This is my current “base” set of plug-ins
https://wordpress.org/plugins/wordfence/
A firewall for wordpress. Also adds 2factor auth and attack monitoring.
This is quite literally the first thing I install on a new wordpress installation.
https://wordpress.org/plugins/wordpress-seo/
Manage post meta info that search engines see. Yoast hasn’t broken during an update yet and I manage 30+ wordpress sites.
https://wordpress.org/plugins/wp-super-cache/
A fast cache plug-in from the folks that make wordpress. (Automattic)
I’ve tried a few others and I’ve experience issues during major version upgrades. This one hasn’t failed me yet.
https://wordpress.org/plugins/disable-json-api/
If your not using the REST api, lower your attack surface by disabling it.
https://wordpress.org/plugins/updraftplus/
Best backup plug-in, hands down. Does have ads for it’s premium version.
Honorable mentions
https://wordpress.org/plugins/jetpack/
This is an all-in-one package that solves a lot of problems with wordpress.
IMHO, the best feature is their analytics, which doesn’t require creating or sharing data with google.
It isn’t a lite deal. You’ll find plenty of folks who rip on it.
https://www.collectiveray.com/wordpress-jetpack-review-plugin
https://wordpress.org/plugins/genesis-blocks/
Adds many useful “blocks” which aren’t included by wordpress normally.
Note that it requires PHP > 7.2
https://wordpress.org/plugins/wp-mail-logging/
Is very useful for debugging issues sending mail with wordpress.
Keeps a log of every message sent.
One more thing
A little advice for choosing a theme or plug-in;
Look at the changelog and support forum on wordpress.org
If no recent updates or developer feed back have been provided; don’t use it. It’s a dead plug-in and will likely be a future update or security issue on your site.