5 Things You Must Avoid Doing in WordPress

The WordPress backend can be dangerous ground to tread upon as a beginner. Anything that offers such power must also apportion responsibility to the user, which is where some people can go wrong when getting started.

Without wanting to frighten you too much, there are certain things you can do in WordPress that will just plain break it. On a less worrying (but also important) note, there are other things you can do that I would certainly advise against — whether it represents a potential security risk or simply something that has a negative impact on the user experience.

With the above in mind, in this post I want to cover five things that you must avoid doing in WordPress. With the following recommendations implemented your website will be far safer, more reliable, more functional and more enjoyable for visitors.

1. Don’t Use the Code Editors

There are a couple of landmines contained within the WordPress backend; you can access them via Appearance > Editor and Plugins > Editor in the sidebar.

At first glance these editors are pretty interesting — full access to the back end of your website! Imagine the possibilities.

My blog’s header file, accessed via the Theme Editor.

Imagine the possibilities indeed — with one wrong keystroke you can suddenly find your website well and truly broken:

Leaving Work Behind

I only had to remove three characters from my theme’s PHP files to completely change the complexion of my website as seen above.

But that’s not the worst of it — it is all too easy to accidentally disable access to the backend of your WordPress site, which leaves you with no immediate means of restoring order to your site.

Because of this I recommend that you only ever access and edit your site’s PHP files with an FTP application such as FileZilla (my personal favorite and WordPress.org’s recommendation). You should make a copy of any PHP file that you intend to edit before you start so that you can quickly switch back to a working version should you accidentally wreak havoc on your site. It’s far better to be safe than sorry!
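
The Theme and Plugin editors can also be switched off outright with the DISALLOW_FILE_EDIT constant in wp-config.php, the setting a commenter recommends further down this page. The shell function below is an added example, not part of the original post; it checks whether a given wp-config.php really sets the constant to true. The function name file_edit_disabled and the path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post).
# file_edit_disabled WP_CONFIG
#   returns 0  DISALLOW_FILE_EDIT is set to true on a live (uncommented) line
#   returns 1  the constant is missing, commented out, or set to something else
#   returns 2  the file cannot be read
file_edit_disabled() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read: $cfg" >&2; return 2; }

    # Step 1: drop whole-line comments (lines starting with //, # or *), so a
    #         commented-out define() is not mistaken for an active one.
    # Step 2: match define('DISALLOW_FILE_EDIT', true) with either quote
    #         style, any spacing, and any letter case for "true".
    grep -Ev '^[[:space:]]*(//|#|\*)' "$cfg" |
        grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*[Tt][Rr][Uu][Ee][[:space:]]*\)"
}

# Usage (the path is an assumption; point it at your own install):
#   if file_edit_disabled /var/www/html/wp-config.php; then
#       echo "dashboard code editors are disabled"
#   else
#       echo "dashboard code editors are still available"
#   fi
```

The check is textual, so a define() hidden inside a multi-line /* ... */ block or set from an included file will not be classified correctly.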

2. Don’t Keep Deactivated Themes Installed

In my experience there are three types of WordPress users:

  1. Those who run a very tight ship
  2. Those who keep things reasonably neat and tidy
  3. Those who have little regard for the backend of their site

If you fall into the second or third type then you should give careful thought to the themes you currently have installed on your WordPress site. I’m not talking about the active theme, but those that you have installed and deactivated.

Although those themes are deactivated, they still exist on your WordPress installation and any security flaws or vulnerabilities can still be exploited. For instance, the most famous of WordPress theme hacks is the TimThumb exploit, which continues to affect certain blogs to this day.

Generally speaking, if you use good quality themes and ensure that they are kept up to date then you shouldn’t run into any problems. However, if you have old themes lying unused on your site’s backend then my recommendation would be to delete them immediately. Due to its huge scale of utilization, WordPress is a big target for hackers. Don’t make yourself an easy target.
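
To find leftovers before deleting them, the following added example (not from the original post) walks a themes directory, lists every theme other than the one in use, and flags any that bundle a TimThumb-style script. The function name audit_themes, the slugs in the usage comment and the file names timthumb.php and thumb.php are assumptions; the theme in use must be passed in because WordPress stores it in the database, not on disk.

```shell
#!/bin/sh
# Added example (not from the original post).
# audit_themes THEMES_DIR ACTIVE_SLUG [PARENT_SLUG]
# Prints one line per installed theme that is not in use:
#   "<slug> unused"           safe to review and delete
#   "<slug> unused timthumb"  also ships a TimThumb-style script
audit_themes() {
    themes_dir=$1
    active=$2
    parent=${3:-}    # only needed when the active theme is a child theme

    [ -d "$themes_dir" ] || { echo "not a directory: $themes_dir" >&2; return 2; }

    for dir in "$themes_dir"/*/; do
        [ -d "$dir" ] || continue          # glob matched nothing
        slug=$(basename "$dir")

        # Keep the theme in use and, for a child theme, its parent.
        [ "$slug" = "$active" ] && continue
        [ -n "$parent" ] && [ "$slug" = "$parent" ] && continue

        # Assumption: TimThumb was commonly bundled under one of these names.
        if find "$dir" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) |
            grep -q .; then
            echo "$slug unused timthumb"
        else
            echo "$slug unused"
        fi
    done
}

# Usage (path and slug are assumptions):
#   audit_themes /var/www/html/wp-content/themes mytheme
```

A theme that is flagged only as "unused" still carries whatever flaws its own code has, so the output is a deletion list, not a clean bill of health.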

3. Don’t Use Your Theme’s SEO Functionality

This recommendation is less of a “you must do this” and more of a suggestion that I strongly urge you to follow.

Depending on what theme you have you may find that it has built-in SEO features. I advise that you avoid using these features for two reasons:

  1. If you ever decide to change themes then the SEO data within your theme may be lost (or difficult to extract)
  2. The free WordPress SEO by Yoast plugin has the best SEO functionality of any plugin or theme available

It’s a bold claim but one that is generally accepted by some of the WordPress community’s most respected users and developers. For instance, as of 31st October 2012 WooThemes deprecated SEO functionality within their themes due to SEO by Yoast being “more beneficial” to WordPress users. WooThemes handing over the SEO reins to another developer is a bold sign of their faith in Yoast’s plugin and an indication of how loved it is.

If you’d like to know more about SEO by Yoast then check out the following two posts here on WPExplorer:

4. Don’t Categorize and Tag Prolifically

There are few things I cringe more at than the poor use of categories and tags within WordPress.

Let’s get one thing straight up front — categories and tags can both have a part to play on your website. Contrary to what some people believe, tags aren’t an antiquated taxonomy type that offers no relevance in the modern blogging era. Furthermore, categories are not there to be used and abused.

My favorite definition of categories and tags comes from Lorelle:

Categories are your site’s table of contents [and] tags are your site’s index words.

Now think about this — does the same text in a book show up in different chapters? Of course not. This format should be transferred to your blog. What I mean by this is that a post should rarely be allocated to more than one category. If you feel the need to allocate it to two or more, you probably have too many overlapping categories (7-10 is my rule of thumb for an optimal number).

Categories should represent the broad topics covered on your blog (e.g. “dinner recipes”) and tags should be more specific (e.g. “chicken”). Content should only be tagged when the tags in question are directly related and relevant to the content. Generally speaking I would say that you should be using no more than 50 tags.

My point is this: both categories and tags should be used in order to benefit the user. That is their primary purpose. If you lose sight of that then navigating your site will become a troublesome experience. At the very least make sure that your categories are clearly defined and well-stocked. If you’re not sure how to tag then either read more on the topic (start here) or leave them alone.

5. Don’t Leave Comments Moderation On

I’ll end with a real pet hate of mine. There is nothing more frustrating to me when commenting on a blog than being confronted with the following message:

Image Credit: WPMU

If you have to wait for your comment to be moderated before it goes live, do you feel encouraged to comment? Do you feel valued by the blogger? I’m guessing that the answer to both questions is no.

In my opinion, comments moderation represents a lack of respect on the part of the blogger for the commenter’s time and should be avoided at all costs. The funny thing is that you often find comments moderation on smaller blogs — rarely is it used on bigger ones (that are likely to receive more spam). I would speculate that it is because bigger bloggers know not to antagonize their most loyal supporters (i.e. those that comment).

In reality spam is not that big an issue — plugins such as Akismet do a great job of stopping most spam. I wrote an article here on WPExplorer about spam prevention. And when a blog gets big and receives a lot of comments, individually moderating each and every one becomes an unnecessarily huge task. Turn comments moderation off via the Settings > Discussion screen accessible from the sidebar.

What Do You Recommend Avoiding?

Above I’ve outlined five things that I think you should avoid doing in WordPress — from serious security flaws to pet hates. There are of course many more warnings and recommendations one could make about using WordPress which is why I want to open it up to you.

So tell us — what do you recommend that we avoid doing in WordPress to keep our sites safe and easy and enjoyable to use? Let us know in the comments section below!

Post Author: Tom Ewer

Tom Ewer is a professional blogger, longtime WordPress enthusiast and the founder of WordCandy.

Disclosure: This page contains external affiliate links that may result in us receiving a commission if you choose to purchase said product. The opinions on this page are our own. We do not receive payment for positive reviews.
Got something to say? Join the discussion.
  1. Another thing to avoid: clicking "update plugin" without researching what the changes are and whether this new update will have any impact on your theme / other plugins. Think carefully, act wisely, make regular backups of your site and database - only click update if you understand what you are doing.
    • AJ Clarke | WPExplorer says:
      Great tip David! One of the cool things about WPEngine, which we've recently switched to is whenever you go to update a plugin it gives you a pop-up asking if you want to backup your database first. I've had issues in the past by carelessly updating a plugin prior to testing and it cost me a lot of time and effort. Great tip!
      Admin
  2. Barış Ünver says:
    I just disable file modifications completely by adding the following line to the wp-config.php files: define('DISALLOW_FILE_EDIT', true); It's safe, too.
  3. Mike Schinkel (@mikeschinkel) says:
    Hi @Tom, For many bloggers and especially for those who are trying to grow their traffic, I agree. But I don't think it's fair to say that comments moderation represent a lack of respect on the part of the blogger for the commenter’s time. Not all bloggers are devoted full-time to maintaining and commenting on their blogs. I know that for some people seeing a bunch of new comments is like an avalanche of Xmas presents but for others (like me) who can't devote much time to their blog but do blog to communicate ideas I get filled with dread every time I get a comment because that usually means another 10-15 minutes of time to answer that I hadn't planned for during my day. The other option is to turn off comments completely, for example. Of those two options, which is really more disrespectful? Respectfully speaking, I think passing value judgements about how someone manages their blog when you are not contributing to their income in any substantial way is what seems disrespectful to me; why should they not be allowed to choose what works best for them? (I'm asking matter-of-factly, not calling you out on anything here.)
    • Tom Ewer says:
      Hey Mike, Thanks for stopping by and sharing your thoughts. First thing I'll say is that it's only my opinion; I certainly wasn't trying to put my argument forward as objective reasoning. Secondly, you *are* allowed to choose what works best for you! I'm not saying otherwise. Thirdly, I think you have missed my point slightly. You appear to be looking at this entirely from your (i.e. the blogger's) perspective, as opposed to the reader's. If you re-read the article you'll see that I come at the issue from the reader's perspective rather than the blogger's. Do you disagree with my assertion that comments moderation would put the reader off a bit? Would it not put you off a bit? I know it puts me off -- if I've made a comment I want to see it go live immediately. I've taken the time to leave a comment; I don't want to feel like it has to be inspected before going live! I understand where you're coming from but I do stand by what I said. In most situations I would definitely advise that comments moderation is turned off. There are always exceptions where comments moderation is the better of two evils. Perhaps you're in that situation. Cheers, Tom
      Author
  4. Mike Schinkel (@mikeschinkel) says:
    BTW, I just got this message when I posted my prior comment: - "* Your comment is awaiting moderation." ;-)
    • AJ Clarke | WPExplorer says:
      I'll let tom know to check out this comment. Personally I don't agree with the statement here on WPExplorer simply because we get a lot of people leaving comments trying to seek free help customizing and setting up their WordPress sites, so it doesn't fit our needs to leave the comments wide open. However, I can see Tom's point on a blog where most people's comments are going to be criticisms, points of view, counter arguments, extensions of the post...etc It's nice to auto accept those comments so that other viewers can see these comments right away. Thanks for stopping by Mike!
      Admin
  5. "Due to its huge scale of utilization, WordPress is a big target for hackers. Don’t make yourself an easy target." No, it's not. It's because it's crap. It is developed by people with no knowledge in software development and security. Therefore, that's why you have a message "You've entered a wrong password" for admin user on each WP installation (unless you make some other username). Bruteforce it and that's it.
    • AJ Clarke | WPExplorer says:
      That's exactly Tom's point. You need to make sure that your WP site is safe because by default it's not as safe as it could be and worse people will leave outdated/unsafe code on their sites. You need to make sure you keep everything updated - and of course a topic for another article, there are tons of other steps to make to ensure you are "hacker-proof" (if there is such a thing). But yes, WordPress is also an easy target because it is used by so many people, if it wasn't used by that many people then there wouldn't be people trying to hack it all the time, no matter how safe or not it was.
      Admin
    • Tom Ewer says:
      Hi ReTox, I would say that you have a point if you hadn't engaged in such wild hyperbole ;-) WordPress in its default setup isn't that secure. There's a lot of easy things you can do to make it more secure. I certainly stand by my point that WordPress' huge scale of utilization makes it a big target. Cheers, Tom
      Author
  6. Brian Krogsgard says:
    capital_p_dangit() to your image : )
    • Kyla
      We're gonna have to have a talk with our featured image creator... arrrrrggggghh. Thanks for pointing it out!
      Admin
    • Mike Schinkel (@mikeschinkel) says:
      @Brian: That's capital_P_dangit(), thank you very much. ;-)
  7. Akash Bhadange says:
    Regarding the security of admin panel of any WP site, I will recommend that changing the path of admin panel will be a plus or a forward step in admin security. Or you can delete the "admin" username from the backend. Because by default the Admin account username is "admin" which is not allowed to change.
    • AJ Clarke | WPExplorer says:
      For the admin I agree, but what I think is almost better rather than deleting admin is to make admin a subscriber ;)
      Admin
  8. just testing to see if you put into practice point 5. ;-) Thanks for a great post.
    • Kyla
      We don't personally, see the response above as to why :-)
      Admin
    • Tom Ewer says:
      AJ is awesome enough to publish his writers' opinions here on WPExplorer, even if they don't necessarily align with his own :-)
      Author
  9. bucurblog says:
    The good thing is that you have such good collaborators Aj, nice job with this article. Thank you Tom, another reason why this site is so good has very good articles...
  10. Elliott Richmond says:
    One thing I'd throw in is "Never edit the core files" obvious I know but that's my input :)
    • AJ Clarke | WPExplorer says:
      Yes, never edit those unless you really know what you are doing. I'm not going to lie I've been known to do that ;) For example I mess with the core so I can have my featured images auto cropped at the top rather than the middle on WPE ;) Don't tell anyone!
      Admin
  11. I'd like to add something to point no 2. If you're using other theme than the default theme, make sure you don't delete default theme. Make sure you have at least one (I prefer the latest default theme - Twenty Twelve). If something happens to your theme, WordPress will use the default theme as callback. Just share from my experience.
  12. Jonny Rowntree says:
    This is a great article. However, because of a title tag issue in WordPress SEO by Yoast which I'm unable to find a solution to, I don't think I'll be using it for now.
    • AJ Clarke | WPExplorer says:
      As far as I'm aware there isn't a title tag issue in WP SEO by Yoast. My guess is your theme isn't using the correct code for the title tag in header.php - or you haven't selected the Yoast SEO setting to force title re-writes.
      Admin
