Performing a security audit on your website can have great advantages.
It helps you keep an eye on what’s happening on your site.
It prepares you for common and minor issues that might suddenly show up.
In this tutorial, we’ll show you how to perform a security audit in WordPress in a step-by-step manner.
Performing a Security Audit in WordPress
The best thing about WordPress is that it makes everything super simple with its massive list of plugins. With these plugins, you can find a solution to almost every problem.
Running a security audit too isn’t tough if you know which security plugin to use for the best results. Generally, there are several options available for you to choose from. But we would love to recommend the WP Security Audit Log plugin.
WP Security Audit Log – An Overview
WP Security Audit Log is a powerful plugin that helps you identify any kind of suspicious behavior on your website. With this plugin, you can easily protect your site from any kind of malicious hacks by monitoring WordPress logs.
With WP Security Audit Log, you get to know what each logged-in user is doing, so you can spot malicious behavior before it becomes a threat.
With a 4.8-star rating and more than 1 million downloads, this plugin is one of the best options to perform a security audit on your WordPress site. This plugin is compatible with the latest versions of WordPress and works smoothly alongside any other plugin on your site.
Let’s now move on to see how to use this plugin in a step-by-step manner.
Step 1: Installing and Configuring WP Security Audit Log
The first step is to download and install WP Security Audit Log on your WordPress site. Here’s how to install a WordPress plugin.
Once the plugin is activated, the plugin will display a message on your screen asking if you want to run the wizard for the basic plugin settings. Click on the Yes option.
This will prepare your plugin for the configuration process. It will then ask you a few questions. Go through them carefully and answer each one by marking yes or no right below the question. Here, you also get to choose how long you want to keep the data in your log. You can opt for the last 6 months, 12 months, etc.
You can stop tracking the logs of any certain user if you want to.
In the final step, it will display a message to confirm the completion of the setup process. Just hit the Finish button and you’re ready to get started.
Step 2: Monitoring Events with WP Security Audit Log
Once your plugin is set up, you can start monitoring the events on your WordPress site. For that, go to your dashboard and you’ll see the Audit Log option on the left-hand side of your screen.
Click on the Audit Log viewer option. This will display the activity that the plugin just performed on your site.
You will get important details like the date of the event, the user involved, the IP address of the user, and the event message. So if a user logged into your website, you can find out exactly who that was and can see the user’s activity on the site. You also get to know their IP address.
Step 3: Controlling Events With WP Security Audit Log
The plugin also lets you control the events you want to add to your website. You can do that by going to Audit Log » Enable/Disable Events.
Under the Log Level option, you can select from 3 different choices.
Just click on the dropdown arrow and select your best choice. Based on this option, you’ll see the events and descriptions on this page. Here you can enable or disable individual events by checking/unchecking the boxes next to them.
Step 4: Terminating Logged In User Session
With Audit Log, besides monitoring the activity on your website, you can also terminate a user session with a click of the mouse. For that, go to your dashboard and select Audit Log » Logged in Users.
Here you can either terminate all sessions together or do it individually for your users. If you want to terminate all of them together, use the option on the top. If you want to terminate a single user session, then hit the Terminate button next to the specific user and your work is done.
Step 5: Downloading the Log Reports
The next step is to download the reports created by the plugin. But before downloading them, you can manage and control the type of report you want to download.
You can do it by going to Audit Logs » Reports. Here you’ll have two different tabs.
Under the first one, Generate & Configure Periodic Reports, you can select the type of report and the date range. It also lets you select the format of your report and configure your settings for downloading periodic reports.
In the second tab, Statistics Reports, you can choose the date range, criteria and the format of your report. Once done, just hit the Generate Report button to download your report.
By downloading these reports from time to time, you can rest assured that you have all your data backed up in case of any unfortunate events.
So that’s it. We hope this article helped you learn how to perform a security audit in WordPress. If you haven’t performed an audit yet, go do it now. Meanwhile, you might also be interested in reading our complete WordPress security guide.
Do you want to monitor user activity on your WordPress site?
Running a multi-author blog or membership site comes with its own unique challenges such as stopping spam registrations and managing editorial workflow.
One solution that owners and admins of multi-user WordPress sites seek out is the ability to easily monitor user activity on their website.
This allows them to put a check and balance system in place. If things go out of control, then they can easily figure out what went wrong, who did it, and how to fix it.
In this article, we will show you how to monitor user activity and keep a security audit log in WordPress.
Why You Should Enable WordPress Activity Monitor and Logs?
A common objection that often comes up is you shouldn’t give WordPress login access to anyone that you don’t trust. If you do that, then you won’t need an activity tracking solution.
That’s a bit extreme because there are several very valid use-cases of activity logs.
Sometimes users can accidentally make an error or mistake that may break your WordPress website. Having an activity tracking log helps you identify and fix those issues faster.
Since the audit logs will show you which user made the mistake, you can also educate them on best practices to prevent the same mistake in the future.
A good example is if a moderator approved a comment that doesn’t fit your comment guidelines, then you can quickly correct their mistake and also notify them about it.
Another very good use-case for security audit logs is when you hire a WordPress developer from third-party contract websites like Codeable, Upwork, etc.
While most developers are trustworthy, sometimes you will run into a dishonest developer who can cause your business to lose a significant amount of money.
Recently one of our Facebook group members reported that a developer she hired from Upwork changed the PayPal address in her WooCommerce store.
These kinds of subtle changes are extremely hard to detect unless you have a WordPress user audit log that keeps track of all activity.
Several years ago this issue happened to WPBeginner founder, Syed Balkhi, where a freelance developer quietly changed several of his affiliate links. Syed caught and fixed the issue thanks to a security audit log plugin.
With the above benefits in mind, let’s take a look at how to set up and monitor user activities on your WordPress website.
We will share two WordPress audit log plugins.
Simple History (free plugin, but not as robust)
WP Security Audit Log (best-in-class for what it does)
Monitoring User Activity with Simple History
Simple History is a free user activity monitoring plugin for WordPress, but it is not as feature rich. If you run a small website or WordPress blog, then this plugin will work for you.
The first thing you need to do is install and activate the Simple History plugin. You may follow our beginner’s guide on how to install a WordPress plugin for detailed instructions.
Upon activation, head over to Settings » Simple History from the left sidebar of your WordPress admin panel.
On the settings page, you can choose whether you want the activity log to appear on the dashboard, on a separate page, or both.
You can also decide the number of items that will appear on the Dashboard and the log page.
By default, the Simple History plugin cleans the activity log history that is older than 60 days. You can also delete the history manually by clicking on the Clear log now button on the settings page.
This plugin allows you to monitor the history with the help of a secret RSS feed. However, you need to check the “Enable RSS feed” option to use it.
Viewing User Activities with Simple History
To check the user activity log, you need to visit the Dashboard » Simple History page. You can also view them on the Dashboard, but this will depend on how you have configured the settings of this plugin.
This plugin displays the events of the last 30 days by default. You can change it to a fixed range (up to 60 days) or to a custom range by clicking on the Dates dropdown menu.
To search for specific events on your site, you need to click on the “Show search options” link. This will open up a number of fields. You can either use a single field or a combination of them to find the desired data.
For example, you can use the Users field to find someone and then, click on the Search events button to see the activities of that person in the last 30 days.
By default, the Simple History plugin allows you to monitor login, logout, wrong password, post/page editing, media upload, plugin install/update, user profile changes, and more.
It also has support for bbPress forums which lets you see the forum and topic activities on your website.
Simple History allows you to add your own custom events as well. If you have development experience and want to add a custom event, then you can check out the details on this page.
Monitor User Activity using the WP Security Audit Log
Although Simple History does a good job of tracking user activities on your website, it is limited in functionality.
If you are looking for a plugin that provides detailed and real-time user activity reports, then you should use the WP Security Audit Log plugin.
It is a feature-rich plugin that allows you to keep track of every change that happens on your website. You can also get email and SMS notifications for important site events.
To get started, you need to install and activate the WP Security Audit Log plugin on your WordPress site.
Upon activation, you will see a new menu item Audit Log in the left sidebar of your admin panel. You need to click on it to configure this plugin.
On the settings page, you will have to enter the license key of this plugin, and then you need to click on the “Agree & Activate License” button to start using this plugin.
Note: To get the license key, you can check the welcome email that you have received after purchasing the plugin.
Once activated, you will see new options under the Audit Log menu in the left sidebar.
To monitor the events on your website, you need to head over to the Audit Log » Audit Log Viewer page.
This plugin displays the latest events at the top bar of your screen. You can also click on those notifications to go to the Audit Log Viewer page.
The log page will allow you to see all events on your website. You will get important details like the date of the event, the user involved, IP address of the user, and the event message.
For example, if someone logged into your site, then you will be able to find out who that user was, when that person logged in, and the IP address of the user.
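As an added example (not code from WP Security Audit Log or Simple History, and not their real export format), the following Python script triages a constructed log carrying the four fields just described. It flags setting changes made by users outside a trusted list, the PayPal-address and affiliate-link cases from earlier in this article, and logins from an IP address the user has not used before. The tab-separated layout, the trusted-user list and the sample records are assumptions.

```python
"""Audit-log triage over the four fields the article names (date, user, IP,
message).  Added example: not code from WP Security Audit Log or Simple
History, and it does not assume either plugin's real export format; the
tab-separated layout below is a constructed stand-in."""
from collections import defaultdict
from dataclasses import dataclass
import re

# Constructed sample export (RFC 5737 documentation addresses; not real data).
SAMPLE_LOG = """\
2024-03-01 09:00:12\towner\t203.0.113.5\tUser logged in
2024-03-01 09:05:40\tdev_contractor\t198.51.100.7\tUser logged in
2024-03-01 09:07:02\tdev_contractor\t198.51.100.7\tChanged the WooCommerce PayPal email option
2024-03-01 10:15:00\tdev_contractor\t198.51.100.7\tPublished the post "Spring update"
2024-03-02 21:44:19\towner\t192.0.2.88\tUser logged in
2024-03-02 21:45:01\towner\t192.0.2.88\tChanged the site admin email
"""

# Hypothetical: accounts whose setting changes are expected (the site owner).
TRUSTED_USERS = {"owner"}

# Settings a hired contractor has no business changing quietly; the PayPal
# address and affiliate links from the article are the motivating cases.
SENSITIVE = re.compile(r"paypal|payment|affiliate|admin email|site ?url|user role", re.I)


@dataclass(frozen=True)
class Event:
    date: str
    user: str
    ip: str
    message: str


def parse_line(line: str) -> Event:
    """One record per line: <date>TAB<user>TAB<ip>TAB<message>."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        raise ValueError(f"malformed audit record: {line!r}")
    return Event(*parts)


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def sensitive_changes(events, trusted=TRUSTED_USERS) -> list:
    """Events where a non-trusted user changed a sensitive setting."""
    return [e for e in events
            if e.user not in trusted
            and "changed" in e.message.lower()
            and SENSITIVE.search(e.message)]


def new_ip_logins(events) -> list:
    """Logins from an address the user has not logged in from earlier in the log.
    The first login seen for each user seeds the baseline and is not flagged."""
    seen = defaultdict(set)
    flagged = []
    for e in events:
        if not e.message.lower().startswith("user logged in"):
            continue
        if seen[e.user] and e.ip not in seen[e.user]:
            flagged.append(e)
        seen[e.user].add(e.ip)
    return flagged


def triage(text: str, trusted=TRUSTED_USERS) -> dict:
    """Run both checks over an exported log and return the hits by category."""
    events = parse_log(text)
    return {"sensitive_changes": sensitive_changes(events, trusted),
            "new_ip_logins": new_ip_logins(events)}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(f"== {kind} ==")
        for e in hits:
            print(f"{e.date}  {e.user:<15} {e.ip:<14} {e.message}")
```

Point `triage` at a real export once you know its column layout; the checks only depend on the four fields being present.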
You can also control the events that you want to track by going to the Audit Log » Enable/Disable Events page.
Here you can select Basic, Geek, or Custom from the Log Level dropdown menu. Based on your selection, you will see different event names and their description on that page.
You can now enable or disable individual events by checking/unchecking the boxes. You can do the same by going to different tabs like Content & Comments, WordPress Install, Visitor Events, etc.
To track the logged in users on your site, you need to go to the Audit Log » Logged In Users page.
From here you will see all the users who are logged into your site. You can also force someone to log out by clicking on the Terminate Session button.
If you want to download the activity log of your site, then simply go to the Audit Log » Reports page to generate a report based on the criteria that you may have.
That’s all! We hope this article helped you to understand how to monitor user activity in WordPress with the help of Simple History or WP Security Audit Log plugin.
You may also want to check out our ultimate WordPress security guide and our list of the best WordPress firewall plugins.
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
Is your website secure enough? Thousands of blogs and websites are being hacked every day.
You’ll need to make sure your site is protected against these threats by requiring security authentication when users log in to your site.
In this article, we’ll show you some of the best WordPress security authentication plugins.
Why Use a WordPress Security Authentication Plugin?
There are tons of amazing WordPress security plugins that can protect your website and inform you about any suspicious activities when detected.
It’s also important for you to enable security authentication, so you can rest assured that only authorized users are logging into your site. A security authentication plugin can authorize users automatically or let them go through two-factor authentication.
1. iThemes Security
iThemes Security is an excellent WordPress security authentication plugin that helps you keep your website safe and secure with its two-factor authentication feature. When it’s enabled, a user will not be able to log into your website unless they first provide the password and then the secondary code sent to their authentication app.
It also checks for multiple login attempts and limits the number of attempts per user with WordPress brute force protection. The plugin watches out for users who try altering any file on the site. If any such action is detected, the plugin will immediately send you a notification so that you can take appropriate action. If you suspect a vulnerability, you can even lock out user access to the site during a specified time.
2. WP Login Plus
WP Login Plus is a robust plugin that offers amazing protection to your website with its user ID authentication process. It lets you customize the login page as well. With this plugin, you can even add login animations to your website. If you think you don’t want it anymore, just disable it and you’re done.
It also lets you add an auto-complete option, so that users can skip entering every little detail for registering or logging in to the site. The details will be automatically filled out based on the data from the computer memory.
3. WorldPay XML Direct
WorldPay XML Direct is a fantastic WordPress authentication plugin for WooCommerce sites. It’s best suited for you if you accept online payments or donations. With this plugin, you can first securely capture all payment details on your server and then send the captured data to WorldPay. It will then be processed using WorldPay’s hosted payment pages.
You can also have full control over the way your customers see the payment pages. It supports cardholder authentication and makes sure that all your payments are processed with MasterCard’s SecureCode security protocol. You can use this plugin to accept your payments in multiple currencies as well.
4. WP Magic Link Login
With the WP Magic Link Login plugin, you can empower your users to log in to your website without a password. All they need to do is submit their email addresses. The plugin will then automatically send a link to the given email address. This link expires after a specified time.
To enhance security, you can enable an option that accepts users from the same IP address only.
5. Wordfence Security
Wordfence Security is a free security plugin that identifies and blocks malicious traffic in order to ensure your website is totally safe. The plugin comes with a real-time IP blocker that actively works to block all requests from any suspicious IP addresses.
It also has a malware scanner that will block all requests that come with dangerous code. The two-factor authentication form that comes with the plugin proactively protects your site from spammers.
If you have multiple admins, it can also block any of them who are using a known compromised password. You can use the plugin on an unlimited number of websites and it will notify you of any breached password attacks, administrator logins, suspicious actions on the site, etc.
6. Rublon Two-Factor Authentication
Rublon is yet another WordPress security authentication plugin that lets you maintain foolproof security for your website. By using this plugin, you can secure your website from botnets that have a reputation for attacking thousands of websites every day.
All you have to do is install and activate this plugin on your WordPress website. This will instantly protect your administration account with email-based two-factor authentication. If you want to protect more than one account, you will have to switch to a paid version of the plugin. You can get it by signing up on their official website and then selecting a preferred plan.
7. Duo Two Factor Authentication
Duo Two Factor Authentication is an amazing WordPress security authentication plugin that protects your website data from being robbed by any mischievous element. With this plugin, you can quickly add a two-factor authentication password to your website and rest assured that your site’s security is in safe hands.
You can do this with the help of Duo’s mobile app that works even if your phone is out of coverage. Alternatively, you can enable authentication using SMS or a call back to your phone. The plugin has options for that too. It works great with other plugins that you may have installed on your site.
8. Shield Security
Shield Security is another robust security authentication plugin for WordPress that shields your website from all security threats with its two-factor authentication. The plugin supports Google authenticator and Email authentication. It will also notify you every time it detects a threat on your site with its powerful core file scanner.
Besides, it also works on limiting login attempts, blocking automated spam comments and much more. It will also identify and block malicious IP addresses that can cause harm to your website. The plugin is super easy to use and set up.
9. Google Authenticator
Google Authenticator lets you enable two-factor authentication (2FA, MFA) on your site. With its authentication, you can rest assured that your site is secure from any kind of unauthorized access.
It is translation ready and supports standard TOTP and HOTP protocols for the authentication methods. The plugin is compatible with the latest version of WordPress and works wonderfully alongside various modern and advanced plugins.
These are some of the best security authentication plugins that you might want to use on your website. If you want to know more about WordPress security, here’s a detailed guide for you.
By default, WordPress makes certain directories writeable so that you and other authorized users on your website can easily upload themes, plugins, images, and videos to your website.
However, this capability can be abused if it gets into the wrong hands, such as hackers who can use it to upload backdoor access files or malware to your website.
These malicious files are often disguised as core WordPress files. They are mostly written in PHP and can run in the background to gain full access to every aspect of your website.
Sounds scary, right?
Don’t worry, there is an easy fix for that. You simply disable PHP execution in the directories where you don’t need it, so that no PHP file can run inside those directories.
In this article, we will show you how to disable PHP execution in WordPress using the .htaccess file.
Disabling PHP Execution in Certain WordPress Directories Using .htaccess File
Most WordPress sites have a .htaccess file in the root folder. This is a powerful configuration file used to password protect the admin area, disable directory browsing, generate an SEO-friendly URL structure, and more.
By default, the .htaccess file is located in your WordPress website’s root folder, but you can also create and use it inside your inner WordPress directories.
To protect your website from backdoor access files, you need to create a .htaccess file and upload it to your site’s /wp-includes/ and /wp-content/uploads/ directories.
Simply create a blank file on your computer by using a text editor like Notepad (TextEdit on Mac). Save the file as .htaccess and paste the following code inside it.
# Block web requests for any .php file in this directory (Apache 2.2 syntax; Apache 2.4 without mod_access_compat uses "Require all denied")
<Files *.php>
deny from all
</Files>
Now save the file on your computer.
Next, you need to upload this file to /wp-includes/ and /wp-content/uploads/ folders on your WordPress hosting server.
You can upload it by using an FTP client or via File Manager app in your hosting account’s cPanel dashboard.
Once the .htaccess file with the above code is added, it will stop any PHP file from running in these directories.
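As an added check (not part of this article or of WordPress itself), the following Python script verifies that each protected directory carries a .htaccess block denying .php files, in either Apache 2.2 or 2.4 syntax, and lists any PHP files sitting under wp-content/uploads, where none belong. The directory list, the file extensions treated as PHP, and the throwaway demo tree it builds are assumptions.

```python
"""Checks the .htaccess hardening from this article.  Added example, not part
of the article or of WordPress: it verifies that each protected directory
carries a block denying .php files, and lists PHP files under
wp-content/uploads, where none should exist.  The directory list and the
throwaway demo tree are assumptions."""
from pathlib import Path
import re
import tempfile

# Directories the article tells you to drop the .htaccess into.
PROTECTED_DIRS = ("wp-includes", "wp-content/uploads")
# wp-includes legitimately holds core PHP; only uploads should be PHP-free.
NO_PHP_EXPECTED = ("wp-content/uploads",)
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}

# A <Files *.php> or <FilesMatch "...php..."> block with the deny directive, in
# Apache 2.2 syntax ("deny from all", the article's) or 2.4 ("Require all denied").
DENY_BLOCK = re.compile(
    r"<Files(Match)?\s+[^>]*php[^>]*>\s*"
    r"(deny\s+from\s+all|Require\s+all\s+denied)\s*"
    r"</Files(Match)?>",
    re.IGNORECASE)


def htaccess_blocks_php(htaccess: Path) -> bool:
    """True if the file exists and contains a deny block for PHP files."""
    if not htaccess.is_file():
        return False
    return DENY_BLOCK.search(htaccess.read_text(errors="replace")) is not None


def php_files_under(directory: Path) -> list:
    """Relative POSIX paths of PHP files anywhere below directory, sorted."""
    return sorted(p.relative_to(directory).as_posix()
                  for p in directory.rglob("*")
                  if p.is_file() and p.suffix.lower() in PHP_SUFFIXES)


def audit(wp_root: Path) -> dict:
    """Per protected directory: does it exist, is PHP blocked, stray PHP files."""
    report = {}
    for rel in PROTECTED_DIRS:
        d = wp_root / rel
        report[rel] = {
            "exists": d.is_dir(),
            "php_blocked": htaccess_blocks_php(d / ".htaccess"),
            "php_files": php_files_under(d)
                         if d.is_dir() and rel in NO_PHP_EXPECTED else [],
        }
    return report


def build_demo_tree() -> Path:
    """Constructed fixture: hardened wp-includes, unprotected uploads holding a
    PHP file named to look like media (inert placeholder content)."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    inc = root / "wp-includes"
    inc.mkdir()
    (inc / ".htaccess").write_text("<Files *.php>\ndeny from all\n</Files>\n")
    uploads = root / "wp-content" / "uploads" / "2024" / "03"
    uploads.mkdir(parents=True)
    (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff\xd9")  # placeholder bytes
    (uploads / "image.php").write_text("<?php // placeholder file for the demo\n")
    return root


if __name__ == "__main__":
    for rel, r in audit(build_demo_tree()).items():
        status = "OK" if r["php_blocked"] and not r["php_files"] else "CHECK"
        print(f"{status:5} {rel}: php_blocked={r['php_blocked']} "
              f"php_files={r['php_files']}")
```

Run `audit(Path("/path/to/wordpress"))` against a real install; the .htaccess check only applies to Apache-style servers that honor that file.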
Using this .htaccess trick helps you harden your WordPress security, but it is not a FIX for an already hacked WordPress site.
Backdoors are cleverly disguised and can already be hidden in plain sight.
If you want to check for possible backdoors on your website, then you need to activate Sucuri on your website.
Sucuri is the best WordPress security plugin on the market. It scans your website for possible threats, suspicious code, malware, and vulnerabilities.
It also effectively blocks most hacking attempts to even reach your website by adding a firewall between your site and suspicious traffic.
Most importantly, if your WordPress site gets hacked, then they will clean it up for you. To learn more, you can check our Sucuri review because we have been using their service for years.
We hope this article helped you to learn how to disable PHP execution in certain WordPress directories to harden your website security. If you are looking for a complete guide, check out our ultimate WordPress security guide.
When creating a WordPress website, everyone makes mistakes. However, each mistake is a learning opportunity that helps you grow.
Over the years, we have helped thousands of WordPress users start their websites and blogs. In setting up our own websites as well as helping others, we have learned to avoid some common WordPress mistakes.
It has helped us save time, money, and grow our business more effectively.
In this article, we will share those experiences with you, so you can avoid these common WordPress mistakes.
The goal is to help you learn from other people’s mistakes when making your own websites.
1. Choosing The Wrong Platform
The biggest mistake people make when starting out is choosing the wrong blogging platform. Basically, there are two types of WordPress. First, there is WordPress.com, which is a blog hosting service, and then there is WordPress.org, which is the famous self-hosted WordPress platform that everyone loves.
You need to start with self-hosted WordPress.org because it gives you access to all the features you need out of the box.
To learn more see our article on WordPress.com vs WordPress.org with a side by side comparison of the two platforms.
2. Buying More than What You Need
To get started with a WordPress website, you need a domain name and WordPress hosting.
The challenge is that a lot of domain registrars try to upsell other services. This confuses small business owners who are just starting out.
The add-on services may include privacy protection, extra email accounts, security services, and more.
You can skip all of these things and save money to spend on growing your business. If you later decide that you need those services, then you can always purchase them from your hosting company.
You also need to choose the right hosting plan for your website. For 90% of websites that are just starting out, a shared hosting account is quite enough to get you going.
We recommend using Bluehost. They are one of the biggest hosting companies in the world and officially recommended by WordPress.
They are offering WPBeginner users a discount on hosting + free domain and SSL certificate. Basically, you can get started for $2.75 per month.
As your business grows, you can choose to upgrade your hosting plan or move to a managed WordPress hosting company.
For more details, see our guide on the cost of a WordPress website and how to save money when building your website.
3. Not Setting up Automated Backups
Each year billions of dollars worth of damages are caused by data loss. Almost every website on the internet is prone to accidents, theft, hacking attempts, and other disasters.
Your most powerful line of defense against these threats is automated backups. Without a backup, you could lose all your WordPress data, and it would be very difficult to recover it (sometimes even impossible).
We have seen many people lose their entire websites just because they didn’t have an up-to-date backup.
Setting up backups is extremely easy, and there are excellent WordPress backup plugins available in the market. Once you set up one of these backup plugins, they would automatically create backups for you.
The second part of this mistake is not storing backup files on a remote location. A lot of folks store their WordPress backups on their web hosting server. If they lose their website data, then they also lose the backups.
Make sure that you store your backups on a cloud storage service like Google Drive, Dropbox, etc. Backup plugins like UpdraftPlus can automatically do that for you.
4. Not Setting up Google Analytics
If you want to grow your business with confidence, then you need to know how people find and use your website. That’s where Google Analytics can help.
We recommend using MonsterInsights, the most popular Google Analytics plugin for WordPress. It saves you time during setup, and shows you the stats that matter, right inside your WordPress dashboard.
If you don’t want MonsterInsights Pro, then there’s also a free version of MonsterInsights available that you can get started with.
5. Not Setting up a Contact Form
Not setting up a contact form is another easily avoidable mistake that many beginners make. Without a contact form, your website visitors will not be able to contact you, and this can cause you to lose significant opportunities.
You will see a contact page on almost every popular website. It is one of the most important pages every website needs to have.
WordPress does not come with a built-in contact form, but there are a lot of great WordPress contact form plugins available that you can use.
We recommend using WPForms Lite which is the free version of the popular WPForms plugin that’s being used by over 2 million websites.
You can see our detailed instructions on how to create a contact form in WordPress.
6. Not Building an Email List
Did you know that more than 70% of people who visit your website will never come back again?
If you are not building your email list, then you are basically losing money with every website visitor that leaves your site. Converting website visitors into email subscribers allows you to bring back those users to your website.
To learn more about this topic, see our article on why building an email list is important.
You will need an email marketing service to set up your email list. We recommend using Constant Contact because they are one of the best email marketing companies on the market with a very beginner friendly platform.
For step by step instructions, see our complete tutorial on how to start an email newsletter.
7. Not Choosing The Right WordPress Theme
One of the biggest challenges WordPress beginners face is choosing the right design for their website.
With thousands of WordPress themes out there, an average beginner tries multiple themes before settling for the right one, and this process can even lead the user to rebuild their website multiple times.
To avoid this, we recommend choosing the right WordPress theme from the start and then sticking to it.
This allows your website visitors to become familiar with your website, your brand, and its unique style. Consistency and continuity of your design makes a big impact on brand recognition and awareness.
We are often asked by readers, how to choose a theme that just works?
Well, when it comes to design we prefer simplicity over glitter. It has worked really well not just for us, but many successful online businesses.
You need to choose a great looking but simple WordPress theme that pays attention to the following items:
It must look equally good on all devices (desktop, mobile, and tablets).
It should be easy to customize and flexible to adapt to your needs.
It should work with popular plugins and WordPress page builders.
It should be optimized for performance and speed.
Now we understand that as a non-techy user, you may not be able to check all those things on your own. In that case, we recommend choosing a theme from a top commercial WordPress theme shop like StudioPress, Themify, or Astra Theme.
If you need more recommendations, then check out these theme showcases where we hand-picked the best WordPress themes in different categories.
8. Ignoring WordPress Updates
We have seen many beginners and even experienced WordPress users who don’t install updates on their site. Many of them believe that doing so will cause errors and could break their site.
That’s not true.
You can easily and safely update WordPress without breaking your website. By not updating WordPress, you leave your website vulnerable to security breaches while using outdated software.
It’s not just WordPress, your WordPress theme and plugins also regularly release updates for bug fixes, security patches, and new features.
For more details, see our guide on how to safely update WordPress.
9. Not Optimizing Your Website for SEO
A lot of WordPress users rely on their best guesses when it comes to promoting their websites. Some completely ignore SEO, while some do it half-heartedly.
SEO (Search Engine Optimization) helps you rank higher in search engines, so more users can find your website.
Search engines are the biggest source of traffic for most websites. SEO is crucial for the success of your online business.
We have a complete step by step WordPress SEO guide for beginners which will help you properly optimize your website for SEO.
10. Not Using Categories and Tags Properly
Another big mistake is not using categories and tags properly. Some users end up using categories where they should have used tags and vice-versa.
We have seen websites with dozens of categories and no tags at all. We have seen websites using hundreds of tags and no categories at all.
Basically, categories are your website’s table of contents. If your website was a file cabinet, categories would be its drawers.
On the other hand, tags are like the index page. If your website was a file cabinet, tags would be the labels on individual file folders.
For a more detailed explanation, see our guide on categories vs tags and how to use them properly in WordPress for maximum SEO advantage.
11. Not Using Posts and Pages Properly
Sometimes beginner WordPress users end up using posts to create important website pages. Similarly, some users end up using pages for articles when they should have used posts instead.
A lot of users realize their mistake after a while when their website becomes difficult to manage.
Pages are for static content that rarely changes, while posts are for time-based content like news, updates, articles, and blogs.
Take a look at our complete guide about the difference between posts vs pages and what you can do with them.
12. Not Choosing The Right URL Structure (Permalinks)
Selecting the right URL settings (permalink structure) for your website is really important. Changing your URL structure later is not easy, and it can have a significant impact on your website traffic.
We recommend going to the Settings » Permalinks page in your WordPress admin area and choosing a URL structure that shows your post name in the URL.
13. Ignoring Website Speed and Performance
Human attention span is dropping rapidly, and users want instant gratification. With faster internet connections, users now find a few extra seconds of page load time extremely slow.
And it’s not just users: search engines also rank faster websites higher in their results. By ignoring website speed and performance, you risk both user experience and search rankings.
That is why you need to make sure that your website loads fast. We have a step-by-step guide that will help you improve WordPress speed and performance without going too deep into the technical stuff.
14. Not Choosing The Right Plugins
The real power of WordPress comes with its plugins. There are thousands of free WordPress plugins that you can install with a few clicks.
However, not all plugins are good. In fact, some plugins are bad and could affect your website’s performance and security. Often users end up downloading plugins from unreliable sources that distribute hidden malware.
Here are a few things you need to keep in mind when choosing plugins:
Only install plugins from WordPress.org or WordPress companies with a good reputation.
Look for plugin reviews and support forums, because they are a good indicator of a plugin’s quality.
Check trusted WordPress resources like WPBeginner for plugin recommendations.
If you want some recommendations right now, then check out our list of must have WordPress plugins for all websites.
For more information, check out our guide on how to choose the best WordPress plugins for your website.
15. Ignoring WordPress Security Best Practices
Many users do not take any security measures to harden WordPress security. Some believe that their website is too small, and it will not be targeted by hackers.
Hackers target websites indiscriminately. For example, they could use your website to distribute malware, launch brute force attacks, steal data, and more.
By not securing your website, you can lose search rankings, your website data, and/or customer information. This could cost you a lot of money and headache.
You need to follow the security best practices and build layers of security around your WordPress site. It does not take too much time, and you don’t need any special skills to do that.
Simply follow our complete WordPress security guide with step-by-step instructions to protect your website.
16. Changing Website URL and Losing All Traffic
How many of you hated the first domain you registered and wanted to switch away from it when you got serious about blogging? Yup, it happens to all of us.
While you can change the website URL or domain name, it does have a significant SEO impact. What makes matters even worse is when you switch URLs without taking proper steps.
You need to set up proper redirects, inform Google about the change, and add the new domain to Google Search Console.
We have described all the steps in our guide on how to properly move WordPress to a new domain.
17. Not Removing WordPress Demo Content
A lot of people don’t delete the default demo content added by a new WordPress install. This includes a sample page, a post titled ‘Hello World’, and a default comment.
Not removing this content allows search engines to crawl and index it. If you search Google for the text in the demo content, you’ll find hundreds of thousands of pages. That’s duplicate content, and search engines penalize duplicate content as low-quality pages.
Similarly, many people don’t change the default WordPress tag line that says ‘Just another WordPress site’.
You need to delete all default content and the tag line, as they look unprofessional and create a bad impression.
18. Not Setting up Comment Moderation
Comment spam is annoying and can make your brand look bad. Many beginners have their blogs set up to automatically publish all new comments without moderation.
This means spam comments with links to malware and low-quality sites can go live on your website without your knowledge. This could damage your search rankings and your website’s reputation.
You need to always keep comment moderation turned on for all your WordPress sites. Simply go to the Settings » Discussion page and check the box next to the ‘A comment must be manually approved’ option.
After that, you need to make it part of your routine to check and approve comments on your website. For more tips, see our article on how to combat comment spam in WordPress.
19. Not Optimizing Your Images for Web
Images are essential to building a highly engaging website, but they are also much heavier in file size than plain text.
If you add images to your website without optimizing them, it will slow down your website.
You need to make a habit of saving your images optimized for the web. You can use Photoshop, GIMP (free), or other online tools to reduce the image file size before uploading it.
For instructions, see our tutorial on how to save images optimized for the web.
20. Saving Unnecessary Code in Theme’s Functions File
Another common mistake that we often come across is when folks add too many code snippets in their theme’s functions.php file.
The functions file is designed to behave like a plugin, but it is not the ideal place for all types of code snippets. You will lose these modifications when you switch themes, and after a while you may even forget that you added code there.
We recommend only adding code in your theme’s functions file if the code is related to changing something with that particular theme.
For all other custom code, it is better to use a site-specific plugin or the code snippets plugin.
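The kind of site-specific plugin the paragraph above recommends, as an added example (not WPBeginner’s code or any plugin it links to). It assumes a file at wp-content/plugins/example-site-plugin/example-site-plugin.php; the plugin name, the text domain and the two snippets it carries are all illustrative. Both snippets are hardening tweaks that have nothing to do with the active theme, which is exactly why they should live here rather than in functions.php:

```php
<?php
/**
 * Plugin Name: Example Site-Specific Plugin
 * Description: Holds custom snippets that must survive a theme switch (added example, not WPBeginner's code).
 * Version:     1.0.0
 */

// Exit if this file is requested directly instead of being loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/*
 * Snippets that are NOT tied to a particular theme belong here rather than in
 * functions.php. Theme-specific changes (a custom image size used only by this
 * theme's templates, for instance) still belong in functions.php.
 */

// Hide the WordPress version from the HTML head and the RSS feeds, so an
// outdated install is not advertised to anyone reading the page source.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Give the login form one generic message instead of telling a visitor whether
// the username exists or only the password was wrong.
add_filter( 'login_errors', function ( $error ) {
    return __( 'Login failed. Please check your credentials.', 'example-site-plugin' );
} );
```

Once the file is in place, activate it from the Plugins page like any other plugin. Because it is independent of the theme, switching themes later leaves both tweaks in effect, and a quick look at the Plugins list reminds you that the custom code exists.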
21. Getting Locked Out by Editing Functions File in WordPress Admin Area
Another annoying mistake that is quite common is when folks edit the functions file inside the WordPress admin area.
By default, WordPress comes with a built-in code editor to edit theme and plugin files inside WordPress. Often beginners end up breaking their website when adding or removing code using those editors.
Even though WordPress now catches fatal errors and refuses to save the offending code, you could still lock yourself out and make your website inaccessible.
We recommend disabling the theme and plugin editors in WordPress and using FTP to edit files instead.
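The setting that disables the built-in editors, shown here as an added example for wp-config.php (it is not WPBeginner’s snippet). DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS are real WordPress constants; the placement note and comments are ours:

```php
<?php
// Added example for wp-config.php. Put these lines above the
// "That's all, stop editing!" comment so they are defined before WordPress loads.

// Removes the Theme File Editor and Plugin File Editor screens from the admin
// area. Files are then edited over FTP/SFTP, where a typo never locks you out of
// wp-admin. It also means a stolen admin login cannot be used to paste PHP into
// a theme through the browser.
define( 'DISALLOW_FILE_EDIT', true );

// The stricter DISALLOW_FILE_MODS also blocks installing and updating themes,
// plugins and WordPress itself from the admin area. Only enable it if updates are
// applied another way (for example with WP-CLI or a deployment script);
// otherwise it works against mistake #8 above.
// define( 'DISALLOW_FILE_MODS', true );
```

After saving the file, the Appearance and Plugins menus no longer show the editor entries, and the edit_themes and edit_plugins capabilities are denied to every user, administrators included.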
22. Not Setting Up Google Search Console
Data is really important when planning a strategy to grow your business and website. Many users make the mistake of not adding their WordPress site to Google Search Console for a long time.
This means they miss out on important search data that could help them grow their website.
Google Search Console is a free tool provided by Google. It allows you to see how your website appears in search results and fix any search indexing problems quickly.
See our complete Google Search Console guide to see how you can use it to improve search rankings and grow your business.
23. Using Uncategorized as Default Category
A lot of folks leave Uncategorized as their default category. WordPress requires all posts to be filed under a category, and when no category is selected, it automatically adds the post to the default category.
Many times users forget to select a category for their post and hit the publish button, which publishes that post in Uncategorized.
This mistake can be easily avoided by choosing a proper default category in WordPress settings.
24. Not Using a Professional Branded Email Address
We have seen many folks sending us emails from their Gmail or Hotmail accounts while pitching for a business that already has a website.
Now, how do we know for sure that they are officially representing that company or website?
Similarly, if you have a business and you are still sending people business emails from a free email account, then people will have a hard time taking you seriously.
People do not have the time or skills to verify that you are the actual owner of that website or business.
This mistake is also easily avoidable. See our guide on how to easily get a professional business email address for free.
25. Leaving a Site Public While Working on It
People often leave under-construction websites publicly accessible. This is not very professional and can harm your business.
A publicly accessible website can be automatically crawled and indexed by search engines anytime. Your competitors can find it and steal your ideas. Your customers can find it and see the unfinished website.
There is an easy way to avoid this mistake. Simply put your website in maintenance mode and add a coming soon page to build anticipation.
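A minimal maintenance-mode gate of the kind described above, as an added example (not WPBeginner’s code or the plugin it recommends). It assumes a file at wp-content/plugins/example-coming-soon/example-coming-soon.php; the plugin name, text domain and wording are illustrative. Visitors and crawlers get a 503 response, which tells search engines the site is temporarily unavailable rather than indexing the unfinished pages, while logged-in administrators still see the real site:

```php
<?php
/**
 * Plugin Name: Example Coming Soon Gate
 * Description: Shows a 503 "coming soon" page to everyone except administrators (added example, not WPBeginner's code).
 * Version:     1.0.0
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Runs just before the front-end template loads.
 *
 * template_redirect only fires for front-end requests, so wp-login.php and the
 * admin area stay reachable and you can never lock yourself out with this gate.
 * The REST API (/wp-json/) is answered before template_redirect and is NOT
 * covered here.
 */
function example_coming_soon_gate() {
    // Anyone who can manage the site (administrators) sees the real pages.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    // Ask crawlers and caches to come back later rather than store this page.
    header( 'Retry-After: 3600' );

    // wp_die() sends the 503 status, no-cache headers and a plain HTML page.
    wp_die(
        esc_html__( 'We are putting the finishing touches on this site. Check back shortly.', 'example-coming-soon' ),
        esc_html__( 'Coming soon', 'example-coming-soon' ),
        array( 'response' => 503 )
    );
}
add_action( 'template_redirect', 'example_coming_soon_gate' );
```

Deactivate the plugin when the site is ready to launch. Checking the response from a logged-out browser (or with curl) should show "HTTP/1.1 503 Service Unavailable" while the gate is active.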
26. Not Learning WordPress
WordPress is very easy to use even for non-technical users. This allows many users to keep running their websites without learning more about WordPress.
By doing so, you miss the opportunity to explore the incredibly helpful features of WordPress, things that are very simple to implement but could transform your business.
Learning WordPress is quite easy, particularly when you already have a running WordPress site. Explore different sections of WordPress, try out new plugins, and learn more about SEO and email marketing.
WPBeginner is the largest free WordPress resource site for beginners with tons of awesome resources, videos, how-tos, step-by-step tutorials, and more.
Following are just some of the helpful resources you’ll find on WPBeginner (all of them are completely free).
WPBeginner Dictionary – The best place for beginners to start and familiarize themselves with the WordPress lingo
WPBeginner Videos – New to WordPress? Watch these 23 videos to master WordPress.
WPBeginner Blog – The central place for all our WordPress tutorials.
You can also subscribe to our YouTube Channel where we regularly share video tutorials to help you learn WordPress.
We hope this article helped you learn about common WordPress mistakes and how to easily avoid them. You may also want to see our tips on effective ways to increase your website traffic without spending too much money.
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.