Starting a WordPress website can be tricky.

Ensuring your website is secure is an entirely different story altogether, so it’s going to be natural to make a few mistakes.

Odds are that if you have put countless hours of time and effort into a WordPress site, it is a labor of love. Naturally, you’re going to want to keep it as safe and secure as you would a loved one or something of value you hold dear.

Using open source software like WordPress is amazing because it’s available for everyone to use. The catch-22 is that because the software is so common and readily available, so are the exploits and penetration tactics that people with ill intent will take advantage of to access your data and compromise your security.

To remedy this, here are the most common WordPress security mistakes that beginners make and how to fix them. Let’s get started.

1. Using Weak Login Credentials

There are many ways to protect the password.

The first, if not the most common, weakness on WordPress, or on any website or app that requires a username and password, is weak login credentials.

Say your username is your first initial and last name followed by your birth year, and your password is “password” or something like “12345678”. With that, you’re leaving yourself wide open to a cyber attack.

Sure, ignorance is bliss, and you may think it could never happen to you. But when you create something, the odds are there is someone out there who wants to take it from you.

Do yourself a favor and choose a strong, unique username and a long, obscure password that nobody but you could ever guess.

Another consideration is limiting who has access to the site at all. The more administrators you have, the more avenues and backdoors there are for a potential breach. If you have no choice but to give personnel access to your site, limit their permissions so they can only reach the areas they need. It’s foolish to allow full access to someone who doesn’t need it.

Limiting login attempts is ideal for mitigating penetration techniques such as man-in-the-middle (DDoS) attacks and other brute force methods hackers use to crack passwords and gain access. There are a number of plugins available that can limit attempts and lock down your site to specific IP addresses. Just be aware that there is software to mask and even change IP addresses every few seconds, so while this method is useful, it’s not perfect.
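To show what “limiting login attempts” looks like under the hood, here is an added example (not code from this article or from any published plugin): a WordPress must-use plugin that counts failed logins in transients, keyed separately on the client IP and on the username, so that an attacker rotating source addresses (the caveat just mentioned) still runs into the per-account limit. The limits, the `lal_` prefix and the function names are assumptions for this example.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 * Drop this file into wp-content/mu-plugins/ and WordPress loads it automatically.
 * Constructed limits: 5 failures within 15 minutes lock that IP or username out
 * until the 15-minute window expires.
 */

defined( 'ABSPATH' ) || exit;

const LAL_MAX_ATTEMPTS = 5;
const LAL_WINDOW       = 15 * MINUTE_IN_SECONDS;

/** Transient keys for the two counters: one per client IP, one per username. */
function lal_keys( $username ) {
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $user = strtolower( sanitize_user( (string) $username, true ) );
    return array( 'lal_ip_' . md5( $ip ), 'lal_user_' . md5( $user ) );
}

/** Each failed login bumps both counters; the transient expiry is the window. */
add_action( 'wp_login_failed', function ( $username ) {
    foreach ( lal_keys( $username ) as $key ) {
        $count = (int) get_transient( $key );
        set_transient( $key, $count + 1, LAL_WINDOW );
    }
} );

/**
 * Refuse the login when either counter has reached the limit. Priority 30 runs
 * after the core username/password handlers (priority 20), so a correct password
 * cannot override the lockout. The uniform error reveals nothing about the account.
 */
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user;
    }
    foreach ( lal_keys( $username ) as $key ) {
        if ( (int) get_transient( $key ) >= LAL_MAX_ATTEMPTS ) {
            return new WP_Error( 'too_many_attempts',
                __( 'Too many failed login attempts. Please try again later.' ) );
        }
    }
    return $user;
}, 30, 3 );

/** A successful login clears both counters so a legitimate user is not left locked out. */
add_action( 'wp_login', function ( $user_login ) {
    foreach ( lal_keys( $user_login ) as $key ) {
        delete_transient( $key );
    }
} );
```

Because a blocked attempt also fires `wp_login_failed`, continued hammering extends the lockout window; if your site sits behind a proxy or CDN, `REMOTE_ADDR` is the proxy’s address and you will need to use the trusted forwarded-for header instead.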

2. Neglecting to Update

One of the most common yet unrecognized errors with WordPress is failing to regularly install the official software updates and patches. WordPress is updated fairly often, in one of two ways: major updates and minor updates. Major updates often bring improved code, new features, and security fixes that keep the platform secure.

Minor updates are released to mitigate smaller, less serious vulnerabilities that need to be addressed without a massive overhaul of the system itself.

Using an outdated version means your site will have a number of unnecessary vulnerabilities that could otherwise be avoided if you took the time to keep it up to date.

Often, people neglect updates out of fear of breaking all of the plugins and bonus features they have installed, which is understandable. But plugins are usually updated to the current version as well, and their authors make sure that potential vulnerabilities are patched on their end.

3. Bad Hosting Platforms

WordPress security starts with the web hosting service. To put it as simply as possible, you get what you’re willing to pay for. Cheap hosting goes hand in hand with cheap security that is easily subpar compared to a quality host.

Bad hosts themselves are susceptible to data breaches, so all of your data will be out in the open even if your site isn’t the primary target of the would-be black hat. Plus, time and time again, cheap web hosts aren’t as transparent: you’re more than likely going to be left to your own devices if your site’s security is compromised, even if you’re not at fault.

Do yourself a favor and invest in a quality, reputable WordPress web host with a proven track record and modern infrastructure and security measures that will keep hackers at bay.

4. Using Too Many Unused Themes, Plugins, and Accounts

It is perfectly understandable to want to download all the bells and whistles that will go a long way toward making your life a little easier. But the kicker is a human weakness.

Once something new and improved comes out, it’s any person’s natural inclination to use it while leaving the old software dormant. The issue with this is that if you don’t take the time to make sure everything is up to date, you have a number of potential weaknesses in your system because your focus is on the new toys.

Let’s face it: it flat out stinks to have your data breached and compromised. While WordPress has done a lot to boost its security in recent years, there’s still a lot that you need to do on your own as well.

Seeing all the time and effort you put in go to waste is hands down one of the worst feelings in the world, both emotionally and financially, and once it happens, it’s extremely easy to become discouraged from starting over and trying again.

One of the best ways to make sure this doesn’t happen, and to avoid total destruction, is to do everything correctly the first time around and avoid being compromised altogether.

Sure, information security is a very complex discipline that is learned over time. But let this article be a Rosetta stone to follow and a solid foundation for your countermeasures: start by making sure your login page is secure with plugins that limit login attempts.

Avoid shoddy web hosting platforms that neglect proper security protocols. Pay a little more for a legitimate web host that takes care of its customers.

Always make sure everything is up to date, and discard all the add-ons you aren’t using. That gives you a good start and makes sure your site can flourish for years to come.

Sam Bocetta is a former naval defense contractor and current freelance journalist specializing in writing about tech, cybersecurity, and cryptography.
