If there is one content management system (CMS) that’s credited for revolutionizing the modern web, it’s WordPress. Thanks to this revolutionary software, making any type of website is not difficult today. Its flexibility and ease of use make it so popular that WordPress powers as many as 62% of websites on the web, and companies of all sizes use it for various purposes. However, with popularity come a lot of risks too. WordPress is also a popular target for cybercriminals, and as many as 90% of hacked websites are based on it.

Does it mean that WordPress is insecure? Absolutely not. It’s the most secure CMS available today, if you avoid some common pitfalls that make it vulnerable to attacks. What are those pitfalls? Well, that’s exactly what we’re going to learn in this article. Let’s begin:

#1. Use Of Weak Passwords

The most common reason WordPress websites get hacked is weak passwords. For the sake of convenience, we often prefer a password that is easy to remember, but easy passwords are also easy to crack with a brute force attack.

So, it’s important that you use a strong password for your website, which is a combination of letters (in both upper as well as lowercase), numbers and symbols. WordPress also generates such strong passwords for you by itself, and you can use them without thinking much. 
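To see whether someone is already guessing passwords against your login page, the following added example (not part of the original article) counts failed login attempts per client IP in a web server access log. It assumes a combined-format log and that WordPress answers a failed POST to /wp-login.php with status 200 and a successful one with a 302 redirect; the log lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag client IPs with repeated failed WordPress logins.
# Assumption: combined-format access log; a failed POST to /wp-login.php
# returns 200, a successful login returns a 302 redirect.

# Constructed sample log (documentation IP ranges, not real traffic).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3980 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:05:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:05:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Usage: failed_login_ips THRESHOLD < access.log
# Prints "IP COUNT" for every IP with at least THRESHOLD failed logins.
failed_login_ips() {
    awk -v min="$1" '
        # $1 = client IP, $6 = "METHOD, $7 = path, $9 = status code
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }
    ' | sort
}

# Demo: one mistyped password is normal, four failures in a row is not.
echo "IPs with 3 or more failed logins:"
sample_log | failed_login_ips 3
```

An IP that shows up here is a candidate for rate limiting or blocking at the web server or firewall.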

#2. Username = Admin

The next major reason WordPress websites get hacked is the use of the default “Admin” username. That’s the username WordPress suggests for you when you set it up, and if you don’t change it, you increase the risk of your site being hacked.

Especially if an ‘admin’ username is combined with a weak password, your risk of being hacked is significantly higher than that of most other sites.

Therefore, you should use something else as your username instead of this ‘Admin’ thing. Also avoid using your name, because that makes another easy guess for people who know you. 

#3. Not Installing An SSL Certificate

If your website is loading over default HTTP protocol instead of the secure HTTPS, not only your website but your visitors are also at risk of being hacked. 

An SSL certificate encrypts the information before it’s transmitted, so no one can steal the data. Without it, information sent to a website over the HTTP protocol can be seen by anyone with the help of a data sniffing attack. For instance, if your site requires people to register, their usernames and passwords can be stolen by hackers while they’re in transit between their computer and your server.

The way to prevent that from happening is by installing an SSL certificate on your web server, which makes your website load over secure HTTPS protocol. 

Security experts recommend the Comodo SSL Certificate, which offers the best encryption of your customer information and prevents any security breach or leakage. Comodo SSL certificates are used by most of the Fortune 1000 companies. Over 750K businesses also use Comodo SSL worldwide.

If you are searching for a cost-effective SSL certificate, then get a Comodo Essential SSL certificate from CHEAPSSLSHOP for your site now if you don’t already have one!

#4. Not Protecting WP Admin Directory

Not protecting the WP-Admin directory on your web server is another common reason why WordPress websites get hacked. Since this directory stores all important files related to the administration of our WordPress installation, it’s one of the most targeted areas for anyone looking to attack a WordPress website. 

You should protect it with a password, thus adding an extra layer of security. 

#5. Use Of Insecure FTP Protocol

FTP refers to the File Transfer Protocol. This protocol is used to upload our files to a web server, and therefore it’s another route through which cybercriminals try to attack our WordPress-based sites. The reasoning behind it is the same as that of HTTP – when you upload files using default FTP protocol, the FTP username and password of your account are transferred in an insecure manner. 

The files you transfer are also transferred without proper security safeguards – anyone who can steal your data packets can see them. If you want to protect your server from an attack through this route, you should always use SFTP. This protocol is basically the HTTPS equivalent of FTP because it encrypts everything before it’s transferred. 

#6. Incorrect File Permissions

Every web server uses some rules to determine which files are accessible to which users, and a misconfiguration in those rules can seriously undermine the security of your WordPress site. As a rule of thumb, all your WordPress folders should have 755 as their permission while files should have 644. Here’s how you can check your file permissions and fix them easily:

  1. Connect to your site through an FTP client
  2. Go to wp-content folder of your WordPress installation
  3. Right-click on “uploads” folder
  4. Select File permissions
  5. Check the numeric value column. If it’s not 744 or 755 already, then set it to 755.
  6. Check the checkbox of “Recurse into subdirectories” and radio button of “Apply to directories only” and save it. 

With that, you’ve fixed your directory permissions. The next step is to fix the file permissions, and given below are the steps to do that:

  1. Follow steps #1 to #4 given above
  2. In the numeric value column, change the value to 644
  3. Check the “Recurse into subdirectories” checkbox and radio button of “Apply to files only”
  4. Save. 
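If you have shell (SSH) access to the server, the same two passes can be done with `find` and `chmod`. This is an added example, not part of the original article; the function names are illustrative, and the demo runs on a constructed temporary tree standing in for wp-content/uploads.

```shell
#!/bin/sh
# Added example: audit and repair permissions under a WordPress directory.
# Targets follow the steps above: directories 755, files 644.

# Print an `ls -ld` line for every directory that is not 755
# and every regular file that is not 644.
audit_perms() {
    find "$1" -type d ! -perm 755 -exec ls -ld {} +
    find "$1" -type f ! -perm 644 -exec ls -ld {} +
}

# Number of entries that deviate from the target modes.
count_bad() {
    {
        find "$1" -type d ! -perm 755 -print
        find "$1" -type f ! -perm 644 -print
    } | wc -l
}

# Apply the target modes. Directories use `\;` so chmod runs as each
# directory is visited, before find reads its contents.
fix_perms() {
    find "$1" -type d ! -perm 755 -exec chmod 755 {} \;
    find "$1" -type f ! -perm 644 -exec chmod 644 {} +
}

# Demo on a constructed tree (stand-in for wp-content/uploads).
demo=$(mktemp -d)
mkdir -p "$demo/uploads/2024"
echo 'sample' > "$demo/uploads/2024/photo.jpg"
chmod 755 "$demo" "$demo/uploads"
chmod 777 "$demo/uploads/2024"            # world-writable directory
chmod 666 "$demo/uploads/2024/photo.jpg"  # world-writable file

echo "Before: $(count_bad "$demo") entries off target"
audit_perms "$demo"
fix_perms "$demo"
echo "After:  $(count_bad "$demo") entries off target"
rm -rf "$demo"
```

Run `audit_perms` first and review its output before calling `fix_perms`, since some hosts deliberately use different modes for specific files.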

#7. Not Updating WordPress On Time

Keeping your WordPress installation up to date is also essential for security. The developers of WordPress release regular updates to fix various security loopholes depending on the new vulnerabilities that are discovered. 

So, if there is any update available for WordPress, install it as soon as possible. The same applies to your themes and plugins as well – update them whenever a new update is available for them.


These 7 steps can go a long way to protect your WordPress website. Implement them today, and you’ll be much less likely to face an incident of your site being hacked. 

If you know any other steps that can improve WordPress security significantly, share them in the comments. 

And share this article with your friends so they can also secure their WordPress sites from cyber threats.