5 Common WordPress Security Mistakes

Howdy Friends! WordPress is the most popular CMS on the planet. That popularity comes with a downside — it’s also one of the most targeted platforms for hackers. Most successful attacks don’t exploit zero-day vulnerabilities. They exploit basic mistakes. Here are five of the most common ones.

1. Running Outdated WordPress Core, Themes, or Plugins

Outdated software is the number one attack vector for WordPress sites. When a vulnerability is discovered and patched, the details become public. Sites that haven’t updated are sitting ducks.

This applies to everything — not just WordPress core. Abandoned or rarely updated plugins are a particularly common entry point. If a plugin hasn’t been updated in over a year, treat it as a risk.

What to do: Keep WordPress core, themes, and plugins updated. Remove anything you’re not actively using.

2. Using Weak or Reused Passwords

“admin” is still one of the most common WordPress usernames. Paired with a weak password, it’s an open door. Credential stuffing attacks — where stolen username/password pairs are tested across multiple sites — are automated and constant.

What to do: Use a strong, unique password for every account. Enable two-factor authentication on your WordPress admin. Rename or delete the default “admin” user.

3. Leaving the Default Login URL Unchanged

WordPress installs at /wp-admin and /wp-login.php by default. Every bot on the internet knows this. Login pages get hammered with automated brute force attempts around the clock.

Changing the login URL won’t stop a determined attacker, but it eliminates a huge volume of low-effort automated attacks.

What to do: Use a plugin to change your login URL. Pair it with rate limiting or IP allowlisting if your situation allows.

4. Skipping SSL or Misconfiguring HTTPS

An unencrypted site sends login credentials and session cookies in plain text. On any shared or public network, that data can be intercepted. Google also flags non-HTTPS sites, which hurts trust and search rankings.

What to do: Run your site over HTTPS at all times. Make sure HTTP redirects to HTTPS and that mixed content warnings are resolved. SSL should be automatic — if your host doesn’t handle it, that’s a problem.

5. Not Having a Tested Backup

Backups aren’t a security measure until something goes wrong — then they’re everything. A compromised or corrupted site with no backup means starting from scratch. Worse, many site owners assume backups are running without ever verifying they can actually restore from them.

What to do: Automate your backups and store them offsite. Test a restore periodically. Know exactly how far back you can recover before an incident, not after.

How GR Host Helps

We address all five of these at the infrastructure level on every WordPress plan.

WordPress core is patched on a regular maintenance window. SSL is handled automatically by Caddy — no configuration needed on your end. Every node runs Fail2Ban and CrowdSec to block brute force attempts before they reach your login page. Automated backups run on every plan via Linode. And because each customer gets a dedicated VPS, a compromised site on someone else’s server is never your problem.

Good security isn’t one big thing. It’s a lot of small things done consistently. That’s exactly how we build it.

Have questions about how GR Host secures your WordPress site? Get in touch — we’re happy to walk you through it.

• 2026 11
• 2025 7
• 2024 6
• 2023 2