WordPress is one of the most highly rated CMSs in use around the world because its backend is so easy to use. Any non-technical user can install themes of their liking and plugins to add functionality to the site.
Because the CMS is easy to use, users make some very common mistakes in WordPress that need to be avoided; otherwise they lead to large-scale vulnerabilities.
When you install WordPress, it comes with a default URL structure for accessing the admin side. That means this page is easily accessible to anyone who knows this admin name, and it has become one of the most crucial points for hacking WordPress-based websites. Change the admin name to something of your liking so that others can't reach the admin area easily.
Along with admin, developers have the common habit of assigning the world-famous username admin together with its second most famous password, admin/123456. This has given phishers and attackers another easy way to hack the site. Always generate strong, solid passwords and pick a username that can't be guessed easily by hackers.
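The credential checks described above, as an added example written for this article rather than code from WordPress itself: a small POSIX shell routine that rejects the well-known default usernames and passwords, refuses passwords that contain the username, and generates a random one from /dev/urandom. The deny-list and the 16-character minimum are constructed for illustration; a real deployment would use a far larger list.

```shell
#!/bin/sh
# Added example (not from the original article): admin credential checks for a
# WordPress account. The deny-lists below are constructed and deliberately short.

# Returns 0 if the username is acceptable, 1 if it is a well-known default.
check_username() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$name" in
        admin|administrator|root|test|user|"")
            echo "username '$1' is a common default; choose something less guessable" >&2
            return 1 ;;
    esac
    return 0
}

# Returns 0 if the password passes, 1 otherwise. Checks a constructed deny-list
# of the most common passwords, a minimum length, and that the password does
# not contain the username.
check_password() {
    user=$1
    pass=$2
    lower=$(printf '%s' "$pass" | tr 'A-Z' 'a-z')
    luser=$(printf '%s' "$user" | tr 'A-Z' 'a-z')
    case "$lower" in
        admin|123456|123456789|password|qwerty|letmein|welcome|admin123)
            echo "password is on the common-password deny-list" >&2
            return 1 ;;
    esac
    if [ "${#pass}" -lt 16 ]; then
        echo "password is shorter than 16 characters" >&2
        return 1
    fi
    if [ -n "$luser" ]; then
        case "$lower" in
            *"$luser"*)
                echo "password contains the username" >&2
                return 1 ;;
        esac
    fi
    return 0
}

# Print a random password of the requested length (default 24) built from
# printable, shell-safe characters. Reads a fixed chunk of /dev/urandom so no
# process in the pipeline is cut off mid-write.
generate_password() {
    len=${1:-24}
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*_+=-' | cut -c "1-$len"
}

# Demo on constructed values
check_username admin || echo "rejected username: admin"
check_password admin 123456 || echo "rejected password: admin/123456"
echo "generated: $(generate_password 24)"
```

WordPress exposes the same idea server-side through its PHP helper `wp_generate_password()`; the shell version here is only for checking accounts from the command line before they are created.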
Developers tend to install plugins during development and then not remove them from the admin after the site is live. An unnecessary collection of plugins can slow the website down considerably, and a non-technical client might get confused. Keep only the files, images and plugins that the website uses and remove everything unwanted. This way the website runs faster and the admin looks neat and is nicer to use.
Another way a site gets injected is through the default prefix that comes with the tables. Always change the wp_ prefix to a prefix of your own liking. This keeps hackers from using the well-known prefix to attack the tables.
Make a habit of taking backups on a regular basis, and always before making any changes.
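A backup routine of the kind the paragraph above asks for, as an added example and not a script from the original article: it archives the WordPress directory, dumps the database when `mysqldump` is installed (reading the `DB_*` constants from wp-config.php), writes a SHA-256 manifest, and provides a verify step to run before trusting the copy. The install and backup paths are assumptions passed in by the caller; the backup directory should sit outside the web root.

```shell
#!/bin/sh
# Added example (not from the original article): back up a WordPress site's
# files and database into a timestamped directory and verify the archive.
# Usage: backup_site <wp_root> <backup_dir>   then   verify_backup <backup_dir>/<stamp>

# Extract the value of define('NAME', 'value') from wp-config.php.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Creates <backup_dir>/<timestamp>/files.tar.gz, db.sql.gz (when possible) and
# SHA256SUMS. Prints the backup directory on success; returns 1 on failure.
backup_site() {
    wp_root=$1
    backup_dir=$2
    [ -d "$wp_root" ] || { echo "no such directory: $wp_root" >&2; return 1; }
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    dest="$backup_dir/$stamp"
    mkdir -p "$dest" || return 1

    # Files: archive relative to the parent so paths restore cleanly.
    tar -czf "$dest/files.tar.gz" -C "$(dirname "$wp_root")" "$(basename "$wp_root")" || return 1

    # Database: only when wp-config.php is present and mysqldump is installed.
    if [ -f "$wp_root/wp-config.php" ] && command -v mysqldump >/dev/null 2>&1; then
        db_name=$(wp_config_value "$wp_root/wp-config.php" DB_NAME)
        db_user=$(wp_config_value "$wp_root/wp-config.php" DB_USER)
        db_pass=$(wp_config_value "$wp_root/wp-config.php" DB_PASSWORD)
        db_host=$(wp_config_value "$wp_root/wp-config.php" DB_HOST)
        # Password goes through the environment, not the command line, so it is
        # not visible in the process list.
        MYSQL_PWD="$db_pass" mysqldump --single-transaction -h "${db_host:-localhost}" \
            -u "$db_user" "$db_name" | gzip > "$dest/db.sql.gz" || return 1
    else
        echo "skipping database dump (no wp-config.php or mysqldump not found)" >&2
    fi

    # Manifest so a restore can detect a corrupted or tampered archive.
    (cd "$dest" && sha256sum *.gz > SHA256SUMS) || return 1
    printf '%s\n' "$dest"
}

# Returns 0 when the manifest matches and the archive lists cleanly.
verify_backup() {
    dest=$1
    (cd "$dest" && sha256sum -c SHA256SUMS) >/dev/null 2>&1 || return 1
    tar -tzf "$dest/files.tar.gz" >/dev/null 2>&1 || return 1
    return 0
}
```

Run `backup_site` from cron before any plugin, theme or core change, and run `verify_backup` on the result; a backup that was never verified is only a guess.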
Whenever you install WordPress, comments are active by default; no matter what post you write, comments are always active. Accepting comments from spammers or bots always leads to site injection.
Avoid a link structure that passes an ID in the URL. One downside is that Google will not index such pages, and the second is that these sites are the most commonly hacked.
The most common mistake I have seen non-technical people make is that they don't update plugins or WordPress to the latest version. They are scared to update in case it stops certain functions on the site. But in actual fact, updating is good because it brings lots of security patches, bug fixes and fixes for the latest compatibility issues.
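Two of the points above, the default `wp_` table prefix and running an outdated core, can be checked from the command line. The following is an added example written for this article, not a WordPress or WP-CLI tool: it reads `$table_prefix` from wp-config.php and `$wp_version` from wp-includes/version.php (both real WordPress files) and flags the default prefix or a version older than the one you pass in. The "latest" version is an input; fetching it (for example from wordpress.org's version-check API) is left to the caller, and the version numbers in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): audit a WordPress install for
# the default table prefix and for a pending core update.
# Usage: audit_wp <wp_root> <latest_version>   (exit status = number of failed checks)

# Print the configured table prefix from wp-config.php ($table_prefix = 'wp_';).
wp_table_prefix() {
    sed -n "s/^[[:space:]]*[$]table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Returns 0 when a site-specific prefix is set, 1 when it is still wp_ (or unset).
check_table_prefix() {
    prefix=$(wp_table_prefix "$1")
    if [ -z "$prefix" ] || [ "$prefix" = "wp_" ]; then
        echo "table prefix is the default 'wp_' (or not set); choose a site-specific one" >&2
        return 1
    fi
    return 0
}

# Print the installed version from wp-includes/version.php ($wp_version = '6.x';).
wp_installed_version() {
    sed -n "s/^[[:space:]]*[$]wp_version[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Dotted version compare: returns 0 if $1 >= $2 (uses GNU sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Returns 0 when the installed core is at least <latest>, 1 when an update is pending.
check_core_version() {
    installed=$(wp_installed_version "$1")
    latest=$2
    [ -n "$installed" ] || { echo "could not read the version from $1" >&2; return 1; }
    if version_ge "$installed" "$latest"; then
        return 0
    fi
    echo "WordPress $installed installed, $latest available: update" >&2
    return 1
}

# Run both checks; the return value is the number of checks that failed.
audit_wp() {
    root=$1
    latest=$2
    failed=0
    check_table_prefix "$root/wp-config.php" || failed=$((failed + 1))
    check_core_version "$root/wp-includes/version.php" "$latest" || failed=$((failed + 1))
    return "$failed"
}
```

The same checks belong in a monitoring job: a non-zero exit from `audit_wp` after the monthly WordPress release is the reminder that the update was skipped, and plugin versions can be audited the same way from each plugin's header.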