MU (Must-Use) Plugins are a special type of WordPress plugin that:
- Always active - Cannot be deactivated from the WordPress admin
- Load automatically - No activation required
- Load early - Before regular plugins and themes
- No updates - Must be manually updated (no auto-updates)
- Single files only - Each plugin must be a single PHP file (no subdirectories)
DO NOT blindly copy all these plugins to your site. Each plugin modifies WordPress behavior in specific ways. You should:
- Understand what each plugin does before installing it
- Only use plugins that solve problems you actually have
- Test on a staging site first before deploying to production
- Consider your specific use case - what works for one site may break another
Zero configuration required - the autoloader loads ALL PHP files from ALL subdirectories. Simply delete any plugins or folders you don't need.
- The autoloader scans all subdirectories
- Loads every
.phpfile it finds - No configuration needed
Don't want a plugin? Delete it. Don't want a category? Delete the folder.
| Plugin Name | Description | Version | WP | PHP |
|---|---|---|---|---|
| 404 Logger | Logs 404 errors to a file for security monitoring and broken link detection. IP addresses are anonymized (last octet masked) for GDPR compliance. | 1.0.0 | 6.6+ | 7.4+ |
| Add Footer Signature | Adds a developer signature comment to the website footer for attribution and contact purposes. | 1.0.0 | 6.6+ | 7.4+ |
| Admin Color Scheme Lockdown | Forces a single admin colour scheme for all users. Useful for white-label admin panels. Set MU_ADMIN_COLOR_SCHEME to any built-in slug (default, light, blue, coffee, ectoplasm, midnight, ocean, sunrise). | 1.0.0 | 6.6+ | 7.4+ |
| Admin Footer Info | Shows PHP version, MySQL version, WordPress version, and memory usage in the admin footer. | 1.0.0 | 6.6+ | 7.4+ |
| Admin Session Timeout | Automatically logs out inactive admin users. Default timeout is 60 minutes. Override with the 'mu_session_timeout' filter (value in seconds). | 1.0.0 | 6.6+ | 7.4+ |
| Auto-Deactivate on Error | Tracks which plugin is being activated via a short-lived transient. If a fatal error prevents wp_loaded from firing, the next admin request detects the stale transient and deactivates the offending plugin. | 1.0.0 | 6.6+ | 7.4+ |
| Auto-Delete Unattached Media | Weekly cron job that permanently deletes media library items with no parent post older than a configurable number of days. Prevents library bloat from orphaned uploads. Override age with 'mu_unattached_media_age_days' filter (default 30). | 1.0.0 | 6.6+ | 7.4+ |
| Auto-Rotate JPEG on Upload | Reads EXIF orientation metadata from uploaded JPEG files and rotates the image to the correct orientation before thumbnails are generated. Fixes sideways photos from mobile cameras. | 1.0.0 | 6.6+ | 7.4+ |
| AVIF Support | Add AVIF image format support for uploads and display (next-generation image format, better compression than WebP) | 1.0.0 | N/A+ | N/A+ |
| Clean Head Output | Removes unnecessary tags from the frontend : wlwmanifest, RSD, shortlink, adjacent-posts links, generator meta, REST API link, and feed links. | 1.0.0 | 6.6+ | 7.4+ |
| Cleanup Old Revisions | Automatically removes old post revisions older than 30 days and limits revisions to 5 per post. | 1.0.0 | 6.6+ | 7.4+ |
| Cron Monitor | Records the timestamp of the last WordPress cron execution. | 1.1.0 | 6.6+ | 7.4+ |
| Custom Login Logo | Replaces the WordPress logo on the login page with your site logo, icon, or name. Links to your homepage instead of wordpress.org. | 1.0.0 | 6.6+ | 7.4+ |
| Defer Non-Critical Scripts | Adds the defer attribute to enqueued scripts not in the exclude list. Improves Time to Interactive without editing theme files. Extend the exclude list via the 'mu_defer_exclude_handles' filter. | 1.0.0 | 6.6+ | 7.4+ |
| Disable Admin Email Confirmation | Disables the periodic admin email confirmation prompt that WordPress shows every 6 months. | 1.0.0 | 6.6+ | 7.4+ |
| Disable Admin New User Email | Prevents admin from receiving email notifications when new users register. Users still receive their welcome email. | 1.0.0 | 6.6+ | 7.4+ |
| Disable AI Crawlers | Blocks all known AI crawlers and bots from accessing your site content via robots.txt. | 1.0.0 | 6.6+ | 7.4+ |
| Disable Application Passwords | Disables the Application Passwords feature introduced in WP 5.6 to reduce attack surface for sites not using it. | 1.0.0 | 6.6+ | 7.4+ |
| Disable Autosave | Disables WordPress autosave functionality to improve performance and prevent unwanted draft saves. | 1.0.0 | 6.6+ | 7.4+ |
| Disable Block Library CSS | Removes Gutenberg block library CSS from frontend if not using blocks, reducing page weight. | 1.0.0 | 6.6+ | 7.4+ |
| Disable Block Notes | Disables the collaboration notes feature in the block editor introduced in WordPress 6.9. | 1.0.0 | 6.9+ | 7.4+ |
| Disable Command Palette | Disables the Command Palette (Ctrl+K / Cmd+K) feature in the WordPress admin. | 1.0.0 | 6.3+ | 7.4+ |
| Disable Comments Globally | Completely disables comments, trackbacks, and pingbacks across the entire site. Removes all comment-related functionality from admin. | 1.0.0 | 6.6+ | 7.4+ |
| Disable Core XML Sitemap | Disables the auto-generated /sitemap.xml introduced in WordPress 5.5 to prevent duplicate sitemaps when Rank Math, Yoast SEO, or another sitemap plugin is active. | 1.0.0 | 6.6+ | 7.4+ |
| Disable Dashicons Frontend | Remove Dashicons CSS from frontend for non-logged-in users to improve performance (saves ~40KB) | 1.0.0 | N/A+ | N/A+ |
| Disable Emoji Support | A utility plugin to disable emoji support. | 1.0.0. | 6.6+ | 7.4+ |
| Disable File Editing | Prevents editing of theme/plugin files from admin | 1.0.0 | N/A+ | N/A+ |
| Disable FloC | A utility plugin to disable FLoC. | 1.0.0. | 6.6+ | 7.4+ |
| Disable Google Fonts | Dequeues all Google Fonts stylesheets and removes preconnect hints to fonts.googleapis.com. EU courts have ruled that loading Google Fonts without prior consent violates GDPR. | 1.0.0 | 6.6+ | 7.4+ |
| Disable Heartbeat API | Disables or limits the Heartbeat API to reduce server load. Keeps it active only in the post editor where it's needed. | 1.0.0 | 6.6+ | 7.4+ |
| Disable oEmbed | Disables WordPress oEmbed functionality to reduce HTTP requests and improve performance. Use if you don't embed external content. | 1.0.0 | 6.6+ | 7.4+ |
| Disable Pattern Directory | Prevents the block editor from fetching block patterns from api.wordpress.org on every editor load. Eliminates the external HTTP request and brief pattern-loading delay. | 1.0.0 | 6.6+ | 7.4+ |
| Disable Pingback | Disables pingback XML-RPC method to prevent IP disclosure attacks behind firewalls/proxies. | 1.0.0 | 6.6+ | 7.4+ |
| Disable Plugin Update Checks | Disables automatic plugin update checks to reduce server load. Useful for managed/frozen environments where updates are controlled manually. | 1.0.0 | 6.6+ | 7.4+ |
| Disable Post by Email | Disables WordPress post-by-email functionality to improve security and reduce attack surface. | 1.0.0 | 6.6+ | 7.4+ |
| Disable Query String Versioning | Strips ?ver= query strings from enqueued script and style URLs so CDN and proxy caches can cache assets without per-version cache misses. | 1.0.0 | 6.6+ | 7.4+ |
| Disable REST API for Guests | Blocks REST API access for unauthenticated users. Whitelisted routes (oEmbed) remain public. Use the 'mu_rest_guest_whitelist' filter to customise. | 1.0.0 | 6.6+ | 7.4+ |
| Disable RSS Feeds | Redirects all RSS and Atom feed URLs to the homepage. Use only on sites that have no blog or do not need syndication. | 1.0.0 | 6.6+ | 7.4+ |
| Disable Scaled Image Generation | Prevents WordPress from creating a -scaled copy of large images (added in WP 5.3). Keeps original dimensions intact for sites that do not require server-side downscaling. | 1.0.0 | 6.6+ | 7.4+ |
| Disable Site Health | Removes the Site Health admin page, dashboard widget, and its background cron check. For production sites managed externally where Site Health output is noise rather than signal. | 1.0.0 | 6.6+ | 7.4+ |
| Disable Theme Update Checks | Prevents WordPress from checking for theme updates on wordpress.org. For fully managed environments where themes are updated via CI/CD. Complements the existing plugin update disabler. | 1.0.0 | 6.6+ | 7.4+ |
| Disable Theme Update Notices | Hides "new version available" notices on the Themes screen for environments where the theme is deployed via CI/CD rather than updated through the admin. | 1.0.0 | 6.6+ | 7.4+ |
| Disable Unnecessary Link Headers | A utility plugin to disable Unnecessary Link Headers. | 1.0.0. | 6.6+ | 7.4+ |
| Disable User Enumeration | Prevents user enumeration via author archives and REST API to protect usernames from discovery. | 1.0.0 | 6.6+ | 7.4+ |
| Disable User Registration | Completely disables user registration via wp-login.php, REST API, and all registration endpoints | 1.0.0 | N/A+ | N/A+ |
| Disable WC Coupon Field | Hides the coupon field on cart and checkout pages. Prevents customers from abandoning checkout to search for discount codes on stores that don't use coupons. | 1.0.0 | 6.6+ | 7.4+ |
| Disable WC Guest Checkout | Forces account registration at checkout. Required for subscription or membership stores where an account is needed to manage orders. | 1.0.0 | 6.6+ | 7.4+ |
| Disable WC Product Reviews | Disables the WooCommerce review system on products. Unlike the generic disable-comments plugin, this targets the WooCommerce review tab and rating option specifically. | 1.0.0 | 6.6+ | 7.4+ |
| Disable Welcome Panel | Removes the welcome panel from the WordPress dashboard for a cleaner admin experience. | 1.0.0 | 6.6+ | 7.4+ |
| Disable WooCommerce Cart Fragments | Prevents WooCommerce from enqueuing the cart-fragments AJAX script on pages where no cart interaction is possible, reducing unnecessary AJAX requests on every page load. | 1.0.0 | 6.6+ | 7.4+ |
| Disable WooCommerce Marketing Hub | Removes the WooCommerce Marketing admin menu and disables marketing-related background cron events and HTTP calls to woocommerce.com. For stores that do not use Mailchimp or other WooCommerce marketing integrations. | 1.0.0 | 6.6+ | 7.4+ |
| Disable WooCommerce Status Dashboard Widget | Removes the WooCommerce status dashboard widget from the WordPress admin dashboard, reducing noise for sites that use WooCommerce Analytics or a custom overview instead. | 1.0.0 | 6.6+ | 7.4+ |
| Disable WordPress Search | Redirects /?s= search queries to the homepage, eliminating unnecessary database queries on sites without search functionality. | 1.0.0 | 6.6+ | 7.4+ |
| Disable WP Version | Remove WordPress version | 1.0.0. | 6.6+ | 7.4+ |
| Disable XML-RPC | A utility plugin to disable XML-RPC. | 1.0.0. | 6.6+ | 7.4+ |
| Disallow Weak Usernames | Blocks creation of accounts with usernames commonly targeted by credential-stuffing attacks (admin, test, wordpress, etc.). | 1.0.0 | 6.6+ | 7.4+ |
| Enable SVG Upload | Enables SVG file uploads with security sanitization to prevent XSS attacks. Adds media library preview support. | 1.1.0 | 6.6+ | 7.4+ |
| Environment Indicator | Displays a visual indicator in the admin bar showing the current environment (Development/Staging/Production) to prevent editing the wrong site. | 1.0.0 | 6.6+ | 7.4+ |
| Force Strong Passwords | Rejects passwords shorter than 12 characters or missing uppercase, lowercase, number, and special character. Applied to profile updates and registration. | 1.0.0 | 6.6+ | 7.4+ |
| Force WooCommerce Strong Passwords | Applies password strength validation to WooCommerce registration and checkout forms. WooCommerce skips WordPress's default strength rules for customers; this closes that gap. | 1.0.0 | 6.6+ | 7.4+ |
| Hosting Disallowed Plugins | Disallows plugins known to cause issues on managed hosting platforms. Based on popular hosting platforms. | 1.1.0 | 6.6+ | 7.4+ |
| Lazy Load Gravatars | Defers loading of Gravatar images until they're needed, reducing initial page load time and external HTTP requests. | 1.0.0 | 6.6+ | 7.4+ |
| Lazy Load Iframes | Adds loading="lazy" to iframes in post content (YouTube embeds, maps, etc.), deferring off-screen requests until the user scrolls near them. | 1.0.0 | 6.6+ | 7.4+ |
| Limit Autoload Bloat | Runs daily to detect wp_options rows with autoload=yes that exceed a configurable byte threshold. Logs offenders and optionally sets them to autoload=no. Configure threshold via 'mu_autoload_size_threshold' filter (default 10 000 bytes). | 1.0.0 | 6.6+ | 7.4+ |
| Limit Cron Concurrency | Uses a transient-based lock to prevent multiple simultaneous wp-cron.php processes from running the same scheduled hook, reducing database contention on busy sites. | 1.0.0 | 6.6+ | 7.4+ |
| Limit Image Sizes | Removes unnecessary intermediate image sizes (medium_large, 1536x1536, 2048x2048) that WordPress generates by default. Reduces disk usage and upload processing time. Keep list via 'mu_allowed_image_sizes' filter. | 1.0.0 | 6.6+ | 7.4+ |
| Limit Login Attempts | Blocks IP addresses after 4 failed login attempts for 24 hours to prevent brute force attacks. | 1.0.0 | 6.6+ | 7.4+ |
| Limit Post Revisions | Limits the number of post revisions stored in the database to reduce bloat and improve performance. | 1.0.0 | 6.6+ | 7.4+ |
| Limit Upload Size by Role | Sets different maximum upload file size limits for different user roles to prevent large uploads from non-admin users. | 1.0.0 | 6.6+ | 7.4+ |
| OpenWP Club Core | Core functionality and branding for OpenWP Club managed WordPress sites. | 1.0.0 | 6.6+ | 7.4+ |
| Optimize Database Tables | Runs OPTIMIZE TABLE weekly on core WordPress tables to reclaim fragmented space and maintain query performance. | 1.0.0 | 6.6+ | 7.4+ |
| Optimize WooCommerce Assets | Only loads WooCommerce scripts and styles on shop-related pages to improve site performance. | 1.0.0 | 6.6+ | 7.4+ |
| Orphaned Post Meta Cleaner | Weekly cron job that deletes wp_postmeta rows whose post_id no longer exists in wp_posts. Reclaims space after posts are permanently deleted. | 1.0.0 | 6.6+ | 7.4+ |
| Preconnect Resource Hints | Outputs tags for configurable external origins. Reduces round-trip latency before the first byte of external resources. Configure via the 'mu_preconnect_origins' filter. | 1.0.0 | 6.6+ | 7.4+ |
| Remove Author Metabox | Removes the author meta box from post and page edit screens in WordPress admin. | 1.0.0 | 6.6+ | 7.4+ |
| Remove H1 Editor | Removes H1 heading option from both Classic Editor (TinyMCE) and Block Editor (Gutenberg) to improve SEO structure. | 1.1.0 | 6.6+ | 7.4+ |
| Remove jQuery Migrate | Removes jQuery Migrate script from WordPress to reduce page weight. Only use if your theme and plugins don't require legacy jQuery support. | 1.0.0 | 6.6+ | 7.4+ |
| Remove Plugin Bloat | Removes admin bar items and source code footprints from popular plugins like WP Rocket, Redis Cache, etc. | 1.0.0 | 6.6+ | 7.4+ |
| Remove Unused Admin Menus | Removes admin menu items defined in MU_REMOVE_ADMIN_MENUS. Useful for client sites where certain sections are irrelevant. | 1.0.0 | 6.6+ | 7.4+ |
| Remove WordPress Branding | Removes WordPress logo, admin footer text, and blocks access to WordPress about pages for white-label admin experience. | 1.0.0 | 6.6+ | 7.4+ |
| Remove WP Embed | Remove WordPress embed script from frontend to improve performance. | 1.0.0 | 6.6+ | 7.4+ |
| REST API Rate Limiting | Limits REST API requests per IP to prevent abuse. 60 requests/minute for guests, 200 for authenticated users. | 1.1.0 | 6.6+ | 7.4+ |
| Restrict REST API Blocks | Limits access to block-related REST API endpoints to authenticated users only. | 1.0.0 | 6.6+ | 7.4+ |
| Sanitize File Name | Automatically removes accents and special characters from uploaded file names for better compatibility. | 1.0.0 | 6.6+ | 7.4+ |
| Scheduled Maintenance Window | Shows a maintenance page automatically during a recurring time window. Define MU_MAINTENANCE_WINDOWS as an array of windows with 'start', 'end' (HH:MM), and optional 'days' (array of day names). Uses server time. | 1.0.0 | 6.6+ | 7.4+ |
| Simple Maintenance Mode | Simple maintenance mode that shows a branded page. Toggle by creating/deleting .maintenance file in wp-content. | 1.0.0 | 6.6+ | 7.4+ |
| Staging Robots Noindex | Outputs X-Robots-Tag: noindex HTTP header and adds noindex to wp_robots on any environment that is not 'production'. Prevents staging or local sites from being indexed without editing wp-config.php. | 1.0.0 | 6.6+ | 7.4+ |
| Strip EXIF Metadata | Removes GPS coordinates, camera model, and other EXIF data from uploaded JPEG images at save time using GD, reducing privacy exposure. | 1.0.0 | 6.6+ | 7.4+ |
| Transient Cleaner | Runs a daily WP-Cron job to delete expired transients from wp_options. Keeps the database tidy on sites that accumulate plugin transients over time. | 1.0.0 | 6.6+ | 7.4+ |
| Trusted IP Allowlist | Blocks access to wp-admin and wp-login.php for IPs not in the allowlist. Define MU_TRUSTED_IPS as an array of allowed CIDR ranges or exact IPs. Only use on sites with a static management IP. | 1.0.0 | 6.6+ | 7.4+ |
| Two-Factor Email OTP | Adds a second authentication step after a successful password login. A 6-digit code is emailed to the user; the session is not created until the code is verified. | 1.0.0 | 6.6+ | 7.4+ |
| WooCommerce Order Auto-Complete | Automatically transitions orders containing only virtual or downloadable products from 'processing' to 'completed' immediately after payment. Eliminates manual order management for digital-goods stores. | 1.0.0 | 6.6+ | 7.4+ |
| WooCommerce Order Data Retention | Monthly cron job that permanently deletes WooCommerce orders older than a configurable number of days in terminal statuses (completed, cancelled, refunded). Supports both HPOS and legacy post-based orders. Override age via 'mu_wc_order_retention_days' filter (default 730 = ~2 years). | 1.0.0 | 6.6+ | 7.4+ |
| WooCommerce Store Manager Mode | Provides a simplified "Store Manager" view for WooCommerce users. Toggle between full WordPress admin and a decluttered, WooCommerce-focused interface via the admin bar. | 1.1.0 | 6.6+ | 7.4+ |