Part 1, Making – Plugins and Theme


This site has gone through so many changes, I have had a personal website for nearly 25 years! While I have talked in the past about choices and how I do certain things the site in the last 6 months has had a major change in philosophy and I would like to talk about that and also the question I get asked all the time, what plugins do you use! 

This site around 2018

The last big iteration before this (2018) was all about performance, I did everything I could to load the homepage in under 200ms for all users and threw out aesthetics. The goal of that site was to showcase performance. At the time I wasn’t writing as much and the site was really just a testing playground. Analytics who needs that, it’s a waste of bytes! Markup, styling totally optional. 

Do you know what I am still proud of that site, I built the template with my terrible design skills and it worked. It looked horrible but it worked. 

Well, when I say worked, I mean from the users point of view, behind the scenes it was a pain. For example hard coding the menu saved on database calls but meant changing a menu involved code changes. This was fine, it’s not like there is a content team, it’s just me but each little barrier meant I was less likely to do something. Everytime I had to hard code something it meant opening up Atom to make the changes, commit the changes, check the changes, push the changes, clear the cache. Then I did the thing, you know the thing you should never do…

I bypassed my own version control, I can’t even remember what it was but something “needed” doing quickly and I just edited it on the live site. I can already hear the tuting, I would tut too because that moment meant everything started to fall apart. But not in a catastrophic way simply enough that it became hard to maintain so I stopped. The site is sitting on Managed WordPress Hosting so the plugins just auto-updated as did WordPress everything was fine but my tinkering stopped and I lost interest.

Back in July I wanted to write up my thoughts on a Steelcon talk, I did with my friend Glenn I had already started to think I should also learn more about Gutenberg so it was time to start afresh and consider the site.

New Site new thoughts

I am not a web developer
I am not a web designer

Tim Nash 2020

There I have said it, I know a lot about both subjects but knowing and doing are two very different principles and my strengths lie more to the backend then the front. I like pretty things but I cannot draw, that doesn’t mean I shouldn’t draw, just that perhaps I shouldn’t try to demonstrate it as a strength unless it’s to demonstrate perseverance. 

So step one, delete git repo (backing it up first) but all old assumptions were to be left at the door, this was to be a fresh site with fresh ideas. I still want it to be performant, but as much emphasis to be placed on functionality and to make things as easy for me. So the first starting point was a theme.

There are lots of great themes by hugely talented designers, and the base theme of WordPress today Twenty Twenty is one of my favourite themes right now. However Twentytwenty wasn’t available when I was looking so I did what millions of others do I looked for a theme.

My theme criteria was:

  • Look good – this is in the eye of the beholder but I wanted a clean minimal theme
  • Reputable Company/Individual – I’m putting a lot of trust into the theme designer I want to feel confident in updates. While reputation isn’t always a guarantee Hi Pipdig! It’s a good start.
  • Gutenberg ready – The theme should not just work with Gutenberg but the theme designers are on board and interested in Gutenberg.
  • Simple code base – I want to be able to follow the code and review things if needed change things.
  • Do things the WordPress Way – Similar to keeping the codebase simple, I don’t want a theme that implements its own things, this did rule out things based on Roots with blade templating and Twig based themes using timber etc.

I didn’t mind paying for a theme, if it was the right one, after all, I want to know the author is going to be there for potentially years to come and give back to them.

In the end, I chose Neve from Themeisle as theme companies go Themeisle is one of the larger companies and as such have had press good and bad but on balance the press has generally been good. They show a real willingness to not just create products but be part of the wider community. Neve itself is a functional theme, that was easy to customise, didn’t come with anything that put me off and allowed me to build something quickly. It perhaps had a few too many settings and skirted the doing things the WordPress way and Simple codebase requirements both of which were borderline.

My intention was to spin up a child theme, for the inevitable changes I would need to make to templates but the reality is I haven’t needed to yet. Their release cycles have been good and I have been updating the theme regularly and without issue. 

Overall I’m pleased with my choice, my theme is not unique but it’s customised enough that it’s mine. Over the last few months, things have been added changed for example, the footer recently made an appearance on most posts.

Plugins Galore!

So a site is the sum of the theme and its plugins and while a few plugins have always been on the site, the amount of plugins I use has changed dramatically escalated however I have been trying to keep to the keep it simple philosophy and choose:

  • Single Purpose –  Smaller plugins with a specific use case
  • Simple Choices – Simple or no configuration plugins where I don’t have a bunch of configuration changes each time.
  • Gutenberg Ready – Blocks, not shortcodes where this is important
  • Simple code base – If the plugin codebase is greater then WordPress core that is an issue.

So here are the plugins I have installed on my site currently, this list does change so might not be as is when you read it.


Most of the security is handled at the host level (By the totally excellent Managed WordPress Hosting… …at least according to their WordPress platform lead. That would be me) so I don’t make use of traditional security plugins however I still have a few plugins that enhance security on the site, all of these I would install on any site by default.


This is my default 2FA (two-factor authentication) solution. It’s a feature plugin so the goal is it will become part of WordPress core, in the meantime I use it across all sites I manage. It’s simple to install/setup and works with my hardware keys. 

Should you use it: Yes, if you have an existing 2FA solution then this might be a “Maybe” but if you do not use Two Factor or a Multi-Factor Authentication on your site, then this is the perfect plugin for you.


Default logging solution, it logs all user actions and records them in the DB, it also sends me notifications on certain actions, for example, it reports successful logins. There is plenty of auditing and application logging plugins but I like Stream as an activity monitor.

Should you use it: Maybe, You should have a plugin that does application monitoring, I like Stream but others do exist. Try to look for a plugin that doesn’t just hold its information in the database.

Tip: If using Steam, you can set up notifications, one example is I have a notification that emails me every time a new user session is created for my admin user. If someone logs in to that account that’s not me, I get an email.

Application Passwords

Application passwords, allows the generating of special passwords for users, to be used through the REST API/XML-RPC endpoints, I use it to make requests to the REST API for my custom dashboard.

Should you use it: If you need to use the REST API outside of your site, but do not need a comprehensive solution like Oauth then maybe. It also can be useful for legacy applications using XML-RPC

WP Fingerprint

File Integrity Monitor compares file hashes of individual plugin files on my server with those on and also attempts to crowdsource those not hosted on

Should you use it: If you are on Managed Hosting it comes preinstalled, there are other plugins that also do file integrity checking, if you already have one then no, otherwise all of its checks are done by crons in the background so it’s worth having on.

Content and presentation

Making things look pretty is perhaps a little beyond my remit, making things look presentable and not so bad as to upset anyone is the goal. Posts and pages should be laid out with the block editor and when introducing new content types my goal is to make it work easily with the site. I also want to make things more finable, while I was heavily involved in SEO a long long time ago, the world has changed so much, so rely on good choices by others.


While the block editor is now in core Gutenberg project lives on and continues to improve the block editor and site editor projects. With the Gutenberg project, I’m getting access to those improvements in between WordPress core releases. The WordPress core team doesn’t recommend running Gutenberg in production but for my purposes, I’m happy to run it on my live site and so far it’s caused no issues.

Should you use it: I think so, while there is always a chance of breaking changes if you are all in on the block editor, then it makes sense to run with the latest and greatest. Just a word of caution, it does have experimental features, that can wipe settings and replace themes at a click of a button so if you or a client are the just click things type one to avoid.

Atomic Blocks

Atomic Blocks is a collection of blocks, one of the first out there and it extends the blocks that already exist with new features. While I certainly don’t use every block within the library more then one is being used on this page.  

Should you use it: Well this very much depends, there are lots of block libraries, so look through the feature list, do those blocks look like the ones you might use. Finding a library which has the most synergy with your use case. If a library only has a single block of use to you may be worth avoiding unless you can’t find a similar block elsewhere. I’m looking forward to the block directory arrival. 

Gutenberg blocks and template library by Otter 

While this plugin has many similar blocks to Atomic Blocks the main reason to use this alongside Atomic blocks is it brings both CSS transitions and Custom CSS to every block, now Otter (Really ThemeIsle who also make my theme) do provide these as separate plugins and I suspect when the “block directory” comes I will move to these plugins. For now, while it breaks the single-use rule it seems that Themeisle primarily is maintaining this single plugin and not the separate ones.

Should you use this: Pretty much the same comment as Atomic Blocks, if it has the blocks you need. Though this library does come with the additional features in that it adds custom CSS option to any block and CSS animations. If you don’t need any of the blocks and just custom CSS option, maybe worth looking at their Custom CSS plugin instead.

Contact Form Block

My contact page for years just had my email address but after a few folks complained they couldn’t find the contact details I have re-added a contact form. I didn’t want anything fancy or complicated and the contact form block fitted the bill. No data is stored on the server, and integrates with RECAPTCHA.

Should you use this: It’s simple, it’s uncustomisable and has virtually no flexibility but if its fields are the ones you want, and you just want to send an email then this might be the right plugin for you otherwise there are thousands of mail and form plugins out there.

The SEO Framework

When it comes to SEO normal recommendation is Yoast and the SEO Framework comes up as choice number two. I’m not going to bash Yoast many folks there are my friends and I am in awe of the company and how it’s grown. However Yoast SEO plugin isn’t for me and I find it gets in my way, I wanted something a little lighter that focused on just the things I cared about. 

Should you use this: Chances are you use Yoast, happy with Yoast? Stick with Yoast. Not happy with Yoast worth looking at. I imagine most of the reasons you don’t like Yoast will be why you don’t like the SEO Framework either though. 

Schema & Structured Data for WP & AMP

A very recent install, but most of my posts are exceedingly long and suit the article schema markup. Schema is not about improving search results themselves but improving discoverability and understanding we all need a helping hand even Google. This is a bit of an experiment, historically I have written microformat directly into the template, this way I can play around with things and worse case remove it and wait 6 months for Google to stop being upset.

Should you use this: Want schema markup this is a relatively easy way to add it, there are a few alternatives I haven’t tried them all and went off a recommendation and it’s early days so I will let you know.

Update: Before this post was released, I disabled it due to a PHP Warning being generated that I haven’t had time to look at properly.


Make things go fast, I’m under no illusions this is the section most people come here for, but I’m going to tell you a secret, most performance is good hosting including a CDN (I use KeyCDN), sensible plugin choice and being considerate of download sizes. However, I do use a few plugins that could be considered “performance” plugins.

Classic Smilies

In part as a security cover-up, WordPress introduced emoji support which came with added markup and javascript. This removes those and returns the original emojis back. I’m not really an emoji sort of person ¯\_(ツ)_/¯

Should you use it: Do you like emojis and can’t live without them? Then this plugin is not for you if you don’t care you will save yourself a couple of JS includes. This could easily be done in your own theme tweaks.

EWWW Image Optimizer

I need to look at alternatives, and KeyCDN does a lot of image optimisation tweaks if I let it, but currently, I use EWWW I have configured it to do light changes but it could do a lot more. Images and Media optimisation is one of my big areas of improvements in 2020 for the site, so expect this to change, even if it’s just changed for a bash script.

Should you use it: I personally do not like EWWW, it’s there because it was the thing I knew and it was quick to set up with the limited presets I know work the way I want. I suspect there are much better alternatives and it’s just a matter of me spending the time researching.

Fast Velocity Minify

Concatenates and minified files and stores them in a cache, while HTTP/2 having multiple files is not as much of a performance issue, and indeed in some circumstances, lots of smaller files would be quicker over HTTP/2 there are specific speed improvements. I am significantly underselling it as this plugin does far more then I use it for.

Should you use it: There are dozens of minification and concatenation plugins out there, and over the years my recommendation for which to use has changed. If you are using one and it works then stick with it. Otherwise, Fast Velocity Minify is simple(ish) and works.

Remove Query Strings from static assets

This plugin has been in my toolbox for years, it simply removes the “?version” off static assets, meaning they actually get cached as most things won’t cache something with a query string.

Should you use it: Do you like your assets to be cached? On a production site, I wholeheartedly recommend this plugin. On a development or staging site, you probably don’t want this enabled as you will actually want your assets to not be cached assuming you are making changes to them.

WP Lazy Loading

A fairly new plugin, though again is a feature plugin, and hopefully will be in WordPress core fairly soon. It simply modifies image tags to include the lazyload attribute, browsers that support (aka Chrome) lazy loading will then lazy load the images. Quick and easy performance win, with no complicated javascript.

Should you use it: I don’t believe this brings anything but positives, the only reason not to use it is in a couple of months it will be in core and then it will be superfluous.

WP Stack CDN

Again another tiny plugin that I love, written by Mark Jaquith years ago and I suspect I might be its sole user. Allows me to swap all static asset URLs to be which points at KeyCDN.

Should you use it: No, almost certainly there is a better solution out there sorry Mark, mind you, I’m not sure Mark uses it anymore. Find a better alternative, which has at least some support and possibly even a GUI.


For the last few years I haven’t been using any analytics on the site at all and I’m not sure I have missed it too much. Google Analytics was always too much for the site and slowed the previous versions of the site enough that I was proxying the script. I wanted something in between something lightweight, privacy-conscious that gave me some basic metrics, which I could use alongside Google Webmaster Tools.

Koko Analytics

I selected Koko Analytics for a couple of reasons it’s incredibly lightweight in just showing referrer data and pages visited. It can and is set to not track via cookies, all the data stays on the server and not sent to a third party and I can control the data retention. For bonus points it’s really well written, makes use of the REST API so I can also make direct calls to the data and just generally ticks the box across the board. I have only been using it for a short time but I love it. My only fear is that as a young product, Danny the developer is under pressure to add features.

Should you use it: If you are a Google Analytics user, this will be a massive change in philosophy. If however you currently use Jetpack Stats or no analytics at all then Koko is worth looking at, it will outperform Jetpack and comes with huge benefits in privacy. 


There are a few miscellaneous plugins that don’t fit into categories that I use, a couple of these are not always active, but are always within reach.

Query Monitor

Query Monitor is one of those plugins that once you use you become addicted to. It provides debugging and performance information at the PHP/Server level for every page on the site, shows scripts loaded, the action performed and loads more. More then once Query Monitor has found that slow running weird bug and its a tool I always have available but not always active.

Should you use it: Yes, yes you should, this should be your go-to plugin the moment you hit a performance bottleneck. It’s so good I put it as my choice for the Plugins we love series on the blog.


As the same suggests, add a “invisible” captcha to comments pages in the form of an extra field. Simple and effective.

Should you use it: It’s not as effective as a tool like Akismet, but it’s simple adds no overhead and doesn’t send comments to a third party. For most people, this is a good alternative to the default choice.

Unfortunately, this plugin has recently been taken over by a new developer, in addition to somewhat obtrusive advertising for a premium version, it looks like the direction they are aiming to go in is more like Akismet with comments, being validated on their servers. So I will be looking for a new option before that happens.

Public Post Preview

This plugin creates a unique link, to allow you to share unpublished content with selected non-logged in users. It’s great for sharing previews with people and getting opinions on content choices.

Should you use: If you share drafts, this is the defacto solution so the answer is probably and when not in use you can always deactivate.

Wappu Dashboard Pet

A plugin made by my colleague Kayleigh Wappu Dashboard pet adds a Wappu to your dashboard, but if you don’t keep things up to date it gets sick. Thankfully with my site running on Managed Hosting my Wapuu spends most of his time healthy and happy!

Should you use it: I love a cute Wappu and if you are sort of person that will do something just to make a sad Wappu happy this is the plugin for you. 

Custom Plugins

I do have a few custom plugins:

  • Security Headers
  • Some theme tweaks
  • Some error tracking

These are little more than one-liners, and I do have a few other tweaks but do you know what I’m going to save till part 2, yes it’s a two-part series, who knew!

The site itself

The site itself is running on Managed WordPress Hosting just the standard £9.95 with no fiddling by me it’s a bog-standard container. If I was good at marketing I would offer you some sort of 3 month discount with a crazy code like TIMNASHWP.

I use KeyCDN to serve static resources. My DNS is managed via DNSMadeEasy and my newsletter is provided by TinyLetter. 

I’m still tweaking things and some pages like my talks page are still on the list of updating, but I’m happier with the site then I have been for years. The big difference baring the occasional grumble as Gutenberg inevitably doesn’t do the thing I want I’m enjoying writing again.

Yet having a more normal site, comes with other issues, even writing this post I was reviewing plugins and for example, discovered Anti-spam had been taken over and heading in a direction I wouldn’t want. By using more plugins I’m giving up a certain amount of control and the time saved up front doesn’t mean its time saved overall.

My site is a tool and repository, it’s enabling me to do things and that’s great, that’s the way it should be. I’m happy and capable to invest the time, now it’s in smaller manageable chunks.

Do I care about performance? Sure I do, my front page has increased from 200ms load times to around 400ms. That’s 100% increase but still far less than most peoples and I’m ok with that, I’m slowly bringing that time down again as well. 

So in part 2 of Making I’m going to look at what custom code is running, how I deploy the site and why composer fans are going to hate me.

Want to learn more?

This post is from a series called Making, here is the series so far:

Help others find this post:

This post was written by Me, Tim Nash I write and talk about WordPress, Security & Performance.
If you enjoyed it, please do share it!

Helping you and your customers stay safe

WordPress Security Consulting Services

Power Hour Consulting

Want to get expert advice on your site's security? Whether you're dealing with a hacked site or looking to future-proof your security, Tim will provide personalised guidance and answer any questions you may have. A power hour call is an ideal starting place for a project or a way to break deadlocks in complex problems.

Learn more

Site Reviews

Want to feel confident about your site's security and performance? A website review from Tim has got you covered. Using a powerful combination of automated and manual testing to analyse your site for any potential vulnerabilities or performance issues. With a comprehensive report and, importantly, recommendations for each action required.

Learn more

Code Reviews

Is your plugin or theme code secure and performing at its best? Tim provides a comprehensive code review, that combine the power of manual and automated testing, as well as a line-by-line analysis of your code base. With actionable insights, to help you optimise your code's security and performance.

Learn more

Or let's chat about your security?

Book a FREE 20 minute call with me to see how you can improve your WordPress Security.

(No Strings Attached, honest!)