Filed in:

10 Common WordPress Security Mistakes (and How to Fix Them)

Updated on: June 6, 2024

Table of Contents

WordPress Security Mistakes | Closed laptop on desk with chairs

Let’s work through WordPress security mistakes and how to make sure your site is secure.

I’m often asked how safe is WordPress? My answer is that WordPress itself is actually pretty secure; however, your website may have vulnerabilities from outdated software, backdoors in plugins and themes, user errors, or other issues. 

The biggest mistake you can make as a website owner is thinking you won’t be targeted. It doesn’t matter how small your website is; malicious bots and hackers will find it through web scraping, scanning IP ranges, crawling website directories, and other methods.

Once your website is discovered, it will be scanned for vulnerabilities and scraped for email addresses and other data.

So, what can you do? Luckily, the fixes are pretty easy! Let’s work through the top 10 security mistakes you might be making so you can secure your website.

Mistake 1: Using Weak Passwords

Weak passwords are one of the most common ways hackers gain access to websites. 

Here are some examples of how easily different passwords can be cracked.

1. A password that is 8 characters long using only lowercase letters can be cracked almost instantly.

2. A password that is 8 characters long and has mixed case letters with numbers can be cracked in about 28 seconds.

3. A password that is 12 characters long and includes a mix of uppercase letters, lowercase letters, numbers, and special characters can take about 226 years to crack.

WordPress security mistakes | Chart showing the time it takes a hacker to brute force your password
Source: Hive Systems

The Fix 

Choose a unique password that’s at least 12 characters long and includes a combination of mixed-case letters, numbers, and special characters. 

Avoid using easily guessable information, like your name or birth date. Enable two-factor authentication (2FA) with a security plugin for an extra layer of protection.

Pro Tip: Use a passphrase instead of a password. Phrases like “I love hiking in the mountains!” are easier to remember than complex passwords. Be sure to mix in numbers and special characters. Check out this passphrase generator for inspiration.

Mistake 2. Not Limiting Login Attempts

By default, WordPress allows users to enter an unlimited number of login attempts, making it easy for hackers to guess your password with brute force attacks. 

The Fix 

Limit login attempts with a plugin like Wordfence. These plugins will block users after a certain number of failed attempts, making it more difficult for hackers to gain access to your site.

You can set the blocked time limit to 2 hours, so if you accidentally lock yourself out you’ll be able to get back to the login screen after a short time.

Mistake 3. Using Admin as Your Username

The ‘admin’ username is a common target for hackers and is often used in brute-force attacks.

The Fix 

Change all ‘admin’ usernames to something more unique. You can take it a step further and instantly block any IPs that try to guess your password with the ‘admin’ username. 

Mistake 4. Not Hiding Your Usernames

Unfortunately, it is very easy to find all the usernames registered on your site by adding ‘/?author=1’ to the end of your URL. The page reloads with your username visible in the browser bar. 

Knowing your username is half the battle for hackers. Once they have your username, all they need to do is launch a brute-force attack to find your password.

The Fix

To stop this from happening, you can install a security plugin like Wordfence to hide usernames from being harvested by hackers.

Mistake 5. Not Backing Up Your Site

If your site gets hacked, having a recent backup can save you a lot of trouble. Not to mention, having backups is a best practice for all website owners. Technical issues will happen! Save yourself from the stress of having to re-create your website from scratch.

The Fix

Regularly back up your site with a plugin like UpdraftPlus. Save your backups to an off-site location like Google Cloud. Additionally, keep a recent backup on an external device as an extra layer of security.

If you haven’t made a backup of your entire website yet, including the database files, I’m begging you – please do it ASAP. Future you will thank you :).

Test your backups to make sure they are working correctly. A backup is only useful if it can be successfully restored.

Pro Tip: Set up automated backups through your hosting provider’s control panel. Many hosting companies offer built-in backup solutions that can automatically back up your website files and databases.

Mistake 6. Using HTTP instead of HTTPS

An SSL certificate encrypts data between your site and your users, protecting it from being intercepted.

The Fix

Install an SSL certificate on your site. They are usually free through your hosting provider. Once you have obtained the certificate, you can configure your website to use HTTPS instead of HTTP.

Mistake 7. Not Protecting Against Spam Comments and Emails

Spam comments and emails are not only incredibly annoying but they also pose a security risk. Spam comments often contain malicious links or scripts that can compromise your website’s security. 

Additionally, spam emails may try to trick you into revealing sensitive information or installing malware.

The Fix

To protect against spam comments, consider using a spam filtering plugin like Akismet. Additionally, use the built-in comment moderation feature in WordPress. 

Navigate to the WordPress dashboard > Settings > Discussion. In the options area, check ‘Email me when a comment is held for moderation’ and ‘Comment must be manually approved‘. 

Lastly, go to the ‘Disallowed Comment Keys’ area and add all the words you are seeing in the spam comments. For example, lately, I’ve been seeing a lot of comments using ‘pharmacy’. I added that to my list and now they go straight to the trash bin saving me time moderating them.

When it comes to email security, make sure to use a reliable email service provider that has a good spam filter. Be cautious of suspicious emails and avoid clicking on unknown links or downloading attachments.

Pro Tip: Keep your email from being scraped with obfuscation methods. Instead of using ‘hello@yoursite.com’ use hello[at]yoursite[dot]com. If you’d rather keep your email address clickable, then use a service like Cloudflare to obfuscate your email.

Website Security Mistakes | Laptop on table with glass of water and vase

What’s your WordPress security IQ?

Take the quiz to find out!

Mistake 8. Not Keeping WordPress, Plugins, and Themes Updated 

Outdated WordPress core, plugins, and themes are a common security risk. They can have vulnerabilities that hackers exploit.

According to Wordfence, in 2023, the number of vulnerabilities discovered in the WordPress ecosystem nearly doubled from the previous year. These vulnerabilities were found in around 4,000 different plugins, themes, and WordPress core files.

Luckily, these issues are typically addressed quickly with patches; however, not all plugin and theme developers stay on top of their programs. So, it is up to you to regularly review your software and ensure your site stays secure for your visitors.

The Fix 

Regularly check for updates and apply them as soon as they’re available.

To check for updates, go to your WordPress dashboard and click on “Updates” in the sidebar. If there is a new version available for WordPress, plugins, or your theme, you will see a notification on the page. Click on “Update Now” to install the latest version.

You can enable automatic updates for your WordPress core, plugins, and themes to help stay on top of managing your site. This ensures that you receive the latest security patches as soon as they are released. However, technical issues happen, so make sure you have backups ready to go if an update breaks your site! Check your website often to make sure everything is working as expected.

In addition to updating, it is important to remove any outdated or unused plugins and themes. Unused themes and plugins can pose a security risk to your WordPress website, even if they are not actively being used. Outdated or unused themes and plugins may contain vulnerabilities that can be exploited by hackers.

Lastly, be wary of nulled themes and plugins. They could contain malware or other malicious code. Additionally, because the software is pirated, they aren’t eligible for updates that contain security patches.

Mistake 9. Not Monitoring Your Website

If you’re not monitoring your site, you might not notice your site’s been compromised until it’s too late.

The Fix

Use a security plugin like Wordfence or Succuri to monitor your site for suspicious activity.

Check your website’s access logs, file changes, and user activity. A security plugin will monitor your website for malware, Google block lists, and other security issues. It also includes a website firewall and malware removal service.

Decide on a simple weekly routine to check the health of your site. It could be every Monday morning or Friday afternoon, for example.

Here are some simple monitoring tips that you can follow:

  1. Check for Unusual Activity: Keep an eye on your dashboard for any unexpected changes (like alerts or new plugins that you didn’t install) or new user accounts that you didn’t create.
  2. Keep Tabs on Your Site’s Availability: Use a simple uptime monitoring service like Uptime Robot, which can email you if your site goes down, so you can act quickly.
  3. Watch Your Website Speed: Notice if your site suddenly becomes slow, as it could indicate a problem. A tool like Pingdom can monitor this for you and report back.
  4. Regularly Visit Your Site: Regularly browse your website as a visitor would. Check for anything that looks out of place or doesn’t work as it should.
  5. Review your access logs: Check with your hosting provider to find out how to view the logs of your website. Find out how long error and access logs are stored by your host and review then regularly.

Pro Tip: Set up Google Analytics alerts to monitor your website’s traffic and detect unusual activity.

Mistake 10. Not Having a Response Plan in Place

Despite taking all precautions, some type of problem will occur with your website. Maybe it will be a security issue like malware or a technical issue like a plugin conflict. Either way, something will happen. 

The Fix

Prepare for the worst-case scenarios so you can act quickly and restore your site with minimal downtime. Have a response plan in place so you know exactly what to do when problems occur.

Final Thoughts

Securing your WordPress website should be a top priority to protect both your visitors and your business. By implementing these fixes, you can significantly reduce the risk of security breaches and ensure the long-term security of your website.

Let me know what you think in the comments! Do you have a response plan in place?

Table of Contents


Browse by Category

Leave a Reply

Your email address will not be published. Required fields are marked *