We all make mistakes, but some people using WordPress make the same mistakes over and over again. These can lead to problems in security and slow the development process. Here I'll explain what the most common mistakes are and how to avoid them, so your WordPress sites are faster, better planned and more secure.
- Read all our web design articles here (opens in new tab)
01. Keeping 'admin' an administrator
This mistake has been made for years and continues to get made. By default WordPress creates the 'admin' username and assigns it to a administrator level. This is obviously predictable and one way of making it easier for a hacker to get into your site. If you combine this with creating a poor password you're asking to be hacked.
02. Using an administrator to post content
It's important to make sure you're disguising your WordPress installation as much as possible. Predictability is not your friend and posting content under an administrator account is predictable. Guessing your username isn't too hard if it's displayed on your post.
Instead reserve your administrator level account for backend work ONLY. Create a contributor account to use as your author. You can still write the content as an author just assign the post to the contributor before you post it live.
03. Keeping 'wp_' as the table prefix
Being unpredictable is the best way to avoid being hacked. Are you seeing a trend yet?
Since WordPress powers countless millions of sites it's common knowledge that tables by default start with 'wp_' which means if you don't change the table prefix, your Site Options table is 'wp_options'.
It's very easy to change your table prefix and can be done during installation either manually in the wp-config.php file or during auto installation in the form fields.
Choose something difficult and hard to guess, especially since you won't have to think about it again in the future.
04. Not replacing salts and keys
If you don't know about salts and keys, they are in the wp-config.php file and used to authenticate logged in users and their machines. In the past it was easy for a hacker to steal your logged in session cookies and pretend to be you. These passphrases make it nearly impossible for hackers to do this.
Think it might be hard to generate those salts? Well, you'd be right except WordPress has a web page that does it for you. Visit this link (opens in new tab) and copy everything into your wp-config.php file.
05. Not backing up
We've covered four mistakes that you can avoid in an effort to be more secure. But no system on earth is totally secure so there if the worst happens and you get hacked make sure you're ready. There are countless ways to restore. Bluehost now offers full restoration points on a daily, weekly and monthly basis. You can also use VaultPress which backs up everything from your content to your themes and more. VaultPress is not free but it's the absolute best solution out there. Here's another great free solution: BackWPup.
06. Too many categories, not enough tags
Site architecture, organisation and planning is so important. It affects everything from SEO to load times and visitor time on site. Whether you're a designer, developer or blogger you can take the time to evaluate your content and really think out your site organisation.
A common misconception is that you can only add categories to the main nav. This isn't true (go to Appearance>Menus>Screen options and turn on posts and tags). In content-heavy sites I'll use popular tags and even posts in the main nav. Try to limit categories and use tags to bring things together.
07. Forgetting the cache
If you aren't using caching or don't know what it is you're giving up precious seconds of load time, WordPress is a dynamic database driven CMS. Which means visitors to your site prompt the server to request info from your database, then it uses that content to populate your site creating HTML markup. Well caching allows you to save that finalised HTML markup and server that to visitors skipping the need to go to the database every time. This increases efficiency and decreases load time. There are two great free plugins used for caching which are W3 Total Cache and WP Super Cache. If you're looking for managed hosting and don't want to worry about all this WP Engine (opens in new tab) provides the best built in caching I've seen and makes your life extremely easy.
08. Ignoring WordPress updates
I get it, it's hard to remember to update all your sites to the newest version of WordPress. In a bit we are going to talk about managing multiple sites at a time. WordPress core developers and contributors work tirelessly to improve WordPress, its UI, efficiency and speed but when a bug or vulnerability is found it usually gets an update right away. Which means if you're WordPress version is behind it's probably vulnerable.
It's so easy to update WordPress with a single click so you shouldn't worry about the time it takes. I know a common myth is that WordPress will break when you update but it is so backwards compatible it's not even funny. It's very unlikely that your site will break on update but you should test to make sure if you're nervous.
Words: Jesse Friedman
Let me know your thoughts in the comments below or tweet me @professor. And don't forget to grab the Web Designer's Guide to WordPress, a book written, by me, specifically to help you build on your HTML and CSS skills to develop WordPress themes.