WordPress is the world’s most popular CMS, powering 34% of sites on the internet.

The downside of this popularity is that there are a lot of people who have figured out how to attack WordPress sites. Hackers can learn the ins and outs of WordPress and use that knowledge against tens of millions of websites.

If you are a WordPress user looking to keep your website safe, there are three security mistakes you might be making. In this article, we’ll cover what these are and what you can do to fix them.


Mistake 1: Bottom-of-the-Barrel Web Hosting

You get what you pay for, and this is definitely true when it comes to web hosting.

Web hosting can be expensive, so those deals offering a full hosting package for just a couple of dollars (or even cents) per month might look appealing. If you are running a small, personal site, this type of hosting should be fine. However, if you have a larger site, or you’re running a site for business purposes, consider upgrading to a better package or working with a more expensive (and more secure) hosting provider.

Shared hosting is where the host places many websites on a single server with little delineation between the individual sites — this volume is what allows the host to offer rock-bottom prices. One of the biggest threats to websites hosted on shared plans is distributed denial of service (DDoS) attacks. These attacks occur when a malicious party floods a website with more traffic than its server can cope with. In a shared hosting environment, such an attack brings down not just the targeted site but its server neighbors as well — potentially thousands of sites.

Furthermore, it’s likely that all of the shared hosting plans on a single server share one IP address (or a small range of IP addresses). In this case, your website cannot be uniquely identified by its IP address. Therefore, it’s difficult for you to protect yourself from IP address spoofing, where malicious parties fake usage of your IP address to launch attacks. It doesn’t matter whether the attacker was impersonating you or one of your server neighbors: you are all affected.

Similarly, if you are sharing a server with someone engaging in poor practices (e.g. sending spam email), you may find yourself penalized along with them.

With that said, not everyone can afford to spring for upgraded hosting from the get-go. There are certainly shared hosting plans that offer their users increased security, but VPS hosting options or cheap dedicated servers offer the best security (though both can be pricey).

Mistake 2: Not Changing the Default Settings and Parameters

When you install WordPress, you’ll see a lot of default settings and parameters used. For example, the login page to your WordPress dashboard is probably located at your-domain.com/wp-admin, the master account username is admin, your database tables follow the WordPress convention, and so on.

Hackers and malicious parties all know this, and with this information in hand, they are one step closer to breaching your website. However, it is possible for you to change this information to improve the security of your website.

Strong Login Credentials

First, change (or delete) the admin account username, if your site still has one. If you are creating a new set of credentials, avoid using admin. This username is so common that keeping it makes things easy for hackers who try to gain access by repeatedly guessing username/password combinations.

Another essential thing to remember when you create additional accounts is to use strong passwords. Many attackers run scripts that do nothing but try to log in to sites with various username and password combinations, hoping to land on the correct pair. By using a strong password, you make it far less likely that such scripts succeed. If you find it difficult to create and remember tough-to-crack passwords, we recommend using a password manager like 1Password, Dashlane, or LastPass.
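Password-guessing scripts of the kind described above leave a recognisable trace in the web server access log. The script below is an added example (not part of this article) that flags sources hammering the WordPress login; it assumes combined-format access log lines (constructed here, not real traffic) and relies on the fact that wp-login.php answers a failed POST with HTTP 200 and a successful one with a 302 redirect into wp-admin. The threshold of four failures is an assumption to tune for your site.

```python
import re
from collections import defaultdict

# Constructed combined-format access log lines (not real traffic). WordPress answers a
# failed wp-login.php POST with HTTP 200 (the form again, plus an error) and a successful
# one with a 302 redirect into wp-admin; that difference is what the rule keys on.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3140 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3140 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3140 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3140 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3140 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.20 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3140 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:56:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:56:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_login_attempts(log_text):
    """Yield (ip, status) for every POST to wp-login.php; other requests are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith("/wp-login.php"):
            yield m["ip"], int(m["status"])

def find_password_guessing(log_text, max_failures=4):
    """Return {ip: {"failed": n, "succeeded": bool}} for every IP whose failed logins
    exceed max_failures. succeeded=True means the same IP also received a 302, i.e. the
    guessing eventually worked and the account needs a password reset, not just a block."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded": False})
    for ip, status in parse_login_attempts(log_text):
        if status == 200:
            stats[ip]["failed"] += 1
        elif status == 302:
            stats[ip]["succeeded"] = True
    return {ip: s for ip, s in stats.items() if s["failed"] > max_failures}

if __name__ == "__main__":
    for ip, s in find_password_guessing(SAMPLE_LOG).items():
        verdict = "guessing SUCCEEDED, reset the password" if s["succeeded"] else "block this source"
        print(f"{ip}: {s['failed']} failed logins, {verdict}")
```

A human who mistypes a password once or twice (the second address) is not flagged; only the run of rapid failures followed by a success is.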

Hide the Login Page

Second, the login page to your WordPress dashboard is normally found at your-domain.com/wp-admin. Changing this adds another layer of security, and it is easy to do with the WP Hardening plugin. With WP Hardening you can harden more than 12 areas of your WordPress install with a single click, such as hiding wp-content and wp-includes or disabling XML-RPC.

WP Hardening by Astra

There are two things you need to do if you want to hide the login page. First, move it to a different location (e.g. from your-domain.com/wp-admin to your-domain.com/my-login-page). Second, if you have a login link or login fields on your website, hide them so that visitors cannot see them. Doing this may be slightly inconvenient for you, but in return, your WordPress site will be more secure.

Be sure to make a note of your new login URL; it is hard to get back into your site without it.

Change Your Database Tables’ Prefix

This final tip is somewhat more advanced than the other two we recommend, but it is nevertheless one you should consider.

By default, WordPress creates several tables in your database, and all of their names start with the prefix wp_. This makes it easier for hackers to find and target the information in your database.

By changing this prefix to something else (it doesn’t have to be complicated), you add one more piece of information hackers need to figure out before they can launch a successful attack.

Doing this by hand means making a small edit to your WordPress configuration and then renaming the database tables to match. However, you can do it more easily with a WordPress plugin like Change Table Prefix.
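For readers who want to see what the manual route involves, the script below is an added example (not code from this article or from the Change Table Prefix plugin). It generates the SQL for the rename and rewrites the $table_prefix line of wp-config.php, and it covers the step that is easy to miss: the options and usermeta tables store rows whose values (wp_user_roles, wp_capabilities, wp_user_level) embed the prefix and must be updated too, or every user loses their role. The table list is the twelve core tables of a default install; the new prefix k9x_ is a constructed sample.

```python
import re

# Constructed table list: the twelve tables a default WordPress install creates.
# A real site usually has more (plugin tables), which must carry the same prefix.
CORE_TABLES = [
    "wp_commentmeta", "wp_comments", "wp_links", "wp_options", "wp_postmeta",
    "wp_posts", "wp_term_relationships", "wp_term_taxonomy", "wp_termmeta",
    "wp_terms", "wp_usermeta", "wp_users",
]

def validate_prefix(prefix):
    """WordPress only accepts letters, digits and underscores in $table_prefix."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError(f"invalid table prefix: {prefix!r}")
    return prefix

def migration_sql(tables, old, new):
    """SQL that renames every table AND fixes the rows whose values embed the old
    prefix: option_name 'wp_user_roles' in the options table, and meta_key
    'wp_capabilities' / 'wp_user_level' in usermeta. Renaming the tables alone
    leaves every account without a role, which is the classic failure mode."""
    validate_prefix(old); validate_prefix(new)
    stmts = []
    for t in tables:
        if not t.startswith(old):
            raise ValueError(f"table {t} does not carry prefix {old!r}")
        stmts.append(f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;")
    like = old.replace("_", r"\_") + "%"   # '\_' makes LIKE treat '_' literally
    pos = len(old) + 1                       # SUBSTRING() is 1-based in MySQL
    for table, col in ((f"{new}options", "option_name"), (f"{new}usermeta", "meta_key")):
        stmts.append(f"UPDATE `{table}` SET {col} = CONCAT('{new}', SUBSTRING({col}, {pos})) "
                     f"WHERE {col} LIKE '{like}';")
    return stmts

def update_wp_config(config_text, new):
    """Rewrite the $table_prefix line of wp-config.php. Apply it together with the
    SQL (after a full database backup), or WordPress looks for tables that are gone."""
    validate_prefix(new)
    pattern = re.compile(r'''^(\s*\$table_prefix\s*=\s*)(['"])[^'"]*\2(\s*;)''', re.M)
    new_text, n = pattern.subn(rf"\g<1>'{new}'\3", config_text)
    if n != 1:
        raise ValueError("expected exactly one $table_prefix assignment in wp-config.php")
    return new_text

if __name__ == "__main__":
    for stmt in migration_sql(CORE_TABLES, "wp_", "k9x_"):
        print(stmt)
    print(update_wp_config("<?php\n$table_prefix = 'wp_';\n", "k9x_"))
```

Run the generated statements inside one transaction with the site in maintenance mode, and list the tables from the live database (SHOW TABLES) rather than relying on the core list, since plugin tables carry the prefix as well.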

Mistake 3: Installing Too Many Plugins and Not Uninstalling Unused Plugins

Plugins are great in that they allow you to extend your WordPress core, adding useful features and functionality that you and your users appreciate.

Over time, the number of plugins you have installed in your WordPress environment will grow. If you use all of your plugins, then the only recommendation we have for you is to make sure that all of them are kept up to date. Plugin updates include more than just new features; they sometimes come with key security fixes to close holes that leave you vulnerable to attack.

If, however, you find that you have plugins you are no longer using, take the time to uninstall them. Unless you plan to start using a plugin again, we recommend a full uninstall rather than simply deactivating it: a deactivated plugin still leaves its code on your server, so it can still be dangerous. There are several reasons why this is important.

The first (and most important) reason to uninstall unused plugins is that they can compromise the security of your website. Every plugin you install adds code, and with it additional opportunities that malicious parties can leverage to hack your website. Because a plugin offers added value, we accept these risks to some extent. Unused plugins, however, offer no such benefit. It’s best to remove them and close off those opportunities.

Along with this, outdated or obsolete plugins are especially vulnerable, since they are unlikely to have received the most recent releases or security patches. By removing these plugins, you eliminate threats that only grow as time passes. You also reduce the amount of work needed to keep everything in your WordPress ecosystem up to date.

Finally, removing plugins improves your website’s overall performance: your pages load faster and your backups are smaller.

Wrapping Up

Because WordPress sites are so common, the ways in which they can be attacked are fairly well-known. However, if you are interested in keeping your site as secure as possible, make sure you do not make these mistakes.

Besides these three, there are other security measures you should take to protect your site. This complete WordPress security guide will help you here.