[Mistakes #10] Five Common WordPress Security Mistakes … and How to Fix Them

Ali Luke

This is the tenth post in our Mistakes series, a guest piece from freelance writer and blogger Raspal Seni. (You’ll find his bio at the bottom of the post.) 

You just created a new WordPress blog, and are excited to publish posts. Or, you’ve had a WordPress blog for a while, but don’t know how to secure it.

Below, I talk about 5 common security mistakes bloggers make when installing and using WordPress. Check to see whether you make any of these mistakes, and fix them if you do.

Mistake #1: Not Using Strong Passwords

Creating strong passwords is the first step in making any program secure, and WordPress is no exception. If you use easily guessable passwords or the same password for everything (e-mail, forums, bank accounts, online registrations and even WordPress), your WordPress installation will be vulnerable to attack.

Fix it: Starting with version 3.7, WordPress has a smarter password strength meter. Use it to make a stronger password. You can’t remember many passwords, so use a password program like LastPass to remember them for you. It’s free, and I’ve used it for many years.


Mistake #2: Not Updating WordPress, Themes and Plugins

Do you update your WordPress installation, themes and plugins regularly? If you have old versions of these, you risk your blog getting hacked. These programs are updated regularly to fix any security holes (in addition to adding new features and fixing other issues they may have). If you don’t already update your WordPress, themes and plugins, you should do it regularly, preferably once a week.

Fix it: Log in to your WordPress Dashboard as an administrative user and update your WordPress installation if you see a message telling you to do so. On the same updates page, you can also see if your theme and plugins have updates available. If they do, update them too. It just takes a few clicks.

You can also have WordPress update itself automatically, either by editing the WordPress installation details in Softaculous or by editing your wp-config.php. More information here.
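To see what a given wp-config.php currently asks for, the following added example (not part of the original post) reads the file's text and reports the core auto-update policy. It relies on the `WP_AUTO_UPDATE_CORE` and `AUTOMATIC_UPDATER_DISABLED` constants that WordPress documents for wp-config.php; the function names and the sample configuration are constructed for illustration.

```python
import re

# Matches an active define( 'NAME', value ); line; a line starting with // or #
# does not match because only whitespace may precede "define".
DEFINE_RE = re.compile(
    r"""^\s*define\s*\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""", re.MULTILINE)

POLICIES = {
    "true": "all core releases (major and minor) update automatically",
    "minor": "only minor core releases update automatically",
    "false": "automatic core updates are disabled",
}

def read_defines(config_text):
    """Return {constant: value} with quotes stripped and case folded."""
    text = re.sub(r"/\*.*?\*/", "", config_text, flags=re.DOTALL)  # drop block comments
    return {m.group(1): m.group(2).strip("'\"").lower()
            for m in DEFINE_RE.finditer(text)}

def core_update_policy(config_text):
    """Describe what the auto-update constants in wp-config.php ask for."""
    defines = read_defines(config_text)
    if defines.get("AUTOMATIC_UPDATER_DISABLED") == "true":
        return "all automatic updates are disabled"
    value = defines.get("WP_AUTO_UPDATE_CORE")
    if value is None:
        return "WP_AUTO_UPDATE_CORE not set: WordPress's default applies"
    return POLICIES.get(value, f"unrecognised value: {value}")

# Constructed sample input, not a real site's configuration.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
// define( 'WP_AUTO_UPDATE_CORE', false );
define( 'WP_AUTO_UPDATE_CORE', true );
"""

if __name__ == "__main__":
    print(core_update_policy(SAMPLE_CONFIG))
```

Pass it the contents of your own wp-config.php, for example `core_update_policy(open("wp-config.php").read())`.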

Mistake #3: Having the ‘admin’ User and Publishing Posts by This User

By default, WordPress creates a user named admin (with the default password set to ‘pass’) if you don’t specify another username. Many lazy people don’t change this username and password when installing WordPress. So, if someone can log in as admin, they can do anything to your blog/website.

Create a username which people can’t easily guess. If I use a username such as raspal, anyone can easily guess it after a quick look at my blog.

A bigger mistake is to tell the world that you have a user with administrative privileges, named admin. How do you tell this? By publishing posts by this user. Instead, create another user to publish posts on your blog. Log in with the administrative user only when needed (for example, to install updates).

Fix it: If you have the user named admin, log in to your WordPress Dashboard with this user account. Then, create another administrative user, with a username which others can’t easily guess. Also provide a strong password for this new administrative user.

Next, log out from the Dashboard and log back in with this new administrative user. Now, create another user, but this time with editor privileges. This is the user you should use to publish posts.

Finally, remove the old administrative user named admin. When you remove this account, WordPress will give you an option to assign any posts published by this user to another user. Assign them to the user with editor privileges that you just created.

Mistake #4: Not Removing the Default META Widget From Your Blog’s Sidebar

By default, WordPress installs a few widgets into your blog’s sidebar. The META widget is one of them. It contains links to log in to and log out of your WordPress Dashboard. But it also makes a hacker’s task easy by providing the login link.


Fix it: Log in to your WordPress Dashboard with an administrative account. Click Appearance -> Widgets and delete the META widget from the primary sidebar.
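To confirm the fixes for mistakes #3 and #4 on your own blog, the following added example (not part of the original post) scans the HTML of a rendered page for posts attributed to admin and for the Meta widget. It assumes pretty permalinks, so author archives appear as `/author/<slug>/`, and the `widget_meta` class WordPress puts on the Meta widget; the class and function names and the sample pages are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class PageAudit(HTMLParser):
    """Collects author slugs and Meta-widget markers from rendered HTML."""
    def __init__(self):
        super().__init__()
        self.authors = set()
        self.meta_widget = False
        self.login_links = 0

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if "widget_meta" in (attr.get("class") or "").split():
            self.meta_widget = True          # class WordPress gives the Meta widget
        if tag != "a" or not attr.get("href"):
            return
        parts = [p for p in urlparse(attr["href"]).path.split("/") if p]
        if len(parts) >= 2 and parts[-2] == "author":
            self.authors.add(parts[-1])      # slug is derived from the username by default
        if parts and parts[-1] == "wp-login.php":
            self.login_links += 1

def audit_page(html, risky_names=("admin",)):
    """Return findings for mistakes #3 and #4 in one rendered page."""
    page = PageAudit()
    page.feed(html)
    findings = [f"#3: posts are published by '{name}'"
                for name in sorted(page.authors) if name.lower() in risky_names]
    if page.meta_widget:
        findings.append(
            f"#4: Meta widget in sidebar; {page.login_links} login link(s) on page")
    return findings

# Constructed sample pages (example.com), before and after the fixes.
BEFORE = """
<article><a rel="author" href="https://example.com/author/admin/">admin</a></article>
<aside id="meta-2" class="widget widget_meta"><ul>
<li><a href="https://example.com/wp-login.php">Log in</a></li></ul></aside>
"""
AFTER = """
<article><a rel="author" href="https://example.com/author/jane-writes/">Jane</a></article>
<aside id="search-2" class="widget widget_search"></aside>
"""

if __name__ == "__main__":
    for label, html in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_page(html))
```

An empty list means neither mistake is visible on that page; run it against the saved HTML of your home page and of a single post.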

Mistake #5: Not (Regularly) Backing up WordPress and Database

When was the last time you backed up your WordPress and database? Are you struggling to remember? You might think this doesn’t have much to do with WordPress security … but backing up regularly is included as one of the 4 best security practices in WordPress Security 101 at iThemes (which owns the WordPress plugins named Better WP Security and BackupBuddy).

You should also automate the backup process. If you back up manually, you will certainly forget to do it.

Fix it: Use one of the following tools to back up your WordPress installation. Two good, free tools to automate WordPress backups are Softaculous and the BackWPup plugin.


Have you seen any other common WordPress security mistakes? Let us know in the comments…

Raspal is a Freelance Writer and Blogger at RaspalWrites, where he has just published a follow-up post to this, 5 Additional WordPress Security Mistakes to Avoid. He enjoys helping people, is interested in technical content writing and blogging, and is available for hire. You can follow Raspal’s personal and business ramblings at @raspalwrites.



19 Responses to “[Mistakes #10] Five Common WordPress Security Mistakes … and How to Fix Them”

  • Phamtriu

    Good stuff here. The only one I hadn’t done was using strong password, and I’m going to take care of that one, as I never thought about it.

  • Ryan


    Can you tell me how we can avoid DDoS attacks on WordPress blogs? I have an issue with it. The end result of it is very high CPU usage on the hosting server.

    Your help will be much appreciated.


  • Nancy Reagan

    This is a great blog. I really like your blog. Thank you for your nice & helpful post.

  • Hadi Nugraha

    I just realized this after you mentioned Mistake #3. I must check one of my WordPress sites to make sure I do not go this wrong way.

  • alexran

    Nice review Ali Luke. I tell you, I’m loving your blog more each day. I definitely will be featuring you in a blog post very soon.

  • Raspal Seni

    @Shamir: Not updating is so common a mistake, that’s why WordPress implemented the automatic updates. But updating major versions is not automated. You can automate them too if you so wish, as well as automate updating plugins and themes, from within wp-config. How to do this is given in the link I mentioned in point #2. Not stupidity, but ignorance and laziness, or as Enstine said – just negligence – I’d say are the common factors for this mistake.

    @DK: Good tips and findings. Unfortunately, you don’t have control on what other users on your shared webhosting account do. If they don’t update their WordPress, you can’t do anything about it. Haven’t heard much about OptimizePress other than that they follow me on Twitter. I use the WP Optimize instead, to optimize the databases.

    The BackWPup backup plugin I mentioned above also has an option to optimize the database after a backup. I’d never use a plugin which is at version 1.0. Also, check before using any plugin/theme about the rating and how they answer support questions, what others are saying about it, any reviews about it. I check these things before using a plugin/theme, or I test them on my test/development blogs which is at a free webhost. Not connected to any of my blogs/websites.

    About leaving the default WordPress theme like TwentyFourteen, I’d suggest leave it there but update it regularly. I’ve read cases where another theme had a problem and there was no default theme, which created a problem.

    I use Better WP Security and have used Wordfence in the past. BPS is good too and its author is very helpful and active on the WP.org forums. Thanks for mentioning these.

    Thanks again for posting your findings and suggestions.

    @dhananjai: I can’t tell you exactly what the problem could be without looking at a screenshot of the problem. You can contact me via Twitter @raspalwrites or via the contact form/e-mail at my blog, given in my byline above, if you wish to discuss the problem in detail.

    @john: Yes, backup is something you should do regularly. I, like most others, learnt it the hard way.

    @Pinar: Thanks for visiting and surely go ahead and use Lastpass without a second thought. It’s very nice. Just be a little careful not to use the automated login it offers. Some sites are wary that it may pass on the login info to a different page on the same site too. Just don’t enable that option whenever saving a password/site in LastPass, and don’t worry.

    @Beldeus: I added one of those points in my followup post at my own blog. 🙂 Thanks for reminding the others, which I didn’t include. Editing .htaccess related to file/folder permissions may confuse some people so I didn’t include anything about it in either of the posts.

    @Prashant: Yes, if we fix these simple security mistakes, your WordPress is more secure than most other installations.

  • Prashant @ BlogHomie

    Thanks for the tips, these are the most simple ones which we tend to forget

  • Beldeus

    I would add other points.

    – Change the default wp- database fields.
    – Edit .htaccess file to protect the blog/website.
    – Delete inactive plugins.

  • Pinar Tarhan

    I appreciate all the tips, but the one I needed the most is LastPass! I hate having to create complicated passwords for everything and then having to remember them!


  • John

    I think I should update and take backup on a regular basis. In fact, that’s what I am missing here.

  • dhananjai kardam

    My WordPress is not showing published posts in visual mode; it shows only code. How can I repair or improve it to get my older mode for editing my published posts?

  • Foto ABG Ngentot

    I think mistake #2 is kinda stupid, because there’s no reason for the admin to not upgrade to the latest version of WordPress

  • Deepak Singh

    Good stuff here. The only one I hadn’t done was using strong password, and I’m going to take care of that one, as I never thought about it.

  • DK

    A good list of the common mistakes. A couple of days back I faced a situation where there were some unwanted ads being displayed on my blog and that was something I did not install. When I inspected it I found that there was a lot of unwanted code that had been injected into the WordPress theme files and other main files.
    On further inspection I found out the following 3 things which were the reasons for this –
    1). Not updating the other wordpress installation, plugins and themes that are being run from the same hosting account if you are using a shared hosting.
    2). Optimizepress 1.0 is known to have a security issue and they have released an update to it. This doesn’t update in the normal updates from your wordpress dashboard. You might want to update it manually, if you haven’t done it yet.
    3). Not Cleaning and optimizing your database periodically
    4). Leaving the default themes like twentyeleven etc. as it is and not updating them. This primarily happens if you are using a different theme and these default themes just remain there.
    5). Not uninstalling plugins that haven’t been updated for a long time by its creators. These are prone to attacks.

    A couple of solutions that I found were installing a plugin like Wordfence, Bullet Proof Security or Better WP Security.

  • Marcus Romney

    Excellent tips. Have had issues in the past with wordpress security so will definitely be handy going forward. Thanks!

  • Enstine Muki

    These things are even so simple to do, Ali. Sometimes it’s just negligence and this can lead to bigger complications

  • Shamir Islam

    I think mistake #2 is kinda stupid, because there’s no reason for the admin to not upgrade to the latest version of WordPress, especially since WordPress 3.8 is now so much cooler.

  • Tammy Dillard

    Hi Ali, glad I got this reminder. I have a question: are spam comments harmful for security purposes in WordPress? I’ll have to figure out something to correct this.

  • Scott Bradshaw

    Thanks a bunch. Mistake #4, the META widget was sitting right there in the Sidebar, right where you said it would be. Not anymore! I had no idea. Again, Thanks!!
