WPCandy, my favorite website for WordPress news, started a post series called "Behind the Site." Pretty self-explanatory: they showcase a nice site built with WordPress, then talk about how it was made.
The highlight for me is when they reveal which plugins they use. It's fun to discover cool plugins I never knew about before.
To kick things off, WPCandy did a profile of itself. I have to say, that is the longest list of plugins I've seen anywhere. They have a good reason, though. WPCandy is actually 5 websites: a blog, a forum, a professional directory, a podcast, and a video site. Did I miss one? By taking on so many roles, WPCandy can't help but use a ton of plugins.
I'm curious, what are your policies on installing plugins?
Some of my criteria:
--A well-known developer, e.g. Yoast. Reputation goes a long way.
--Recommended by a WordPress blog I trust, e.g. WPCandy.
--100,000 downloads or more. The more widely it's used, the more likely it will keep being updated.
--Updated within the last year. Matt Mullenweg announced in his 2011 "State of the Word" that any plugins that haven't been updated in 2 years would be hidden from search results. An elegant, simple solution to what could have been a complex problem.
--If the plugin page has a video tutorial of how to install and use it. This is a bonus, since it's not that common. A good example is Admin Management Xtended. The description doesn't capture how cool and useful it is, but the video does.
Developer reputation is a huge factor for me.
Track record, documentation and developer responsiveness go a long way as well.
Manual code review for any plugins users can directly interact with is a must. XSS and SQL injection are still all too common when it comes to plugins, templates and themes.
I sometimes avoid plugins that shy from using a well-documented WP API, especially the DB API. One trick I'll occasionally use is to see how many deprecated functions and features are used within a plugin. This can help you avoid soon-to-be and already obsolete plugins.
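The deprecated-function count mentioned above can be automated before a manual review. The following is an added example, not code from the post or its commenters: it counts bare calls to a small, non-exhaustive sample of functions deprecated in WordPress core, plus raw `mysql_*`/`mysqli_*` calls that bypass the DB API. The function names `scan_source` and `scan_plugin` and the PHP sample are constructed for illustration.

```python
import re
from collections import Counter
from pathlib import Path

# Small, non-exhaustive sample of functions deprecated in WordPress core.
DEPRECATED = ("get_currentuserinfo", "get_userdatabylogin", "get_user_by_email",
              "wp_specialchars", "attribute_escape", "js_escape", "clean_url", "like_escape")
# Raw driver calls that bypass the WordPress DB API ($wpdb).
RAW_DB = ("mysql_query", "mysql_connect", "mysqli_query", "mysqli_connect")

# String literals (group 1) or comments; both are blanked so text inside them never matches.
_SKIP = re.compile(r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|/\*.*?\*/|(?://|\#)[^\n]*""", re.S)
# A bare call: not a method ($x->f), static call (X::f), variable function, or definition.
_CALL = re.compile(r"(?<![\w>:$])(?<!function )(%s)\s*\("
                   % "|".join(map(re.escape, DEPRECATED + RAW_DB)))

def scan_source(php):
    """Count flagged calls in one PHP source string (heuristic, not a PHP parser)."""
    code = _SKIP.sub(lambda m: "''" if m.group(1) else " ", php)
    hits = Counter(m.group(1) for m in _CALL.finditer(code))
    return {"deprecated": {f: n for f, n in hits.items() if f in DEPRECATED},
            "raw_db": {f: n for f, n in hits.items() if f in RAW_DB}}

def scan_plugin(directory):
    """Aggregate scan_source() over every .php file under a plugin directory."""
    total = {"deprecated": Counter(), "raw_db": Counter()}
    for path in sorted(Path(directory).rglob("*.php")):
        result = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        for key in total:
            total[key].update(result[key])
    return {key: dict(counts) for key, counts in total.items()}

# Constructed sample plugin file (not taken from any real plugin).
SAMPLE = r'''<?php
// get_currentuserinfo(); old call left in a comment, must not count
function myplugin_render() {
    global $wpdb;
    get_currentuserinfo();
    echo wp_specialchars($_GET['q']) . attribute_escape("clean_url(x)");
    $rows = mysql_query("SELECT * FROM wp_posts");
    $safe = $wpdb->get_results($wpdb->prepare("SELECT 1 WHERE %d", 1));
    $obj->clean_url($x);          /* method call, not the core function */
    return wp_specialchars($rows);
}
'''

if __name__ == "__main__":
    print(scan_source(SAMPLE))
```

A high count is a prompt for closer manual review of that plugin, not a verdict on its own; the function list should be extended from the deprecated files of the WordPress version you run.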