Most Common WordPress Security Mistakes to Avoid

When starting a website, maybe the last concern of every webmaster is security. Most of focus on design, functionality, layouts, conversions, but forget that all these are highly dependent on the security of the website. If you can’t keep your website safe, you will be losing business and all your hard effort can be ruined in just a second.

WordPress is very popular software, which powers millions of website worldwide. The development team of WordPress is constantly maintain and updating the software to improve and fix all security issues. With all this great effort and time that is dedicated to WordPress, there are still lots of mistakes that webmasters commit. In this article we will present you the most common security mistakes that make your website a victim in this endless ocean of cyber-crime.

Use of default admin and generic password

This is the most common mistake that is exploited by hackers. In many cases, WordPress sites are developed offline, and because the developers don’t want to spend much time on website setup and can easy forget complicated password, the choose to go with the simple admin/123456 combination. After the project is finished, it will be transferred online, everyone is happy that the website is finished and works as the client wants but nobody cares about changing the login information. Now, anyone who access your website and have a clue that you are running wordpress, can access the login page and try to login with the admin user and some generic password. If you forget about it, a bad person can easily ruin all your hard work.

Another common mistake is when users use their birth day date, name family member names as password, because it is easy to remember. They also link their website to their public facebook profile, where all this information is available. Guess what will happen next.

To be safe, you should change the default admin user and if you can’t come up with a strong password, use an online password generator that will create a unique password for you. Do not use the same password on all of your websites, social or email account. This way if one of your accounts get compromised, all others will be safe.

Outdated core and plugins

WordPress is very well built and tested software, however there are some versions where is a tiny security hole in the source code that can represent a high risk for many websites. You should pay attention to the back-end of your wordpress site, and whenever there is any news about security update of the core software you should perform and update right away.

It is also important to keep an eye on the plugins as well. These can also represent a risk to your website if any of them has a vulnerable code. If there is a new version available for any of the installed plugins, do not hesitate to update. These updates will usually take couple of seconds only.

Malicious plugins and themes

It is phenomenal, that WordPress has so many contributors and that there are so many people out there who are willing to spend their time to develop free plugins and themes. There are, however, many cases when developers abuse the system and they insert “features” to the add-ons that are actually bad for the user. For instance there are theme provider websites, that force links into the themes and you cannot remove them. Having links on your website is all right, however if you have unrelated links in the footer of your page, could result in a penalty from Google. To avoid this you should always download wordpress themes from trusted websites. Plugins are also abused, there are cases when a plugin opens a back-door to hackers to access your website, in other cases a plugin will insert ads on your site or even change your ads. If you are downloading free plugins, always use plugins from because these plugins are verified and tested.

Bad web hosting provider

I know that I keep repeating myself when I affirm that hosting is the base of any website. If you are using WordPress you should pay extra attention to the web hosting provider you choose. On this page you can find more information on what to expect from a wordpress host.

If you choose an unreliable hosting provider, most likely you will end up switching to a new host after you go through a lot of problems. If the people who are behind the hosting company do not have the necessary experience and knowledge to secure and optimize their servers, even if your site is running on latest version, it can still be hacked. Another problem that comes with poor hosting is that your website will always be slow, due to poorly optimized and configured servers and old hardware, and website visitors will never return to a slow site. So make sure that you pick a hosting provider that supports wordpress and has all the necessary tools to help you with installation, security and updates.

Why would a hacker want your website?

Now you may ask, why would somebody hack your small business website? Let’s suppose that you have a small site, which is targeting local clients, and is receiving few thousand visitors each month. Why would somebody even care about your site?

You should note that if you go online, you are a target, it does not matter how big or small you are. Often you can hear news about very big sites getting hacked; probably small sites do not get on the news but thousands of them are compromised on daily basis.

What hackers can do with your site, even if it is a small one? They can use your server to send out spam emails. If emails are sent out from your server, you will be responsible for this action. Sure you can prove that your server was compromised, and actually someone else did it, but it is still a bad experience. They can steal your clients’ data: name, phone numbers, email addresses, etc. If you also store credit card information, and your site gets compromised, most likely your customers will never trust you again. A bad person can use your client’s information in many ways, for instance it can be sold to your competition; the hacker can send phishing emails to your customers, in your name and destroy completely your business.

There are many other reasons why someone will try to hack your site, but will talk about these in another article.

Recommendation on how to keep your wordpress site secure

To the above list of recommendations I would add few more that will provide an extra protection to your website.

Use of security plugins: install a security plugin to your website. For example Wordfence, is one of the best security plugins for wordpress, which not only will scan your website but will also provide protection against bots, malicious activity and hackers. It will also make your site run faster. is a globally recognized company in terms of website security. This service can be easily integrated to any wordpress site, by installing their plugin. The Sucuri service provides lots of security features to your site: security activity auditing, malware scanning, blacklist monitoring, post-hack security actions, security notifications and firewall as well.

Two factor authentication: these types of plugins are also a great defense against brute force attack. While you login to the wordpress admin area, you will receive an email with a link to verify your identity. Once you are verified, you can login to your wordpress site by only entering your password next time. However if you try to login from another device, you will again go through the verification process.

Captcha authentication: using a captcha plugin for the admin login area will prevent brute force attacks. This is the most common type of hacking; it is usually done by a software, which tries to login to your site with different usernames and passwords.

Remove version and generator name: by adding two lines of code to the function.php of your theme, you can remove the wordpress version number from the source code, and even the generator name. Hiding these information, hackers will find it more difficulty to figure out what software and what version you are using for your site.

Wrapping up!

So to summarize all the above information, to keep your wordpress site secure you should always use custom admin username and password, always make sure that your website and plugins are using the latest version and if there is a security release, make sure you instantly update, use themes and plugins from trusted websites, find a good, and reliable hosting provider who can help you out with wordpress related issues and use plugins which will protect your site from brute force attacks. In case I forgot something, please leave your thoughts in the comment section. Hope it was a good reading!



David Cross

David is the chief editor at WebHostingMedia right from the beginning. He has a great passion for building and managing websites and creating helpful content. He is also interested in programming - currently learning python.