WordPress is well known for being one of the most user-friendly blogging and website platforms available. That is why it has grown to run over a quarter of the internet today.
But the flip side of WordPress’s immense popularity is that it is also a prime target for cyber criminals and hackers.
Most people who run a WordPress site or blog understand the importance of securing it against hackers, but they nonetheless take no action to improve their security until after they have actually been hacked and suffered the consequences.
Clearly, the best strategy is to act before an attack happens. And since the average website is targeted by some sort of hacking method at least eight thousand times per year, you can’t tell yourself that you won’t ever be hacked at some point in the future.
In this article, we will discuss some of the most common WordPress security mistakes that most WordPress owners are guilty of making, and how you can avoid each of them:
1 – You Have A Weak or Default Username
Many site owners fully understand the importance of setting a strong password consisting of a variety of letters, numbers, and special characters. You may even have taken this a step further by using a password manager to store your passwords and change them regularly, or by requiring two-factor authentication to log in to your site.
But something else you won’t want to neglect is your username. Remember, hackers don’t just have to crack the password to break into your site; they have to figure out your username too.
This means that if you’re using the default username ‘admin,’ you’re making a major mistake.
Once the username is known, an attacker can run a brute-force attack that tries several hundred if not thousands of password combinations every minute until one of them works.
So, if you haven’t deleted and replaced your admin username yet, it’s time to do so.
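Attempts at that rate leave an obvious trace in the web server log. The following is an added example, not code from the original article: a small script that counts POST requests to wp-login.php and xmlrpc.php per client address and minute in an Apache-style access log and reports any burst over a threshold. The log lines are constructed, and the default threshold of 5 per minute is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): flag brute-force login bursts
# in an Apache "combined" access log. Sample log lines below are constructed.
set -eu

# Usage: login_bursts LOGFILE [THRESHOLD]; prints "ip minute count" per burst.
login_bursts() {
    awk -v max="${2:-5}" '
        # fields: ip - - [dd/Mon/yyyy:HH:MM:SS zone] "METHOD /path HTTP/x" status
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) {
            minute = substr($4, 2, 17)        # dd/Mon/yyyy:HH:MM
            hits[$1 " " minute]++
        }
        END {
            for (k in hits) if (hits[k] > max) print k, hits[k]
        }' "$1" | sort
}

# Constructed sample: 203.0.113.5 posts to the login form 7 times in one
# minute; 198.51.100.9 makes two login-related POSTs and one harmless GET.
sample_log() {
    f=$(mktemp)
    s=0
    while [ "$s" -lt 35 ]; do
        printf '203.0.113.5 - - [10/Mar/2024:12:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 2311\n' "$s" >> "$f"
        s=$((s + 5))
    done
    cat >> "$f" <<'EOF'
198.51.100.9 - - [10/Mar/2024:12:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 2311
198.51.100.9 - - [10/Mar/2024:12:00:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
198.51.100.9 - - [10/Mar/2024:12:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2311
EOF
    echo "$f"
}

# Run against the constructed sample; point it at your real access log instead.
login_bursts "$(sample_log)"
```

Addresses reported here are candidates for rate limiting or a login lockout, which plugins such as the one mentioned later in this article can enforce automatically.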
How To Rename Your Admin Username
To rename your ‘admin’ username, ensure you have a recent, valid backup of your WordPress site first, and then follow these steps:
- Head To ‘Users > Add New’
- Select ‘Create New User’
- Set Role To Administrator
- Log In With The New Username
- Go to ‘Users’
- Delete ‘Admin’
Before you perform these steps, we highly recommend that you read this blog article here.
2 – You Keep Unused Themes and Plugins
Get rid of any themes or plugins on your WordPress site that you are not using, and by ‘getting rid of,’ I mean delete them, not just deactivate them.
This is because every unused theme or plugin is another component you still have to keep updated: its files remain on the server even when it is deactivated, and failing to update it leaves an exploitable vulnerability on your site.
The good news is that fully deleting unused themes and plugins is incredibly easy: you just have to go to the ‘Plugins’ and ‘Themes’ sections of your administrator dashboard and delete them.
While you’re at it, you would be wise to get rid of anything else you’re not using as well, such as spam comments, unused categories, unused tags, and draft posts that you likely won’t publish in the future.
3 – You Fail To Update and Back Up Your WordPress Site
Here’s a fun fact: 80% of websites that are hacked are hacked because they weren’t updated.
WordPress developers release a new version whenever security vulnerabilities are discovered, and the vulnerabilities that were fixed are usually listed when the new version is released.
Now why is this a problem?
That’s right: hackers now have a full list of every major vulnerability in any WordPress website that has yet to be updated, including your own if you don’t update it. In fact, you are more likely to be hacked because you didn’t update your website than because of a weak username or password.
And not only will you want to update your WordPress core, you’ll want to update your themes, plugins, and other add-ons as well.
But there’s more good news here:
Updating your WordPress site is easier and more convenient than you may think.
Whenever an update to the WordPress core or to a theme, plugin, or add-on becomes available, you’ll see a notification in the dashboard (the circle icon with two arrows).
Click this icon to select the updates you want to apply manually. You’ll also be notified each time an update is completed. Alternatively, a security plugin such as Shield Security can handle automatic updates for you, so you don’t have to do most of the work yourself.
As a bonus tip, take a backup of your site before each update you run. This way, if an update goes wrong and breaks your site, you’ll have a very recent version of the site to restore.
You can use WorpDrive for this. This WordPress backup system is designed specifically to be independent of your web host and to rely on its own infrastructure.
So if you want WordPress backups that are ultra-reliable and work every time, choose WorpDrive.
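The three fixes above (replacing the ‘admin’ account, deleting inactive themes and plugins, and updating after a backup) can also be done from the command line. The script below is an added example, not code from the original article or from any plugin it mentions; it assumes WP-CLI is installed as ‘wp’, that it runs from the WordPress root, and that the new administrator’s password is supplied in the NEW_ADMIN_PASS environment variable.

```shell
#!/bin/sh
# Added example, not from the original article: the three fixes above as a
# WP-CLI script. Assumes WP-CLI is installed as "wp", the script runs from the
# WordPress root, and the new admin's password is in NEW_ADMIN_PASS so it
# never appears on the command line or in shell history.
set -eu
# Bonus tip: export the database before changing anything.
backup_db() {
    file="backup-$(date +%Y%m%d-%H%M%S).sql"
    wp db export "$file" >/dev/null
    echo "$file"
}

# Mistake 1: create the replacement administrator, then delete 'admin' and
# reassign its posts to the new account. Prints the new user's ID.
rename_admin() {
    if ! wp user get admin --field=ID >/dev/null 2>&1; then
        echo "no 'admin' user present, nothing to do" >&2
        return 0
    fi
    new_id=$(wp user create "$1" "$2" --role=administrator \
        --user_pass="${NEW_ADMIN_PASS:?set NEW_ADMIN_PASS first}" --porcelain)
    wp user delete admin --reassign="$new_id" --yes >/dev/null
    echo "$new_id"
}

# Mistake 2: delete, not merely deactivate, inactive plugins and themes.
# WP-CLI lists the parent of an active child theme as 'parent', not
# 'inactive', so it is not touched here.
purge_inactive() {
    names=$(wp plugin list --status=inactive --field=name)
    [ -n "$names" ] && wp plugin delete $names >/dev/null
    names=$(wp theme list --status=inactive --field=name)
    [ -n "$names" ] && wp theme delete $names >/dev/null
    return 0
}

# Mistake 3: update core (and its database schema), then plugins and themes.
update_everything() {
    wp core update >/dev/null
    wp core update-db >/dev/null
    wp plugin update --all >/dev/null
    wp theme update --all >/dev/null
}

# Usage: NEW_ADMIN_PASS=... ./harden.sh <new-login> <new-email>
if [ "$#" -ge 2 ]; then
    backup_db && rename_admin "$1" "$2" && purge_inactive && update_everything
fi
```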
Most owners of WordPress websites are guilty of making at least one of the mistakes covered above, and the result is that their blogs and sites are far more exposed to attack.
Fortunately, you don’t have to make the same mistakes, and now you also know how to avoid them as well.
Follow Up on Previous Review
Great Job! I was very critical about the lack of clear notes in the change log in my first review. I’m happy to say that crystal clear, point by point updates have been logged fully for more than a month now. Could not be happier with a security plugin! Definitely…
Excellent, thank you very much 🙂
Amazing plugin, amazing support
We have investigated a ton of plugins and we have chosen this one because of Audit Trails. We have been in contact with their support which is super fast and on top! I strongly recommend this plugin!
Great plugin and team
Use it for a number of sites. Do not have any security issues nor problems with plugin itself. Tech support is great, documentation is also made clear. Developers really work on the user interface as well, improving its comfort and usability. Quite happy with it! Great job!