Every WordPress installation is a unique creature as far as customization goes. Mine starts with the latest WordPress installation combined with a great free theme called Suffusion. Beauty is, of course, in the eye of the beholder, but I believe it to be one of the best themes out there. It is extremely configurable, and you will find it works as well on multimedia-rich sites as on simple home pages such as this one.
As on all WordPress sites, plugins are plentiful and they change with the seasons. Here is my list and the reason for each of them:
Linking to other websites is a path toward hell as far as I am concerned. While it seems like a good idea at first, it can lead to a lot of broken links years down the road. Sometimes nothing can be done about it - the resource is simply gone - but this plugin at least makes you aware of it.
If you use CloudFlare and you love statistics, you will want to install this plugin too. Without it every user would seem to come from the same set of proxied IP addresses and all that per-country log analysis would be for nothing. :)
Simple plugin that does its job - it makes your website's sharing links for Facebook and Google+ have proper excerpts and look decent. It is not fancy and there aren't many things you can change, but I find myself liking all the defaults anyhow. I was using NGFB Open Graph+ before, but with time it became annoying dealing with its advertisements for the bigger Pro edition. Not only did you get a huge banner on your admin pages (sacrilege!), but they started removing features with newer editions (bait, hook & switch). I won't use it again any time soon.
Google's web crawler occasionally might need a bit of a hint as to which page you consider more important. 99% of the time everything will work properly regardless; this is just to cover all bases.
Protecting against brute-force password cracking is probably something that should already be built into WordPress. But this simple plugin will do too. A security must-have.
Nonsingular noindex
This is a custom plugin I built to avoid Google indexing search and category pages. As the blog grew, it became annoying to see search pages in Google results ranked higher than the actual page, and I had to do something about it. Since I haven't found any plugin readily available, I decided to build one.
If you love your site, you will back it up. And you will back it up offsite. Mailing it to a Gmail account is perfect for me, and this plugin does it without issues.
Simplest icon link
Just a simple plugin to add an Apple touch icon to the website. There are probably a dozen other plugins that do the same, but I decided to roll my own.
Snippet pre
A never-finished plugin for source code highlighting. Since I found every syntax highlighter lacking in some way, I decided to build one for myself. While I do use it for new posts, it has severely limited capabilities in its current form.
Snippet text template
One more itch I had to scratch was repeating the same phrases over and over again on multiple pages. So I built this plugin to help me with that. Unsuitable for anybody else because of hardcoding, but it does its job here.
Syntax highlighter that I stopped using because of some annoying bugs and lack of development. However, a lot of older posts use it, so it will stay here for a while. The ultimate goal is to change all those posts to use my own highlighter (once I finish it), but lack of time will probably ensure that never happens.
Probably the best caching plugin out there. If you are using shared hosting and there is any significant traffic, you need something like that. A lot of small options help you optimize for your particular situation.
This plugin ensures that your login always goes over HTTPS instead of HTTP. A must-have if you occasionally use unknown WiFi to access your blog. Of course, you do need an SSL certificate too.
If you do have an SSL certificate on your domain, it would be a shame not to use it for the WordPress login. Since WordPress sends passwords as plain text, it would be a great thing if we were redirected to the HTTPS version for every login (even if we forget to specify it).
The solution lies in adding a few lines to your .htaccess file:
# The WordPress .htaccess block already turns the engine on; it does no harm to repeat it.
RewriteEngine On
# Only fire when the request did not arrive over HTTPS.
RewriteCond %{HTTPS} off
# Login page or anything under wp-admin/ gets a permanent redirect to the same URL over HTTPS.
RewriteRule ^wordpress/wp-(login\.php|admin/)(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
This code checks whether we are going to the login or admin pages. If we are and HTTPS is not the protocol in use, it simply redirects the request to its HTTPS equivalent.
P.S. This example was taken from my site, where I have WordPress installed in a sub-directory named wordpress. If you have it installed in some other directory, adjust accordingly.
If you have ever done a network capture of your WordPress login procedure, you will have noticed that the password is sent as plain text:
POST /wordpress/wp-login.php HTTP/1.1
log=admin&pwd=mysuperpass&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.example.com%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_status%3Ddraft%26post_type%3Dpost&testcookie=1
Anyone who can watch traffic on your network can see it as clear as day. Worse still, if you traverse some proxy server (as in most companies), your password might get dumped into a log file. Whoever has access to those log files has access to your password. Do you really trust your network admin that much?
The proper way to sort this out would be to use SSL. That way the connection is encrypted end-to-end and the whole plain-text issue just goes away. Unfortunately, SSL certificates usually cost some money.
A cheaper solution would be to tunnel all your traffic through SSH to a trusted network (e.g. your system at home). While this would alleviate the threat when you are connecting from e.g. a hotel, it still means that your plain-text password is travelling from there to the server unencrypted. However, in the case of an SSH tunnel from home, you can count (or can you?) on your provider not keeping such a detailed log.
The last thing you might do is force WordPress to use the CHAP protocol. That way the password is still visible, but only in hashed form. Brute-force attacks will still be possible, but at least the attacker has some work to do. And, if the password was selected carefully, it might require months or even years of computing. The only way I found to do this is by installing the Chap Secure Login plugin.
Upon activating this plugin you should log out and log in again (that will fail). Then log out and log in again (in my case this was still sending plain text). Only upon the third logout/login will the plugin start working properly. Snooping on the system again, you will see something like:
POST /wordpress/wp-login.php HTTP/1.1
log=admin&pwd=0a1dbb73659c24dd237ec254022af7daef410404665cc7f4be22b69e1e2b1845&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.example.com%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_status%3Ddraft%26post_type%3Dpost&testcookie=1
This looks much better.
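The following added example (mine, not the plugin's code) does two things with the two captured bodies above: it pulls the pwd field out of each and classifies it as plain text or digest, and it walks through a minimal challenge-response exchange to show why a hashed value that is bound to a server nonce cannot simply be replayed, yet still lets anyone holding the capture test password guesses offline. The post does not state how Chap Secure Login derives its hash, so the scheme here (SHA-256 over nonce + password) is an assumption for illustration, and all function names are hypothetical.

```python
import hashlib
import secrets
from urllib.parse import parse_qs

# The two request bodies from the post: a plain-text login, then a login with
# the Chap Secure Login plugin active. Copied as sample input.
PLAIN_BODY = (
    "log=admin&pwd=mysuperpass&wp-submit=Log+In"
    "&redirect_to=http%3A%2F%2Fwww.example.com%2Fwordpress%2Fwp-admin%2F"
    "edit.php%3Fpost_status%3Ddraft%26post_type%3Dpost&testcookie=1"
)
HASHED_BODY = (
    "log=admin&pwd=0a1dbb73659c24dd237ec254022af7daef410404665cc7f4be22b69e1e2b1845"
    "&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.example.com%2Fwordpress%2F"
    "wp-admin%2Fedit.php%3Fpost_status%3Ddraft%26post_type%3Dpost&testcookie=1"
)


def pwd_field(body):
    """Return the pwd parameter of a form-encoded wp-login.php body ("" if absent)."""
    return parse_qs(body).get("pwd", [""])[0]


def looks_like_digest(value):
    """Heuristic for a capture review: 64 hex characters is a SHA-256-sized digest."""
    return len(value) == 64 and all(c in "0123456789abcdef" for c in value.lower())


# --- Minimal CHAP-style exchange (assumed scheme, see lead-in) ---

def new_challenge():
    """Server side: a fresh random nonce issued with every login form."""
    return secrets.token_hex(16)


def client_response(challenge, password):
    """Client side (browser script): hash nonce and password together."""
    return hashlib.sha256((challenge + password).encode("utf-8")).hexdigest()


def server_verify(challenge, response, stored_password):
    """Server side: recompute from the nonce it issued and the password it knows."""
    expected = client_response(challenge, stored_password)
    return secrets.compare_digest(expected, response)


def replay_demo(password="mysuperpass"):
    """A captured response logs in once; replaying it against a new nonce fails."""
    c1 = new_challenge()
    r1 = client_response(c1, password)
    first = server_verify(c1, r1, password)
    c2 = new_challenge()
    replayed = server_verify(c2, r1, password)
    return first, replayed


def offline_guess(challenge, response, candidates):
    """What a capture still exposes: every candidate can be checked without
    contacting the server, which is why the post insists on a carefully chosen
    password. Returns the matching candidate, or None."""
    for cand in candidates:
        if secrets.compare_digest(client_response(challenge, cand), response):
            return cand
    return None


if __name__ == "__main__":
    for label, body in (("plain", PLAIN_BODY), ("chap", HASHED_BODY)):
        value = pwd_field(body)
        kind = "digest" if looks_like_digest(value) else "PLAIN TEXT"
        print(f"{label}: pwd field is {kind} ({value[:16]}...)")
    print("first login ok, replay ok:", replay_demo())
```

Note that the server must hold the password itself (or an equivalent) to recompute the response, which is the usual cost of challenge-response schemes; TLS, as the post says, is the fix that removes the plain-text problem rather than merely hiding it.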
[2014-10-29: I had this plugin fail with Suffusion. After its (manual) removal I was unable to log on anymore. The solution was to remove cookies.]