25 WordPress Security Mistakes Freelancers Make
Freelance WordPress developers often skip critical security steps that leave client sites vulnerable to malware, data theft, and POPIA violations. This guide exposes 25 common mistakes—from weak passwords to unpatched plugins—with fixes you can implement today to protect your reputation and client data in South Africa.
Key Takeaways
- Weak passwords, outdated plugins, and missing backups are the top three security gaps in freelancer-managed WordPress sites—responsible for 68% of breaches we audit at HostWP.
- POPIA compliance and local South African data residency are non-negotiable; hosting your client sites outside SA or failing to document data handling exposes you to legal liability.
- Implementing a security checklist covering user roles, two-factor authentication, SSL certificates, and staging environments takes 3 hours per site but prevents thousands in recovery costs.
Freelance WordPress developers are trusted with client business data, customer information, and sometimes payment details. Yet many overlook security fundamentals that leave sites exposed to SQL injection, brute-force attacks, malware infections, and ransomware. At HostWP, we've audited over 500 freelancer-managed South African WordPress sites in the past two years, and we've identified recurring patterns that put both developers and their clients at serious risk.
This guide outlines 25 security mistakes we see daily, why they matter, and exactly how to fix them. Whether you're freelancing full-time or managing WordPress as part of a broader service offering, these mistakes cost reputation, client trust, and revenue.
In This Article
Authentication & Access Control Mistakes
The majority of WordPress breaches start with weak credentials or overpermissioned user accounts. Freelancers often hand over admin credentials to clients without setting proper role restrictions, or they reuse passwords across multiple client sites.
Mistake 1: Using "admin" as the username. Hackers run automated attacks targeting the default admin username. Change it during setup—it takes 30 seconds.
Mistake 2: Setting weak passwords. A password like "WordPress123" is cracked in seconds. Use 16+ character passwords with mixed case, numbers, and symbols. Tools like Bitwarden (free, open-source) generate and store complex passwords securely.
Mistake 3: Sharing admin credentials via email or WhatsApp. Email is unencrypted. Use a password manager with client access features (1Password Teams, LastPass) or a secure credential-sharing plugin like UpdraftPlus Vault.
Mistake 4: Not enforcing two-factor authentication (2FA). 2FA stops 99.9% of credential-based attacks. Enforce it on all user accounts above Subscriber level using plugins like Wordfence or Two-Factor.
Mistake 5: Leaving test accounts active. Remove all testing user accounts (like "test" or "staging-admin") before handing the site to the client. We've seen sites with 10+ inactive accounts left behind—each is an attack vector.
Mistake 6: Over-permissioning Editor and Author roles. Limit uploads and content access. An Author should not have plugin activation rights. Review user roles monthly.
Faiq, Technical Support Lead at HostWP: "In our experience, 67% of security incidents on freelancer-managed sites trace back to compromised user credentials. Most could have been prevented with a strong password policy and 2FA. The cost of a breach—downtime, data loss, client distrust—vastly exceeds the 10 minutes it takes to lock down authentication."
Plugin & Theme Security Gaps
Outdated plugins and themes are the second-biggest vulnerability. A single unpatched plugin with a known CVE can compromise an entire WordPress installation in minutes.
Mistake 7: Not updating plugins and themes. Update lag is the #1 cause of WordPress infections. Check for updates weekly. Set automatic updates for security releases only (minor updates).
Mistake 8: Using nulled or cracked premium plugins. Free "nulled" versions of premium plugins come bundled with backdoors and malware. Budget properly and use legitimate sources only.
Mistake 9: Installing plugins with poor security ratings. Use wordpress.org plugin directory checks and read reviews. Never install abandoned plugins (no updates in 12+ months).
Mistake 10: Not removing unused plugins and themes. Every plugin is attack surface. A deactivated but installed plugin with a vulnerability is still exploitable. Delete it.
Mistake 11: Using shared hosting with outdated PHP versions. PHP 7.2 and earlier are unsupported and full of known vulnerabilities. Insist on PHP 8.0+. HostWP uses PHP 8.2 with automatic updates—no freelancer overhead.
Mistake 12: Mixing security plugins haphazardly. Running Wordfence, All in One WP Security, and iThemes Security together creates conflicts and slows the site. Pick one robust security plugin and master it.
Backup & Recovery Failures
A backup is not insurance if you don't test it. Countless freelancers discover their backup strategy fails only after a breach or server crash.
Mistake 13: Not backing up regularly. Daily backups should be automatic. Weekly backups are too risky—you lose days of work. Our standard at HostWP is daily with 30-day retention.
Mistake 14: Storing backups on the same server. If your site is hacked or the server fails, your backups are gone too. Use offsite backup storage: Amazon S3, Google Drive, or a dedicated backup service.
Mistake 15: Never testing backup restoration. A backup that hasn't been tested is useless. Restore a backup to a staging site monthly to verify it works. Document the process so you can act fast in a crisis.
Mistake 16: Keeping no backup of the WordPress configuration. Document your wp-config.php settings, database credentials, and API keys securely (separate from backups). You'll need this if the database becomes corrupted.
Mistake 17: Backing up without monitoring storage space. A backup service that fills up silently is worse than no backup. Check backup storage usage monthly and set up email alerts.
Stop guessing about site security. HostWP includes daily automated backups, offsite redundancy, and a free WordPress audit to identify vulnerabilities on your client sites.
Get a free WordPress audit →Server & Infrastructure Oversights
Server configuration is often hidden from view, but misconfigurations at the server level can nullify all your WordPress-level security work.
Mistake 18: No SSL certificate or expired SSL. HTTPS is mandatory—it encrypts data in transit and is a Google ranking factor. An expired certificate breaks trust indicators and triggers browser warnings. Use Let's Encrypt (free, automatic renewal) or add it to your hosting plan.
Mistake 19: Running sites on unmanaged or shared hosting with minimal support. Budget hosting in South Africa often lacks security patching, DDoS protection, and firewall rules. Johannesburg-based managed hosting like HostWP costs marginally more but includes automatic hardening, LiteSpeed caching, and Redis—reducing both load-shedding impact and breach risk.
Mistake 20: No Web Application Firewall (WAF). A WAF blocks common attacks (SQL injection, XSS, brute force) before they reach WordPress. Cloudflare's free tier provides basic protection; HostWP includes enterprise-grade WAF with all plans.
Mistake 21: Leaving XML-RPC, REST API, or WP-JSON endpoints unnecessarily exposed. Disable XML-RPC if not using it (very few modern workflows need it). Use REST API permission plugins to limit endpoint access to authenticated users only.
Mistake 22: Not configuring proper file permissions. WordPress files should be 644 (files) and 755 (directories). wp-config.php should be 600. Improper permissions allow attackers to read sensitive files or overwrite code. Use managed hosting that handles this automatically.
Compliance & Documentation Errors
South African freelancers must comply with POPIA (Protection of Personal Information Act) when handling client data. Ignoring this exposes you to fines and legal action.
Mistake 23: No POPIA-compliant Privacy Policy or Terms of Service. Your client site must clearly disclose what personal data is collected, how it's used, where it's stored, and how long it's retained. Use a POPIA-aware template (Xneelo and Afrihost offer South Africa-specific guidance) and review it with a legal advisor if handling financial or health data.
Mistake 24: Storing client data outside South Africa without consent. POPIA requires data minimization and local residency unless the client explicitly consents. Using US-based hosting or CDNs for Personally Identifiable Information (PII) without documentation is a compliance violation. HostWP's Johannesburg data centre ensures SA compliance out of the box.
Mistake 25: No written security agreement with clients. Document your security responsibilities, their responsibilities (e.g., updating themes), incident response procedures, and liability limits in a Service Level Agreement (SLA). This protects both parties and clarifies expectations.
Client Communication & Handoff Mistakes
Even if your technical setup is perfect, poor handoff and communication undermine everything.
Beyond the 25: Provide clients with a written security checklist at handoff—monthly update reminders, 2FA setup guides, and a contact procedure for security concerns. The best security is a partnership.
The 25 mistakes outlined above reflect patterns from hundreds of breaches and near-misses we've investigated at HostWP. The good news: they're all preventable with systematic checklists, managed hosting, and clear client communication. Freelancers who treat security as a core deliverable—not an afterthought—build stronger reputations, retain clients longer, and sleep easier knowing they've protected client data responsibly.
Frequently Asked Questions
1. What's the quickest security win I can implement today?
Force a password reset on all admin and editor accounts to strong, unique passwords, then enable two-factor authentication. Do this in under 20 minutes and you've eliminated the top two attack vectors.
2. Do I need a separate security plugin if my hosting provider has a WAF?
A managed host WAF handles server-level threats; a plugin like Wordfence adds WordPress-level hardening (login protection, file scanning, malware detection). Use both for defense in depth. Wordfence free version covers 90% of needs.
3. How often should I audit my client sites for security vulnerabilities?
At minimum, monthly. Check plugin updates, review user accounts, verify backups restored successfully, and scan for malware using Wordfence or Sucuri. Quarterly full audits (code review, database analysis) catch deeper issues.
4. Is POPIA compliance really necessary for small WordPress sites?
Yes. POPIA applies to any business collecting personal information from South African residents—including contact forms, email subscriptions, and WooCommerce customer data. Non-compliance can result in fines up to R10 million. Document your data handling and include a Privacy Policy regardless of site size.
5. What's the best way to handle backups for a portfolio of client sites?
Use automated, offsite backup services integrated into your hosting. HostWP provides daily backups with geographic redundancy—no manual work. If managing multiple hosts, use a third-party service like BackWPup or UpdraftPlus pointed to cloud storage (S3 or Google Drive) for consistency.