After recovering hundreds of hacked WordPress sites, we see the same security mistakes over and over. Here are the most common — and how to fix each one right now.
Mistake 1: Using "admin" as Your Username
Every brute force bot on the internet tries "admin" first. If that's your administrator username, you've handed attackers half the puzzle.
Fix: Create a new admin user with a unique username. Log in with the new account and delete the old "admin" user (reassigning content to the new account).
Mistake 2: Weak or Reused Passwords
"Password123" or a password reused from another account is an open door. Credential stuffing attacks use leaked passwords from other breaches — attackers have lists of billions of real-world passwords.
Fix: Use a password manager. Generate a unique, 20+ character random password for your WordPress admin. Enforce this for all admin-level users.
Mistake 3: No Two-Factor Authentication
Even a strong password can be compromised via phishing or credential theft. 2FA means a stolen password alone isn't enough to break in.
Fix: Install a 2FA plugin (like WP 2FA or Google Authenticator) and enforce it for all administrator and editor accounts.
Mistake 4: Ignoring Plugin Updates
Every unpatched plugin is a potential entry point. Attackers run automated scans looking for sites running known-vulnerable plugin versions — often within hours of a CVE being published.
Fix: Update plugins regularly. For critical security updates, apply immediately. For other updates, test in a staging environment first, then deploy to live.
Mistake 5: Leaving Inactive Plugins & Themes Installed
A deactivated plugin's files stay on the server and can still be requested directly, so a vulnerability in them remains exploitable. Many users install plugins to test them, then deactivate — but not delete. Each one is a liability.
Fix: Delete any plugin or theme you're not actively using. There's no benefit to keeping them, only risk.
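The account, update and cleanup steps from Mistakes 1, 4 and 5 can be scripted with WP-CLI so they are repeatable across sites. The following is an added example, not code from the original article: it assumes WP-CLI (`wp`) is installed and run from the WordPress root, and the login name and e-mail passed in are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the article: WP-CLI housekeeping for Mistakes 1, 4 and 5.
# Assumes WP-CLI ("wp") is installed and the script is run from the WordPress
# root (or with --path set). User names and e-mail used when calling these
# functions are constructed placeholders.
set -eu

# Mistake 1: replace the default "admin" account with a uniquely named
# administrator. $1 = new login, $2 = e-mail. Posts and pages owned by
# "admin" are reassigned so nothing is lost when it is deleted.
replace_admin_user() {
  new_login="$1"
  new_email="$2"
  if ! wp user get admin --field=ID >/dev/null 2>&1; then
    echo "no 'admin' account present, nothing to do"
    return 0
  fi
  # 24 random alphanumerics (about 143 bits); shown once, store it in a password manager.
  new_pass=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)
  # --porcelain makes wp print only the new user's ID.
  new_id=$(wp user create "$new_login" "$new_email" \
             --role=administrator --user_pass="$new_pass" --porcelain)
  # --reassign moves all content from "admin" to the new ID before removal.
  wp user delete admin --reassign="$new_id" --yes
  echo "created administrator '$new_login' (ID $new_id); password: $new_pass"
}

# Mistake 4: list plugins with a pending update (name, installed, available)
# so security releases can be applied right away and the rest staged first.
list_pending_updates() {
  wp plugin list --update=available --fields=name,version,update_version
}

# Mistake 5: remove every plugin and theme that is installed but not active.
# "wp theme list" reports the parent of an active child theme as "parent",
# not "inactive", so it is never deleted here.
delete_inactive_extensions() {
  plugins=$(wp plugin list --status=inactive --field=name)
  themes=$(wp theme list --status=inactive --field=name)
  # Word-splitting the newline-separated names into arguments is intended.
  [ -n "$plugins" ] && wp plugin delete $plugins
  [ -n "$themes" ] && wp theme delete $themes
  echo "removed plugins: $(echo ${plugins:-none}); themes: $(echo ${themes:-none})"
}
```

Typical use is `replace_admin_user sitekeeper-k3 ops@example.com` once, then `list_pending_updates` and `delete_inactive_extensions` on a schedule; the printed password exists only on that terminal, so move it into the password manager immediately.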
Mistake 6: No Backups (or Backups Stored on the Same Server)
When attackers compromise a server, they often corrupt or delete local backups. If your only backup is on the same server as your site, it's not a backup — it's a false sense of security.
Fix: Use a backup solution that stores copies offsite (Amazon S3, Google Drive, Dropbox). Run daily backups. Test restores quarterly.
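The three parts of that fix (offsite copy, daily run, tested restore) as an added shell example, not code from the original article. It assumes GNU tar and coreutils, the AWS CLI for the S3 upload, and a placeholder bucket name; the database is deliberately left out and must be dumped separately (for example with `wp db export`) and backed up the same way.

```shell
#!/bin/sh
# Added example, not from the article: back up a WordPress directory into a
# checksummed archive, verify it restores, and push it offsite. Assumes GNU
# tar/coreutils and the AWS CLI; the bucket name is a placeholder. The
# database is not included: dump it separately and archive the dump too.
set -eu

# Archive $1 (the site root) into $2 (backup directory) and write the
# archive's SHA-256 next to it so a truncated or tampered copy is detectable.
# Prints the archive path.
backup_site() {
  site_dir="$1"
  out_dir="$2"
  mkdir -p "$out_dir"
  archive="$out_dir/wp-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
  # -C stores relative paths so the archive can be restored anywhere.
  tar -czf "$archive" -C "$site_dir" .
  sha256sum "$archive" | awk '{print $1}' > "$archive.sha256"
  echo "$archive"
}

# The "test restores" step: re-check the checksum, extract into a scratch
# directory and confirm the tree is intact. Prints "ok" on success and
# returns 1 otherwise.
verify_backup() {
  archive="$1"
  expected=$(cat "$archive.sha256")
  actual=$(sha256sum "$archive" | awk '{print $1}')
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $archive"
    return 1
  fi
  scratch=$(mktemp -d)
  if ! tar -xzf "$archive" -C "$scratch" || [ ! -f "$scratch/wp-config.php" ]; then
    rm -rf "$scratch"
    echo "restore test failed for $archive"
    return 1
  fi
  rm -rf "$scratch"
  echo "ok"
}

# Copy the archive and its checksum to an S3 bucket (placeholder name).
# Run daily from cron after backup_site; keep retention on the bucket side so
# a compromised server cannot delete old copies.
upload_offsite() {
  archive="$1"
  bucket="${WP_BACKUP_BUCKET:-example-wp-backups-placeholder}"
  aws s3 cp "$archive" "s3://$bucket/" --only-show-errors
  aws s3 cp "$archive.sha256" "s3://$bucket/" --only-show-errors
}
```

A daily cron entry would run `a=$(backup_site /var/www/html /var/backups/wp) && verify_backup "$a" && upload_offsite "$a"`; the quarterly restore test is simply `verify_backup` run against a copy pulled back down from the bucket rather than the local file.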
Mistake 7: No Security Monitoring
Most hacked sites are infected for weeks or months before the owner notices. By then, the damage — blacklisting, SEO loss, customer exposure — is extensive.
Fix: Implement real-time malware scanning and file change monitoring. Automated alerts mean you know within minutes if something suspicious happens.
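File change monitoring from Mistake 7 comes down to a trusted baseline of file hashes and a periodic comparison. The following is an added example, not code from the original article: a minimal monitor in POSIX shell that assumes GNU findutils and coreutils, with the directory and file names used when calling it being constructed.

```shell
#!/bin/sh
# Added example, not from the article: a minimal file-change monitor for a
# WordPress tree. Take a baseline right after a clean install or update, then
# run the check from cron and alert on any output. Assumes GNU findutils and
# coreutils (sort -z, xargs -0, sha256sum).
set -eu

# Print "sha256  ./relative/path" for every file under $1, sorted by path.
fim_snapshot() {
  (cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum)
}

# Store the trusted state of $1 in manifest file $2 (keep it off the web root).
fim_baseline() {
  fim_snapshot "$1" > "$2"
}

# Compare the live tree $1 with manifest $2. Prints one line per change
# (ADDED, MODIFIED or DELETED followed by the path) and returns 1 if anything
# changed, 0 if the tree still matches. The path is taken from column 67
# onward (64 hex digits plus two spaces) so names containing spaces survive.
fim_check() {
  root="$1"
  manifest="$2"
  current=$(mktemp)
  fim_snapshot "$root" > "$current"
  report=$(awk '
    FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
                        { cur[substr($0, 67)] = $1 }
    END {
      for (p in base) if (!(p in cur)) print "DELETED", p
      for (p in cur)  if (!(p in base)) print "ADDED", p
      for (p in cur)  if ((p in base) && base[p] != cur[p]) print "MODIFIED", p
    }' "$manifest" "$current" | sort)
  rm -f "$current"
  if [ -z "$report" ]; then
    return 0
  fi
  printf '%s\n' "$report"
  return 1
}
```

Run `fim_baseline /var/www/html /var/lib/fim/wp.manifest` after each deliberate update and `fim_check /var/www/html /var/lib/fim/wp.manifest || mail -s "WordPress files changed" ops@example.com` from cron; a new PHP file under `wp-content/uploads` or a modified core file showing up in the report is exactly the early signal the article says most site owners miss.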