WordPress is well known for being one of the most user-friendly blogging and website platforms available. That is why it has grown to run over a quarter of the internet today.
But as a consequence of WordPress’s immense popularity, it’s also a prime target for cyber criminals and hackers.
Most people who run a WordPress site or blog understand the importance of securing it against hackers, yet they take no action to improve their security until after they have actually been hacked and suffered a major consequence as a result.
Clearly, the best strategy is to act before an attack happens. And since the average website is hit by some sort of hacking attempt at least eight thousand times per year, you can’t assume that you won’t ever be hacked at some point in the future.
In this article, we will discuss some of the most common WordPress security mistakes that most WordPress site owners are guilty of making, and how you can avoid each of them:
1 – You Have A Weak or Default Username
Many site owners fully understand the importance of setting a strong password consisting of a variety of letters, numbers, and special characters. You may have even taken this a step further by using a password manager to store your passwords and change them regularly, or by requiring two-factor authentication to log in to your site.
But something else you won’t want to neglect is your username. Remember, hackers don’t just have to crack the password to break into your site; they have to figure out your username too.
This means that if you’re using a default username such as ‘admin,’ you’re making a major mistake: you have already handed over half of the credentials.
Once the username is known, an attacker can run a brute-force attack that tries several hundred if not thousands of password combinations every minute until the correct one is found.
So, if you haven’t replaced your ‘admin’ username yet, it’s time to do so.
How To Rename Your Admin Username
To rename your ‘admin’ username, ensure you have a recent, valid backup of your WordPress site first, and then follow these steps:
- Head to ‘Users > Add New’
- Select ‘Create New User’
- Set the role to Administrator
- Log in with the new username
- Go to ‘Users’
- Delete ‘admin’
Before you perform these steps, we highly recommend that you read this blog article here.
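The same steps as an added WP-CLI script, which is not part of the original article. It assumes WP-CLI is installed, a backup has been taken, and the script is run from the WordPress root; the script name, the username denylist and the 8-character minimum are assumptions. It also handles the question the dashboard asks on the final step: the old account’s posts, pages and comments are reassigned to the new administrator rather than deleted.

```shell
#!/usr/bin/env bash
# Added example: replace the default 'admin' account with WP-CLI instead of
# clicking through the dashboard. Run from the WordPress root after a backup.
set -eu

# Refuse the usernames brute-force tools try first (constructed denylist) and
# anything shorter than 8 characters. Comparison is case-insensitive.
is_safe_username() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$name" in
    admin|administrator|root|test|user|wordpress|webmaster) return 1 ;;
  esac
  [ "${#name}" -ge 8 ]
}

# Create the replacement administrator, then delete 'admin' and hand every
# post, page and comment it owned to the new account so no content is lost.
replace_admin() {
  new_user="$1"; email="$2"
  is_safe_username "$new_user" || { echo "refusing weak username: $new_user" >&2; return 1; }
  old_id=$(wp user get admin --field=ID)
  # --porcelain prints only the new user's ID; --send-email mails the new
  # account its generated password instead of echoing it to the terminal.
  new_id=$(wp user create "$new_user" "$email" --role=administrator --send-email --porcelain)
  wp user delete "$old_id" --reassign="$new_id" --yes
  echo "replaced user id $old_id with $new_user (id $new_id)"
}

# Usage: ./replace-admin.sh <new-username> <email>   (hypothetical script name)
if [ "$#" -eq 2 ]; then
  replace_admin "$1" "$2"
fi
```

Log in with the new account before deleting the old one if you prefer to do the last step by hand; the reassignment is what keeps the old account’s content on the site.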
2 – You Keep Unused Themes and Plugins
Delete any themes or plugins on your WordPress site that you are not using, and by ‘delete’ I mean remove them completely, not just deactivate them.
This is because every unused theme or plugin is another theme or plugin that you will need to update, and an out-of-date theme or plugin can carry exploitable vulnerabilities even while it is deactivated, because its files remain on the server.
The good news is that fully deleting unused themes and plugins is incredibly easy: you literally just have to go to the ‘Plugins’ and ‘Themes’ sections of your administrator dashboard and delete them.
While you’re at it, you would be wise to get rid of anything else you’re not using as well, such as spam comments, unused categories, unused tags, and draft posts that you likely won’t publish in the future.
3 – You Fail To Update and Backup Your WordPress Site
Here’s a fun fact: 80% of websites that are hacked are hacked because they weren’t updated.
WordPress developers release a new version whenever security vulnerabilities are discovered, and the fixed vulnerabilities are often listed publicly when the new version is released.
Now why is this a problem?
That’s right: hackers now have a full list of every major vulnerability in any WordPress website that has yet to be updated, including your own if you don’t update it. In fact, you are more likely to be hacked as a result of not updating your website than you are by having a weak username or password.
And not only will you want to update your WordPress core, you’ll want to update your themes, plugins, and other add-ons as well.
But there’s more good news here:
Updating your WordPress site is easier and more convenient than you may think.
Whenever an update to the WordPress core or a theme, plugin, or add-on happens, you’ll receive a notification (represented by the circle icon with two arrows).
Click this icon and then you can select the updates that you manually want to perform. You’ll also be notified each time an update is completed. You can also choose a security plugin such as Shield Security that will handle automatic updates for you so you don’t have to do most of the work yourself.
As a bonus tip, each time you run an update, you’ll also want to run a backup of your site as well. This way, if a glitch in the update happens that causes your site to crash, you’ll have a very recent version of the site to restore to.
You can use WorpDrive for this. This WordPress backup system is designed specifically to be independent of your web hosting and to rely on its own infrastructure.
So if you want a WordPress backup that’s ultra-reliable and works every time, choose WorpDrive.
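The clean-up routine from section 2 and the back-up-then-update routine from section 3, as one added WP-CLI script that is not part of the original article. It assumes WP-CLI is installed and the script is run from the WordPress root; the backup file names and the `--run` flag are assumptions, and the CSV shape is the one `wp plugin list --format=csv` prints.

```shell
#!/usr/bin/env bash
# Added example: delete unused plugins and themes, snapshot the site, then
# update core, plugins and themes. Run from the WordPress root.
set -eu

# Filter the CSV that `wp plugin list` / `wp theme list --format=csv` prints
# (header: name,status,update,version) and print the names whose column $1
# equals $2, e.g. `names_where 2 inactive` or `names_where 3 available`.
names_where() {
  awk -F, -v col="$1" -v want="$2" 'NR > 1 && $col == want { print $1 }'
}

# Delete every inactive plugin or theme. The parent of the active child theme
# is listed with status "parent", not "inactive", so it is left alone.
delete_unused() {   # $1 = plugin | theme
  wp "$1" list --fields=name,status,update,version --format=csv \
    | names_where 2 inactive \
    | while read -r name; do wp "$1" delete "$name" </dev/null; done
}

# Snapshot the database and wp-content first so a failed update can be rolled back.
backup_site() {
  stamp=$(date +%Y%m%d-%H%M%S)
  wp db export "backup-${stamp}.sql"
  tar -czf "wp-content-${stamp}.tar.gz" wp-content
}

# Apply updates, then confirm the core files match the official release.
update_everything() {
  wp core update
  wp plugin update --all
  wp theme update --all
  wp core verify-checksums
}

if [ "${1:-}" = "--run" ]; then
  delete_unused plugin
  delete_unused theme
  backup_site
  update_everything
fi
```

Keep the backup files outside the web root (or move them off the server) so they are not downloadable by anyone who guesses the name.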
Most owners of WordPress websites are guilty of at least one of the mistakes covered above, and the result is that their blogs and sites are far more exposed to attack.
Fortunately, you don’t have to make the same mistakes, and now you know how to avoid them.
Works well to help secure WP.
Installed easily, minimal set-up. Spam blocked immediately and the login protection (IP blocker) works well.
WP Simple Firewall is essential for WP Security
I have been using this plugin for over a year now and it has performed flawlessly. It certainly makes my life easier with applying WordPress security. I really like the Audit Trail Viewer and how it allows you to view login attempts and more! As a freelance developer on a…
Excellent, thank you very much 🙂
Security is at high levels with this plugin
Impressive system, I love the login two-factor authentication and the automatic plugin upgrades. Uses low resources, ideal for shared hosting where you have to cope with sluggish bandwidth, as it will not slow down your web site.