The enormous popularity of WordPress gives attackers an incentive to go after it: once they find a way in, they can replicate the attack across thousands or even millions of sites. One of the most prominent recent examples is a content-injection vulnerability in the REST API that was identified early this year and fixed in WordPress 4.7.2 (4.7.0 and 4.7.1 were affected). Despite the patch, 1.5 million sites had been defaced by February 10, according to Threatpost, and security plugin maker Wordfence described it as one of the worst WordPress vulnerabilities ever to emerge.

The flaw (an issue with a REST API endpoint that allowed unauthenticated privilege escalation, so that anyone could modify the content of existing posts and pages) was fixed in WordPress 4.7.2 on January 26, although news of the fix did not emerge right away. One of the core developers explained that the project deliberately held back details of the vulnerability until sites had had time to apply the update, so that exploitation attempts would land on installations that were already patched.
Since a compromise can be devastating to a business (one widely cited report indicates that 3 in 5 hacked small businesses go out of business within six months), security deserves particular attention. But we will not neglect the other ways that companies can, well, screw up with WordPress when they are getting started. Let's look at some of the most frequently occurring mistakes so that you can avoid them.
10 WordPress mistakes that you can avoid
How can you get the most out of WordPress? One of the easiest methods is a process of elimination: know the common mistakes and avoid them. Here are 10 of them:
#1 – Forgetting to update WordPress
Returning to the story above, the takeaway is simple: stay updated. Since WordPress 3.7, minor releases (which is where security fixes such as 4.7.2 ship) install automatically by default, so make sure that behaviour has not been switched off on your site, and consider opting in to automatic updates for major releases, plugins, and themes as well. One way or another, keep the site on the latest version. As Sue Anne Dunlevie of Successful Blogging notes, attackers run scanners that sweep the Internet looking for installations that have not been updated; don't let yours be one of them.
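As an added example (not code from the article or from any of the sources it cites), here is how to opt in to WordPress's built-in automatic updater. The constants go in wp-config.php; the filters go in a must-use plugin so they cannot be deactivated from the dashboard. The file name auto-updates.php and the plugin path example-plugin/example-plugin.php are placeholders.

```php
<?php
/*
 * Added example: turn on WordPress automatic updates.
 *
 * Part 1 belongs in wp-config.php. Part 2 belongs in a must-use plugin,
 * e.g. wp-content/mu-plugins/auto-updates.php (file name is a suggestion).
 */

/* ---- Part 1: wp-config.php ------------------------------------------ */

// Core updates:
//   true    install major and minor releases automatically
//   'minor' install security/maintenance releases only (the default since 3.7)
//   false   never update core automatically (only sensible if you patch by hand, fast)
define( 'WP_AUTO_UPDATE_CORE', true );

// The updater as a whole must not be switched off; if this constant is true
// anywhere, none of the settings below has any effect.
define( 'AUTOMATIC_UPDATER_DISABLED', false );

/* ---- Part 2: wp-content/mu-plugins/auto-updates.php ----------------- */

// Plugins and themes are NOT updated automatically by default.
// These filters opt every installed plugin and theme in.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme',  '__return_true' );

// If one plugin is known to break on update, exclude it by its plugin file
// path rather than turning the whole mechanism off. The path below is a
// placeholder. Priority 20 runs after the blanket __return_true above.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->plugin ) && 'example-plugin/example-plugin.php' === $item->plugin ) {
        return false;
    }
    return $update;
}, 20, 2 );
```

Automatic updates run from WP-Cron, which only fires when the site receives traffic, so a low-traffic site can lag behind; check Dashboard > Updates occasionally rather than assuming it happened.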
#2 – Failing to make a backup
You need to be certain that your WordPress site is backed up regularly. Skipping backups may seem like a rookie mistake to anyone who does them as a matter of routine, but it is an easy thing not to prioritize. WPBeginner recommends plugins such as BackWPup, VaultPress, and BackupBuddy. You can also use a managed WordPress hosting plan that includes backups (and using both gives you an additional layer of protection). Two caveats: a backup that lives only on the same server as the site disappears along with it, so keep copies elsewhere; and a backup you have never restored is untested, so practise a restore before you need one.
#3 – Retaining the default admin username
The username admin has historically been created by default when you install WordPress, and that account has full administrative privileges. Attackers know this. Knowing the username means a brute-force attack only has to guess the password, so scripted login attempts against admin are routine. Because this account's privileges are so substantial, it is especially important that it not keep the generic name that comes out of the box.
Internet marketing thought leader Jeff Bullas notes that since it is so easy to pick a different username while installing, there is no good reason not to do it right then. Bullas adds that both the username and the password should be complex, with letters, numbers, and special characters. It is time to retire password123.
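If the site is already live with an admin account, WordPress will not let you rename it from the dashboard. As an added example (not code from the article or from Bullas), the following one-off script renames the account in place; run it once with WP-CLI as wp eval-file rename-admin.php. The file name, the new login site-owner-7f3a, and the display name Site Owner are placeholders. The alternative of creating a fresh administrator and deleting admin with its posts reassigned works just as well.

```php
<?php
/*
 * Added example: rename the default "admin" account in place.
 * Usage: wp eval-file rename-admin.php
 *
 * user_login cannot be changed through wp_update_user(), so this writes the
 * users table directly through $wpdb. Values below are placeholders.
 */

$old_login    = 'admin';
$new_login    = 'site-owner-7f3a';   // placeholder: pick your own, not a dictionary word
$display_name = 'Site Owner';        // what readers see; never the login name

global $wpdb;

$user = get_user_by( 'login', $old_login );
if ( ! $user ) {
    WP_CLI::log( "No user named '{$old_login}' exists; nothing to do." );
    return;
}
if ( username_exists( $new_login ) ) {
    WP_CLI::error( "'{$new_login}' is already taken." );
}
if ( sanitize_user( $new_login, true ) !== $new_login ) {
    WP_CLI::error( "'{$new_login}' contains characters WordPress does not allow in a login." );
}

// Change the login, the URL slug and the display name together. Leaving
// user_nicename as "admin" would keep /author/admin/ working and hand the
// old username straight back to anyone enumerating authors.
$updated = $wpdb->update(
    $wpdb->users,
    array(
        'user_login'    => $new_login,
        'user_nicename' => sanitize_title( $new_login ),
        'display_name'  => $display_name,
    ),
    array( 'ID' => $user->ID ),
    array( '%s', '%s', '%s' ),
    array( '%d' )
);

if ( false === $updated ) {
    WP_CLI::error( 'Database update failed: ' . $wpdb->last_error );
}

// The nickname meta defaults to the login name and can surface in themes.
update_user_meta( $user->ID, 'nickname', $display_name );
clean_user_cache( $user->ID );

WP_CLI::success( "Renamed '{$old_login}' to '{$new_login}'. Log in with the new name and set a new, long password." );
```

Take a database backup before running it, and afterwards confirm that /author/admin/ on the site returns a 404 rather than the renamed account's archive.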
#4 – Going nuts with plugin overload
Do you get a new phone and immediately install 200 apps on it? That should not be your same process with WordPress.
You want to have as few plugins as possible on your site, advises developer Nathan Ello. “If you can run your entire WordPress website with zero plugins,” he says, “then congratulations, you’re officially a wizard.”
The core of Ello's argument is that plugins are not always fully compatible with one another, so beware of plugin conflicts.
The risk is not only conflict between plugins, of course. Every plugin is third-party code that runs with the full privileges of your site, and plugin vulnerabilities are common, so vet each one carefully (who maintains it, when it was last updated, whether it is tested with the latest WordPress release). Delete plugins you no longer use rather than merely deactivating them: a deactivated plugin's files stay on disk and, if they are vulnerable, may still be reachable directly by URL.
#5 – Publishing without enough forethought
Given how obsessive the digital world has become about a constant stream of blog posts and social media updates, it is interesting to see Dunlevie suggest slowing down. She notes that Google's updates have increasingly prioritized how useful and user-friendly your content is, judged at a broader semantic level rather than by keywords alone.
Specifically, Dunlevie says that every post should be carefully revised and edited before it is published. Beyond search rankings, this also improves the experience for your readers.
She suggests working with an editor, whether to improve pieces already on your site or as part of the process of refining new ones as they are created.
#6 – Skipping favicon customization
Ever look at a browser tab, see the tiny icon next to the page title, and wonder how to get your own? That icon is the favicon, and it is easy to overlook. If you never set one, the browser shows whatever icon your theme happens to ship with, so your site may end up advertising your theme vendor instead of you.
Your favicon should be thought of as part of your identity, says WPBeginner. In current WordPress versions you can upload one as the Site Icon under Appearance > Customize > Site Identity; the WordPress Codex page on Creating a Favicon covers the older manual approach if you need it.
#7 – Poor (faulty or off-point) choice of theme
WordPress standardizes much of how a site is built, so make the most of the elements you control most directly, such as your theme. The structure of your design has a major impact on how well you do in search. Think usability, affordability, and credibility when selecting a theme, says Bullas, who suggests going straight to the WordPress Themes Directory to find one. A theme is code that runs on your server just as a plugin does, and themes listed in the directory have been through a review process, which is one more reason to prefer that source over a random download.
#8 – Lack of a staging environment
Staging is a basic concept in software development. Your production environment is your live site, the version the public sees; you could even say it "is" your site. There should be another copy of the site, though, so that you are not experimenting on the live one every time you make a change.
Small changes? Sure: it makes sense to correct typos and make other minor adjustments directly on the live site. Anything more substantial should not go to production without first being sent through staging for boot camp.
Ello mentions examples of three typical WP changes you would want to introduce first in staging:
- Upgrading to a new release
- Installing and trying out a new plugin
- Changing or updating your theme
#9 – Keeping the default permalink
A permalink is the permanent URL of one of your posts or pages. The default structure is www.thisisyoursite.com/?p=123, which tells neither readers nor Google anything about the content, so you want to change it.
Making your permalinks friendlier to users and to search engines gives you better visibility. It also signals to your audience that your site is professionally and logically organized.
You can change the permalink structure under Settings > Permalinks; a structure that includes the post name is the usual choice. For each post, a slug built from the key terms of the piece helps its search performance. Do this before launch if you can: changing the structure of an established site breaks every existing inbound link unless you add redirects from the old URLs.
#10 – Disregarding the machinery
Let's get back to staging, which points to the importance of preparation before launching any significant change. "Staging" sounds like something that happens on stage, but it is really about what goes on backstage. Staging is about preparing changes; you also need to think about the behind-the-scenes infrastructure the site runs on. A highly reliable site on enterprise-grade hardware matters on several levels: it delivers pages faster to users (and to you), and site speed also feeds into SEO.
Want to avoid mistakes and accelerate your server for CMS peace of mind and success? Choose WordPress hosting with isolated resources, 99.996% proven uptime, and fully managed 24/7/365 support. Get started.