September 20, 2018 by Samuel Bocetta | Blog

3 Most Common WordPress Security Mistakes (That Most People Are Guilty Of Making)


WordPress is well known for being one of the most user-friendly blogging and website platforms available. That is why it has grown to run over a quarter of the internet today.

But as a consequence of WordPress’s immense popularity, it is also a prime target for cyber criminals and hackers.

Most people who run a WordPress site or blog understand the importance of securing their site against hackers, but they nonetheless don’t take any action to improve their security until after they have actually been hacked and suffered a major consequence as a result.

But clearly, the best strategy is to take action to prevent an attack before it happens. And since the average website is targeted by some sort of hacking attempt at least eight thousand times per year, you can’t tell yourself that you won’t ever be hacked at some point in the future.

In this article, we will discuss some of the most common WordPress security mistakes that most WordPress owners are guilty of making, and how you can avoid each of them:

1 – You Have A Weak or Default Username

Many site owners fully understand the importance of setting a strong password consisting of a variety of letters, numbers, and special characters. You may have even taken this a step further by using a password manager to store and regularly change your passwords, or by also requiring two-factor authentication to log in to your site.

But something else you won’t want to neglect is your username. Remember, hackers don’t just have to crack the password to break into your site, they have to figure out your username too.

This means that if you’re using a default username such as ‘admin,’ you’re making a major mistake.

Hackers can then easily run a brute-force attack that tries several hundred if not thousands of password combinations every minute until they find the correct one.

So, if you haven’t deleted and replaced your admin username yet, it’s time to do so.

How To Rename Your Admin Username

To rename your ‘admin’ username, ensure you have a recent, valid backup of your WordPress site first, and then follow these steps:

  1. Head To ‘Users > Add New’
  2. Select ‘Create New User’
  3. Set Role To Administrator
  4. Login With The New Username
  5. Go to ‘Users’
  6. Delete ‘Admin’

Before you perform these steps, we highly recommend that you read this blog article here.

2 – You Keep Unused Themes and Plugins

You will want to get rid of any themes or plugins on your WordPress site that you are not using, and by ‘getting rid of,’ I mean delete, not just deactivate.

Additional plugins and themes you’re not using don’t just slow down your site (which hurts your SEO performance); they also make your website more vulnerable.

This is because every unused theme or plugin is another theme or plugin that you will need to update, and failing to update them creates new vulnerabilities.

The good news is that fully deleting unused themes and plugins is incredibly easy: you just have to go to the ‘Plugins’ and ‘Themes’ sections of your administrator dashboard and delete them.

While you’re at it, you would be wise to get rid of anything else you’re not using as well, such as spam comments, unused categories, unused tags, and draft posts that you likely won’t publish in the future.

3 – You Fail To Update and Backup Your WordPress Site

Here’s a fun fact: 80% of websites that are hacked are hacked because they weren’t updated.

The WordPress developers release a new version whenever security vulnerabilities are discovered, and the vulnerabilities that were fixed are often listed when the new version is released.

Now why is this a problem?

That’s right: hackers now have a full list of every major vulnerability in any WordPress website that has yet to be updated, including your own if you don’t update it. In fact, you are more likely to be hacked as a result of not updating your website than you are by having a weak username or password.

And not only will you want to update your WordPress core, you’ll want to update your themes, plugins, and other add-ons as well.

But there’s more good news here:

Updating your WordPress site is easier and more convenient than you may think.

Whenever an update to the WordPress core or a theme, plugin, or add-on happens, you’ll receive a notification (represented by the circle icon with two arrows).

Click this icon and you can select the updates that you want to perform manually. You’ll also be notified each time an update is completed. You can also choose a security plugin such as Shield Security that will handle automatic updates for you, so you don’t have to do most of the work yourself.
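To know which plugins are behind before you click through the updates described above, here is an added Python example (not part of the original article and not Shield's code) that reads the `Version:` line from each plugin's file header the way WordPress's own header parser does, and compares it with a list of latest versions. The plugin files and the latest-version list are constructed stand-ins for what the WordPress updater would fetch.

```python
import re

# Constructed contents of plugin main files, in WordPress's file-header format.
PLUGIN_FILES = {
    "example-forms/example-forms.php": "<?php\n/*\nPlugin Name: Example Forms\nVersion: 1.4.2\n*/\n",
    "example-seo/example-seo.php": "<?php\n/**\n * Plugin Name: Example SEO\n * Version: 3.0.1\n */\n",
    "broken/broken.php": "<?php\n// constructed plugin with no header at all\n",
}

# Constructed "latest available" versions (placeholder for updater data).
LATEST = {"example-forms/example-forms.php": "1.5.0", "example-seo/example-seo.php": "3.0.1"}

# Same pattern shape WordPress uses: optional comment punctuation, then "Version:".
HEADER_RE = re.compile(r'^[ \t/*#@]*Version:\s*(\S+)', re.M)

def installed_version(source):
    m = HEADER_RE.search(source)
    return m.group(1) if m else None

def version_tuple(v):
    # "1.4.2" -> (1, 4, 2); non-numeric parts count as 0 so comparison never crashes.
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def outdated_plugins(files, latest):
    """Return {slug: (installed, latest)} for plugins behind the latest known version;
    a plugin whose header cannot be read is reported with installed=None."""
    report = {}
    for slug, src in files.items():
        cur = installed_version(src)
        new = latest.get(slug)
        if cur is None:
            report[slug] = (None, new)
        elif new and version_tuple(new) > version_tuple(cur):
            report[slug] = (cur, new)
    return report
```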

As a bonus tip, each time you run an update, you’ll also want to run a backup of your site. This way, if an update goes wrong and causes your site to crash, you’ll have a very recent version of the site to restore to.

You can use WorpDrive for this. This WordPress backup system is designed specifically to be independent of your web hosting and to rely on its own infrastructure.

So if you want WordPress backup that’s ultra-reliable and works every time, choose WorpDrive.


Most owners of WordPress websites are guilty of making at least one of the mistakes covered above, and the result is that their blogs and sites are much more exposed to attack.

Fortunately, you don’t have to make the same mistakes, and now you know how to avoid them.
