5 WordPress Security Mistakes that Make you Vulnerable to Hackers


You would cry too if it happened to you.

No, I’m not talking about getting dumped on your birthday. I’m talking about getting hacked.

Getting hacked sucks.

But it happens. Especially if you don’t take the proper precautions to protect your website.

The biggest problem with WordPress security is that users put themselves at risk without knowing. Seemingly innocent habits could be making you vulnerable to hackers.

Fortunately, keeping WordPress secure is not actually that difficult. It just requires a few basic tweaks to your current setup.

Today I’m sharing 5 big WordPress security mistakes you didn’t know you were making. But don’t worry, I’ve also got 5 quick fixes you can do today to lock down your site.

Make them today to keep hackers at bay. Too cheesy?

1. Using “admin” as your username

Early versions of WordPress created a default user named admin. This meant that nearly every WordPress site on the planet had an admin user. Unless you manually deleted it, it was there.

This created WordPress security issues because it made it easy to break into your site. If a hacker wanted to break in, all he had to do was try the admin username with a bunch of password combinations. This process can be automated to try hundreds of passwords per minute until it finds a combo that works. Or until your server crashes. This is called a brute force attack.

WordPress has gotten smarter over the years, and it no longer forces users to create admin. Now you can name your primary user anything you want. But there are tons of WordPress sites created before this change took place, so it’s still the first username hackers will try.

If you still have a user named admin on your WordPress site, it’s time to get rid of it.

WordPress Security Fix #1: Delete the admin user

This is quite simple:

  1. Go to Users > Add New and create a new user. Set the role to administrator.
  2. Log in with that new user.
  3. Go to Users and delete admin.

WordPress will ask if you want to delete that user’s content or re-assign it to a different user. Choose to reassign all content to your new user to avoid losing anything during this process.

WordPress Security Fix #2: Rename the admin user

You can also rename the admin with the Admin Renamer Extended plugin. Here’s how:

  1. Install and activate the Admin Renamer Extended plugin
  2. Go to Plugins > Admin Renamer Extended
  3. Type your new username into the text box and click Update

That’s it! Just three steps.

You might have to log back in to the site with your new username, but it still couldn’t be any easier.

Bonus Tip: The more obscure, the better

For added WordPress security, avoid all obvious usernames. Things like webmaster, the name of your site, and your own name can be easily guessed. The majority of the failed logins on this site try the username admin. Yet, there have also been attempts with usernames like amandaschoedel and amandaschoedel.com. Luckily, none of those usernames exist here.

2. Using weak passwords

We all know that weak passwords are a security threat. And yet, for whatever reason, we all keep using them. We know we shouldn’t, but we can’t help ourselves.

It’s time to stop.

I get it, you love your dog. And I know, it’s so much easier to remember just one login for all your accounts. But if the password for your email, your bank account, AND your website is “Fido,” you’re doing it wrong.


Using strong passwords is one of the easiest ways to keep your website secure. And it’s not difficult to do.

WordPress has a password generator built in that will create a strong password for you. All you have to do is click a button.

WordPress Security Fix: Update your password

  1. In your WordPress dashboard, click on Users
  2. Click on your username
  3. Scroll down to the section called Account Management
  4. Click the button that says Generate Password
  5. Copy down that password somewhere safe!
  6. Scroll to the bottom of the page and click Update Profile

It’s so easy!

If you insist on creating your own password, WordPress suggests avoiding the following:

  • Variations of your name, username, business name, or your website name
  • Dictionary words
  • Short passwords
  • Passwords that are numeric-only or alphabetic-only; a mixture of letters and numbers is best

Just remember, use this password for WordPress only.

Bonus Tip: Use LastPass to remember your passwords

If you have a hard time keeping track of your passwords, look into LastPass. It’s a password manager that remembers all your passwords so you don’t have to. The best part? The base package is FREE.

3. Not performing updates

You should always, always, ALWAYS stay on top of WordPress updates. Not just updates to the WordPress core. Plugin and theme updates are important too.

Updates are released to fix existing bugs and WordPress security issues. Performing updates as they’re released keeps your site protected.

You’re more likely to get hacked from outdated software than a weak username or password. Ignoring updates is like asking for trouble.

If you’re not already performing regular updates, why not? Is it because you’re afraid of breaking your website?

Don’t be!

Yes, sometimes WordPress updates can break your design or cause a plugin to stop working. That’s why we make backups. Backups protect us from major update catastrophes. I’ll let you in on a little secret, though: 99% of the time updates happen without a glitch.

WordPress Security Fix: Update often

WordPress makes managing updates simple. Any time a plugin, theme, or core update is available, you’ll get a notification in your toolbar. It’s the one that looks like a circle with two arrows.

The number next to it tells you how many updates are pending.

Here’s what to do when you see an update notification:

  1. Make a backup of your website. If you have automatic WordPress backups scheduled, this step is already done for you.
  2. Click on the update icon to go to the updates page.
  3. Select the updates that you want to perform. WordPress will do the rest of the heavy lifting. Look for a success message to know that your update completed.

Bonus Tip: Automatic WordPress updates for the win

Once again, WordPress makes our lives easier. A couple of years back WordPress introduced automatic background updates. When possible, WordPress core updates will happen automatically. Your website will even send you an email to let you know that it happened.

There’s an up side and a down side to this.

The down side: Automatic updates are only enabled for minor updates. You’ll still have to complete major core updates, as well as plugin and theme updates, by hand.

The up side: Minor core updates are the ones that fix WordPress security issues. Major core updates are for feature releases. So, you’re covered where it counts most.
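If you want to change that default, WordPress exposes it through filters. The snippet below is an added example, not code from WordPress or this post: a small must-use plugin (dropped into wp-content/mu-plugins/, where WordPress loads it without activation) that lets major core releases install in the background and auto-updates only an allow list of plugins, so everything else still waits for your backup-then-update routine. The function name and the plugin slugs in the allow list are assumptions you would replace with your own.

```php
<?php
/**
 * Plugin Name: Auto-Update Policy (added example, not part of WordPress core)
 * Install: save as wp-content/mu-plugins/auto-update-policy.php
 */

// Core: by default WordPress only applies minor (security/maintenance)
// releases in the background. This filter lets major releases through too.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins: auto-update only the slugs on this list. Anything else keeps
// WordPress's default decision and shows up under Dashboard > Updates.
function example_plugin_autoupdate_allowlist( $update, $item ) {
    $trusted = array( 'wordfence', 'akismet' ); // assumed slugs; edit to taste

    if ( isset( $item->slug ) && in_array( $item->slug, $trusted, true ) ) {
        return true;
    }

    return $update; // leave the rest alone (usually "manual")
}
add_filter( 'auto_update_plugin', 'example_plugin_autoupdate_allowlist', 10, 2 );

// Themes: keep these manual so a background update can't change the design.
add_filter( 'auto_update_theme', '__return_false' );
```

You will still get the same email notice for background updates, so the backup-first advice above applies just as much to anything you allow here.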

4. Keeping unused plugins, themes, and user accounts

Remember that Admin Renamer Extended plugin I told you about earlier? Delete it when you’re done. Don’t just deactivate it. Delete it.

Unless you’re using a plugin, theme, or user account, get rid of it. Unnecessary bloat doesn’t just affect your site performance; it also affects your security.

Every extra user account is another portal for brute force hackers.

Every extra plugin is another plugin that you have to update.

Every extra theme is…you get the idea.

It’s always best to keep your website as slim and trim as it can be.

WordPress Security Fix: If you don’t need it, delete it

This one’s pretty self-explanatory, right?

  1. Go through your Users. Delete any accounts you’re no longer using. Just remember to assign that user’s content to a different user so it doesn’t get deleted.
  2. Take a look at your Plugins. Are any of them deactivated? Delete those.
  3. While you’re at it, head over to Appearance > Themes. Be ruthless.

Bonus Tip: Perform a full spring cleaning

If you find yourself enjoying the cleanup, take it a step further. This won’t help harden your website, but it will keep your site tidy and running smoothly. Plus, a little decluttering is always a good idea.

  1. Delete any draft Posts that you have no intention of publishing.
  2. Get rid of unused or irrelevant Pages.
  3. Delete old post and page revisions. This can seriously reduce the size of your database.
  4. Get rid of unused Categories and Tags.
  5. Delete spam comments.
  6. Clean up your Media Library. Delete duplicate images and images that aren’t attached to a post or page.
  7. Check for broken links.

5. Not installing a security plugin

Even with the above security measures in place, stuff can still happen. That’s why it’s nice to have a WordPress security plugin in place.

A good security plugin can provide extra preventative measures to keep your site secure. It can also monitor your website and alert you when things go wrong.

Remember that: prevention and monitoring. Those are the two most important words in WordPress security.

But Amanda, there are so many WordPress security plugins! How do I know which one to choose?

Don’t worry, I’ve got you covered…

WordPress Security Fix: Install the Wordfence plugin.

I’ve mentioned before that I have two favorite security plugins. (The other is Sucuri.) But Wordfence might be my most favorite.

Wordfence has been downloaded 1 million times (literally) and has a rating of 4.9 stars. It’s safe to say that this is a good one.

Wordfence has a few great security features to keep your site on lockdown:

  • Scanning — Wordfence makes monitoring easy. It scans for known vulnerabilities and file changes that could mean you were hacked. It alerts you if it finds anything fishy.
  • Limit Logins — This is one of its best features. You can automatically block a user’s IP after too many failed login attempts. This helps prevent brute force attacks.
  • Update Notices — Wordfence notifies you by email when your website has pending updates. There’s no reason not to be on top of updates when you have this kind of heads up.

Bonus Tip: Keep an eye out

Word of advice: don’t just install it and walk away.

WordPress security plugins help keep your site safe, but they can’t do everything for you.

Whatever plugin you choose, take time to read the documentation and configure the settings. This will ensure that you’re getting the most out of it.

After it’s set up, it’s up to you to heed alerts when they come in. Security monitoring and update alerts do you no good if you let the notifications pile up in your inbox. This might seem obvious, but make sure you read them.

At the end of the day, it’s your job to be a savvy website owner.

Do you have any other tricks for keeping WordPress secure? Share them with me below!

Comments

  1. April 7, 2016 at 12:28 pm

    Excellent suggestions! You mention backups in passing, but I think it’s really important to have a plugin that creates backups automatically, on a regularly scheduled basis. This way you’re prepared for the worst.

  2. April 8, 2016 at 10:25 am

    I completely agree, Laura! I covered backups in a post a few weeks ago, but I should have emphasized that more in this one. Backups are EVERYTHING.

    Thanks for stopping by and sharing your thoughts. 🙂

  3. Max Hall
    May 4, 2016 at 10:11 am

    I will update my WordPress website immediately. I always use strong passwords for my users and will definitely try the Wordfence plugin on my website.

    Thanks for these nice tips.