Disclosure: We may receive compensation from the companies whose products we review if you click through our affiliate links.

10 Avoidable Mistakes That Could Get Your WordPress Website Hacked

If you believe that your WordPress website is secure, you could be mistaken. It has been estimated that 30,000 WordPress sites get hacked every day. That equates to one WordPress website hacked every 21 minutes. Hackers sometimes hack websites for monetary gain. Some people hack sites for no other reason than to prove that they can.

It’s not that WordPress is any less secure than any other content management system. The number of WordPress sites hacked is high because of the platform’s prevalence. After all, there are an estimated 455 million sites built on WordPress. When you consider that number, 30,000 doesn’t seem so high.

Still, any WordPress website is a prime target for hackers. And, if your site does get hacked, it could cost you money and waste a lot of your time. So, it is advisable to avoid making these mistakes that could leave your site vulnerable to WordPress hackers.

Mistakes that can get your WordPress Website Hacked

1. Using an Insecure Host

The hosting provider you choose also plays a part in the security of your site. Consequently, it is advisable to host a WordPress website with a reputable company that takes security seriously. Look for hosts that will properly isolate your website and provide a dedicated IP address and an SSL certificate. It is generally best to go with a well-known hosting company rather than a cheap provider with no track record.

We recommend you read our Rocket.net review (our current host), and also consider Hostgator WordPress Cloud Hosting and Dreamhost (use one of our Dreamhost coupons for a discount).

For specialized hosting we’ve compiled lists for adult hosting and offshore hosting, too.

2. Not Installing a Firewall

A firewall acts as a gateway to your website, looking for and rejecting malicious attempts to gain access to the site. As the first line of defense against hackers, installing a security plugin with a firewall, such as Wordfence or Sucuri, should be one of the first tasks when setting up a WordPress website.

3. Using Weak Passwords

Hackers will try to access your WordPress site, and the first thing they will try is using all the well-known weak passwords, such as 1234, password, and admin. So, use strong, complex passwords to defeat this easy way to gain access to your site. It is also advisable not to reuse passwords because if your password gets compromised in one place, you will have compromised all your logins. Frequently changing passwords will also help to protect your logins.

There’s nothing worse than having to tell your web hosting company, customer or boss that you got your WordPress website hacked because of a weak or easily guessed password.

4. Not Changing the Admin Username

The default WordPress administration username is admin, and there is no secret about that. Consequently, hackers will attempt to use that name, along with the weak passwords mentioned above. To eliminate this vulnerability, create a new admin user with a hard-to-guess name and administrative rights, and delete the admin username. Avoid any usernames similar to admin, like administration or administrator, that would be equally easy to guess.
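As an added example (not code from the article), the swap away from the default admin account can be scripted with WP-CLI. It assumes WP-CLI is installed and that the script is run from the WordPress root with `--apply`; the deny-list of look-alike names and the six-character minimum are my own choices for the check, not WordPress rules. The old account's posts are reassigned to the new administrator before the old one is removed, so no content is lost.

```shell
#!/bin/sh
# Added example: replace the predictable "admin" account with WP-CLI.
# Assumes WP-CLI is installed and the WordPress root is the working directory
# when invoked as:  sh replace-admin.sh --apply <new-username> <email>
# Without --apply only the functions are defined, so the file can be sourced safely.

# Return 0 if the proposed username is acceptable, 1 if it is on the deny list
# or too short. The comparison is case-insensitive, so "Admin" and
# "ADMINISTRATOR" are rejected as well.
username_is_acceptable() {
    candidate=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$candidate" in
        ''|admin|administrator|administration|root|wpadmin|wp-admin|webmaster)
            return 1 ;;
    esac
    # Six or more characters, letters/digits/underscore/hyphen only (my policy).
    printf '%s' "$candidate" | grep -Eq '^[a-z0-9_-]{6,}$'
}

# Create the new administrator, hand admin's content over to it, then delete admin.
replace_admin_user() {
    new_user=$1; new_email=$2
    username_is_acceptable "$new_user" || {
        echo "refusing username '$new_user': too short or too close to 'admin'" >&2
        return 1
    }
    old_id=$(wp user get admin --field=ID 2>/dev/null) || {
        echo "no 'admin' user exists; nothing to do"
        return 0
    }
    # Without --user_pass WP-CLI generates a strong password and prints it once;
    # store it in a password manager, it is not shown again.
    wp user create "$new_user" "$new_email" --role=administrator || return 1
    new_id=$(wp user get "$new_user" --field=ID)
    # --reassign moves every post and page owned by admin to the new account.
    wp user delete "$old_id" --reassign="$new_id" --yes
}

if [ "${1:-}" = "--apply" ] && [ $# -eq 3 ]; then
    replace_admin_user "$2" "$3"
fi
```

Log in with the new account and confirm it can reach the dashboard before deleting the old one if you prefer to do the last step by hand; the script performs both steps in one go.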

[Image: "Index of /wp-includes" directory listing, showing WordPress directory browsing enabled]
This is not information that hackers (or anyone for that matter) should be able to access.

5. Allowing Directory Browsing

When directory browsing is enabled on a WordPress site, hackers can gain information about plugins and other WordPress site characteristics. Any information hackers can gain is another potential pathway into your website. Even though directory browsing is generally disabled, after a recent migration we were surprised to find that somewhere along the way directory browsing had been enabled.

It is easy to check if your site is at risk, and just as easy to disable directory browsing in WordPress with a few simple lines of code.

6. Lack of Control Over Logins

Giving other people admin rights to your website can pose a security risk. Therefore, it is advisable to tightly control who has access to your website and what each of those users can do. There may be occasions when you need to allow a user full access to your site. In that situation, it would be advisable to disable the login as soon as access is no longer required.

A good rule of thumb is the Principle of Least Privilege. Essentially, this means that every login created for your site should carry only the permissions needed for the specific WordPress tasks required, and should be limited to the timeframe in which that access is necessary.
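To make the Principle of Least Privilege something you can check rather than just intend, here is an added audit script (not the article's code) built on WP-CLI's user listing. It assumes WP-CLI is installed when run against a real site; the CSV embedded below is constructed to mirror `wp user list --fields=ID,user_login,roles --format=csv` output so the parsing can be exercised offline, and it assumes one role per user.

```shell
#!/bin/sh
# Added example: list every account with full administrator rights so you can ask
# "does this person still need this?", and revoke access when the answer is no.
# Assumes WP-CLI is installed and the script runs from the WordPress root when
# invoked with --apply. The sample below is constructed, not from a real site.

SAMPLE_USERS='ID,user_login,roles
1,site_owner_42,administrator
2,contractor_q3,administrator
3,blog_writer,author
4,intern_2022,editor'

# Print the user_login of every administrator in a wp user list CSV read on stdin.
# The header row is used to find the columns, so field order does not matter.
# Assumes one role per user (multi-role users would be quoted with commas).
admins_from_csv() {
    awk -F, 'NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
             $col["roles"] == "administrator" { print $col["user_login"] }'
}

# Number of administrator accounts; more than one or two is worth a second look.
count_admins() { admins_from_csv | wc -l | tr -d ' '; }

# Audit a live site: same query, straight from WordPress.
audit_live_site() {
    echo "Administrators:"
    wp user list --role=administrator --fields=ID,user_login,user_email
    echo "Editors (can publish anything):"
    wp user list --role=editor --fields=ID,user_login,user_email
}

# When a task is finished, drop the account to the least-capable role instead of
# leaving an idle administrator login around; the content it created stays put.
# Delete with `wp user delete <login> --reassign=<id>` once the hand-over is done.
revoke_access() {
    wp user set-role "$1" subscriber
}

if [ "${1:-}" = "--apply" ]; then
    audit_live_site
fi
```

Run it on a schedule (or before every hand-over to a contractor) and compare against the last run; a new administrator you did not create is one of the clearest signs that a site has already been compromised.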

[Image: the WordPress login page]
Website hacked? Poor password choices mean this page may be where it all began for the intruder.

7. Not Updating WordPress

One of the most common reasons websites get hacked is outdated software. Yet WordPress updates are free, so there is no reason to make the mistake of not installing them. Hackers sometimes find and exploit vulnerabilities in WordPress, but those vulnerabilities are then quickly fixed in WordPress updates. So, keeping WordPress up to date reduces the risk of hackers finding their way into your site via an old security weakness in the software.

8. Not Updating Themes and Plugins

Themes and plugins are also periodically updated, and it is advisable to install updates as they become available. Updates only take a minute to install and rarely cause any issues. But they may include critical security updates, so it is best not to ignore them. It is also best practice to replace plugins and themes should support for them cease.
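Mistakes 7 and 8 come down to one routine: back up, see what is outdated, update everything. Here it is as an added WP-CLI script (not the article's own code). It assumes WP-CLI is installed and is run from the WordPress root with `--apply`; the CSV embedded below is constructed to mirror `wp plugin list --fields=name,status,update,version --format=csv` output so the reporting part can be exercised without a site.

```shell
#!/bin/sh
# Added example: take a database backup, report outdated plugins, then apply
# core, plugin and theme updates with WP-CLI. Assumes WP-CLI is installed and
# the WordPress root is the working directory when invoked with --apply.
# The sample CSV is constructed for illustration; plugin versions are made up.

SAMPLE_PLUGINS='name,status,update,version
akismet,active,available,5.0
hello,inactive,none,1.7.2
contact-form-7,active,available,5.7.1
generatepress-premium,active,none,2.2.2'

# Print the name of every plugin whose "update" column reports an available update.
# Columns are located by header name, so a different --fields order still works.
outdated_plugins_from_csv() {
    awk -F, 'NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
             $col["update"] == "available" { print $col["name"] }'
}

# How many plugins are waiting for an update (0 is the goal).
count_outdated() { outdated_plugins_from_csv | wc -l | tr -d ' '; }

# The live routine. Every step is a real WP-CLI command; the order matters:
# backup first so there is a rollback point, core before plugins, schema last.
apply_updates() {
    stamp=$(date +%Y%m%d-%H%M%S)
    wp db export "pre-update-$stamp.sql" || return 1
    echo "Plugins with updates available:"
    wp plugin list --update=available --field=name
    echo "Themes with updates available:"
    wp theme list --update=available --field=name
    wp core update && wp core update-db
    wp plugin update --all
    wp theme update --all
    # Confirm the core files on disk match the wordpress.org release; a mismatch
    # after an update points at tampering rather than a failed download.
    wp core verify-checksums
}

if [ "${1:-}" = "--apply" ]; then
    apply_updates
fi
```

Inactive plugins still get updated by `--all`, which is the right call: an inactive but installed plugin can still be reached by an attacker, and the page's advice to remove anything no longer supported applies to those first.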

9. Not Protecting the Admin Folder

Hackers will sometimes attempt to access the admin folder of a WordPress website. It is best to protect the admin folder to prevent this type of attack. Restrict who has access to the folder, for example, and enable password protection. Alternatively, install a security plugin such as WP Admin to protect this area of your site.

10. Not Implementing SSL

Some people think that installing an SSL (secure sockets layer) certificate only protects the details of a site's visitors. However, SSL is equally important for protecting the site against hackers. Without SSL, login credentials travel in plain text, so a hacker who can observe the traffic could read the admin login credentials when you sign in to the site.
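Mistakes 5, 9 and 10 are all fixed in the same place on an Apache host: the site's `.htaccess` files. The script below is an added example, not the article's or any project's code. It assumes Apache 2.4 with mod_rewrite enabled, that an htpasswd file already exists at the path you pass in (the `/etc/...` path is a placeholder), and that WP-CLI is installed when run with `--apply`. Every function is idempotent, so re-running it after a migration (the situation described above) only adds what is missing.

```shell
#!/bin/sh
# Added example: idempotent .htaccess hardening for an Apache 2.4 WordPress site.
# Usage:  sh harden.sh --apply /path/to/wordpress /etc/wp-admin.htpasswd
# (both paths are placeholders). Without --apply only the functions are defined.

# Append a line to a file unless that exact line is already present.
ensure_line() {
    file=$1; line=$2
    [ -f "$file" ] && grep -qxF -- "$line" "$file" && return 0
    printf '%s\n' "$line" >> "$file"
}

# Mistake 5: stop Apache from listing directory contents such as /wp-includes/.
disable_directory_listing() { ensure_line "$1/.htaccess" "Options -Indexes"; }

# Quick check: exit 0 if the directive is in place, 1 if the site is still browsable.
directory_listing_disabled() { grep -qxF "Options -Indexes" "$1/.htaccess" 2>/dev/null; }

# Mistake 10: send every plain-HTTP request to HTTPS so credentials never travel in clear.
force_https() {
    f=$1/.htaccess
    grep -q '^# BEGIN force-https' "$f" 2>/dev/null && return 0
    cat >> "$f" <<'EOF'
# BEGIN force-https
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# END force-https
EOF
}

# Mistake 9: put a second password in front of /wp-admin/. admin-ajax.php is
# exempted because front-end features and some plugins call it for anonymous
# visitors; without the exemption those features break for logged-out users.
protect_wp_admin() {
    docroot=$1; htpasswd=$2
    mkdir -p "$docroot/wp-admin"
    cat > "$docroot/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile $htpasswd
Require valid-user
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

if [ "${1:-}" = "--apply" ] && [ $# -eq 3 ]; then
    disable_directory_listing "$2"
    force_https "$2"
    protect_wp_admin "$2" "$3"
    # WordPress side of mistake 10: the dashboard and login page refuse plain HTTP.
    wp config set FORCE_SSL_ADMIN true --raw
fi
```

On nginx the equivalents are `autoindex off;` in the server block and a `return 301 https://$host$request_uri;` in the port-80 server. After forcing HTTPS, also make sure the WordPress `siteurl` and `home` options begin with `https://`, otherwise WordPress itself will keep generating plain-HTTP links.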

11. Installing Nulled Plugins and Themes

You might occasionally come across free versions of premium themes and plugins. These “nulled” versions are often riddled with malware, so they are best avoided. There are plenty of high-quality but free or low-cost themes and plugins available, so there is no real need to risk using pirated or unmaintained software. The best approach is only to install software from trusted sources.

This site uses the GeneratePress theme, currently our go-to WordPress theme. We’re impressed with how well and often it is maintained, as well as how great the support is.


Hackers will target even a relatively small website with few visitors. But, if you take the above precautions, your website should be safe. However, hackers are always looking for new ways to access sites. And sometimes, they gain the upper hand and find security vulnerabilities.

Consequently, be sure to take regular backups of your site because restoring from a backup is your last line of defense should your site be hacked.

David Green

My name is David and I am the founder and author of Zuziko. I love WordPress and have built sites, themes and plugins. I am passionate about web development and have created Zuziko as a way to share my knowledge and experience with the world. My WordPress user profile.
