10 WordPress Mistakes to Avoid

WordPress is an amazingly powerful and flexible tool. But like any tool, its wide array of options means it’s easy to make mistakes using it.

While all of these mistakes will adversely affect your website, some can be absolutely devastating. That’s why it’s so important to know what they are so you can avoid them.

In this article, you’ll find 10 common WordPress mistakes and how to avoid them.

1. Using Poorly-Coded Themes

This is the first and most important thing to look at because it forms the foundation for your SEO efforts, and frankly, most themes suck in this regard.

Whether your theme is custom-built, purchased from a theme vendor, or downloaded for free from the WordPress repository, there are a few critical details you need to evaluate to ensure it will not put you at a disadvantage, including:

HTML Validation

This is critical because invalid HTML can cause rendering issues, which affect both users and search engines.

When this happens, you can lose visitors because your website doesn’t display and/or work properly for them, and you can rank poorly because search engines can’t properly render your page and understand the content on it.

There’s a simple and free tool for checking HTML validation via W3C’s Markup Validation Service but I want to include a caveat – while I think valid HTML is important, I’m not an HTML validation purist.

What I mean by that is there are cases where some errors may not be worth fixing from an ROI (Return on Investment) perspective.

It’s also important to note that you may not be able to fix some errors because they may be coming from something you don’t have the ability to edit, such as core functionality in some themes or plugins.

In cases like this, if you’re faced with severe errors that are causing rendering issues, it may make more sense to start over and rebuild from the ground up.

HTTP Requests

Many themes load a ridiculous number of scripts, images, fonts, and other types of files, which cause your pages to load more slowly.

The worst part is that many themes load these files unnecessarily. Rather than loading files only on pages where they are used, many themes simply load them on every page, which results in a significantly slower load speed.

Page speed is critical, both for users and for SEO.

There’s no particular number to aim for, but fewer is always better from a performance standpoint – especially if your website loads slowly.
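One practical fix when a theme loads assets everywhere is to remove them on the pages that don’t use them. The snippet below is an added example, not code from the article or from any particular theme: it unloads a slider’s script and stylesheet everywhere except the front page. The handles mytheme-slider and mytheme-slider-css are assumptions; your theme’s real handles are in its wp_enqueue_script() and wp_enqueue_style() calls, or in the id attributes of the script and link tags it outputs.

```php
<?php
/**
 * Added example: load a theme's slider assets only on the front page,
 * where the slider is actually used. Drop this in a must-use plugin
 * (wp-content/mu-plugins/) or a child theme's functions.php.
 *
 * The handles 'mytheme-slider' and 'mytheme-slider-css' are assumptions
 * standing in for whatever your theme registered.
 */

// Priority 100 so this runs after the theme's own enqueue callbacks (default 10).
add_action( 'wp_enqueue_scripts', 'example_trim_theme_assets', 100 );

function example_trim_theme_assets() {
	// The slider lives on the front page, so keep its files there.
	if ( is_front_page() ) {
		return;
	}

	// Assumed handles, one per file the theme registered.
	$unused_scripts = array( 'mytheme-slider' );
	$unused_styles  = array( 'mytheme-slider-css' );

	foreach ( $unused_scripts as $handle ) {
		wp_dequeue_script( $handle );
		// Deregistering too stops a later enqueue (e.g. by a dependent handle) from bringing it back.
		wp_deregister_script( $handle );
	}

	foreach ( $unused_styles as $handle ) {
		wp_dequeue_style( $handle );
		wp_deregister_style( $handle );
	}
}
```

Check the result in the browser’s network panel, and test every template type, not just the home page: if another handle lists the one you removed as a dependency, that script will fail to load as well, and the fix is to unload both.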

Excessive DOM Size

This may sound incredibly technical, but it’s actually pretty simple. It just means we need to ensure that the HTML for our WordPress site is as efficient as possible.

While that may seem trivial, efficient HTML code can play a huge role in how well a site performs because each element has an impact on memory usage, style calculations, and layout reflows.

Many themes use excessive HTML elements, often nested several levels deep, and this quickly destroys performance.

We see this with page builders, but we also see it at the theme level because most developers focus on the visual appearance with little regard to code efficiency.

2. Using Page Builders

Some may disagree, but I believe using page builders is a huge mistake.

I understand the arguments in favor of them – they make it easier for people to add and edit designed content.

But the problem is that they also create a lot of bloated code, add unnecessary HTTP calls, and often, introduce HTML errors that you can’t fix.

I’ve never seen a single page builder that produces clean, efficient code.

I wrote an in-depth article about website builders a while back, and many of the issues that apply there apply equally to WordPress page builders.

3. Installing Excessive Plugins

One of the things that makes WordPress so powerful is the simplicity of adding functionality by simply installing one or more plugins. Gone are the days of having to hire a developer and spend thousands or tens of thousands of dollars just to add a new feature.

But this can also create significant problems.

The first problem is that there’s a wide range of development quality in these plugins. As with themes, many plugins are poorly coded, which slows down the load speed and introduces HTML errors into your website.

Often, these plugins also load a bunch of scripts, CSS files, images, and fonts, which further degrades speed and creates a poor user experience.

Another problem is that because it’s so easy, many people make the mistake of adding too many plugins.

This causes your websites to load more slowly no matter how well each one may be coded because it still requires processing power to execute the functionality they provide and to include any external files they load.

4. Not Optimizing Media

We’re all carrying an incredibly powerful camera in our pocket these days, which gives us the ability to easily add new photos to our WordPress website, but this also leads to a common and significant mistake.

When you take a picture with your iPhone or Android device, the image will generally be significantly larger than it needs to be for use on your website.

These large, high-resolution images are great for printing, or even for cropping a smaller section to be displayed at full size without losing image quality. But if uploaded directly to your WordPress media library, they will often be stored as full-sized, unoptimized images.

Some themes will automatically resize uploads based on a set of dimension pairs to help eliminate this issue. Many do not, however.

If your WordPress site is already up and running and you’re just starting to address this issue, the good news is that you don’t need to re-upload everything in your media library because there are a variety of plugins available to automatically resize them.

I want to point out that it’s absolutely critical to back up your website before running tools like this because if they delete or overwrite something you didn’t intend them to, you’ll need a way to undo that.

Learn more about the optimization of media in How to Improve Page Speed for More Traffic & Conversions.

5. Omitting an XML Sitemap

While everyone can benefit from having an XML sitemap, this is especially important on larger websites because it helps search engines to find and crawl all of your pages, particularly the ones that may be buried deep with few links pointing to them.

Surprisingly, this critical feature is not yet native to WordPress, so you will have to rely on a plugin.

I generally use Yoast for this because it also incorporates several other features that we need, but there are a number of plugins that can dynamically create your XML sitemap each time you add, modify, or delete pages, posts, and media.

6. Skipping Updates

Given what I do for a living, I get to see the backend of a tremendous number of websites and am always surprised at how out of date some people are willing to let their plugins and themes and even WordPress core get.

After decades of consistently seeing this, I really shouldn’t be surprised though.

This common mistake can have devastating consequences because these updates patch not only performance, design, and usability issues, but also security holes that may give hackers the ability to get into your website.

Once they get in, they can do all kinds of malicious things, ranging from the obvious – like deleting or defacing a website, to the subtle – like intercepting credit card info or adding outbound links.

If you know you’re the kind of person who won’t make time to regularly update WordPress core, I recommend that you turn on automatic updates.
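Automatic updates can also be switched on in code rather than in the dashboard, which is handy when you manage several sites. The snippet below is an added example, not from the article; it uses WordPress core’s own update filters, and the plugin slug my-custom-checkout is a placeholder for a plugin you want to test by hand before it updates.

```php
<?php
/**
 * Added example: opt in to automatic updates for core, plugins and themes
 * from a must-use plugin (wp-content/mu-plugins/), while holding back one
 * plugin that you prefer to update manually.
 *
 * All filter names are WordPress core filters. The slug 'my-custom-checkout'
 * is a placeholder.
 */

// Core: allow both minor releases (security and maintenance) and major releases.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins and themes: update everything automatically...
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// ...except one plugin you want to test first. Priority 20 so this runs
// after the blanket __return_true above and gets the final say.
add_filter( 'auto_update_plugin', 'example_hold_back_plugin', 20, 2 );

function example_hold_back_plugin( $update, $item ) {
	// $item is the update object WordPress passes for each plugin; its slug
	// is the plugin's directory name.
	if ( isset( $item->slug ) && 'my-custom-checkout' === $item->slug ) {
		return false;
	}
	return $update;
}
```

Anything you hold back this way still shows up on the Dashboard > Updates screen, so it is not forgotten, just not applied until you do it yourself.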

7. Overlooking Security

We’ve already talked about the security implications of not keeping your plugins, themes, and WordPress core up to date, but keeping your website secure goes far beyond that.

It’s important to point out that there is no way to make your website completely secure. But by taking steps to harden your security, you’ll deter most hackers, with the rare exception of those who are specifically targeting you.

This is because hacking is largely a numbers game where hackers crawl thousands or even millions of websites looking for easily exploited vulnerabilities.

Don’t Use a Default Username

By default, the first username in a WordPress install will generally be “admin” which should be changed because it’s the username hackers will try first.

If you’re setting up a brand new website, this is simple – just change it during the installation process.

If you have an existing website, there is no way to change usernames within the admin area; however, you can log into your hosting account’s phpMyAdmin and modify the WordPress database directly.

You should also change the display name in your user profile so that you aren’t broadcasting your username to the world with each post.

Lock Down Your Admin Area

There are multiple ways to limit access to your admin area to a particular IP, which will prevent most hacking attempts.

Linux Server (Most Web Servers)

This is a simple process of creating a .htaccess file with the right content and uploading it to your wp-admin folder.

Simply fire up a text editor, create a new file and paste the code below. Be sure to replace xx.xx.xx.xx with your IP, which you can find by entering “what’s my ip” into a Google search.

Two caveats before you upload it. First, these are the Apache 2.2 directives; Apache 2.4 still honors them through mod_access_compat, but its native form is a Require ip directive. Second, wp-admin/admin-ajax.php is also called by the front end of many themes and plugins, so blocking the whole folder can break features for ordinary visitors unless you add an exception for that one file.

order deny,allow
deny from all
# Replace with your IP address
allow from xx.xx.xx.xx

Windows Server

I’ve never hosted anything on a Windows server, and the process here is a bit foreign to me, so if you’re on a Windows server, I’ll just encourage you to search Microsoft’s support documents to find the appropriate process for your version of Windows.

Plugin

I look at this as a last resort because it is the least efficient method to limit access to a particular IP. It also poses another problem in that when your IP changes, you’ll be unable to update the plugin to your new IP.

The only way to access your admin area at that point will be to log in via FTP and delete the plugin. If you’re going to go through all of that, you’re better off just using .htaccess in the first place.

Enable TFA (Two Factor Authentication)

Two-factor authentication is a powerful tool to protect your website because it sends a code to your mobile device that you must enter before logging in. This means that without physical access to your device, someone else won’t be able to access your admin area.

This requires a plugin, and there are a number of free and paid plugins available to create this functionality.

Limit Login Attempts

This is one more simple way to harden your WordPress website’s security by blocking login attempts from a particular IP after a certain number of failed attempts.

This also requires a plugin, and there are a number of free and paid plugins available to create this functionality as well.
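To show what such a plugin does under the hood, here is an added example of a minimal per-IP lockout written against WordPress core hooks. It is not the article’s code and not taken from any particular plugin. It assumes five failures within 15 minutes lock the address out for 15 minutes, and that the site is not behind a reverse proxy, so REMOTE_ADDR really is the client’s address.

```php
<?php
/**
 * Added example: lock out an IP address after repeated failed logins, using
 * WordPress transients as the counter so no extra table is needed.
 * Save it in wp-content/mu-plugins/ so it loads before normal plugins.
 *
 * Assumptions: 5 failures within a 15 minute window; REMOTE_ADDR is the real
 * client address (no reverse proxy in front of the site).
 */
const EXAMPLE_LOGIN_MAX_ATTEMPTS = 5;
const EXAMPLE_LOGIN_WINDOW       = 15 * MINUTE_IN_SECONDS;

function example_login_client_key() {
	// Only trust REMOTE_ADDR. Headers such as X-Forwarded-For are client
	// supplied and only safe when a proxy you control overwrites them.
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
	// Hash so the transient name stays short and contains no odd characters.
	return 'example_login_fail_' . md5( $ip );
}

// Count a failure. Core fires this after the credentials were rejected.
add_action( 'wp_login_failed', 'example_record_failed_login' );
function example_record_failed_login( $username ) {
	$key   = example_login_client_key();
	$count = (int) get_transient( $key );
	set_transient( $key, $count + 1, EXAMPLE_LOGIN_WINDOW );
}

// Once the limit is reached, override the outcome of every login attempt.
// Priority 99 runs after core's own checks, so the lockout wins regardless
// of whether the password happened to be right.
add_filter( 'authenticate', 'example_block_locked_out_ip', 99, 3 );
function example_block_locked_out_ip( $user, $username, $password ) {
	if ( (int) get_transient( example_login_client_key() ) >= EXAMPLE_LOGIN_MAX_ATTEMPTS ) {
		return new WP_Error(
			'too_many_attempts',
			__( 'Too many failed login attempts. Please try again later.' )
		);
	}
	return $user;
}

// Reset the counter after a successful login so legitimate users recover.
add_action( 'wp_login', 'example_clear_failed_logins' );
function example_clear_failed_logins() {
	delete_transient( example_login_client_key() );
}
```

Two design points worth knowing: the authenticate filter also covers XML-RPC logins, which is where a lot of automated guessing arrives, and because a blocked attempt is itself a failed login, every try during a lockout refreshes the window, so the lockout keeps sliding until the attempts stop.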

8. Not Implementing Backups

Everyone needs automated backups. This is an essential part of having a website.

Aside from enabling you to easily roll back changes, it also may help you to quickly recover from a hack by restoring an older version of your website.

Your backup schedule will depend to some degree on how frequently you modify your website but at the very least, it should run weekly. I like to keep several months’ worth of backups in case a hack occurs and goes unnoticed for a while – this enables us to go back far enough to find a clean backup to restore from.

While these backups can live on your webserver to speed up the restore process, ideally, they should also be copied off-site to the cloud so you always have a clean copy that an attacker who compromises the server can’t delete along with the site.

9. Omitting Schema

In the world of SEO, we need every advantage we can find, and while schema may not directly impact ranking, it can have a positive impact on clickthrough rates because of added visual cues.

This means that your website may earn clicks that would have otherwise gone to other higher ranking websites simply because your listing in the search results drew more attention.

Schema is basically a way to communicate to search engines what your content is about, and how the entities within your content relate to each other.

You’ll want to implement your schema as JSON-LD, which is JSON placed in a script tag, rather than microdata, which is attributes woven into your HTML markup.

There are a number of plugins available, both free and paid, to help with this, but I personally prefer to write the JSON and insert it into the code myself because this gives me greater control without having to add yet another plugin.

And sometimes, we have to do this because plugins can’t handle some of the more complex scenarios we run into.

For example, let’s say you’re working with a national brand with multiple franchise locations. In this case, some pages may need schema for the parent company, while others need the schema for both the parent company and the local franchise. That requires a custom approach.
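Here is how that franchise case can be handled by hand, as an added example that is not the article’s own code: every page outputs the parent Organization, and location pages add a LocalBusiness that points back to the parent. It assumes a page template named page-location.php and post meta keys _loc_name, _loc_street, _loc_city, _loc_region, _loc_postal and _loc_phone for each location; the brand name is a placeholder.

```php
<?php
/**
 * Added example: hand-written JSON-LD for a parent brand with franchise
 * locations, output from a must-use plugin.
 *
 * Assumptions: location pages use the (hypothetical) template
 * 'page-location.php' and store their details in the post meta keys listed
 * below. 'Example Brand' is a placeholder name.
 */
add_action( 'wp_head', 'example_output_schema' );

function example_parent_organization() {
	return array(
		'@type' => 'Organization',
		// A stable @id lets other entities reference the parent instead of repeating it.
		'@id'   => home_url( '/#organization' ),
		'name'  => 'Example Brand', // placeholder
		'url'   => home_url( '/' ),
	);
}

function example_local_business( $post_id ) {
	return array(
		'@type'     => 'LocalBusiness',
		'name'      => get_post_meta( $post_id, '_loc_name', true ),
		'url'       => get_permalink( $post_id ),
		'telephone' => get_post_meta( $post_id, '_loc_phone', true ),
		'address'   => array(
			'@type'           => 'PostalAddress',
			'streetAddress'   => get_post_meta( $post_id, '_loc_street', true ),
			'addressLocality' => get_post_meta( $post_id, '_loc_city', true ),
			'addressRegion'   => get_post_meta( $post_id, '_loc_region', true ),
			'postalCode'      => get_post_meta( $post_id, '_loc_postal', true ),
		),
		// Tie the branch to the parent entity declared on every page.
		'parentOrganization' => array( '@id' => home_url( '/#organization' ) ),
	);
}

function example_output_schema() {
	$graph = array( example_parent_organization() );

	// Only location pages carry the second entity.
	if ( is_page_template( 'page-location.php' ) ) {
		$graph[] = example_local_business( get_queried_object_id() );
	}

	$data = array(
		'@context' => 'https://schema.org',
		'@graph'   => $graph,
	);

	// JSON_HEX_TAG and JSON_HEX_AMP encode <, > and & as \u escapes, so a
	// value typed into post meta can never close the script element early.
	echo '<script type="application/ld+json">'
		. wp_json_encode( $data, JSON_HEX_TAG | JSON_HEX_AMP )
		. '</script>' . "\n";
}
```

Paste a rendered page into Google’s Rich Results Test or the Schema.org validator to confirm both entities are detected and that the parentOrganization reference resolves to the Organization on the same page.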

10. Not Properly Configuring Permalinks

The default permalinks that WordPress creates are not ideal from a search perspective, so we’ll want to change them.

This is a relatively easy fix, and it’s essential because a proper URL structure helps search engines to better understand the hierarchy of your website.

You’ll want to change this setting from whatever it’s currently at to the following:

Image Credits: Paulo Bobita