9 Most Common WordPress Security Mistakes and How To Fix Them

These are mistakes that I see happening on websites over and over again, and you definitely want to make sure you’re not doing any of them on your site. I have tutorials walking you through how to fix most of them, so check out what these 10 are, make sure you’re not doing them, and if you are doing them, fix them. We’re going to go through these pretty quickly because I already made tutorials showing you how to fix a lot of them step by step; they’re linked in the description down below.

Tip #1: Choose a good hosting provider

The very first one is how WordPress sites get hacked. The number one way: 41% of hacks happen because of poor hosting.

The host takes care of their side of the business, which is server security, server speed and things like that, so hosting is the number one way sites get hacked.

Tip #2: Update Plugins and Themes.


Next is not updating plugins and themes.

So make sure you update your site. You should be careful about updating, though, because updates to plugins and themes can break your site.

So make sure you back up your site first or use a staging site.

If something goes wrong you can revert to an older version, and you don’t have to try to fix a broken site or rebuild your site.

Tip #3: Strong password.

Use a secure login name as well, because if your login name is your domain name, that’s pretty easy to guess. It’s also not admin; WordPress used to default to the admin user.

The first user created on the site had the username admin, and that couldn’t be changed in the past, but now it can be. So never use admin, never use your domain name as the username, and maybe never use your own name as the username either, if your name is known in connection with whatever you’re creating.

If you’re a personality and, say, you set up a cooking website called Cooking with Bob and the username is Bob, everybody can guess that username, and there’s no reason you need that username to log in.

For example, for the usernames I create when they need to be highly secure, I use LastPass: I go to generate password and that will be my username, then I click it again and that will be my password. They’re both just crazy, they’re bonkers; nobody’s going to guess them. You could brute-force that if you have 20 years to try, but hackers are going to move on to the next site that’s lower-hanging fruit; they’re not going to try to hack something like this.

Something very important relating to usernames is the login page.

Hackers will try these common passwords on a login page to brute-force it. If you move your login page they can no longer do that, because they can’t find the login page: it’s not in the default location. There’s a tutorial in the description down below showing you how to do that. You can also set it up so that if you try multiple wrong passwords in a row you get locked out; there’s a tutorial down below for that as well. So make sure you have a secure password, a secure username, and that you secure the login page itself.
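Locking out repeated wrong passwords starts with counting failed logins per client. As an added example (not from the original tutorial), this shell function counts failed `wp-login.php` attempts per IP in a combined-format access log. The log lines are constructed, the function names are hypothetical, and it assumes default WordPress behaviour where a failed login returns HTTP 200 and a successful one redirects with 302.

```bash
#!/usr/bin/env bash
# Added example: flag IPs with repeated failed WordPress logins.
# Assumption: default wp-login.php behaviour (failed POST -> 200, success -> 302).

# Constructed sample in combined log format (documentation IP ranges).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"
192.0.2.10 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"
192.0.2.10 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"
192.0.2.10 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:02:00 +0000] "GET /blog/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF
}

# Print "<count> <ip>" for every client with at least $1 failed logins
# (default 3), highest count first. Reads the access log on stdin.
failed_logins_by_ip() {
    awk -v min="${1:-3}" '
        # $1 = client IP, $6 = "\"POST", $7 = request path, $9 = status code
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' | sort -rn
}

# Demo on the constructed sample: only the client with 4 failures is listed.
sample_log | failed_logins_by_ip 3
```

On a real server, feed it the site's access log instead of `sample_log`; a legitimate user who mistypes once, like the second client here, stays under the threshold.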

Tip #4: Shady plugins and themes

Next is shady plugins and themes. There are a lot of us out there who want to save a few bucks, so we try to find free plugins and themes. But say I want the paid version, so I want a free copy of the paid version: that’s what’s called a nulled theme or a nulled plugin. Plugins these days usually make a call to the developer’s server to make sure the plugin you have has been paid for and has a license. Nulled plugins prevent that call, so the plugin assumes that you paid for it: because it’s not making that call, nothing comes back as positive or negative, so it doesn’t know what to do, defaults to positive, and lets you use the plugin. The drawback of nulled plugins is that a lot of these nulled plugin websites include their own little malware scripts or some kind of backdoor so they can hack into websites.

I’m not saying that’s how every single one works, but that’s how a lot of them work, so many in fact that you should never use a nulled plugin because it’s just too dangerous. It’s too dangerous to have that on your site, and hackers can easily get into your site.

Tip #5: Unused Plugins and themes.

Another thing is having unused plugins and themes.

So if I head over to my plugins here and go to Installed Plugins, I currently have one inactive.

If they are outdated and there is a security patch available and there’s a vulnerability that a hacker knows about, they can hack into your site through a deactivated plugin. You’ll see (not in this case, but you’ll see) updates available for deactivated plugins, because they still need security patches: they are still functional, they’re just not running on your website.

So any deactivated plugins you have, make sure you click on Delete and delete them. You can always add them back later if you need them. Because you deactivated them, you’re not using them anyway, so get rid of them.

The same goes for themes, under Appearance and then Themes: when you install a new WordPress site you get 2019, 2017 and 2016 all pre-installed, and if you are hunting around for a bunch of themes in the repository.

Tip #6: Too many plugins

The next problem I see is that a lot of sites just have too many plugins. If you can stick to 10 or fewer that would be ideal, but I see websites that have 20, 30, 50 plugins installed. If you’ve used WordPress for a little while, you can probably guess how many plugin updates you’d have on a daily basis: you’d probably have at least one update every single day. That adds up to a giant pain and can be a big security vulnerability, because are you actually going to update them every single day? See which plugins you actually need and which plugins you could replace with some code; a simple Google search could help you with that. Not all plugins can be replaced with code, but the ones that can, you should replace, because it makes your site more secure and it makes it run faster: every plugin you add to your site can potentially slow down your site’s load speed.

Tip #7: Regular Backups

Another very common mistake I see is not making regular backups.

So make sure you keep regular backups and again all these things.

Tip #8: Monitor WordPress files

The next very common mistake I see is websites not having the proper file and folder permissions on their server. I have a tutorial for that as well, linked in the description. If we head into our hosting account, head down to File Manager and open the document root for our website (you can also do this through FTP if you’re more comfortable with that), the file and folder permissions are on the right-hand side, and you want to make sure you have them set properly.
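The same check can be run from a shell instead of clicking through File Manager. This is an added example, not from the original tutorial: the function names are hypothetical, the sample tree is constructed, and the baseline it assumes (directories 755, files 644, `wp-config.php` not readable by "other") is common WordPress hardening guidance rather than something stated on this page.

```bash
#!/usr/bin/env bash
# Added example: audit a WordPress document root for loose permissions.
# Assumed baseline (not from this page): directories 755, files 644,
# wp-config.php not readable by "other".

audit_wp_perms() {
    local root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # Directories writable by group or other (775, 777, ...).
    find "$root" -type d \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/DIR_WRITABLE /'

    # Files writable by group or other (664, 666, ...).
    find "$root" -type f \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/FILE_WRITABLE /'

    # wp-config.php holds the database credentials; flag it if world-readable.
    find "$root" -maxdepth 1 -type f -name wp-config.php -perm -004 -print |
        sed 's/^/CONFIG_WORLD_READABLE /'
}

# Build a small constructed tree with two deliberate problems, for the demo.
build_sample_tree() {
    local t
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-content/uploads"
    : > "$t/index.php"
    : > "$t/wp-config.php"
    chmod 755 "$t" "$t/wp-content"
    chmod 777 "$t/wp-content/uploads"            # problem 1: world-writable
    chmod 644 "$t/index.php" "$t/wp-config.php"  # problem 2: config world-readable
    echo "$t"
}

if [ "$#" -gt 0 ]; then
    audit_wp_perms "$1"     # audit a real document root passed as an argument
else
    tree=$(build_sample_tree) && audit_wp_perms "$tree" && rm -rf "$tree"
fi
```

Pass the document root as the first argument to audit a real site; no output means nothing exceeded the assumed baseline.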

Tip #9: add-on domains


Next is add-on domains. In my hosting account, and in a lot of hosting accounts, in fact, a big draw is add-on domains, especially on the lower-tier shared ones. If you can get unlimited add-on domains, that means you can build unlimited websites on a hosting account.

That’s awesome, or is it? On this site I currently have 4 add-on domains. You can easily add them by going into your cPanel, clicking on add-on domains and following the instructions. The problem is when you have too many, or if you have all your clients hosted on one account and they’re all add-on domains.

The problem is that if one of them gets hacked, then that hack script is on your server and you’ve potentially compromised every other site on your hosting plan.

It doesn’t matter how great your security setup is on a site: if the script is on the server it can bypass pretty much whatever it wants. Not absolutely everything, but there is a very good chance that all the rest of your sites are going to get hacked as well, if not immediately then in the very near future.

So add-on domains can be dangerous if you have too many, especially if you have clients who are responsible for their own updates and their own security and they don’t focus on that. If you build a website for a plumber, he’s not going to be in his WordPress site updating plugins every day. That’s not his business and he doesn’t want to do that, but he also doesn’t want to pay someone to do that, because he doesn’t know the value of keeping a site secure.

And so his site gets hacked and all the other sites on your hosting account are vulnerable. I’ve seen hosting accounts where there are 20 or 30 add-on domains, all with functioning websites, all of them hacked.

All of them have to be cleaned and re-secured, and it is a giant, giant pain. So I’m not saying don’t use add-on domains; I’m saying use them sparingly. If you do have add-on domains, make sure that either you’re managing them and you take care of them and secure them, or the people who are running those sites know how to manage and secure them, so the rest of your sites on that server aren’t vulnerable.
