Wordpress 3.* versions will cause you pain and inconvenience if you use it straight out of the box, as downloaded with no plugins: it won't scale to even modest levels of traffic, few themes make any attempt to minimize the number of HTTP requests required to render a page, and there is next to no protection against the omnipresent issues of blog spam and automated security threats.

Fortunately an energetic ecosystem of plugin development exists, and it's pretty easy for a developer to scratch their own personal itch - the bar for entry is low when it comes to WordPress development. On the one hand this means that good solutions to nearly all WordPress-related problems are out there as open source plugins, but on the other hand so are a lot of terrible solutions. It can be hard to find the few gems amid the dross, even given the presence of ratings and other feedback.

Based on my experience in setting up WordPress sites and blog migrations, here is a bare minimum set of plugins that I'd say should be installed right at the outset. They solve the most immediate functional, scaling, and spam issues without requiring all that much work on your part.

1) W3 Total Cache

Caching is very necessary to obtain even a reasonable level of performance out of WordPress. W3 Total Cache is a good all-in-one option for managing an object cache, page caching, and a few other useful items like Javascript and CSS minification. It also integrates with content delivery networks or serving static content locally.

To get a similar coverage with other modules, minus the CDN integration and some of the other frills, you might start with some combination of APC Object Cache (or Memcached Object Cache), WP Minify, and something like WP Super Cache. Your mileage may vary, but give it a try.

2) WordPress HTTPS

Web applications that interfere with the ability to redirect from an insecure to a secure connection using the web server (e.g. via mod_redirect in Apache) are a real pain. Needless to say, WordPress interferes with this sort of redirection - so you need WordPress HTTPS or a similar plugin in order to ensure that, at a minimum, the administrative back-end is always viewed securely.

3) Revision Control

An accumulation of post revisions can be a subtle gotcha in WordPress, causing horrible performance in some situations as the number of revisions grows large. Most sites have little need to keep every revision of content ever made, and this small and simple plugin allows the number of retained revisions to be kept small.

4) Spam Free WordPress

Spam, of course, will start arriving within a few minutes of setting up a vanilla WordPress installation on any hosting service. It's such a ubiquitous platform that a horde of bots target it. Fortunately, if you are not running a large and noted service then blocking the vast majority of those bots does not require a particularly advanced barrier. I've found that for most sites Spam Free WordPress does the job just fine - and doesn't require any effort on your part. Just install it and turn it on.

More sophisticated solutions tend to fail in identifying manually entered spam, which is proliferating these days, while doing little better than the strategy employed by this plugin for other forms of spam. If you are working on a large and noticeable site, however, where attackers may spend time working around whatever defenses you put in place, then you should definitely look into some kind of paid service such as Akismet or Defensio. Few WordPress installations fall into this category, however: you have to have a lot of eyeballs passing through or a very large and energetic community to attract this sort of unwanted attention.

5) Better WP Security

This is an age of roving bots that try to brute-force passwords or exploit vulnerabilities on commonly used platforms like WordPress. Installing a security plugin like Better WP Security goes a long way towards locking out this sort of attack, making common attacks like brute-forcing of passwords impractical.

Note that the SSL options in this plugin may conflict with those in WordPress HTTPS, but this can be solved by ensuring that these lines in /wp-config.php are commented or removed:

//define('FORCE_SSL_ADMIN', true);
//define('FORCE_SSL_LOGIN', true);