time. The worst offenders are social sharing plugins, slider plugins, page builders, and analytics plugins that duplicate what Google Analytics already does.
How do I check if a WordPress plugin is safe?
Check four things: when it was last updated (avoid anything not updated in over 12 months), how many active installations it has (more users means more eyes on the code), what the reviews say (look for mentions of security issues or conflicts), and who the developer is (established companies or developers with multiple well-maintained plugins are safer bets). Also check the plugin’s changelog: regular, meaningful updates are a good sign.
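The plugin audit from the performance check above and this answer, as an added stand-alone script (not the article’s or any project’s code): it flags plugins not updated in over a year, plugins that are installed but inactive, plugins with a pending update, and two active plugins doing the same job. The input shape mirrors `wp plugin list --format=json`, with a `last_updated` date and a hand-assigned `role` added per plugin; all values are constructed sample data.

```php
<?php
// Added example, not the article's own code: a stand-alone audit script that
// applies the checks above to a plugin inventory. The input mirrors
// `wp plugin list --format=json` (name, status, update) with two fields added per
// plugin: last_updated (e.g. from the wordpress.org plugin info API) and role, a
// manual classification. The data below is constructed, not a real site.
const PLUGINS_JSON = '[
  {"name":"wordfence","status":"active","update":"none","last_updated":"2025-01-10","role":"security"},
  {"name":"sucuri-scanner","status":"active","update":"available","last_updated":"2024-12-02","role":"security"},
  {"name":"wp-super-cache","status":"active","update":"none","last_updated":"2024-11-20","role":"caching"},
  {"name":"w3-total-cache","status":"inactive","update":"available","last_updated":"2024-10-05","role":"caching"},
  {"name":"legacy-slider","status":"active","update":"none","last_updated":"2022-03-14","role":"slider"},
  {"name":"contact-form-7","status":"active","update":"none","last_updated":"2025-01-20","role":"forms"}
]';

// Returns one finding per problem: stale, inactive, outdated, or duplicated role.
function audit_plugins( string $json, string $today, int $max_age_days = 365 ): array {
    $now      = new DateTimeImmutable( $today );
    $findings = array();
    $by_role  = array();
    foreach ( json_decode( $json, true ) as $p ) {
        $age = $now->diff( new DateTimeImmutable( $p['last_updated'] ) )->days;
        if ( $age > $max_age_days ) {
            $findings[] = sprintf( 'STALE     %-16s last updated %d days ago', $p['name'], $age );
        }
        if ( $p['status'] !== 'active' ) {
            $findings[] = sprintf( 'INACTIVE  %-16s installed but unused: delete it', $p['name'] );
        }
        if ( $p['update'] === 'available' ) {
            $findings[] = sprintf( 'OUTDATED  %-16s a newer release exists', $p['name'] );
        }
        if ( $p['status'] === 'active' ) {
            $by_role[ $p['role'] ][] = $p['name'];
        }
    }
    // Two active plugins doing the same job (caching, SEO, security) is redundancy.
    foreach ( $by_role as $role => $names ) {
        if ( count( $names ) > 1 ) {
            $findings[] = sprintf( 'DUPLICATE %-16s %s', $role, implode( ', ', $names ) );
        }
    }
    return $findings;
}

foreach ( audit_plugins( PLUGINS_JSON, '2025-02-01' ) as $line ) {
    echo $line, PHP_EOL;
}
```

On the sample data this reports the slider as stale, the inactive cache plugin as both inactive and outdated, and the two active security plugins as a duplicate, which is exactly the “one, not both” rule from the plugin list above.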
Can WordPress work without any plugins?
Technically yes, but practically no. WordPress core handles content management, but you’ll need plugins for essential functions like SEO, security, backups, and caching. The goal isn’t zero plugins; it’s zero unnecessary plugins. Replace what you can with clean custom code, keep the plugins that provide genuine complex functionality, and remove everything else.