Top 5 Mistakes for your WordPress Website Security

Written by Jean Galea
Website security has become a major subject nowadays, as the web is fast becoming the preferred way for attackers to spread malware, steal credit card details or carry out other illegal activities. Due to the wide variety of open source tools and Content Management System (CMS) software available, more and more websites and blogs are being easily created every day.



According to a survey conducted by, one of the most popular and free open source CMS platforms, 14.7% of the top million websites in the world are based on WordPress. There are over 19,000 plugins available for WordPress and according to the founder, Matt Mullenweg, 200 million plugins had been downloaded at the time of the study in August 2011.

With such a large number of open source plugins, you can easily develop a powerful website with advanced features and functionality. Furthermore, many of these plugins are free, so you can keep your expenses to a minimum. Creating websites or blogs using WordPress is easy and, unlike other CMS systems available today, no technical knowledge is required. As with most great achievements in technology, there are risks: websites are frequently exposed to malware or hacker activity.

Even though WordPress had a number of serious security vulnerabilities in the past, nowadays it is very robust. However, if it is not administered properly, your website can be an easy target for hackers. Here are the most common mistakes which can compromise your website:

1. WordPress Installation is not Updated to the Latest Version

Every time a newer version of WordPress is released, it includes bug fixes and addresses security issues reported in the previous versions. If you are not using the latest version, a hacker can gain access to your website simply by exploiting vulnerabilities that the old version is known to have. WebsiteDefender notifies you via email if you are using an older version of WordPress.

2. Plugins or Themes are not Updated to the Latest Version

As with WordPress itself, plugins and themes are also updated from time to time to address bugs and security issues. If you do not update your plugins and themes to the latest versions, there is a chance your website could be exposed to hackers, since new plugin and theme versions address previously reported security threats. When WebsiteDefender scans your WordPress website, it will alert you if there is a newer version available for any of your installed plugins or themes.
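As an added illustration of the checks described in the two points above (this is example code, not the post's own or WebsiteDefender's), the following Python script reads the version strings WordPress actually stores (`$wp_version` in `wp-includes/version.php`, and the `Version:` header of a plugin's main file or a theme's `style.css`) and reports every component that is behind a list of current versions. The sample files and the `LATEST` map are constructed for the demonstration; a real audit would populate `LATEST` from the WordPress.org update API.

```python
"""Check installed WordPress core, plugin and theme versions against a
list of known-current versions.  Added example, not code from the post
or from WordPress.  The LATEST map and sample files are constructed."""
import re
from pathlib import Path

# WordPress core records its version in wp-includes/version.php as:
#     $wp_version = '3.2.1';
WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")

# Plugins (main .php file) and themes (style.css) carry a header comment
# whose 'Version:' line is what the dashboard reads.
HEADER_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(text):
    """'6.3.1' -> (6, 3, 1); non-numeric pieces such as 'beta' count as 0."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def core_version(version_php_source):
    """Extract $wp_version from the contents of wp-includes/version.php."""
    m = WP_VERSION_RE.search(version_php_source)
    return m.group(1) if m else None


def header_version(source):
    """Extract the 'Version:' header from a plugin file or theme style.css."""
    m = HEADER_VERSION_RE.search(source)
    return m.group(1) if m else None


def outdated(installed, latest):
    """Return [(name, installed, latest)] for every component that is behind."""
    return [
        (name, ver, latest[name])
        for name, ver in installed.items()
        if name in latest and parse_version(ver) < parse_version(latest[name])
    ]


def scan_install(wp_root):
    """Collect versions from a real WordPress tree: wp-includes/version.php,
    wp-content/plugins/<slug>/*.php and wp-content/themes/<slug>/style.css."""
    root = Path(wp_root)
    found = {}
    version_php = root / "wp-includes" / "version.php"
    if version_php.is_file():
        ver = core_version(version_php.read_text(errors="ignore"))
        if ver:
            found["core"] = ver
    plugins = root / "wp-content" / "plugins"
    for plugin_dir in (p for p in plugins.iterdir() if p.is_dir()) if plugins.is_dir() else []:
        for php in plugin_dir.glob("*.php"):
            ver = header_version(php.read_text(errors="ignore"))
            if ver:  # the first file with a Version header is the main plugin file
                found[plugin_dir.name] = ver
                break
    themes = root / "wp-content" / "themes"
    for theme_dir in (t for t in themes.iterdir() if t.is_dir()) if themes.is_dir() else []:
        css = theme_dir / "style.css"
        if css.is_file():
            ver = header_version(css.read_text(errors="ignore"))
            if ver:
                found[theme_dir.name] = ver
    return found


# Constructed sample inputs (not taken from a real installation).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '3.2.1';\n"
SAMPLE_PLUGIN_PHP = "<?php\n/*\nPlugin Name: Example Gallery\nVersion: 2.0.1\n*/\n"
SAMPLE_THEME_CSS = "/*\nTheme Name: Twenty Eleven\nVersion: 1.2\n*/\n"
LATEST = {"core": "3.3", "example-gallery": "2.1.0", "twentyeleven": "1.3"}


def demo():
    """Run the comparison over the constructed samples."""
    installed = {
        "core": core_version(SAMPLE_VERSION_PHP),
        "example-gallery": header_version(SAMPLE_PLUGIN_PHP),
        "twentyeleven": header_version(SAMPLE_THEME_CSS),
    }
    return outdated(installed, LATEST)


if __name__ == "__main__":
    for name, have, want in demo():
        print(f"{name}: installed {have}, latest {want}")
```

Run `scan_install("/path/to/wordpress")` in place of the constructed samples to audit a real tree; note that it reads the version a component claims in its header, so a plugin that was edited in place will still report its original number.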

3. Downloading Unsafe Plugins and Themes

As WordPress plugins and themes are open source, some of them can contain vulnerabilities or, even worse, a hacker can create a plugin or theme designed to inject malware or rootkits. Once installed, these plugins and themes infect your website or give the hacker access to your files. Hackers can also redirect some of your traffic to phishing sites in order to steal sensitive customer information such as credit card details, or to gain a better ranking for their own websites. WebsiteDefender scans your installed plugins and themes for malware and vulnerabilities and alerts you if any suspicious under-the-hood hacker activity is detected.

4. Insecure Permissions for WordPress Directories

Tightening up your WordPress file and directory permissions is a must. One of the most common mistakes is that users allow write access to their web folders. If a hacker gets access to your website files and directories, they can upload their own scripts and steal traffic or customer information, or even distribute illegal content on your site. WebsiteDefender alerts you if your file and directory permissions are insecure and instructs you on how to resolve the issue.
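One way to audit permissions yourself, as an added example rather than code from the post or from WebsiteDefender: the Python script below walks a WordPress tree and flags anything writable by group or world, plus any permission bits beyond the baseline modes it assumes (directories 755, files 644, and wp-config.php no wider than 640 because it holds the database credentials). Those baselines are the script's assumptions, not something the post states.

```python
"""Audit file and directory permissions of a WordPress tree.
Added example, not code from the post or from WebsiteDefender.  The
baseline modes are this script's assumptions: directories 755, files 644
and wp-config.php no wider than 640."""
import os
import stat
import sys

DIR_MODE = 0o755
FILE_MODE = 0o644
CONFIG_MODE = 0o640


def classify(name, mode, is_dir):
    """Return a list of findings for one path, given its st_mode bits."""
    perm = stat.S_IMODE(mode)
    findings = []
    # Anyone with a local account can edit a world-writable file; on shared
    # hosting that may include other customers on the same server.
    if perm & 0o002:
        findings.append("world-writable")
    elif perm & 0o020:
        findings.append("group-writable")
    if name == "wp-config.php":
        baseline = CONFIG_MODE
    else:
        baseline = DIR_MODE if is_dir else FILE_MODE
    extra = perm & ~baseline & 0o777  # permission bits set beyond the baseline
    if extra:
        findings.append(f"mode {perm:04o} wider than baseline {baseline:04o}")
    return findings


def audit_tree(root):
    """Walk root and return [(path, finding)] for everything that deviates.
    Symlinks are skipped so a link's target is not judged by the link's bits."""
    report = []
    for dirpath, _dirnames, filenames in os.walk(root):
        st = os.lstat(dirpath)
        for finding in classify(os.path.basename(dirpath), st.st_mode, True):
            report.append((dirpath, finding))
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            for finding in classify(filename, st.st_mode, False):
                report.append((path, finding))
    return report


if __name__ == "__main__":
    wp_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, finding in audit_tree(wp_root):
        print(f"{finding}: {path}")
```

Under these baselines the owning user keeps write access, so a directory such as wp-content/uploads still works for the account the web server runs as; what the audit flags is write access handed to everyone else on the machine, which is exactly the condition the paragraph above warns about.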

5. Insecure Account Credentials

One major security issue with WordPress, as with any other CMS, is that weak usernames and passwords are often assigned when a new account is created. If such usernames or passwords are not changed, or are not strong enough, it is very easy for a malicious user to launch a brute force attack against your WordPress installation and guess the credentials. To make things worse, if you have weak credentials and an old version of WordPress, once a hacker gains access to a user account, he/she can escalate permissions and gain administrative privileges over your entire website.
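The brute force attempts described above leave a very recognisable trace in the web server's access log: many POST requests to `wp-login.php` (or `xmlrpc.php`, which also accepts authenticated calls) from one address in a short time. The detector below is an added example, not the post's or WebsiteDefender's code; it parses combined-format log lines and flags addresses that exceed a threshold of login posts inside a sliding window. The log lines, the threshold (10 attempts in 60 seconds) and the addresses are all constructed for the demonstration.

```python
"""Flag brute-force login attempts against WordPress from an access log.
Added example, not code from the post or from WebsiteDefender.  The log
lines, threshold and addresses below are constructed for the demonstration."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints through which WordPress accepts a username and password.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return (ip, timestamp, method, path) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("time"), TIME_FORMAT)
    path = m.group("path").split("?", 1)[0]  # drop the query string
    return m.group("ip"), when, m.group("method"), path


def flag_brute_force(lines, threshold=10, window_seconds=60):
    """Map each source IP to the largest number of login POSTs it made
    inside any span of window_seconds, for IPs at or above threshold."""
    attempts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, method, path = parsed
        if method == "POST" and path in LOGIN_PATHS:
            attempts[ip].append(when)

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans <= window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def _line(ip, stamp, method, path, status):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample: a normal visitor who logs in once, and a source that
# posts the login form twelve times in 33 seconds.
SAMPLE_LOG = [
    _line("198.51.100.5", "03/Mar/2024:10:00:00 +0000", "GET", "/", 200),
    _line("198.51.100.5", "03/Mar/2024:10:00:05 +0000", "POST", "/wp-login.php", 302),
    _line("198.51.100.5", "03/Mar/2024:10:00:06 +0000", "GET", "/wp-admin/", 200),
] + [
    _line("203.0.113.7", f"03/Mar/2024:10:01:{s:02d} +0000", "POST", "/wp-login.php", 200)
    for s in range(0, 36, 3)
]

if __name__ == "__main__":
    for ip, count in flag_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {count} login attempts within 60 seconds")
```

The threshold and window are the tunable part: a legitimate user who mistypes a password a few times stays well below ten attempts a minute, while a guessing tool exceeds it almost immediately. Feeding the real access log through `flag_brute_force` gives the list of addresses worth blocking or rate-limiting at the web server.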

Ensure WordPress installation security for your website by signing up for your WebsiteDefender account today. WebsiteDefender requires no technical background or maintenance and gives you clear instructions on how to fix detected issues.

One Response

  1. Hi Adriana,

    Indeed a great list of common WordPress security mistakes.

    A couple of days back I faced a situation where some unwanted ads were being displayed on my blog, and that was something I did not install. When I inspected it I found that a lot of unwanted code had been injected into the WordPress theme files and other main files.

    On further inspection I found out the following 3 things which were the reasons for this:

    1) Not updating the other WordPress installations, plugins and themes that are being run from the same hosting account, if you are using shared hosting.
    2) OptimizePress 1.0 is known to have a security issue and they have released an update to it. This doesn't update through the normal updates from your WordPress dashboard. You might want to update it manually, if you haven't done it yet.
    3) Not cleaning and optimizing your database periodically.
    4) Leaving the default themes like twentyeleven etc. as they are and not updating them. This primarily happens if you are using a different theme and these default themes just remain there.
    5) Not uninstalling plugins that haven't been updated for a long time by their creators.

    These are prone to attacks. A couple of solutions that I found were installing plugins like Wordfence, Bullet Proof Security or Better WP Security.
