Skip to main content
(02) 4948 8139 0421 647 317

10 Common WordPress Security Mistakes

In a follow up to our blog published last month, ‘WordPress Version 5.5 – The Importance of Auto-Updates’, we now take a look at 10 common WordPress security mistakes that website owners often make.

Often important security decisions are simply overlooked or forgotten about, so it’s always a good idea to revisit your WordPress site and check on its current security position.

1: Not updating core software, themes or plugins.

Practice good habits in maintaining the WordPress installation. We recommend updating your plugins, themes, and core software as soon as a security patch is released. You should regularly login to check the status of your site, and also consider using the new aut0-updates option, as detailed in our blog last month, although you should consider which updates to automate and which to prevent happening in case there could be an impact on your site.

2: Using weak passwords.

Passwords should consist of more than 10 characters, with at least one number, one symbol, and one uppercase character. You can generate complex passwords within WordPress and possibly change these on a regular basis.

3: Reusing passwords.

WordPress users often use the same password for their hosting account, WordPress website, and FTP account. Of course, if one account gets compromised, all the accounts get compromised.

4: Using “admin” as your WordPress administrative username.

The simplest way to change your default administrative username is by going directly to the database using phpMyAdmin from the hosting account, or similar database management tool, and updating the username in the *_users table.

5: Poor user access management.

User registrations and the default roles assigned to those users can lead to compromise when done haphazardly. We recommend considering the following practices:

  • Grant users minimal access.
  • Disable user registration unless it is required
  • Enforce strong passwords.
  • Require 2-factor authentication for administrators and publishers.

6: Changing the WordPress login URL.

WordPress login URLs can easily be detected and bypassed by most attackers. Therefore, changing it is not the best technique to limit login attempts and potential attacks. Instead of changing the login URL, we recommend:

  • Enabling brute force protections.
  • Using strong passwords.
  • Adding .htpasswd protection to the wp-admin area
  • Using two-factor authentication.

7: Not using SSL/TLS certificates on your WordPress site.

They are vital to protect the confidentiality of the data in transit from your site visitors’ browsers to your webserver. (They also have an impact on the site’s search rankings as Google favours sites using SSL).

8: Insecure hosting choices

Poor hosting choices can have detrimental security consequences on your WordPress site.

9: Using nulled themes or plugins.

“Nulled” offering sites often look illegitimate and offer premium plugins and themes as “free,” “nulled” or “unlocked.” “Nulled” themes and plugins almost universally contain malicious code that will infect your site, and any other sites hosted in the same account, as soon as they are installed. So, always source your plugins and themes from the original developers, a reputable marketplace, or the directory.

10: Not using a Web Application Firewall.

Using a firewall as an extra level of security – such as from Wordfence, MalCare or other providers – is important because it blocks malicious attacks, like an attacker attempting to exploit a vulnerable plugin, and ultimately protect the site from getting compromised.


Important security decisions can easily be overlooked or forgotten about, so it’s always a good idea to have a security plan and schedule for your site, to create regular backups, and to revisit your WordPress site and check on its current security status.

If you want more information about this issue, or how we can help the management of your WordPress site, please get in touch.