Jitendra Vaswani

10 Common WordPress Security Mistakes You Are Making Right Now!

Concerned about the WordPress security mistakes that you might be making in 2022? Well, read this guide further.

I know you want to ask me why you should be concerned about security when your blog has nothing that would be of interest to a hacker (or so you think).

Why should every blogger be concerned about the security of their WordPress blog, whether the blog is big or small?

WordPress is one of the most used blogging platforms. Users make 70 Million New Posts and 77 Million New Comments each month.

Here are 10 important WordPress security mistakes you are probably making right now.

WARNING: Before tinkering with your WordPress codes, it is wise to make a backup of your blog. That said,

Mistake Number 1: Updating WordPress Only When You are Sure it is Stable


When was the last time you updated WordPress?

For some bloggers, the fear of updating is the beginning of wisdom, especially when they consider the serious caveat from WordPress that you should complete a backup of your WordPress site before updating.

I used to feel that way. In time, though, I learned better before I could come to serious harm.

Why is it critical to update WordPress as soon as you get an update notification?

Well, the update notification was not sent to just your dashboard alone. As soon as the bad guys get the notification, they get busy looking for automated ways of exploiting the bugs listed in the changelogs.

If you are slow in updating to the latest version of WordPress, you may be recommending your blog for a ‘hacktival’.

I know a lot of you may be jittery over running an update for fear that it may mess up your theme or there may be some incompatibility with some fancy plugins you are using. Instead of getting paralysed with that fear, don’t you think it would be better if you rather review your theme and plugins strategy?

If you are using a theme or plugin that is not updated frequently, then you are wise if you reconsider its continued usage on your site. What is unwise is not updating WordPress because of fears that it may mess up your installed plugins.

You cannot sacrifice your whole blog to protect a few plugins.


Mistake Number 2: Setting Your Password to Something Easy To Remember


It may sound like a joke, but it’s been shown that ‘password’ and ‘123456’ are the top two most common passwords for WordPress out there!

Using one of them?

If for any reason your password is a word that can be found in a dictionary or a sequence of numbers, do yourself a favor and change it.

The tool at Strong Password Generator does a good job. Just make sure to store your new password in a secure place. You don’t want to end up with a password so strong you lose access to your account, now, do you?

If I were to give a prize for WordPress security mistakes, this one should get it! 🙂

Mistake Number 3: Advertising Your WordPress Version to the World

By default, WordPress sites publish the version of WordPress they are running, inadvertently making it easier for people to determine if you are running an outdated non-patched version of WordPress.

This information tips off would-be hackers about which exploits to use, based on the version of WordPress you are broadcasting.

To completely remove the version number from the WordPress header, add these lines to your functions.php file in the WordPress themes folder.

remove_action('wp_head', 'wp_generator');
function blank_version() {
    return '';
}
add_filter('the_generator', 'blank_version');

After removing WordPress version information from your header, there is one more task you need to do.

Go to your WordPress installation directory and delete the readme.html file as it also contains your WordPress version information.

Mistake Number 4: Ignoring login activity on your WordPress server

How many failed login attempts do you get on your blog per day?

If you do not know the answer to that question, you are playing with fire.

To motivate you: Copy Blogger receives between 50,000-180,000 unauthorized login attempts every single day. Sure, your numbers may not be as large as that, but you get the picture.

I recommend you install the plugin Limit Login Attempts which will make it much more difficult for brute force techniques to work on your blog.

Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.
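To answer the "how many failed login attempts per day" question from your own access log, here is an added example (not part of the original article or of the Limit Login Attempts plugin). It assumes the combined log format and default WordPress behaviour, where a rejected login returns 200 and an accepted one returns 302; the log lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in "combined" access-log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2022:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2022:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2022:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2022:11:30:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3900 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2022:11:30:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Mar/2022:08:15:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def failed_logins(log_text):
    """Count failed login POSTs per (day, ip).

    Assumption: default WordPress behaviour, where a rejected login re-renders
    the form with status 200 and an accepted one redirects with 302.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        path = m["path"].split("?", 1)[0]
        if (m["method"] == "POST" and path.endswith("/wp-login.php")
                and m["status"] == "200"):
            counts[(m["day"], m["ip"])] += 1
    return counts

def per_day(counts):
    """Total failed attempts per day, the number the question above asks for."""
    totals = Counter()
    for (day, _ip), n in counts.items():
        totals[day] += n
    return dict(totals)

def over_limit(counts, limit=3):
    """IPs that reached `limit` failures in one day (candidates for lockout)."""
    return sorted({ip for (_day, ip), n in counts.items() if n >= limit})

if __name__ == "__main__":
    c = failed_logins(SAMPLE_LOG)
    print(per_day(c), over_limit(c))
```

A security plugin or firewall that answers failed logins with another status code (for example 403) needs the status check adjusted to match.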

Mistake Number 5: Allowing Readers to Browse Your WordPress Directories

When a user types in a directory on your blog in the address bar, what happens?

If the directory opens up, then you are in trouble.

The last thing you want is for every Peeping Tom to be able to nose through directories and see the content of directories that are missing an index file.


Open the .htaccess file in your WordPress root directory and add the following line at the top.

Options All -Indexes

What this does is provide a blank index page for any directory that does not have an index.

That puts a brick wall before directory snoopers.

On my blog, attempting to browse directories will land you in a page with a single text "0" 🙂 .

Mistake Number 6: Allowing Your Plugins and Themes in their Default Location

With WordPress 2.6 and later, you can place the wp-content folder anywhere on your web server.

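If you decide to move the wp-content folder to another location, change the relevant paths in the wp-config.php file. WP_CONTENT_DIR takes the full local filesystem path of the folder, and WP_CONTENT_URL takes the matching URL:

define('WP_CONTENT_DIR', dirname(__FILE__) . '/resources/wp-content');
define('WP_CONTENT_URL', 'http://www.probloggertips.com/resources/wp-content');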

That should keep most would-be hackers moving around in circles.

Mistake Number 7: Not Backing Up Your WordPress Site


Of course, no site on the internet is fully protected. Even Godaddy and Mastercard websites have been compromised at one time or the other.

If a hacker compromises your website and you do not have a recent backup of your site, it would be a real headache to restore your site to its original state.

Trust me, that is not a position you ever want to find yourself in.

I use Backup Buddy, which is a paid service.

If you want free options, WordPress lists backup plugins here. Whatever you do, it is important that you have a backup schedule set up for your blog.

Mistake Number 8: Failing to Delete Unused Themes and Plugins

Plugins are excellent gateways for hackers as they contain vulnerabilities that hackers and malicious code are known to exploit.

That means the more plugins you use, the more exposed you are to hacking attacks.

If it is not absolutely necessary, do not use a plugin. When a plugin or theme is no longer in use, be quick to deactivate and delete them.

Yes, even deactivated plugins and themes can be used as back-doors to gain entry into your site.

So look through your themes and plugin directories. Can you find any inactive plugin or theme?

Completely delete them!

Mistake Number 9: Allowing your wp-config.php File in Its Default Location

Your wp-config.php file contains your database connection info as well as other sensitive data meant for your eyes only. From WordPress 2.6 you can easily move this file from its root folder location.

To implement this tip, move your wp-config.php file up one directory from your WordPress root. WordPress will automatically look for your config file there if it can’t find it in your root directory.

With this done, only persons with FTP or SSH access will be able to access your config file.
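To confirm that the file-level fixes from Mistakes 3, 5 and 9 are in place, here is an added audit script (not from the original article or from WordPress). It checks for readme.html, for directories with no index file when the root .htaccess does not contain -Indexes, and for the wp-config.php location; the function names, finding strings and the throwaway directory tree in demo() are constructed for illustration, and server-level Apache configuration outside .htaccess is not inspected.

```python
import os
import tempfile

INDEX_NAMES = {"index.php", "index.html", "index.htm"}

def htaccess_disables_indexes(root):
    """True if root/.htaccess has an Options line containing -Indexes."""
    try:
        with open(os.path.join(root, ".htaccess"), encoding="utf-8") as fh:
            lines = [ln.split() for ln in fh if not ln.lstrip().startswith("#")]
    except FileNotFoundError:
        return False
    return any(t and t[0].lower() == "options" and "-indexes" in
               (x.lower() for x in t[1:]) for t in lines)

def audit_wordpress_root(root):
    """Return sorted findings for the WordPress install at `root`."""
    findings = []
    parent = os.path.dirname(os.path.abspath(root))
    has = lambda d, name: os.path.isfile(os.path.join(d, name))
    if has(root, "readme.html"):                       # Mistake 3
        findings.append("readme.html present")
    if has(root, "wp-config.php"):                     # Mistake 9
        findings.append("wp-config.php in web root")
    elif has(parent, "wp-config.php") and has(parent, "wp-settings.php"):
        # WordPress ignores a parent wp-config.php when the parent directory
        # holds its own wp-settings.php (it belongs to another install).
        findings.append("parent wp-config.php will be ignored")
    if not htaccess_disables_indexes(root):            # Mistake 5
        for dirpath, _dirs, files in os.walk(root):
            if not INDEX_NAMES & set(files):
                findings.append("listable: " + os.path.relpath(dirpath, root))
    return sorted(findings)

def demo():
    """Audit a constructed, throwaway tree before and after hardening."""
    with tempfile.TemporaryDirectory() as top:
        root = os.path.join(top, "public_html")
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        for rel in ("readme.html", "wp-config.php", "index.php", "wp-content/index.php"):
            open(os.path.join(root, rel), "w").close()
        before = audit_wordpress_root(root)
        os.remove(os.path.join(root, "readme.html"))
        os.replace(os.path.join(root, "wp-config.php"), os.path.join(top, "wp-config.php"))
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write("Options All -Indexes\n")
        return before, audit_wordpress_root(root)

if __name__ == "__main__":
    print(demo())
```

Run audit_wordpress_root() against a copy of your own document root after each WordPress update, since an update can restore readme.html.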

Mistake Number 10: Thinking No One Would Want To Hack Your Small Blog

One of the commonest WordPress security mistakes out there is the assumption that since your blog is a small one, no one in their right mind would want to hack it.


Have you nursed those thoughts before?

Most hacking attempts are automated, without any personal or malicious motive involved. What that means is that it is all about the money.

You may be thinking, what do I have on my site that a hacker would dedicate resources to crack?

If you have nothing else, you have server resources.

Possible ways sites can be exploited:

  • Insertion of spam links in your content to boost SEO for other sites
  • Malware infections of your visitors' computers, e.g. to steal their financial information
  • Redirecting your traffic to other sites.

Well, I told You So!

If there is one thing I don’t want, it is to have to tell you: “Well, I told you so”.



Having advanced information on what can make your blog vulnerable gives you the responsibility to take action and protect it.

It is better that you do all you can to protect your blog now, while you can, instead of only crying in the blogosphere after your blog has been compromised and defaced.

A word, they say, is enough for the wise.

Have I missed a tip here? What other security steps have you taken to fortify your blog?

Note: All images credit to pixabay.com
