
The WordPress content management system (CMS) can be pretty turnkey; it’s one of the most user-friendly around, with an intuitive dashboard that lets developers and nondevelopers alike customize and publish content with ease.

It’s not foolproof, however. In fact, there are a few common mistakes any WordPress user should be wary of—pitfalls that can affect a site’s security and performance. Some of these mistakes are easily overlooked and can trip up even the most seasoned WordPress users.

Whether you’re building a new WordPress site or auditing an existing one, be sure to mind these 12 common mistakes.

1. Not resizing images properly.

Uploading images in a snap is one of the best parts of WordPress, but not properly resizing images is a common user error that might be less obvious to new users. It can have both visible and invisible effects, both of which hurt user experience.

Sometimes you might be working with a theme that doesn’t automatically constrain images in its featured image settings. This means it’s up to you to be sure the image is optimized, or you’ll end up with photos that are oddly cropped, distorted, or running off the page.

Even if the photo looks normal to the naked eye, an unoptimized photo file can seriously slow down your site’s load time. Say you upload a 20MP photo and fail to resize it. Even if your layout is responsive and the photo looks properly constrained, your site will be forced to load the full-size file each time that page is called up. If you have a gallery of photos, that cost is multiplied by every image in the gallery.

2. Using plugins when they’re not necessary.

It seems there’s a plugin for everything these days, but site owners should be wary of falling back on plugins as a solution to every problem. We’re definitely not discouraging the use of plugins—they’re the backbone of WordPress’s customizability, and there are some truly exceptional ones everyone should install—but be judicious. Not all plugins are created equal, and having too many can pose risks to your site’s security and performance.

3. Letting WordPress default settings linger.

WordPress is all about customization, but before you start tinkering around, turn your attention to your default settings. These include page titles, login page URLs, admin usernames, and database table prefixes. Leaving defaults peppered around your site can create security risks and even damage your SEO.

Be sure to update page titles, which will be reflected in your page and post URLs. Optimize them for search, and be careful not to edit a post’s URL without creating a redirect or users will see error messages. Create new admin usernames and delete the default “admin” username to make life more difficult for hackers. Always put thought into passwords, and while you’re at it, make sure your site’s title and tagline are updated too.
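One way to carry out the “replace the default admin account” step above, as an added example that is not part of the original post or of WordPress itself. It assumes a working install, that it is run once from the site root (for instance with WP-CLI’s `wp eval-file`) after a backup, and the login and e-mail values are hypothetical placeholders:

```php
<?php
/**
 * Added example (not from the original post): replace WordPress's default
 * "admin" account with a uniquely named administrator, as mistake #3 advises.
 * Run once from the site root, e.g. `wp eval-file replace-default-admin.php`,
 * after taking a backup (mistake #5). Assumes a working single-site install.
 */

// Load WordPress when this file is executed directly rather than via WP-CLI.
if ( ! defined( 'ABSPATH' ) ) {
    require_once __DIR__ . '/wp-load.php';
}
require_once ABSPATH . 'wp-admin/includes/user.php'; // provides wp_delete_user()

$new_login = 'site-owner-k7';        // hypothetical: choose a login that is not guessable
$new_email = 'owner@example.com';    // hypothetical

$old_admin = get_user_by( 'login', 'admin' );
if ( ! $old_admin ) {
    exit( "No default 'admin' account found; nothing to do.\n" );
}
if ( get_user_by( 'login', $new_login ) ) {
    exit( "User {$new_login} already exists; choose another login.\n" );
}

// Strong random password; WordPress stores only its hash.
$password = wp_generate_password( 24, true, true );
$new_id   = wp_create_user( $new_login, $password, $new_email );
if ( is_wp_error( $new_id ) ) {
    exit( 'Could not create user: ' . $new_id->get_error_message() . "\n" );
}
( new WP_User( $new_id ) )->set_role( 'administrator' );

// Delete the default account, reassigning its posts to the new user so
// nothing authored by "admin" disappears along with it.
wp_delete_user( $old_admin->ID, $new_id );

echo "Created administrator '{$new_login}' with password: {$password}\n";
echo "Default 'admin' account removed; its content now belongs to user {$new_id}.\n";
```

The database table prefix from the same paragraph is set separately, by the `$table_prefix` value in wp-config.php, and is best chosen before the site is installed.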

4. Adding customizations to a parent theme.

For the nondeveloper, this might seem a little on the technical side, but it’s an important mistake to avoid and one you can easily control when you choose a theme for your site.

Be sure to choose a child theme, which is a template that uses a separate code layer that runs on top of a parent theme. When a developer customizes aspects of your theme, he or she will do so at the child layer, not the parent layer. This is important for continuity because any customizations made to a parent theme are likely to be lost the next time you update to a new version.
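The two files that make up a child theme, as an added example rather than code from the original post or from any particular theme. It assumes the parent theme lives in the directory `twentytwentyone` (hypothetical) and the child in `wp-content/themes/my-child`:

```php
<?php
/**
 * Added example (not from the original post): a minimal child theme, so
 * customizations survive parent-theme updates (mistake #4).
 * Parent directory "twentytwentyone" and child directory "my-child" are hypothetical.
 *
 * File 1, wp-content/themes/my-child/style.css, needs only a header block.
 * Its "Template:" line names the parent theme's directory:
 */
// /*
//  Theme Name: My Child Theme
//  Template:   twentytwentyone
//  Version:    1.0.0
// */

/**
 * File 2, wp-content/themes/my-child/functions.php, is this file. WordPress
 * loads the child's functions.php before the parent's, so add behaviour with
 * hooks instead of copying and editing parent code.
 */
add_action( 'wp_enqueue_scripts', 'my_child_enqueue_styles' );
function my_child_enqueue_styles() {
    // Parent stylesheet first; get_template_directory_uri() points at the parent.
    wp_enqueue_style(
        'parent-style',
        get_template_directory_uri() . '/style.css',
        array(),
        wp_get_theme( get_template() )->get( 'Version' )
    );
    // Child stylesheet depends on the parent's, so it loads afterwards and overrides it.
    wp_enqueue_style(
        'child-style',
        get_stylesheet_directory_uri() . '/style.css',
        array( 'parent-style' ),
        wp_get_theme()->get( 'Version' )
    );
}

// Example customization kept in the child layer: shorter post excerpts.
add_filter( 'excerpt_length', function ( $length ) {
    return 30;
} );
```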

5. Forgetting to back up before making changes big and small.

When should you back up? If you don’t have a plugin or a hosting platform running automatic, regular backups for you, the answer is: Back up before you make any substantial changes.

Back up before updating your WordPress version. Back up before updating your theme. Back up before running an SQL query. Back up before updating plugin versions. If you update plugin versions without backing up your site and that new plugin code wasn’t verified to work with the core version of WordPress you’re running, you’ll run into problems. Plugin developers do their best to test for compatibility, but they can’t always account for every plugin you’re running at the same time—and it takes only a bit of bad code to cause an issue or an error.

If you do update part of your site and it breaks the whole thing, you’ll need either a) the ability to quickly fix the error or b) a backup of your site to roll back to, or you’ll likely face some downtime.

Tip: Plugins such as Worker from ManageWP can automatically back up WordPress for you.

6. Ignoring the new GDPR compliance.

As of version 4.9.6, WordPress software is compliant with the new EU General Data Protection Regulation (GDPR) and features new security-boosting enhancements. Even so, every site and plugin is different, and there’s the potential for serious repercussions with noncompliance, so make sure your site is compliant sooner rather than later.

7. Taking WordPress security for granted.

WordPress is a veteran CMS with a huge team behind it, but its widespread use makes it a frequent target for hackers. There are plenty of things you can do to keep your site safe, such as updating to the latest core version, updating plugins, and updating themes. New versions carry fixes and patches, so when a bug or vulnerability is found, updating promptly gets you the latest and greatest security.

Also, keep an eye out for any suspicious plugins you’re not sure you downloaded. A backdoor hack discovered in May 2018 uses the installation of unauthorized plugins to breach sites. Don’t give every person contributing to your site admin privileges, either.
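A read-only check for the two points above (plugins you are not sure you installed, and who holds admin privileges), as an added example that is not part of the original post. It assumes it is run from the site root (for instance with `wp eval-file`) and that the allowlist entries other than Akismet are hypothetical:

```php
<?php
/**
 * Added example (not from the original post): audit for mistake #7.
 * Lists installed plugins missing from an allowlist you maintain, plus every
 * account with the administrator role. Run from the site root, e.g.
 * `wp eval-file audit-plugins-admins.php`. Allowlist paths other than
 * akismet are hypothetical.
 */
if ( ! defined( 'ABSPATH' ) ) {
    require_once __DIR__ . '/wp-load.php';
}
require_once ABSPATH . 'wp-admin/includes/plugin.php'; // provides get_plugins()

// Plugins you knowingly installed, keyed by their main file path.
$allowed_plugins = array(
    'akismet/akismet.php',
    'my-custom-plugin/my-custom-plugin.php', // hypothetical
);

$unknown = array();
foreach ( get_plugins() as $file => $header ) {
    if ( ! in_array( $file, $allowed_plugins, true ) ) {
        $unknown[ $file ] = $header['Name'] . ' ' . $header['Version'];
    }
}

if ( $unknown ) {
    echo "Plugins NOT on the allowlist (verify where each came from):\n";
    foreach ( $unknown as $file => $label ) {
        echo "  {$file}  ({$label})\n";
    }
} else {
    echo "All installed plugins are on the allowlist.\n";
}

// Administrator accounts: keep this list as short as the site allows.
echo "\nAccounts with the administrator role:\n";
foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
    echo "  {$user->user_login} <{$user->user_email}>\n";
}
```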

Brush up on these and more in our Guide to Securing Your WordPress Website.

8. Opting for cheap, simple hosting for your WP.

Investing in good hosting for your WordPress site is critical. While WordPress can offer a lot in the way of support, it’s ultimately your hosting platform or your developer who will save the day when something goes wrong with your self-hosted WordPress site. Cheap, low-quality hosting might not seem like a big deal, but it can threaten the security, performance, and data of your site.

A great hosting provider can make a huge difference and make your life a lot easier—especially when it comes to keeping your site up and running. Great providers such as SiteGround, WP Engine, and Liquid Web will run nightly backups for you (a handy solution to mistake #5) and can also offer services that remove the need for certain plugins (a solution to mistake #2).

Compare some other top hosting options with 5 Best Web Hosting Providers for Small-Business Owners.

9. Not getting an SSL certificate for your site—or the SSL certificate that fits your needs.

SSL certificates are not one-size-fits-all, so it’s important to know what you need and shop accordingly. If SSL certificates are available from your hosting provider, know what’s included and what they do. Because going from HTTP to HTTPS is increasingly nonnegotiable these days, this is a big one you won’t want to skip.

Learn more in What Are SSL Certificates and Why Do You Need One?

10. Developing or updating a site without a staging environment.

Whether your developer is working on your site locally or in the cloud with server space from a provider such as Liquid Web, staging environments are an important consideration for new and existing sites alike. You have a few options for making changes to a live site, such as copying a site and moving it to a deindexed URL that you can tinker with away from the general public.

Say you give someone the credentials to edit your live website and he or she makes changes to the live version instead of pulling a copy of your code down to his or her local machine. If any of those changes cause issues, there’s a chance your live site will crash, requiring you to roll it back or fix the bug. Making changes in a staging site removes the need for a “Coming Soon” plugin or making any DNS changes. Once you’re finished testing for bugs, the staging environment can go live worry-free.

Get some ideas for how to set up a great WordPress development workflow.

11. Not optimizing content for SEO or doing proper SEO titles and snippets.

WordPress has excellent built-in SEO, and the Yoast plugin offers truly exceptional SEO as well. But expecting miracles without going the extra mile is a mistake. Be sure you’re making all the necessary updates throughout your site, customizing default page names and permalinks so that they’re search-engine friendly.

12. Not minifying your HTML, CSS, and JavaScript code.

If you’ve ever run a Google speed test on your site, you might have noticed this recommendation. Minification strips whitespace, comments, and other characters the browser doesn’t need from your code, so the files are smaller and take less time to load. It’s easy for a developer to do, and it will help your site load faster.