After recovering hundreds of hacked WordPress sites, we see the same security mistakes over and over. Here are the most common — and how to fix each one right now.
Mistake 1: Using "admin" as Your Username
Every brute force bot on the internet tries "admin" first. If that's your administrator username, you've handed attackers half the puzzle.
Fix: Create a new admin user with a unique username. Log in with the new account and delete the old "admin" user (reassigning content to the new account).
Mistake 2: Weak or Reused Passwords
"Password123" or a password reused from another account is an open door. Credential stuffing attacks use leaked passwords from other breaches — attackers have lists of billions of real-world passwords.
Fix: Use a password manager. Generate a unique, 20+ character random password for your WordPress admin. Enforce this for all admin-level users.
Mistake 3: No Two-Factor Authentication
Even a strong password can be compromised via phishing or credential theft. 2FA means a stolen password alone isn't enough to break in.
Fix: Install a 2FA plugin (like WP 2FA or Google Authenticator) and enforce it for all administrator and editor accounts.
Mistake 4: Ignoring Plugin Updates
Every unpatched plugin is a potential entry point. Attackers run automated scans looking for sites running known-vulnerable plugin versions — often within hours of a CVE being published.
Fix: Update plugins regularly. For critical security updates, apply immediately. For other updates, test in a staging environment first, then deploy to live.
Mistake 5: Leaving Inactive Plugins & Themes Installed
A deactivated plugin's files stay on the server, and a vulnerability in those files can still be reached by requesting them directly. Many users install plugins to test them, then deactivate — but not delete. Each one is a liability.
Fix: Delete any plugin or theme you're not actively using. There's no benefit to keeping them, only risk.
Mistake 6: No Backups (or Backups Stored on the Same Server)
When attackers compromise a server, they often corrupt or delete local backups. If your only backup is on the same server as your site, it's not a backup — it's a false sense of security.
Fix: Use a backup solution that stores copies offsite (Amazon S3, Google Drive, Dropbox). Run daily backups. Test restores quarterly.
Mistake 7: No Security Monitoring
Most hacked sites are infected for weeks or months before the owner notices. By then, the damage — blacklisting, SEO loss, customer exposure — is extensive.
Fix: Implement real-time malware scanning and file change monitoring. Automated alerts mean you know within minutes if something suspicious happens.
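To make the "file change monitoring" part of that fix concrete, here is an added example (not code from the original article or from any particular security plugin) of a minimal integrity monitor in Python. It records a SHA-256 baseline of every file under the site root, then on each later run reports files that were added, modified or deleted and refreshes the baseline. The site tree, file names and baseline path are all constructed inside the script for the demonstration; in real use you would point it at the actual WordPress root, keep the baseline file outside the web root, and run it from cron with the output sent to an alert channel.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in 64 KiB chunks so large uploads are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root, POSIX style) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Report files added, deleted or changed between two baselines."""
    common = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "deleted": sorted(old.keys() - new.keys()),
        "modified": sorted(p for p in common if old[p] != new[p]),
    }


def check_site(root: Path, baseline_path: Path) -> dict[str, list[str]]:
    """One monitoring run: diff the site against the stored baseline, then refresh it.

    The baseline file must live outside the web root (and ideally off the server),
    otherwise an attacker with write access can simply re-baseline their changes.
    """
    current = build_baseline(root)
    if baseline_path.exists():
        previous = json.loads(baseline_path.read_text())
    else:
        previous = current  # first run: nothing to compare against yet
    changes = compare(previous, current)
    baseline_path.write_text(json.dumps(current, indent=2, sort_keys=True))
    return changes


def demo() -> dict[str, list[str]]:
    """Build a constructed site tree, baseline it, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"                 # stands in for the WordPress root
        baseline = Path(tmp) / "baseline.json"    # kept outside the web root
        plugins = root / "wp-content" / "plugins"
        (plugins / "demo").mkdir(parents=True)
        (plugins / "old").mkdir()
        (root / "wp-config.php").write_text("<?php // constructed sample config\n")
        (plugins / "demo" / "demo.php").write_text("<?php // demo plugin v1\n")
        (plugins / "old" / "old.php").write_text("<?php // inactive plugin\n")

        first = check_site(root, baseline)  # establishes the baseline, reports nothing
        assert first == {"added": [], "deleted": [], "modified": []}

        # Simulate what a later scan might find: an edited plugin file, an
        # unexpected PHP file in uploads, and the inactive plugin removed (Mistake 5).
        (plugins / "demo" / "demo.php").write_text("<?php // demo plugin, edited\n")
        (root / "wp-content" / "uploads").mkdir()
        (root / "wp-content" / "uploads" / "unexpected.php").write_text("<?php\n")
        (plugins / "old" / "old.php").unlink()

        return check_site(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A run of `demo()` reports `wp-content/uploads/unexpected.php` as added, `wp-content/plugins/old/old.php` as deleted and `wp-content/plugins/demo/demo.php` as modified. Any PHP file appearing under `wp-content/uploads`, or a change to `wp-config.php` or a core file outside a deliberate update, is the kind of event the alert should fire on; expected changes (updates you applied yourself) are what the baseline refresh after each run absorbs.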
