Plugins are where WordPress goes from a simple content platform to a full-blown web application. Every feature beyond writing pages and posts — contact forms, SEO, caching, shops, bookings, galleries, security, backups, analytics — comes from a plugin. The WordPress.org directory alone hosts over 60,000 free plugins, with thousands more sold commercially through developer sites and marketplaces. That abundance is both the power and the danger: the right plugin changes your site for the better in five minutes; the wrong one introduces security holes, bloats page weight or conflicts with half the theme. This guide walks through how to find, install and manage plugins safely on a smartxhosting.uk WordPress site, with UK-specific recommendations throughout.
What WordPress plugins actually are · Finding the right plugin · Installing from the WordPress repository · Uploading a premium plugin ZIP · Managing installed plugins · Managing plugins through the Plesk WordPress Toolkit · Essential plugin categories for UK sites · Plugin safety and best practices · How plugins affect performance · Frequently asked questions
A plugin is a bundle of PHP files (and sometimes JavaScript, CSS and images) that adds new behaviour to WordPress. When you activate a plugin, WordPress loads its code on every request and the plugin registers itself into the core — adding menu items, settings pages, content blocks, shortcodes, API endpoints, scheduled tasks and so on.
If WordPress is a smartphone, plugins are the apps. Each one adds a specific capability. You keep what you use and remove what you do not. A site with ten well-chosen plugins runs faster and more reliably than a site with forty half-configured ones.
Plugins live in wp-content/plugins/ on the server. They are registered in the database through the Options table and their own custom tables where needed. Removing the plugin files through FTP or File Manager does not always clean up database entries — use the dashboard's Delete action where possible so cleanup hooks run.
Ninety per cent of the time, the plugin you need already exists. Finding a well-maintained, popular one is more important than finding the "perfect" one, because maintenance quality matters more than feature parity.
Browse plugins at Plugins > Add New Plugin. You can search by keyword (contact form, SEO, calendar), or browse the Featured, Popular and Recommended tabs.
The most common path, used for all free plugins.
Plugins often add a new menu item to the left sidebar after activation (Forms, SEO, WooCommerce, etc.) where you configure settings. Some add a panel to Settings instead; a few add their settings under Tools.
Installing does not activate. You can install a plugin for later use and activate only when you are ready, which is useful if you want to prepare a site before handing it to a client.
Premium plugins from commercial developers arrive as a .zip file downloaded after purchase.
Premium plugins usually require a licence key to receive automatic updates. After activating, find the plugin's own settings screen (or Settings > Licence) and paste in the key from your purchase email. Without it, the plugin still works but stops receiving updates, which is a security risk long-term.
Do not extract the ZIP before uploading — WordPress expects a compressed archive.
Every installed plugin, active or inactive, appears at Plugins > Installed Plugins. From this screen:
Tick multiple plugins and use the Bulk Actions dropdown to activate, deactivate, update or delete many plugins at once. This is handy for site migrations, where you might bulk-deactivate every plugin before copying the site, then reactivate afterwards.
If a plugin breaks your dashboard after activation (white screen, fatal error), you can deactivate it through Plesk File Manager — rename the plugin's folder in wp-content/plugins/ and WordPress will treat it as uninstalled. Dashboard access is restored immediately.
Every smartxhosting.uk plan includes the Plesk WordPress Toolkit, which adds five plugin-management capabilities the WordPress dashboard itself does not have.
If you run several WordPress sites on one Plesk account, the Toolkit shows every installed plugin across every site in a single table. You can see at a glance which plugin versions run where and which need updating.
Update a plugin on every site that uses it with a single action. Particularly useful when a security patch is released for a widely-used plugin like Yoast SEO or WooCommerce.
Configure auto-update policies at the plan level: auto-update minor versions only, or auto-update everything. Minor-only is a sensible default — major versions sometimes include breaking changes that deserve a staged rollout.
The Toolkit's Smart Update feature clones the site to a staging subdomain, applies the update, screenshots both versions, and shows you a visual diff. If the update visibly broke anything, you see it before it touches production. If it looks clean, push to live with one click.
The Toolkit's security scanner cross-references installed plugins against a live vulnerability database (Patchstack, WPVulnDB). If one of your plugins has a known CVE, you get a red flag on the site in Plesk and a prompt to update.
Click Log in next to a site in the Toolkit and you are signed into the WordPress dashboard without entering credentials. This is handy when managing multiple client sites — no password manager fumbling.
Every UK WordPress site benefits from one plugin in each of these categories. Do not install more than one per category — they conflict.
LiteSpeed Cache is the right choice on smartxhosting.uk because our servers run the LiteSpeed web server. It handles full-page caching, image optimisation, CSS and JavaScript minification, lazy loading and automatic CDN integration. Free, officially supported by LiteSpeed, and often the single biggest performance improvement you can make.
Alternatives: WP Rocket (paid, GBP 49+/year), W3 Total Cache, WP Super Cache.
Wordfence is the most popular WordPress security plugin. It adds a firewall at the WordPress level, malware scanning, login protection (rate limiting, 2FA) and live traffic monitoring. Free tier covers most needs; Premium is GBP 99/year for real-time firewall updates.
Solid Security (formerly iThemes Security) is a lighter-weight alternative.
Worth noting: smartxhosting.uk already runs Imunify360 at the server level, which blocks most malicious traffic before it reaches WordPress. The WordPress-level plugin is defence in depth.
Yoast SEO and Rank Math are the two leading options. Both handle meta titles, meta descriptions, XML sitemaps, canonical URLs, schema markup and content analysis. Yoast is the older and more widely recognised; Rank Math is newer, more feature-packed on the free tier, and increasingly popular.
Pick one and stick with it. Running both simultaneously creates conflicts.
Contact Form 7 is the classic — free, lightweight, capable. Learning curve is small; UI is utilitarian.
WPForms Lite is the most popular drag-and-drop builder. Easier for non-technical owners; free tier covers basic forms.
Fluent Forms is newer and fast, with a generous free tier.
smartxhosting.uk runs daily server-level backups automatically. For additional off-site backups under your own control, UpdraftPlus is the industry standard — backs up to Google Drive, Dropbox, Amazon S3, FTP or email.
Site Kit by Google connects Google Analytics 4, Search Console and PageSpeed Insights to the WordPress dashboard.
For a GDPR-friendlier alternative, consider Matomo (self-hosted inside WordPress) or Plausible Analytics (lightweight, cookieless).
Plugins are the leading cause of compromised WordPress sites worldwide. Sucuri's annual Website Threat Research Report regularly attributes 50–60% of infections to outdated or vulnerable plugins. The good news: basic discipline prevents almost all of these cases.
Every active plugin is code that runs on every request. A site with 40 plugins has 40 plugins loading their CSS, JavaScript, PHP classes and database queries on every page view, whether or not they are needed on that specific page.
On smartxhosting.uk, much of what a "full-featured" plugin does can be handled at the server level: caching by LiteSpeed Cache + server LiteSpeed, Redis for object caching, Imunify360 for security. This means you can run a lean WordPress plugin list and still get enterprise performance.
How many plugins should I install?
There is no strict limit, but most well-optimised sites run 10–20 active plugins. Quality matters far more than quantity — one badly coded plugin can slow a site more than ten well-written ones. Start with the essentials, add plugins as you identify actual needs.
Are free plugins as good as paid ones?
Often, yes. Many paid plugins start as free plugins with pro add-ons. For common needs — caching, SEO, contact forms — the free versions of LiteSpeed Cache, Yoast, Rank Math, Contact Form 7 and WPForms Lite are all production-ready. Paid plugins usually make sense for specialist features: premium bookings, advanced WooCommerce extensions, enterprise SEO analytics.
Can a plugin break my site?
Yes. Buggy plugins, conflicting plugins or incompatible updates can cause the White Screen of Death or admin lockout. Mitigation: test on staging first through the Plesk Toolkit, keep a recent backup, and learn the File Manager trick of renaming the plugin folder to deactivate in an emergency.
How do I update a plugin safely?
Use the Plesk Toolkit's Smart Update — it clones the site, applies the update on staging, screenshots before and after, and flags any visible changes. If the diff looks clean, push to production. Otherwise roll back on staging and investigate.
What is a "must-use" plugin?
Must-use plugins live in wp-content/mu-plugins/ and are always active — you cannot deactivate them from the dashboard. Hosts sometimes use mu-plugins to enforce platform-specific settings. On smartxhosting.uk the Plesk Toolkit installs a small mu-plugin for SSO integration; it is harmless and necessary.
Should I enable auto-updates for all plugins?
Enable auto-updates for minor versions on all plugins to pick up security patches. For major versions, enable on safe utilities (caching, SEO, contact forms) but not on plugins you have customised or that touch critical business logic (WooCommerce, membership plugins, LMS). Test major updates on staging.
Can I install plugins through FTP?
Yes. Upload the plugin folder to wp-content/plugins/, then activate from the dashboard. This is useful if a plugin is too large to upload through the dashboard (PHP upload limits) or if the dashboard is broken.
Is it safe to install plugins from GitHub?
Sometimes, with caveats. Only if the GitHub account is the plugin author's official repository and the plugin is a legitimate open-source project. Avoid random forks and mirrors — they may have been tampered with.
What happens to my data if I delete a plugin?
Most plugins offer an "uninstall cleanup" option that removes their database tables and options when the plugin is deleted. Some do not, leaving orphaned rows in the options table. Tools like WP-Optimize or Advanced Database Cleaner can clean these up. For plugins you plan to re-install, choose "Delete" rather than a manual filesystem wipe — this triggers the plugin's own cleanup hook.
Can smartxhosting.uk support help if a plugin is causing problems?
Yes for issues related to hosting, server configuration, caching, SSL, PHP versions or database performance. Plugin-specific bugs need to go to the plugin author. Our support can help narrow down whether an issue is plugin-related or server-related so the right party handles the fix.
Launch your WordPress site on smartxhosting.uk
UK hosting with the Plesk WordPress Toolkit, LiteSpeed Cache, Redis object caching, free Let’s Encrypt SSL, free CDN and daily backups — from £2/month.
View WordPress hosting plans →