doing_it_wrong – 8 common WordPress mistakes

Since its initial release in 2003, WordPress has become the most popular CMS – powering an estimated 30% of all websites online.

This massive achievement has a lot to do with its flexibility, ease of use and amazing community of contributors.

But with such possibilities also come mistakes.

In this article I will discuss common WordPress mistakes and how to prevent them.

1. Installing too many plugins

Thanks to the popularity of WordPress and the massive community there are more than 50,000 plugins available for free to customise your website.

The temptation may be to install a plugin for every function or issue – but this approach comes with problems.

Often people will say that having too many plugins will slow down your website. This isn’t necessarily true – because each plugin could be a single line of code or a mammoth bigger than WordPress itself.

But the plugins introduce complexity.

Before installing a plugin, consider:

  1. whether the functionality can be achieved easily without it
  2. whether the plugin introduces too many other unnecessary features – this typically means bloat
  3. whether it would be easier or more reliable to use your own custom code.

2. Editing theme code

I’ve never seen a plugin that is perfect as soon as it’s installed.

Many plugins let you customise colours, fonts and add widgets – but often there’s the need to add your own HTML or CSS.

If you edit the theme’s code you may get the desired result – but either you never update the theme again (BAD IDEA!!) or you lose your changes when you update.

Instead you should be creating a child theme for theme customisations. This way you can clearly see what customisations have been applied and update the main “parent” theme.
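As an added example (not code from the original article), this is the functions.php a child theme would use to load the parent theme’s stylesheet before its own, so the child’s rules win without touching the parent’s files. It assumes a hypothetical parent theme whose directory is named twentynineteen; the child theme’s own style.css must carry a `Template: twentynineteen` line in its header so WordPress knows which parent to load.

```php
<?php
/**
 * functions.php of a hypothetical child theme (parent: "twentynineteen").
 *
 * All customisations live in the child theme; the parent theme is never
 * edited, so it can be updated safely without losing these changes.
 */

// Enqueue the parent stylesheet first, then the child's style.css, so the
// child's CSS overrides the parent's. Theme versions are used for cache busting.
function example_child_enqueue_styles() {
    $parent_handle = 'parent-style';
    $parent_theme  = wp_get_theme( get_template() ); // parent theme object
    $child_theme   = wp_get_theme();                 // active (child) theme object

    wp_enqueue_style(
        $parent_handle,
        get_template_directory_uri() . '/style.css',   // parent theme directory
        array(),
        $parent_theme->get( 'Version' )
    );

    wp_enqueue_style(
        'child-style',
        get_stylesheet_directory_uri() . '/style.css', // child theme directory
        array( $parent_handle ),                       // load after the parent
        $child_theme->get( 'Version' )
    );
}
add_action( 'wp_enqueue_scripts', 'example_child_enqueue_styles' );

// Example customisation: add your own HTML through a filter rather than by
// editing a parent template file. Output is escaped before it reaches the page.
function example_child_excerpt_more( $more ) {
    return ' &hellip; <a class="read-more" href="'
        . esc_url( get_permalink() ) . '">Read more</a>';
}
add_filter( 'excerpt_more', 'example_child_excerpt_more' );
```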

3. Not backing up

Backups are something you never want to use but you always want to have.

Backups are important – particularly before installing a new plugin or update – but also as regular weekly backups.

Don’t trust your host’s backups. I recommend using a plugin like UpdraftPlus and backing up to an external location such as Google Drive.

4. Not updating PHP version

WordPress uses the PHP server-side scripting language.

PHP has seen some massive updates over the years – with version 7.0 and above introducing significant performance gains.

But surprisingly the majority of WordPress sites are using version 5.6 (as of December 2018).

You can (temporarily) use the Display PHP Version plugin to check which version of PHP you currently have. If it’s less than 7.0 you should check with your website host for how to update.

5. Using a cheap host

The cheap hosting offer is almost always too good to be true.

Cheap hosting tends to lack important features, have poor support and, more importantly, be slow – which is critical for the user experience.

The longer a page takes to load the more likely the user will give up and go elsewhere. A two second load time is a good goal – but less is definitely better.

There are many hosting options – research is important and steer away from the cheapest. The typical good entry level host will offer cPanel management and phone support.

6. Unnecessary plugins and themes

Each plugin or theme adds complexity to your website, takes up space and is a potential security hole.

If you don’t use it any more – uninstall it. Don’t just deactivate it – even if a plugin or theme is not active it may still be a security hole.

There is one exception – make sure you have a second theme installed – because if your main theme fails WordPress will roll back to the second.

7. Weak passwords

Unless you’ve implemented additional security to protect your WordPress login page (and API endpoints) – there will be hackers and bots attempting to guess your passwords.

I highly suggest using randomly generated passwords of 16 or more characters and a password manager such as LastPass.

8. Giving administrator access to all

If you have multiple people contributing to your website – consider giving them the least amount of access to do their job.

Not all users will need administrator access – but if they do have administrator access, they (or anyone that knows their password) can completely turn your website upside down.

Editor level access is suitable for most authors.

Other access levels include:

  • Administrator – somebody who has access to all the administration features within a single site.
  • Editor – somebody who can publish and manage posts including the posts of other users.
  • Author – somebody who can publish and manage their own posts.
  • Contributor – somebody who can write and manage their own posts but cannot publish them.
  • Subscriber – somebody who can only manage their profile.