10 Worst WordPress Security Mistakes That Expose Your Site to Cyberattacks

WordPress is the top-rated CMS platform globally, powering over 34% of all websites on the internet. So, no wonder WordPress websites are the center of attraction for hackers and fraudsters.
WordPress is the top-rated CMS platform globally, powering over 34% of all websites on the internet. So, no wonder WordPress websites are the center of attraction for hackers and fraudsters.

Table of Contents

Table of Contents

WordPress is the top-rated CMS platform globally, powering over 34% of all websites on the internet. So, no wonder WordPress websites are the center of attraction for hackers and fraudsters.

To protect your business website and fend off any potential security threats, you must take WordPress security very seriously.

Websites compromised by bots, hackers, spammers, or injected with malware are a nightmare to restore and can cost you a ton of money. So, the focus should be on protection and prevention to keep your website safe from hackers.

Unfortunately, many website owners commit WordPress mistakes that leave their website exposed and vulnerable to cyber-attacks.

In this article, we’ll go over the top 10 critical WordPress security mistakes and their fixes as well as ways to minimize these vulnerabilities.

1. Unsecure web hosting solution

Poor hosting choices can harm your WordPress site security. Often, business owners select a web host based solely on the cost factor. Little do they realize that choosing a low-cost web host may, in turn, create a vast security issue and put their website at risk.

Though the majority of the shared hosting environments are safe, many times there is an improper separation of user accounts. This is a considerable risk when one compromised account can affect all other websites on the server.


  • Ensure that proper separation of accounts is done by your web host and your website is secluded in shared hosting environs.
  • Remove all older sites which are non-functional and ensure that if one site is compromised, your website is unaffected.
  • Ensure that your web host has provided access logging for checking intrusions as safety precautions.
  • Check whether your web host offers an SSL/TLS certificate for securing your website.
  • Go for a web host who provides a dedicated IP address for the safety and security of your website.

One of the safest solutions is using cloud VPS hosting. It provides ample security features and a safe environment with additional backups, updates, and safeguard configurations.

what is cloud hosting

Quality managed WordPress services, like the one offered by StableWP, include hosting on super-fast cloud-based VPS servers that not only increase your website security but also improve your speed and performance.

Be sure to invest in secure hosting to avoid security breaches in the future.

The Ultimate Guide to Hiring a Web Developer

In-house, freelancer or agency. Download the guide to make the right decision for your web development project by following 3 key criteria.


2. Not backing your WordPress website

Though backups and security are not interrelated, a backup of a WordPress site taken before an attack by malware or ransomware can save your data (and life!).

Ransomware attacks are performed to make money, and hence these attacks deem your website inaccessible and leave it in a compromised state. Hackers may demand ransom to retrieve your site and give you access, but a proper detailed backup can save you time and money.

website backup


  • Schedule backups every week and go for a detailed backup on a fortnightly basis.
  • Set the backup mode to Auto for automatic backups.
  • Use reliable WordPress backup plugins like BackupBuddy, VaultPress and UpdraftPlus.


3. Use of insecure login practices

The login page is the main door of your website, and it should be locked to keep intruders away. But many cyber thieves try to force themselves to reach the website by crashing these doors.

Hence it is vital to harden the security of your login page to prevent unauthorized personnel from entering the admin area.

Few important login page security mechanisms include:

  • Avoid using admin as a username. Rename the admin by installing and activating the Admin Renamer Extended plugin which is a good option.
  • Limit the login attempts by enabling brute force protection. The path is Firewall > Options > Brute Force Protection.
  • Use strong and complex passwords with the help of a password manager.
  • Use two-factor authentication for an additional layer of security. If the hacker compromises one security layer, they still must pass another layer before reaching their target page.
  • Shift the login page to another location by using the Move Login plugin for additional security.
  • Limit login entries of IP addresses and install a WAF (Website Application Firewall).

how Website Application Firewall works


4. Not having an SSL/TLS certificate on your WordPress website

Many business owners feel that firewalls and anti-virus software give enough protection to their website. Some think that since monetary transactions are not required on their site, there is no need for SSL security. Under this myth, they seem to ignore or forget the significance of the SSL (Secure Socket Layer) certificate which provides robust 256-bit encryption security to your website.

Hackers can easily compromise any unencrypted sensitive information. This not only puts your visitors at risk of their credentials being stolen, but your site could also be compromised.

connection is not secure

Not having an SSL security measure is a big loophole in WordPress site security. This paves the way for hackers to access websites easily.


  • Many hosting providers offer a free SSL certificate (Let’s Encrypt) for your website security. Make sure to install one to secure your site. If you’re not sure how to do it yourself, reach out to us and we will be happy to help.
  • You can also purchase a low-cost SSL certificate from SSL providers, like GlobalSign, DigiCert, Sectigo, ClickSSL, that sell multiple brands of SSL certificates at enticing rates.

Key benefits of SSL certificate:

  • Encryption of confidential information (especially important for e-commerce)
  • Trust indicator
  • A rise in SEO rankings

Once an SSL certificate is installed, it encrypts username and passwords too, which secures your login area, making hacker entry near-impossible.

Sites that have an SSL certificate feature a padlock in the address bar, and HTTPS in the URL as security symbols. This improves credibility and trustworthiness which are both essential for businesses looking to sell products or generate leads online.

https with padlock


5. Use of vulnerable WordPress plugins and themes

A significant blunder is to use unprotected or poorly coded themes and plugins. Apart from decelerating the site performance, they dig a passage for the entry of malicious software too.

Not keeping your plugins and themes in check can be a big WordPress mistake and security risk.

how hacked wordpress websites were compromised

The above chart clearly shows that plugin vulnerabilities account for 55.9% of hacked WordPress sites.

Using poorly-coded WordPress themes and plugins is a risky move because they are often neglected or not patched regularly and might be vulnerable to malicious JavaScript, bugs, etc., which can ruin your website.


  • Avoid WordPress themes and plugins that haven’t been updated in some time.
  • Always get trustworthy themes and plugins from reputable WordPress marketplaces and reliable third-party vendors, which vouch for their quality. A premium theme like Divi and a plugin like Yoast SEO can be a good choice.
  • Check the ratings, reviews, and user download count before getting or buying any plugins.
  • Keep your themes and plugins updated regularly because security patches can fix the bugs and loopholes, making your site more secure.
  • Go for a test site check if possible as a precautionary measure.


6. Use of weak passwords

Passwords are the key to opening the gates of your website. Hence using weak or easy-to-guess passwords is a security hazard, and it weakens the site security too. According to a Google survey, 52% of the users tend to reuse their passwords for numerous accounts.

A survey by Verizon Data Breach Incident Report indicates that such exposed or compromised passwords are accountable for 81% of the breaches, which amounts to $4million approximately every year.

This issue cannot be ignored, and essential steps need to be taken to alleviate the risks related to weak passwords.

One of them might be taking a cybersecurity course where you will learn how to recognize a hacker’s attack and what the best practices are to stay safe online

Since hackers now have become savvier, they use dictionary attacks for breaking into WordPress websites. This attack uses all commonly used passwords to break into a WordPress website.

dictionary attacks for breaking into WordPress websites


  • Refrain from using weak or old passwords.
  • Passwords used in the past should not be repeated for security purposes.
  • Avoid passwords with personal information like date of birth or marriage anniversary etc.
  • Use a complex password with a combination of special characters and symbols, along with alphabets.
  • Create unique and different passwords for different accounts to be safe from hackers.
  • Never share your passwords unless it is of utmost priority. Later change the password to avoid future security issues.
  • Go for the iThemes Security Pro Password Requirements feature, which requires users to set a strong password, allows users to select a password expiration time, and prohibit the use of compromised or weak passwords.
  • Use 2FA (2-factor authentication) for a double layer site security.

The Ultimate Guide to Hiring a Web Developer

In-house, freelancer or agency. Download the guide to make the right decision for your web development project by following 3 key criteria.


7. Not updating WordPress

The percentage of websites getting hacked by an outdated WordPress version is even higher than by using weak passwords. So, delaying or ignoring WordPress core updates may be detrimental to your website security.

Research by Sucuri indicates that 36% of hacked WordPress sites were using outdated versions.

Any well-built software is prone to vulnerabilities, sooner or later. If these vulnerabilities are not patched up, your site is bound to be exploited by hackers.

A few common WordPress vulnerabilities include:

  • SQL Injections
  • Cross-Site Scripting
  • Backdoor Exploits
  • Phishing Attacks
  • Brute-force Attacks
  • DDoS Attacks
  • Old WP and PHP versions

updating wordpress

The only drawback of updates is that sometimes, they may fragment a design or halt a plugin. However, in the majority of the cases, updates are smoothly incorporated without any glitches.

In case you do encounter problems with updates, be sure to reach out to a professional WordPress support team to resolve any issue.

Plugins and themes must also be updated to avoid any open ends for cyber-criminals.

Updates are a way to fix security patches, fixing loopholes in security, fixing bugs, etc. Many software updates also help in patching security loopholes and outdated features, thus improving software stability and user experience.


8. Stocking unused themes, plugins, and user accounts

One of the primary blunders that most business owners do not realize is the hoarding of new themes, plugins, or user accounts. Of course, you need to keep on adding plugins as per business needs. But once you are done with a particular plugin, do not just deactivate or disable it, go ahead and remove it completely from your WordPress site.

Unnecessary stocking of unused plugins may expose your site to malware.

inactive unused plugins

Though these idle plugins do not use RAM or bandwidth, they use server space. This affects site performance, resulting in slow speed.

The same goes for themes and user accounts too. Each idle user account is a platform for brute force attacks. Brute force attacks amount to 16.1% of the compromised sites.

It is best that your website is simple and not stuffed with these unused themes and plugins. Hence to minimize the risk effectively, it is best to reduce their number.


  • Before deleting inactive user accounts, ensure to allocate the user’s content to another active user so that the content remains safe.
  • Go through all the plugins and delete all the deactivated ones.
  • The same procedure applies to themes too.
  • After completing the clean-up process, take a step further and go for a decluttering process.
  • Delete unpublished draft posts, unused pages, and other old posts for minimizing the size of your site database.
  • Delete all unused tags, categories, and spam comments.
  • Go to your media library and delete identical or unattached images.

Be merciless in deleting all idle and unnecessary stuff and keep your site healthy and risk-free.


9. Harden your wp-config.php file

Another big security risk for WordPress site owners is leaving your wp-config.php file exposed and vulnerable.

The heart of your WordPress site lies in the wp-config.php file, and hence it requires strong protection against cyber-thieves.

Wp-config.php file contains sensitive information about WordPress configuration, installation, WordPress security keys handling encryption of data stored in cookies, and details regarding WordPress database connection.

If such confidential content falls in the hands of intruders, it can put your site at enormous risk.



a) Move Wp-Config.php file

Since this file is in the root directory of WordPress, you can find it by using cPanel or an FTP Client.

You can later shift this file to an unpredictable directory for saving confidential information from cyber-thieves.

move Wp-Config.php file

Though this is a tedious and time-consuming task, you need to make necessary changes in the WP source code and upgrade them when required.

You can also generate a new file and transfer all the sensitive data of this file to the new one.

Example: Create a new file named config.php in a non-www accessible directory. Transfer all the database connection details and WordPress security keys to the new file.

Add >?PHP at the start and ?> at the end of the new file as shown in the above image.

After deleting all the confidential data from the wp-config.php file, add these below lines after <?PHP in this file for including the new file.
wp-config.php reading all the confidential information from the new location

Thus the wp-config.php is reading all the confidential information from the new location.


b) Create new WordPress security keys

WordPress Security keys help improve the encryption of the information that is stored in user cookies.

There are four different keys:


For security purposes, it is advisable to create new random keys by using the Salt Shaker plugin for WordPress, which helps with changing the salt keys on a manual or automatic basis.

WordPress security keys

Later, update the current keys which are stored in the wp-config.php file.


c) Change permissions via FTP client

Different files have additional permissions that specifically show which content is displayed, and users who can read, edit, or access the files.

FTP client permits you to set the permissions for all the directories and files located on your remote host. Some directories or files need to be hardened with strict permissions because liberties in such cases can endanger the site. Wp-config.php is one such file that needs strongly defined permission modes for security purposes.

Few Examples of Permission Modes:

Example 1)

permissions via FTP client example

Example 2)

example of permissions via FTP client

Mostly all the files located in the root directory of the WP site are set to 644, which indicates that the files can be read and written by the owner of the site. Apart from the owner, many other users in the owner’s group are also permitted to read the file.

This is risky, so to shut off other users from reading the files, it is advisable to set the permissions on the wp-config.php file to 400 or 440.

Different hosting platforms have different permissions, so reconfirm with your hosting provider about the same and secure your site.


10. Not having a security plugin

Another major WordPress mistake is not installing a security plugin on your website. You can never be too safe from attackers since hackers are always on the prowl for security loopholes. Though installing a firewall or an SSL certificate, secures your site, additional installation of a security plugin makes it more challenging and alerts you in case of emergencies.

Security monitoring, as well as attack prevention, are essential and that’s where WordPress security plugins plunge in.

There’s a multitude of security plugins on WordPress. To make your task more straightforward, the following are some of the best options:

  • Wordfence – indicates the enormous counts of blocked attacks and blacklisted malicious IP’s. Its end-protection, password protection, manual blocking of hostile networks, 2FA, etc. makes it one of the biggest and most popular security plugins with 150 million downloads in its kitty. Wordfence also can help with scanning for vulnerabilities, limiting login attempts and updates alerts.
  • Free plugins like iThemes Security are also available, which help to secure your site.

wordpress security plugin

IMPORTANT TIP: You must check the documentation and features of the security plugin before installation. Whichever plugin to decide to install, you need to read their alerts and notifications regularly to keep your site secure.


Wrapping up

Keeping your WordPress website secure doesn’t end just by implementing firewalls and security plugins. It is mainly about staying ahead of hackers and intruders.

To err is human, but some small and overlooked security measures can prove to be critical mistakes that can weaken your site security, give access to hackers, and cause a nightmare.

From unsecure hosting, unreliable themes, and plugins, use of weak passwords, and lack of backups, all these WordPress security mistakes can be avoided with discretion and caution.

So, scrutinize your defences, and check out the above solutions, for bullet-proof security of your WordPress site.

If this becomes too much for you to handle, you may need to get help from a professional WordPress support team. Feel free to reach out to us and learn how we can handle your security, maintenance, and updates.

And if you have any questions or comments, drop us a line down below. ????

Ignite your
with a free strategy

Book a free strategy session with our experts and get a custom strategy designed to maximize your digital marketing results.

Comment Section:

Leave a comment

Your email address will not be published. Required fields are marked *

Related Blog