Everyone says a serious WordPress site needs at least twenty plugins to handle caching, security, backups, monitoring, and image optimisation. The advice is everywhere. Read enough listicles and you would think the WordPress dashboard is a control panel for assembling a small fleet of independent contractors, each one charging rent in CPU cycles, database queries, and attack surface.
The advice is wrong, or it is right only for sites running on shared hosting where the server itself does almost nothing. On properly managed WordPress, half of those plugins are duplicating work that the platform stack should already be doing one layer down. Each duplicate is a performance tax, a potential conflict, and a future security headache. Patchstack's State of WordPress Security 2025 report puts it bluntly: 96 percent of WordPress vulnerabilities disclosed in 2024 sat inside plugins. The same report flagged about a third of those vulnerabilities as still unpatched on the day they were publicly disclosed. Every plugin you do not need, you are better off not having.
Reviewing site audits this week I counted nine separate sites where the customer was paying premium licence fees for plugins their hosting stack made redundant. Three of those plugins were actively interfering with the host's own caching layer. Let me walk through which plugin categories you can usually drop, and why.
Caching plugins: where they came from, and why they hung around
Most caching plugins were written for one specific reason: shared hosting. On a shared host you do not have access to the web server. You cannot configure Nginx, you cannot enable Redis, you cannot touch FastCGI. So the plugin does what it can from inside WordPress. It generates static HTML files, drops them in a directory, and uses a small piece of code in WordPress itself to serve those files when a visitor arrives.
That works, after a fashion. But it has limits the plugin authors cannot escape. To serve a cached page, the request still has to reach PHP. PHP still has to load WordPress. WordPress still has to decide whether the cached file is valid. Only then does the cached HTML actually get served. The NGINX team have written about this directly and reported response times in the order of 9 milliseconds with FastCGI page cache versus around 200 milliseconds without it. Those are their numbers in their test, and yours will vary, but the gap is structural and no plugin running inside PHP can close it. The plugin cannot remove PHP from the path. The server can.
On a properly managed WordPress stack, Nginx sits in front of WordPress and intercepts every request. If a valid cache exists, Nginx serves the HTML and never wakes up PHP at all. WordPress is not even aware the visitor turned up. The caching plugin you have running on top of that is doing the same job a second time, less efficiently, and in some cases the two cache layers actively fight each other.
Three years ago I left a popular caching plugin running on top of a properly configured Nginx FastCGI cache and could not work out why one client's checkout was occasionally serving stale prices to logged-in customers. The two cache layers were arguing with each other over which version of the page was current. Removed the plugin, kept the server cache. Problem gone. Lesson learned.
What this means for the business owner is straightforward. If a customer in Donegal opens your shop on a 4G connection during their morning commute, the page should arrive faster than they can reach for their bag. The server-level cache makes that happen. The plugin layered on top of it does not, and at worst it sabotages the layer that does.
The same reasoning applies to Redis object caching, which is what makes logged-in pages, WooCommerce checkouts, and admin screens fast. Redis is not a plugin. It is a separate service running on the server. The Redis Object Cache plugin in the WordPress directory is just a thin connector that lets WordPress talk to Redis, and it only works if the host has actually installed and configured Redis in the first place. If your host has not, the plugin gives you a notification and does nothing useful. For a fuller view of how these layers interact, the layered caching stack on managed WordPress walks through it end to end.
Security plugins: blocking attackers a layer too late
Security plugins like Wordfence are well-built and they have their place, but the place they sit is the wrong layer for most of the work they claim to do. By the time a brute force attempt or a probing request reaches Wordfence, it has already loaded WordPress, run a chunk of PHP, and consumed a database connection. Multiplied across the volume of probes that hit any commercial WordPress site, that adds up. Your server is doing real work to reject every single one.
Server-level tools like fail2ban operate before any of that happens. fail2ban watches the request logs. When it sees the same IP failing logins or hammering wp-login.php, it adds that IP to the firewall and the next packet from that address gets dropped at the network layer. The attacker never reaches PHP, never touches the database, never even gets a 403 page. They are simply ignored. NGINX themselves describe this approach as standard server-level protection, and most managed WordPress hosts run something equivalent by default.
Where security plugins still earn their keep is in WordPress-specific application logic. Two-factor authentication, file integrity scanning of WordPress core files, vulnerability alerts that tell you a plugin you have installed has just been disclosed (where your hosting panel does not surface that already). Those are application concerns. fail2ban will never spot that wp-config.php has been modified by a compromised plugin, because that is not what it is built for. Use a security plugin for application-level work, but stop expecting it to do the firewall and brute-force work that should happen at the server.
The agitation here is real. While a security plugin runs its scheduled malware scan on a Friday afternoon, the site can become unresponsive for ten or fifteen minutes. That is your busiest window, the run-up to the weekend. Customers landing on a slow site at 4pm on a Friday do not wait. They go to a competitor. The plugin was supposed to protect the site, and it just cost you a sale.
Backup plugins: the redundancy that costs you money and risk
Backup plugins are popular because the marketing is easy. Install plugin, click button, get backup, sleep at night. The reality is more uncomfortable. A backup plugin runs from inside WordPress, which means it runs as the same PHP process serving your visitors. On larger sites it routinely fails halfway through because of memory limits or PHP timeouts. The backup file ends up in the same hosting account as the site, which means if the server is compromised or the hosting goes dark, your backup goes with it. And almost nobody actually verifies the restore. A backup is only a backup if a restore works. Most plugin-generated backups have never been restored, because the plugin owners do not run restore drills.
Server-level backup is a different operation entirely. The host snapshots the database and the file system from outside WordPress, on a schedule, to storage that is not in the same location as the site. A managed host worth the name verifies the backups by restoring them in test environments. If a customer rings to say their site is broken at 9am on a Monday, the support team can rollback to last night's snapshot in minutes, not hours.
Where I see this go wrong most often is small businesses paying for a premium backup plugin licence on top of hosting that already does proper backups. They are paying twice for protection they only get once. And often the plugin's backup is the one they actually rely on, because they have no idea the host has them covered. That means they are trusting the weaker copy. A sync reality check: even a server-level nightly backup means losing up to a day of changes if the worst happens at 11pm. Manual on-demand snapshots before any major deployment are how you close that gap, not another backup plugin.
Image optimisation plugins: at the wrong layer of the stack
Image optimisation plugins compress and convert your images at upload time, or in a batch job afterwards. That works, in a fashion. It is also slow, it eats CPU, and it produces files that sit on your server in WebP or AVIF format hoping the visitor's browser supports them.
A modern managed WordPress stack handles this differently. Image conversion and resizing can happen at the edge, inside the server's caching layer, generating the right format and the right size for each visitor on demand. The plugin running inside WordPress does not need to do the same job. When it does, it usually duplicates the work and creates a sprawl of WebP, AVIF, and JPEG variants in your uploads folder that nobody is actively managing.
For an accountancy firm in Limerick that posts a few blog images a month, none of this is a fire. The image plugin works fine on small volumes. But on a busy WooCommerce site with thousands of product images, the plugin's batch conversion process can lock the database for minutes at a time. You usually find out about it because staging looked fine and production fell over the moment you deployed.
Uptime monitoring plugins: monitoring the patient from inside the operating theatre
Uptime monitoring plugins are the strangest of the lot. The whole point of uptime monitoring is to know when your site is down. A plugin that runs inside your site cannot tell you when your site is down, because if your site is down, the plugin is also down. Whatever it would have reported, it cannot report.
Real uptime monitoring runs from outside your site, from independent endpoints around the world, on a schedule that is independent of your hosting. A managed host monitors uptime from its own monitoring infrastructure and from third-party services, then routes alerts to the operations team. You should not be the first person to find out your site is down, and a plugin running inside that site will never beat an external monitor to the news.
So what do these plugins actually do? Most of them log internal events: cron jobs that did not run, transients that expired oddly, plugins that triggered errors. Useful for debugging. The marketing positions them as uptime monitors. They are not. The wider context for this, including how performance and uptime fit together for business owners, is covered in the broader WordPress performance picture for business owners.
The plugins that still earn their keep
This is where I have to be honest. Some plugins are not redundant on managed hosting. They are doing genuine application-level work that the server cannot do for you, and removing them would be a mistake.
Page builders, if you actually need one. SEO plugins like Yoast or Rank Math, which work inside WordPress because the metadata they manage lives inside WordPress. Form plugins, because forms are application logic. WooCommerce and its real extensions, because eCommerce is application logic. Membership plugins, because access control is application logic. Custom post type plugins. Backup plugins for sites with very specific compliance or geographic redundancy needs that the host cannot meet.
The strategic concession matters here. If you are running a heavy WooCommerce store with custom price-by-customer logic that the standard object cache cannot handle, a tool like Object Cache Pro genuinely buys you something the platform stack does not, and the licence fee is worth it. Equally, if your business is in a regulated sector where you need backups stored under your own control in a specific jurisdiction, a backup plugin pointing to your own storage account is doing real work. The point of this article is not that all plugins are bad. It is that most plugin advice was written for shared hosting, and on properly managed WordPress the same advice produces redundancy and risk you do not need.
What this looks like in practice
A properly managed WordPress platform runs the site on Nginx with FastCGI page caching, Redis object caching, fail2ban at the firewall, automatic nightly backups verified from outside the site, free SSL via Let's Encrypt that renews itself, and uptime monitoring from a separate endpoint. Every one of those is doing the job that, on shared hosting, you would have spent money and configuration time installing plugins to approximate.
Web60 wraps that whole stack into the all-inclusive €60 a year platform: design, hosting, SSL, backups, monitoring, security, support. The full breakdown of what sits inside that is on Web60's enterprise Irish hosting infrastructure page, and the price of the entire bundle is roughly the price of one premium security plugin licence elsewhere.
What that means in practice is a leaner WordPress install. Fewer plugin updates that can break things. Fewer compatibility conflicts to debug. Fewer attack vectors for the next round of supply-chain compromises that have hit the WordPress plugin ecosystem repeatedly through 2024 and 2025. And a much higher proportion of your CPU and database time spent on actual work, serving pages, processing orders, sending forms, instead of running redundant plugins doing the same job as the server.
The before-and-after for a typical site we migrate looks roughly like this. Twenty-five active plugins drops to twelve or fourteen. PageSpeed scores tend to move up. Average response time drops by something in the order of 30 to 45 percent on the sites we have measured, although results vary depending on the original plugin stack and the presence of any unusually heavy WooCommerce queries. The site becomes easier to maintain, not because we wrote a guide, but because there is simply less of it to keep updated.
Conclusion
Plugin advice has not caught up with how managed WordPress works in 2026. Most of the canonical lists of "plugins every site needs" were written for a hosting environment where the server did almost nothing for you, and the only place to add capability was inside WordPress itself. That is no longer the world a properly hosted business site lives in.
If your site is on managed WordPress, your next plugin audit should start with one question: is this plugin doing something the server is already doing? Anything in caching, security firewalling, image conversion at the edge, backups, or external uptime monitoring is a candidate to remove. Audit one plugin at a time. Verify in staging, then deploy to production, then verify again. The site you end up with will be faster, safer, and easier to live with than the one you started from. That is the upshot, and it is the shift worth making.
Sources
Patchstack, State of WordPress Security 2025 whitepaper
Wordfence Intelligence, WordPress vulnerability database
NGINX Community Blog, Tips for improving WordPress performance with Nginx
Graeme Conkie founded SmartHost in 2020 and has spent years building hosting infrastructure for Irish businesses. He created Web60 after seeing the same problem repeatedly — Irish SMEs paying too much for hosting that underdelivers. He writes about WordPress infrastructure, server security, developer workflows, managed hosting strategy, and the real cost of hosting decisions for Irish business owners.
More by Graeme Conkie →Ready to get your business online?
Describe your business. AI builds your website in 60 seconds.
Build My Website Free →More from the blog
A Backup Is Not a Restore. Most Small Business Owners Find That Out Too Late.
Most WordPress hosts sell backups. The metric that decides whether your business survives a crash is restore time. Here's what that looks like.
The Professional Website Cost Myth That Has Kept Irish Business Owners Overpaying
Every Irish business owner has been trained to think a professional website costs thousands. In 2026, that assumption is wrong. Here is why the price-quality myth has expired.