Security in WordPress – The 8 biggest mistakes in WordPress websites

Your business website is the hub of your online marketing. You have put a lot of work and, often, a lot of money into it so that visitors get the best possible experience. So protect it accordingly. No single measure will ever make a site completely secure, but most compromises trace back to a handful of avoidable mistakes. We introduce the eight most common security mistakes on WordPress sites and give tips on how to prevent them.

Mistake number 1 – a bad hosting environment

Everything stands and falls with sensible hosting. According to a study by WP Template, 41 percent of hacks are attributed to insecure servers, almost half of all cases. Choosing the right host is therefore essential. A useful rule of thumb: if it costs nothing, it is worth nothing. With a rock-bottom host you typically save on exactly the things that matter, namely timely patching of the server software, isolation between customers and competent support. Treat hosting for your WordPress site as an investment in your business. Remember that even if your site is not the target of an attack, it can become collateral damage: on a badly isolated shared server, a compromise of a neighbouring account can spread to yours.

Mistake #2 – You’re not always up to date

WordPress is updated regularly. There are minor and major releases. Minor releases (the third part of the version number changes) mostly contain security fixes and bug fixes; major releases add new features and improvements to the code. Whatever the size, apply each update as soon as possible: once a fix is published, attackers know exactly which weakness older versions still have.

Tip: Minor releases have been installed automatically since WordPress 3.7. If you add the line

define( 'WP_AUTO_UPDATE_CORE', true );

to your wp-config.php file, major releases are installed automatically as well (the default value 'minor' installs only minor releases; false disables core auto-updates entirely). Note that major releases fairly often cause conflicts with plugins and themes, so test them on a staging copy and keep a current backup before enabling this on a production site.

What applies to WordPress core applies equally to plugins and themes: outdated or vulnerable plugins and themes are responsible for 51 percent of hacked websites. Since WordPress 5.5 you can enable automatic updates per plugin and per theme in the admin interface; for anything you do not auto-update, check for updates at least weekly and read the changelog for security fixes.

Mistake #3: You’re using insecure passwords

Inadequate access security is another common WordPress security mistake. Most attacks are automated: nobody sits down and tries username and password combinations by hand. Scripts try logins at an enormous rate, against wp-login.php and also against xmlrpc.php, which accepts credentials as well. Nevertheless, many site operators still use weak passwords. Every year TeamsID publishes a list of the 25 weakest passwords, from "123456" to "password" to "login".


  • Reduce the number of people with administrator rights: WordPress lets you assign roles (Administrator, Editor, Author, Contributor, Subscriber). Not every user needs to be able to do everything on your site; give each account the lowest role that covers its work.
  • Never use "admin" as the username: "admin" was the default username in older WordPress installations and is the first name brute-force scripts try. If your site still uses it, create a new administrator account with a different name, log in as that account and delete the old one (reassigning its content), because a username cannot simply be renamed in the admin interface.
  • Use strong passwords: WordPress has had a password strength meter and a password generator for some time. Use them, or use a password manager such as KeePass. There are also plugins that force every user of your site to choose a strong password.
  • Limit login attempts: the most effective way to blunt brute-force attacks is to limit the number of failed attempts per account and per IP address. Many security plugins offer this feature; you can also use WP Limit Login Attempts. Make sure the limit also covers xmlrpc.php, or disable XML-RPC if you do not use it.
  • Hide the login page: for a little extra protection, the Move Login plugin serves the login form at a custom URL of your choosing instead of the default wp-login.php. This only deters scripts that target the default path; it is no substitute for strong passwords and rate limiting.
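Because the attacks described above are automated, they are easy to spot in the web server's access log: a single address posting to wp-login.php or xmlrpc.php many times in a short window. The following Python script is an added example (not code from the original article or from any of the plugins named above) that reads Apache/nginx combined-format log lines and flags addresses with too many failed login attempts inside a sliding window. It assumes the combined log format and that a failed login to wp-login.php is answered with status 200 while a successful one is a 302 redirect; the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" access-log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Endpoints that accept WordPress credentials: the login form and XML-RPC.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    path = m["path"].split("?", 1)[0]  # drop the query string (?action=lostpassword etc.)
    return m["ip"], ts, m["method"], path, m["status"]


def failed_login_attempts(lines):
    """Yield (ip, timestamp) for every POST to a login endpoint that did not succeed.

    wp-login.php answers a successful login with a 302 redirect and a failed one by
    re-rendering the form with status 200, so POSTs that are not 302 are treated as failures.
    """
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path in LOGIN_PATHS and status != "302":
            yield ip, ts


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: peak_attempts} for IPs with >= threshold failed logins in any sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the current window
    flagged = {}
    for ip, ts in failed_login_attempts(lines):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged


# Constructed sample log (not real traffic): a credential-guessing burst from 203.0.113.7,
# a legitimate user at 198.51.100.4 (one typo, then success), and slow XML-RPC probing
# from 203.0.113.9 that stays below the threshold within any 60-second window.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Oct/2023:13:55:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3911 "-" "python-requests/2.31"'
     for s in range(0, 40, 5)]
    + [
        '198.51.100.4 - - [10/Oct/2023:13:55:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"',
        '198.51.100.4 - - [10/Oct/2023:13:55:21 +0000] "POST /wp-login.php HTTP/1.1" 200 3911 "-" "Mozilla/5.0"',
        '198.51.100.4 - - [10/Oct/2023:13:55:33 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '198.51.100.4 - - [10/Oct/2023:13:55:34 +0000] "GET /wp-admin/ HTTP/1.1" 200 51022 "-" "Mozilla/5.0"',
    ]
    + [f'203.0.113.9 - - [10/Oct/2023:13:{m:02d}:{s:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"'
       for m, s in [(56, 0), (56, 30), (57, 0), (57, 30), (58, 0), (58, 30)]]
)

if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} failed logins within 60 s")
```

Run against a real log with `find_bruteforce(open("/var/log/apache2/access.log"))`. Lowering the threshold or widening the window also catches the slow XML-RPC probing, which is exactly the trade-off a login-limiting plugin makes with its own settings; addresses that show up here are candidates for a firewall or fail2ban rule.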

Mistake #4: Installing themes and plugins from unsafe sources

The popularity of WordPress has made it a favourite target of attackers. But a site is not always attacked from outside; often the site owner introduces the weakness himself, most commonly by installing free WordPress themes and plugins from dubious sources. A practical study by CodienWP found that many free templates contain bugs, hidden malicious JavaScript and many other problems. You would therefore do well to use themes and plugins only from trustworthy sources, first and foremost the official WordPress.org theme and plugin directories, where every submission is reviewed before it is listed. Be especially wary of "nulled" copies of commercial themes and plugins: they are a common carrier for backdoors. In addition, Google is constantly working to improve its search results, and a site that serves malware is quickly flagged as such.

Tip: There are also third parties you can trust. In this list you will certainly find a provider for your next theme.

Mistake number 5: Hoarding unused plugins, themes and accounts

Even harmless WordPress add-ons can become a security risk if they are not updated regularly, and a plugin you no longer use is exactly the one you forget to update. Note that a deactivated plugin or theme is still code on the server, and a vulnerability in it can sometimes still be reached directly. So delete, rather than merely deactivate, any tool you are not actively using. The same goes for user accounts: every account is a potential entry point, and forgotten accounts tend to keep old, weak passwords. The fewer accounts, the better.

Mistake number 6: No regular backups

Even if you take every precaution, nothing is 100 percent secure. Therefore you should back up your site regularly! This way, if anything goes wrong, you can always restore the last working version of your website.

If you use a quality host, backups are made daily. To be on the safe side, run your own backup solution as well, for example the Duplicator or UpdraftPlus plugins. A complete backup consists of the database and the files, at the very least the wp-content directory and wp-config.php.


Store copies of your backups on a separate system, for example an external hard drive or an offsite backup storage service. A backup that sits on the same server as the site is lost together with it, and an attacker who gets into the server can delete it. Test restoring from a backup at least occasionally: a backup that has never been restored is not proven to work.
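The following Python script is an added example (not code from the article or from Duplicator or UpdraftPlus) of what such a backup routine does under the hood: it bundles the database dump, wp-content and wp-config.php into one archive, writes a SHA-256 sidecar so the copy on the offsite system can be checked for corruption or tampering, and keeps only the newest archives. It assumes mysqldump is installed and that the database password is supplied via ~/.my.cnf rather than on the command line; the demo() function builds a constructed fake WordPress tree and a constructed dump so the routine can be exercised without a real site.

```python
import hashlib
import io
import subprocess
import tarfile
import tempfile
import time
from pathlib import Path


def dump_database(db_name, user, host="localhost"):
    """Run mysqldump and return the SQL dump as bytes.

    The password is deliberately not passed on the command line (it would be visible in `ps`);
    put it in ~/.my.cnf under [mysqldump] or export MYSQL_PWD instead.
    """
    cmd = ["mysqldump", "--single-transaction", "--quick", "-h", host, "-u", user, db_name]
    return subprocess.run(cmd, check=True, capture_output=True).stdout


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(wp_dir, dest_dir, db_dump, label=None):
    """Bundle wp-content, wp-config.php and the dump into dest_dir/wp-backup-<label>.tar.gz
    and write a .sha256 sidecar so the offsite copy can be verified later."""
    wp_dir, dest_dir = Path(wp_dir), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    label = label or time.strftime("%Y%m%d-%H%M%S")
    archive = dest_dir / f"wp-backup-{label}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(wp_dir / "wp-content", arcname="wp-content")
        tar.add(wp_dir / "wp-config.php", arcname="wp-config.php")
        info = tarfile.TarInfo("database.sql")
        info.size = len(db_dump)
        info.mtime = int(time.time())
        tar.addfile(info, io.BytesIO(db_dump))
    Path(f"{archive}.sha256").write_text(f"{sha256_file(archive)}  {archive.name}\n")
    return archive


def verify_backup(archive):
    """True only if the archive matches its sidecar hash and contains the essential members."""
    archive = Path(archive)
    sidecar = Path(f"{archive}.sha256")
    if not sidecar.exists() or sha256_file(archive) != sidecar.read_text().split()[0]:
        return False
    with tarfile.open(archive, "r:gz") as tar:
        names = set(tar.getnames())
    return {"database.sql", "wp-config.php"} <= names


def prune_backups(dest_dir, keep=7):
    """Delete all but the newest `keep` archives (labels sort chronologically); return what was removed."""
    archives = sorted(Path(dest_dir).glob("wp-backup-*.tar.gz"))
    removed = archives[:len(archives) - keep] if keep > 0 else archives
    for archive in removed:
        archive.unlink()
        Path(f"{archive}.sha256").unlink(missing_ok=True)
    return removed


def demo():
    """Constructed fixture (not a real site): a tiny fake WordPress tree and a fake dump."""
    root = Path(tempfile.mkdtemp())
    site = root / "site"
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / "wp-content" / "uploads" / "note.txt").write_text("constructed upload")
    (site / "wp-config.php").write_text("<?php\n$table_prefix = 'wp_';\n")
    fake_dump = b"-- constructed dump, not from mysqldump\nCREATE TABLE wp_options (option_id bigint);\n"
    backups = root / "backups"
    archives = [create_backup(site, backups, fake_dump, label=f"20240101-00000{i}") for i in range(10)]
    result = {"all_verify": all(verify_backup(a) for a in archives)}
    with open(archives[-1], "ab") as f:       # simulate a corrupted or tampered copy
        f.write(b"\0")
    result["tamper_detected"] = not verify_backup(archives[-1])
    result["removed"] = len(prune_backups(backups, keep=7))
    result["remaining"] = len(list(backups.glob("wp-backup-*.tar.gz")))
    return result


if __name__ == "__main__":
    print(demo())
```

For a real site, replace the constructed dump with `dump_database("wordpress", "backup_user")` and copy both the archive and its .sha256 sidecar to the offsite location; running verify_backup() on the copy is the cheap check, and an occasional test restore on a staging server is the real one.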

Mistake number 7: Relying solely on WordPress' built-in security measures

Although WordPress takes security seriously, there is still room for improvement. For example, WordPress uses the table prefix wp_ by default. Because this prefix is known, canned attack scripts and SQL injection payloads can name your tables directly. Changing it to a random prefix is a mild hardening measure: it breaks such scripts, but it does not stop an attacker who can run arbitrary SQL, since the table names can simply be looked up. The easiest time to change the prefix is during installation. If your site is already online, the iThemes Security plugin can do it for you, and a professional can do it manually: rename the tables, update the rows in the options and usermeta tables whose keys embed the prefix, and adjust the $table_prefix setting in wp-config.php.
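The manual procedure has a step people routinely forget: besides renaming the tables, the option wp_user_roles and the per-user keys wp_capabilities and wp_user_level store the prefix inside their values, and without updating them every administrator loses access. The Python helper below is an added example (not code from the article or from the iThemes Security plugin) that generates the complete statement list from the output of SHOW TABLES and rewrites the $table_prefix line of wp-config.php. It assumes MySQL/MariaDB syntax, a single-site installation and a site put into maintenance mode with a fresh backup before the statements are run; the table list and config excerpt are constructed sample data.

```python
import re

PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")
# Tables whose keys embed the prefix in a *value*, which RENAME TABLE alone does not touch.
PREFIXED_ROWS = (("options", "option_name"), ("usermeta", "meta_key"))


def _like_escape(s):
    """Escape MySQL LIKE wildcards: the '_' in a prefix like wp_ would otherwise match any character."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def prefix_change_sql(old, new, tables):
    """Return the SQL statements that move every table from prefix `old` to prefix `new`
    and fix the option/usermeta rows (wp_user_roles, wp_capabilities, wp_user_level, ...)
    whose keys start with the old prefix. `tables` is the output of SHOW TABLES."""
    for p in (old, new):
        if not PREFIX_RE.match(p):
            raise ValueError(f"prefix must contain only letters, digits and underscores: {p!r}")
    stmts = [
        f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;"
        for t in tables
        if t.startswith(old)
    ]
    # Run after the renames, hence the new table names.
    for table, column in PREFIXED_ROWS:
        stmts.append(
            f"UPDATE `{new}{table}` SET {column} = CONCAT('{new}', SUBSTRING({column}, {len(old) + 1})) "
            f"WHERE {column} LIKE '{_like_escape(old)}%';"
        )
    return stmts


def rewrite_table_prefix(config_text, new):
    """Return wp-config.php text with $table_prefix set to `new`; refuses ambiguous files."""
    if not PREFIX_RE.match(new):
        raise ValueError(f"prefix must contain only letters, digits and underscores: {new!r}")
    pattern = re.compile(r'''^(\s*\$table_prefix\s*=\s*)(['"])[^'"]*\2(\s*;)''', re.M)
    new_text, count = pattern.subn(lambda m: f"{m.group(1)}'{new}'{m.group(3)}", config_text)
    if count != 1:
        raise ValueError("expected exactly one $table_prefix assignment in wp-config.php")
    return new_text


# Constructed sample data: a typical SHOW TABLES result plus two tables that must not be touched.
SAMPLE_TABLES = [
    "wp_commentmeta", "wp_comments", "wp_options", "wp_posts",
    "wp_usermeta", "wp_users", "wpforms_stats", "other_app_log",
]
SAMPLE_CONFIG = "<?php\n/** constructed wp-config.php excerpt */\n$table_prefix = 'wp_';\n"

if __name__ == "__main__":
    for stmt in prefix_change_sql("wp_", "k9x_", SAMPLE_TABLES):
        print(stmt)
    print(rewrite_table_prefix(SAMPLE_CONFIG, "k9x_"))
```

Note the escaped underscore in the LIKE pattern: `LIKE 'wp_%'` would also match a table such as wpforms_stats, because `_` is a single-character wildcard in SQL. Write the rewritten wp-config.php only after the statements have run successfully, otherwise the site is briefly pointed at tables that do not exist yet.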

Mistake #8: Not using a security plugin

We know: there is quite a lot to keep in mind where WordPress security is concerned. So rather than doing nothing, use a security plugin. Tools such as BulletProof Security, Sucuri Security, iThemes Security and Wordfence harden your site without deep technical know-how and take care of much of what is described above, for example login limiting, malware scanning and file-integrity monitoring. Bear in mind that such a plugin runs inside WordPress itself: it cannot replace a good host, current software or backups, and it is one more component that must be kept up to date.

Security with WordPress – conclusion

If your website gets hacked, it is a disaster: all the work, time and often a lot of money seem to have vanished overnight. The good news: you have the power to get the common WordPress security mistakes under control right from the start.


Has your WordPress website been hacked? What should you do? We show you the most important steps.


TORQUE: 8 Common WordPress Security Mistakes That Could Cost You Dearly


Jana Behr is an IT specialist editor, PR consultant and blogger from Cologne and is passionate about all things IT, telecommunications and digitization.
