Disclosure: Some links included in the sidebar are affiliate links, which means we receive a small commission at no cost to you if you purchase through a link.
In a recent blog post, following the release of the WordPress 5.5 update, I shared some ways to fix a WordPress website which is broken due to the update.
There’s nothing more frustrating than finding out that your website is broken due to WordPress security problems is there? It also doesn’t do your reputation any favors when your clients inform you that you have a broken website.
They say that prevention is the best medicine, so to help you be better prepared, here are 10 common WordPress security mistakes that can be easily avoided.
Before I get started, I’m going to suggest that you check out the Wordfence WordPress security plugin which I install on all client sites. I’ve highlighted various Wordfence features throughout this post to help protect your website against the dangers highlighted. Wordfence follows the common WordPress freemium model and there are both free and premium (annual fee) versions of the plugin.
Now on to the mistakes….
1) Poor Quality, Insecure Website Hosting
Before we get into the WordPress security specifics, it is important to start with your hosting. Did you know that according to a University of Maryland Study, there is a hacker attempt every 39 seconds, making the security of your website hosting of paramount importance.
Website hosting comes in all sorts of different offerings and price points. In my experience you generally get what you pay for and unfortunately website and WordPress security can easily take a back seat.
When we recently put together the hosting for our shortly to be launched WordPress managed site service we ensured that our offering included the following:-
- Top of the line enterprise grade hardware.
- A DDoS (distributed denial-of-service) protected network which is fully redundant with no single point of failure.
- Hourly site cloud backups to ensure instant recovery where necessary.
- Free SSL (encryption) certificates for all clients or the option of purchasing certificates with warranties and other additional protection.
- 24/7 local Australian support and Australian based servers.
- SFTP (secure, encrypted file transfers) instead of insecure FTP (file transfers).
- All websites are isolated and not in a shared environment.
2) Not Using Two-Factor Authentication
Two-factor authentication (often shortened to 2FA) put simply, means there are two checks in place to prove your identity when you login to your website.
One common way to do this, which you have no doubt come across is by way of a code being sent via SMS to your nominated mobile/cell phone number. As an added security measure you have a certain timeframe to enter this code and gain access.
By default, WordPress does not include 2FA but the Wordfence WordPress security plugin (option available in both free and premium versions) mentioned earlier includes this capability and is highly recommended. Wordfence will work with any authenticator app that supports Time-based One-Time Passwords (TOTP) including:-
- Google Authenticator
- Sophos Mobile Security
- FreeOTP Authenticator
- Microsoft Authenticator
3) The Use of an “admin” Login Username
The odds of your website’s WordPress security being compromised increases significantly when you use an ‘admin’ username. Many automated scripts and hacking attempts will try this username in the first instance, so you are making it easy for them.
Instead use something else which is not obvious.
4) Using Easily Compromised Passwords
Ensure that your passwords are also not something that can be easily guessed. If you need help coming up with a secure password then there are password generators available.
For example, you can randomly generate a password in the Firefox browser as shown above. Just right click on the password field as shown. You can also do the same process to create a secure username.
Make sure you safely store your password somewhere though because unless you are Albert Einstein you will struggle to remember it!
The Wordfence WordPress security plugin also includes a setting that will require all website users to use a strong password.
If you want to find out how long it would take to hack your password then check out this site and enter your password.
I think I can sleep peacefully with this result.
5) No protection against Brute Force Attack
A Brute Force Attack occurs when there are a large number of repeated attempts to gain access by guessing your username and password.
Limiting the number of login attempts allowed and blocking those who try more than a certain number of times provides a means of protection for your website.
The Wordfence WordPress security plugin (both free and premium versions) also includes functionality to prevent a Brute Force Attack.
You can see some of the settings above.
6) Poor User Role Management
I suggest that when assigning roles to site users that you go with the “principle of least privilege”. Provide them with the minimum access possible to be able to do what they need to do.
Generally speaking their access should be either Subscriber or Contributor and ensure that you do not allow open registrations on your website.
To do this, ensure that the “Anyone can register” checkbox is not checked under Membership on the Settings -> General page in the WordPress dashboard.
7) Reusing Same Passwords Over and Over
Another common cause of WordPress security issues is due to passwords being used that have been in a data breach elsewhere. Hackers can easily gain access to lists of these passwords making your website an easy target for them.
The Wordfence WordPress security plugin will also prevent the use of passwords that have been leaked in data breaches to provide further peace of mind.
8) Using Nulled Themes or Plugins
You’ve no doubt heard your share of tales of people reporting the infection of their computers due to pirated/free software being installed which has hidden malware and other malicious items. Well the same applies to offerings of WordPress themes or plugins free of charge.
They should be avoided to ensure you do not end up with unauthorised advertising occurring or other malware of hacking problems.
9) Not Keeping WordPress Updated
Keeping your WordPress core, updates and plugins up to date will help to ensure that any vulnerabilities in your themes and plugins are patched. I also suggest doing a plugin audit and removing any inactive plugins from your website.
Vulnerabilities in inactive plugins and themes can still allow your website to be compromised and they are easily missed. They may not be in use but they are still installed in your WordPress environment and can be exploited by hackers.
10) No firewall Monitoring Website Traffic
A firewall is an extremely important security requirement for your website and will monitor traffic and determine whether or not requests are genuine and should be authorised or not. Wordfence includes a firewall with many features and you can find out more about their sophisticated firewall here.
I know that the topic of security can quickly overwhelm many and there’s a lot to consider.
I hope you found the tips shared in this post helpful. Are you looking for further details on any of the suggestions made? Please let me know in the comments.
A tiny request: If you liked this post, please share this?
I know most people don’t share because they feel that we don’t need their “tiny” social share. But here’s the truth…
I built this blog piece by piece, one small share at a time, and will continue to do so. So thank you so much for your support, my reader.
A share from you would seriously help a lot.
Some great suggestions:
– Pin it!
– Share it to your favorite blog + biz Facebook group
– Tweet it!
– Share it on LinkedIn!
It won’t take more than 10 seconds of your time. The share buttons are right here. 🙂