3 Common WordPress Security Mistakes, and How To Avoid Them

WordPress is the most widely used website/blogging platform in the world, and it’s easy to see why.

It’s very user friendly, comprehensive, and you can create almost any type of blog or website you want to with it.

But of course, making your blog or website look unique and professional with WordPress can be only one of your priorities.

Another big priority you need to have is making sure that your WordPress site or blog is secure, because if it’s not, it will be more vulnerable to hacking, which in turn can result in malicious software being installed and distributed or your personal information being stolen to be used in identity theft.

Since over 30,000 websites are hacked each and every day, hacking is indeed a very real threat that you face, and the last thing you want to do is make common mistakes that will make the threat of being hacked even worse for you.

With that in mind, here are the top WordPress security mistakes and how you can avoid them:

1. You Chose A Poor Quality Web Host

One of the single most important decisions that you will make before you even begin to build your WordPress website is choosing where to host it.

There are certainly a large number of different hosting companies to choose from, but not all are created equally.

While you may be tempted to go with the cheapest web host you can find, this is rarely the best course of action. A lower quality web host will rarely, if ever, be worth the savings, because it can leave you with a slow, poorly secured website that is vulnerable to hacking.

Fortunately, it is easy to choose a high quality web host so long as you know what to look for. The first quality to look for in a good web host will be security. At the very minimum, your web host should offer each of the following:

  • SPAM Protection
  • Automatic Backups (more on this later)
  • SSL Encryption
  • Hacking Protection
  • DDoS Protection

These kinds of security features will be even more important if you are going to be selling products or services on your WordPress site and therefore be collecting financial and personal data from your customers.

Something else you are going to need to look for in a quality web host is the amount of bandwidth and storage they offer. If your website is going to use high resolution images and carry a large amount of content, then you’re going to need more storage.

And if you plan on one day receiving a high volume of traffic (which can happen if your site ranks highly enough on the search engine results page, and it should if you know how to use SEO), then you’re going to need higher bandwidth as well. Even if the amount of traffic and downloads you’re receiving is limited now, you want to have enough room in your bandwidth for future growth and traffic spikes.

One last feature that a high quality web host will have is excellent customer support. There should be multiple ways to contact customer support (live chat, phone call, email message, etc.) and they should respond to your requests in a timely and intelligent manner.

There should also be a thorough and comprehensive frequently asked questions page on the website of your web hosting provider as well; if there’s not, that’s a major red flag.

2. You Don’t Update Your Add-Ons (Plugins, Themes, etc.)

It’s always a decent security measure to keep track of your WordPress plugins, themes, and other add-ons.

But besides keeping track of them, you also need to remember to update them in order to fix any vulnerabilities. Otherwise, your website will be incredibly easy to break into: not only does the vulnerability remain, but news of vulnerabilities in the WordPress ecosystem spreads very quickly, and hackers will be on top of it.

Some WordPress site owners are afraid to update their add-ons because those add-ons won’t always be compatible with an upgraded WordPress version.

Even though all WordPress upgrades are compatible with previous versions, sometimes add-ons such as plugins and themes will not be compatible. There are a number of reasons why this could happen; for instance, a developer may have released an update too hastily, without taking the time to make sure that it is compatible with older WordPress versions.

To put this into perspective, if you are using an early version of WordPress and you update your plugins to the latest version, your website will break.

How will you know that your add-ons are compatible with whatever version of WordPress you are using?

The answer is simple: you need to create a duplicate site where you can test the installation and upgrades of your add-ons. You can do this using services such as BlogVault.

One more thing worth noting is that you shouldn’t have too many plugins on your WordPress site either. The more plugins you install, the more likely it is that one of them will not work with another part of your website.

Furthermore, the more plugins you install, the slower your website will be as well. Therefore, only install the plugins that are absolutely critical to your website’s operation.
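The article recommends checking which add-ons have pending updates and trying the updates on a duplicate site before touching production. As an added example (not code from the article, from WordPress or from BlogVault), the POSIX shell script below does that with WP-CLI: it filters the CSV that `wp plugin list` emits down to active plugins with an update waiting, applies all plugin and theme updates to a staging copy, and smoke-tests that the staging front page still answers. STAGING_PATH, STAGING_URL and the sample CSV in the comments are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original article: a WP-CLI based
# pre-flight check for plugin updates, plus the "apply on a staging copy
# first" step the text recommends. STAGING_PATH and STAGING_URL are
# assumed values, not values from the article.
set -eu

STAGING_PATH="${STAGING_PATH:-/var/www/staging}"                  # assumed staging install
STAGING_URL="${STAGING_URL:-https://staging.example.invalid/}"    # placeholder URL

# Filter WP-CLI's CSV (header: name,status,update,version,update_version)
# down to active plugins with a pending update, printing one
# "name old -> new" line each. Plugin slugs and version strings contain no
# commas, so a plain comma split is safe here.
pending_updates() {
  awk -F, 'NR > 1 && $2 == "active" && $3 == "available" {
    printf "%s %s -> %s\n", $1, $4, $5
  }'
}

# Number of pending updates for active plugins, written to stdout.
count_pending() {
  pending_updates | wc -l | tr -d ' '
}

# Query a real site (needs WP-CLI installed on the host). Example of the
# input this produces, constructed for illustration:
#   name,status,update,version,update_version
#   akismet,active,available,5.0,5.3
#   jetpack,active,none,12.0,
list_pending_for_site() {
  wp --path="$1" plugin list --format=csv \
     --fields=name,status,update,version,update_version | pending_updates
}

# Apply every plugin and theme update to the staging copy, then check that
# the front page still loads: curl -f returns non-zero on an HTTP error
# status, and set -e then stops the script before anything reaches
# production.
update_staging() {
  wp --path="$STAGING_PATH" plugin update --all
  wp --path="$STAGING_PATH" theme update --all
  curl -fsS -o /dev/null "$STAGING_URL"
}

# Usage: ./check-updates.sh --run   (runs against STAGING_PATH)
if [ "${1:-}" = "--run" ]; then
  echo "Pending updates on staging before updating:"
  list_pending_for_site "$STAGING_PATH"
  update_staging
  echo "Staging updated and front page still responds."
fi
```

Run it against the staging copy first; only once the smoke test passes do the same `wp plugin update --all` on production, with a fresh backup taken beforehand.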

3. You Don’t Backup Your Website (Or At Least You Don’t Do It Right)

As the most popular website platform in existence, with nearly 60% of the total market share, it’s easy to see how thousands of WordPress sites are hacked every day.

So let’s say that worst comes to worst and your WordPress site does end up being hacked. What are you supposed to do now? Hopefully, you’ll have a very recent backup of your website ready to go.

Failing to back up your website regularly can prove to be a very costly mistake. Should you ever lose data due to hacking or an issue with the server, a backup may be the only way to restore that data to your site. Backups are also nice to have when you need to update your plugins.

Think of it this way: if your WordPress site ever gets hacked and your posts are deleted, you’ll lose all of that content forever unless you can restore your website to a previous version using a backup.

Many people are aware of the importance of backing up their WordPress website, but they do it the wrong way. As an example, many people will back up their website on their own web server. This is a poor strategy, because the server already carries the burden of its other processes, and the extra load will slow down your website.

Furthermore, if you lose the backup that’s stored on your web server, you’ll have no options left.

The solution is to choose a backup service that does two things: 1. performs automatic backups regularly (ideally once a day), and 2. stores your website’s backup files in a remote location, as a defense against server crashes and hacks.
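To make the two requirements above concrete, here is an added example (not code from the article, from WordPress or from any backup service it mentions) of a small POSIX shell script that does what the text asks of a backup service: it bundles wp-content (themes, plugins, uploads) and a database dump into one timestamped archive, records and verifies a SHA-256 checksum, pushes the archive and checksum to a remote host with rsync over SSH, and prunes old local copies. WP_DIR, BACKUP_DIR, REMOTE, KEEP_DAYS, and the use of mysqldump and rsync are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original article: an off-server backup
# routine of the kind the text describes (automatic, daily, stored remotely).
# WP_DIR, BACKUP_DIR, REMOTE and KEEP_DAYS are assumed values, not values
# from the article.
set -eu

WP_DIR="${WP_DIR:-/var/www/html}"                                     # assumed WordPress root
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"                    # local staging area
REMOTE="${REMOTE:-backup@backup.example.invalid:/srv/wp-backups/}"    # placeholder rsync target
KEEP_DAYS="${KEEP_DAYS:-14}"                                          # local retention in days

# Read one define('KEY', 'value') entry from wp-config.php.
wp_config_value() {
  sed -n "s/.*define( *'$1', *'\([^']*\)'.*/\1/p" "$WP_DIR/wp-config.php"
}

# Dump the database to the file named in $1. Credentials come from
# wp-config.php; MYSQL_PWD keeps the password out of the process list.
dump_database() {
  MYSQL_PWD="$(wp_config_value DB_PASSWORD)" mysqldump --single-transaction \
    -h "$(wp_config_value DB_HOST)" -u "$(wp_config_value DB_USER)" \
    "$(wp_config_value DB_NAME)" > "$1"
}

# Build one archive (wp-content plus database.sql) and its checksum file;
# prints the archive path.
make_backup() {
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  work="$BACKUP_DIR/work-$stamp"
  name="site-$stamp.tar.gz"
  mkdir -p "$work"
  dump_database "$work/database.sql"
  tar -czf "$BACKUP_DIR/$name" -C "$WP_DIR" wp-content -C "$work" database.sql
  rm -rf "$work"
  ( cd "$BACKUP_DIR" && sha256sum "$name" > "$name.sha256" )
  echo "$BACKUP_DIR/$name"
}

# Exit status 0 only if the archive still matches its recorded checksum.
verify_backup() {
  ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# Copy archive and checksum off the server; the remote copy is the one that
# survives a compromised or crashed server.
push_remote() {
  rsync -a "$1" "$1.sha256" "$REMOTE"
}

# Delete local archives and checksum files older than KEEP_DAYS days.
prune_backups() {
  find "$BACKUP_DIR" -maxdepth 1 -name 'site-*.tar.gz*' -mtime +"$KEEP_DAYS" -exec rm -f {} +
}

# Usage: wp-backup.sh --run   (schedule it daily, e.g. from cron)
if [ "${1:-}" = "--run" ]; then
  archive=$(make_backup)
  verify_backup "$archive"
  push_remote "$archive"
  prune_backups
  echo "backup complete: $archive"
fi
```

A daily cron entry such as `0 3 * * * /usr/local/bin/wp-backup.sh --run` gives the once-a-day cadence the text recommends. The script fails loudly (set -e) if the dump, the checksum check or the remote copy fails, which is exactly when you want to know; the local copies are only a convenience, and the remote ones are what you restore from after a server compromise.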


The security of your website or blog must be a top priority for any WordPress owner.

Choosing a poor quality web host, failing to update add-ons such as plugins, and failing to back up your website (or at least failing to do so properly) are among the biggest security mistakes that WordPress website owners make.

Fortunately, not only do you now know why these are mistakes to begin with, you also now know how you can circumvent them as well.

Complete Setup of WP Rocket


  • Linux hosting platform (64 bit)
  • Apache 2.2+ server
  • mySQL 5.1+
  • PHP 5.3+ (64 bit)
  • WordPress 4.0+
  • suexec or SuPHP
  • PHP exec() function enabled


  • Go to WordPress > Plugins > Add New > Upload
  • Upload the WP Rocket plugin zip file
  • Activate the plugin


  • On Basic settings, enable LazyLoad, Mobile cache, Emoji cache, Disable embeds
  • On Static files, minify HTML files, Google Fonts, remove query strings, optimize CSS files
  • Notes

Complete Setup of Monarch Plugin


    • Install and activate Monarch plugin.
    • Go to Monarch Settings > Social Sharing > Location, then select Inline
    • Go to Monarch Settings > Social Sharing > Networks, then add Google, Facebook and Twitter
    • Go to Monarch Settings > Social Sharing > Inline, scroll down to the post type settings, then select Post

    • Access Facebook for Developers account
    • Click Add New App on My Apps button
    • Add Website Title to Display Name field
    • Select the appropriate category
    • You’ll be redirected to the Dashboard of Apps
    • On Dashboard, click Choose Platform then select Website
    • Scroll down to the page then add Site URL
    • Go back to the App Dashboard then go to Settings > Basic
    • Add the domain to the App Domain field then save changes
    • Go to App Review then select Yes to make the app public
    • Go to Dashboard then get App ID and App Secret key
    • Go to the WordPress site, Tools > Monarch Settings, then add the App ID and App Secret key

Facebook Authentication

Complete Setup of BackupBuddy


  • Linux hosting platform (64 bit)
  • Apache 2.2+ server
  • mySQL 5.1+
  • PHP 5.3+ (64 bit)
  • WordPress 4.0+
  • suexec or SuPHP
  • PHP exec() function enabled


  • Go to WordPress > Plugins > Add New > Upload
  • Upload the BackupBuddy plugin zip file
  • Activate the plugin


  • Go to the Settings > General Settings and set ImportBuddy password
  • Scroll down to Local Archive Storage Limits then set the age limit number of backups to 150 days
  • Keep 4 full backups and 30 database backups
  • On Schedules Settings, schedule weekly complete backup and daily database backup

Site Migration

  1. Download the backup file & importbuddy.php: Navigate to BackupBuddy > Restore/Migrate in your dashboard and download the backup file you’d like to use for the migration and a copy of the ImportBuddy script.
  2. Upload the backup and a copy of your ImportBuddy file to your chosen directory via FTP
  3. Navigate to the uploaded ImportBuddy URL: http://domain.com/importbuddy.php
  4. You’ll be prompted to enter your ImportBuddy password to continue.
  5. Create database for the site migration
  6. Enter the database settings for the new location


Complete Setup of Google Analytics for WordPress by MonsterInsights


  • The latest version of WordPress
  • Google Analytics Account


  • Install Google Analytics for WordPress by MonsterInsights either via the WordPress.org plugin repository or by uploading the files to your server. (See instructions on how to install a WordPress plugin)
  • Activate Google Analytics for WordPress by MonsterInsights.
  • Navigate to the Insights tab in your WordPress admin menu and configure the plugin.


  • Access WordPress dashboard and install Google Analytics by MonsterInsights plugin
  • Go to Insights > Settings > General.
  • Click Authenticate with your Google account button


  • Paste Google Authentication code


  • Paste Google Authentication code
  • Select the website

Complete Setup of UpdraftPlus


  • WordPress Version 3.2


  • Log in to your site’s dashboard (e.g. http://domain.com/wp-admin)
  • On the dashboard’s left panel, click on “Plugins” and select “Add New”.
  • Search for the plugin “UpdraftPlus WordPress Backup Plugin” by UpdraftPlus.Com, DavidAnderson
  • Click on the “Install Now” button.
  • Wait for the installation to complete, then click the “Activate” button.
  • An alternative way of installing the plugin is to download the zip file from the plugin’s page (https://wordpress.org/plugins/updraftplus/) and upload it through the site’s dashboard by clicking Plugins > Add New > Upload.

How to Create a Scheduled backup

  • Access the plugin through the left panel on the site’s dashboard by clicking on Settings > UpdraftPlus
  • Screenshot: https://www.screencast.com/t/I7Hads3kJ
  • Click on the Settings tab
  • Screenshot: https://www.screencast.com/t/07Im4Awm
  • Choose your preferred backup schedule for your files that would include WordPress themes, plugins, images and other uploads.
  • Select the backup schedule for your site’s database. (Site’s contents and settings are stored in the database.)
  • When creating your backup schedule, base it on how often changes are made to the site.
  • Choose where you prefer to store the backups created. The preferred option is cloud storage (e.g. Dropbox, Google Drive, Microsoft OneDrive, etc.)
  • Click on a preferred storage service and see the setup instructions that will appear below the selected storage service

How to manually create a backup

  • Access the plugin through the left panel on the site’s dashboard by clicking on Settings > UpdraftPlus Backups and click on the “Backup Now” button
  • Screenshot: https://www.screencast.com/t/4anKEkrra1B
  • A pop-up will appear with options for which files you want to include in the backup. It also lets you choose whether to send the backup to remote storage
  • Click on the “Backup Now” button after selecting your preferences
  • Screenshot: https://www.screencast.com/t/f3xiR684N
  • Wait for backup to complete
  • The backup will also be sent to the configured remote location

Restore Backups created

  • Access plugin through the left panel on the site’s dashboard by clicking on Settings > UpdraftPlus Backups page and click on Restore button.