Skip to main content
WordPress made easy with the drag & drop Total WordPress Theme!Learn More

5 Things You Must Avoid Doing in WordPress

Last updated on:

The WordPress backend can be dangerous ground to tread upon as a beginner. Anything that offers such power must also apportion responsibility to the user, which is where some people can go wrong when getting started.

Without wanting to frighten you too much, there are certain things you can do in WordPress that will just plain break it. On a less worrying (but also important) note, there are other things you can do that I would certainly advise against — whether it represents a potential security risk or simply something that has a negative impact on the user experience.

With the above in mind, in this post I want to cover five things that you must avoid doing in WordPress. With the following recommendations implemented your website will be far safer, reliable, functional and enjoyable for visitors.

1. Don’t Use the Code Editors

There are a couple of landmines contained within the WordPress backend; you can access them via Appearance > Editor and Plugins > Editor in the sidebar.

At first glance these editors are pretty interesting — full access to the back end of your website! Imagine the possibilities.

My blog's header file accessed via the Theme Editor.

My blog’s header file, accessed via the Theme Editor.

Imagine the possibilities indeed — with one wrong keystroke you can suddenly find your website well and truly broken:

Leaving Work Behind

I only had to remove three characters from my theme’s PHP files to completely change the complexion of my website as seen above.

But that’s not the worst of it — it is all too easy to accidentally disable access to the backend of your WordPress site, which leaves you with no immediate means of restoring order to your site.

Because of this I recommend that you only ever access and edit your site’s PHP files with an FTP application such as Filezilla (my personal favorite and’s recommendation). You should make a copy of any PHP file that you intend to edit before you start so that you can quickly switch back to a working version should you accidentally wreak havoc on your site. It’s far better to be safe than sorry!

2. Don’t Keep Deactivated Themes Installed

In my experience there are three types of WordPress users:

  1. Those who run a very tight ship
  2. Those who keep thing reasonably neat and tidy
  3. Those who have little regard for the backend of their site

If you fall into the second or third type then you should give careful thought to the themes you currently have installed on your WordPress site. I’m not talking about the active theme, but those that you have installed and deactivated.

Although those themes are deactivated, they still exist on your WordPress installation and any security flaws or vulnerabilities can still be exploited. For instance, the most famous of WordPress theme hacks is the TimThumb exploit, which continues to affect certain blogs to this day.

Generally speaking, if you use good quality themes and ensure that they are kept up to date then you shouldn’t run into any problems. However, if you have old themes laying unused on your site’s backend then my recommendation would be to delete them immediately. Due to its huge scale of utilization, WordPress is a big target for hackers. Don’t make yourself an easy target.

3. Don’t Use Your Theme’s SEO Functionality

This recommendation is less of a “you must do this” and more of a suggestion that I strongly urge you to follow.

Depending on what theme you have you may find that it has built-in SEO features. I advise that you avoid using these features for two reasons:

  1. If you ever decide to change themes then the SEO data within your theme may be lost (or difficult to extract)
  2. The free WordPress SEO by Yoast plugin has the best SEO functionality of any plugin or theme available

It’s a bold claim but one that it is generally accepted by some of the WordPress community’s most respected users and developers. For instance, as of 31st October 2012 WooThemes deprecated SEO functionality within their themes due to SEO by Yoast being “more beneficial” to WordPress users. WooThemes handing over the SEO reins to another developer is a bold sign of their faith in Yoast’s plugin and an indication of how loved it is.

If you’d like to know more about SEO by Yoast then check our guide on common WordPress SEO mistakes.

4. Don’t Categorize and Tag Prolifically

There are few things I cringe more at than the poor use of categories and tags within WordPress.

Let’s get one thing straight up front — categories and tags can both have a part to play on your website. Contrary to what some people believe, tags aren’t an antiquated taxonomy type that offers no relevance in the modern blogging era. Furthermore, categories are not there to be used and abused.

My favorite definition of categories and tags comes from Lorelle:

Categories are your site’s table of contents [and] tags are your site’s index words.

Now think about this — does the same text in a book show up in different chapters? Of course not. This format should be transferred to your blog. What I mean by this is that a post should rarely be allocated to more than one category. If you feel the need to allocate it to two or more, you probably have too many overlapping categories (7-10 is my rule of thumb for an optimal number).

Categories should represent the broad topics covered on your blog (e.g. “dinner recipes”) and tags should be more specific (e.g. “chicken”). Content should only be tagged when the tags in question are directly related and relevant to the content. Generally speaking I would say that you should only be using not more than 50 tags.

My point is this: both categories and tags should be used in order to benefit the user. That is their primary purpose. If you lose sight of that then navigating your site will become a troublesome experience. At the very least make sure that your categories are clearly defined and well-stocked. If you’re not sure how to tag then either read more on the topic or leave them alone.

5. Don’t Leave Comments Moderation On

I’ll end with a real pet hate of mine. There is nothing more frustrating to me when commenting a blog when I am confronted with the following message:

Image Credit: WPMU

If you have to wait for your comment to be moderated before it goes live, do you feel encouraged to comment? Do you feel valued by the blogger? I’m guessing that the answer to both questions is no.

In my opinion, comments moderation represent a lack of respect on the part of the blogger for the commenter’s time and should be avoided at all costs. The funny thing is that you often find comments moderation on smaller blogs — rarely is it used on bigger ones (that are likely to receive more spam). I would speculate that it is because bigger bloggers know not to antagonize their most loyal supporters (i.e. those that comment).

In reality spam is not that big an issue — plugins such as Akismet do a great job of stopping most spam. I wrote an article here on WPExplorer about spam prevention. And when a blog gets big and receives a lot of comments, individually moderating each and every one becomes an unnecessarily huge task. Turn comments moderation off via the Settings > Discussion screen accessible from the sidebar.

What Do You Recommend Avoiding?

Above I’ve outlined five things that I think you should avoid doing in WordPress — from serious security flaws to pet hates. There are of course many more warnings and recommendations one could make about using WordPress which is why I want to open it up to you.

So tell us — what do you recommend that we avoid doing in WordPress to keep our sites safe and easy and enjoyable to use? Let us know in the comments section below!

Article by Tom Ewer author
Subscribe to the Newsletter

Get our latest news, tutorials, guides, tips & deals delivered to your inbox.


  1. David

    Another thing to avoid: clicking “update plugin” without researching what the changes are and whether this new update will have any impact on your theme / other plugins.

    Think carefully, act wisely, make regular backups of your site and database – only click update if you understand what you are doing.

    • AJ Clarke | WPExplorer

      Great tip David! One of the cool things about WPEngine, which we’ve recently switched to is whenever you go to update a plugin it gives you a pop-up asking if you want to backup your database first. I’ve had issues in the past by carelessly updating a plugin prior to testing and it cost me a lot of time and effort. Great tip!

  2. Barış Ünver

    I just disable file modifications completely by adding the following line to the wp-config.php files:

    define('DISALLOW_FILE_EDIT', true);

    It’s safe, too.

    • AJ Clarke | WPExplorer

      Good idea 😉 Leave no room for temptation/laziness.

    • Elliott Richmond

      You took the words right out a my keyboard

  3. Mike Schinkel (@mikeschinkel)

    Hi @Tom,

    For many bloggers and especially for those who are trying to grow their traffic, I agree.

    But I don’t think it’s fair to say that comments moderation represent a lack of respect on the part of the blogger for the commenter’s time. Not all bloggers are devoted full-time to maintaining and commenting on their blogs.

    I know that for some people seeing a bunch of new comment is like an avalanche of Xmas presents but for others (like me) who can’t devote much time to their blog but do blog to communicate ideas I get filled with dread every time I get a comment because that usually means another 10-15 minutes of time to answer that I hadn’t planned for during my day.

    The other option is to turn off comments completely, for example. Of those two options, which is really more disrespectful?

    Respectfully speaking, I think passing value judgements about how someone manages their blog when you are not contributing to their income in any substantial way is what seems disrespectful to me; why should they not be allowed to choose what works best for them? (I’m asking matter-of-factly, not calling you out on anything here.)

    • Tom Ewer

      Hey Mike,

      Thanks for stopping by and sharing your thoughts.

      First thing I’ll say is that it’s only my opinion; I certainly wasn’t trying to put my argument forward as objective reasoning.

      Secondly, you *are* allowed to choose what works best for you! I’m not saying otherwise.

      Thirdly, I think you have missed my point slightly. You appear to be looking at this entirely from your (i.e. the blogger’s) perspective, as opposed to the reader’s. If you re-read the article you’ll see that I come at the issue from the reader’s perspective rather than the blogger’s. Do you disagree with my assertion that comments moderation would put the reader off a bit? Would it not put you off a bit? I know it puts me off — if I’ve made a comment I want to see it go live immediately. I’ve taken the time to leave a comment; I don’t want to feel like it has to be inspected before going live!

      I understand where you’re coming from but I do stand by what I said. In most situations I would definitely advise that comments moderation is turned off. There are always exceptions where comments moderation is the better of two evils. Perhaps you’re in that situation.



  4. Mike Schinkel (@mikeschinkel)

    BTW, I just got this message when I posted my prior comment:

    – “* Your comment is awaiting moderation.”


    • AJ Clarke | WPExplorer

      I’ll let tom know to check out this comment. Personally I don’t agree with the statement here on WPExplorer simply because we get a lot of people leaving comments trying to seek free help customizing and setting up their WordPress sites, so it doesn’t fit our needs to leave the comments wide open. However, I can see Tom’s point on a blog where most people’s comments are going to be criticisms, points of view, counter arguments, extensions of the post…etc It’s nice to auto accept those comments so that other viewers can see these comments right away.

      Thanks for stopping by Mike!

  5. ReTox

    “Due to its huge scale of utilization, WordPress is a big target for hackers. Don’t make yourself an easy target.”

    No, it’s not. It’s because it’s crap. It is developed by people with no knowledge in software development and security.

    Therefore, that’s why you have a message “You’ve entered a wrong password” for admin user on each WP installation (unless you make some other username). Bruteforce it and that’s it.

    • AJ Clarke | WPExplorer

      That’s exactly Tom’s point. You need to make sure that your WP site is safe because by default it’s not as safe as it could be and worse people will leave outdated/unsafe code on their sites. You need to make sure you keep everything updated – and of course a topic for another article, there are tons of other steps to make to ensure you are “hacker-proof” (if there is such a thing). But yes, WordPress is also an easy target because it used by so many people, if it wasn’t used by that many people then there wouldn’t be people trying to hack it all the time, no matter how safe or not it was.

    • Tom Ewer

      Hi ReTox,

      I would say that you have a point if you hadn’t engaged in such wild hyperbole 😉

      WordPress in its default setup isn’t that secure. There’s a lot of easy things you can do to make it more secure. I certainly stand by my point that WordPress’ huge scale of utilization makes it a big target.



  6. Brian Krogsgard

    capital_p_dangit() to your image : )

    • Kyla

      We’re gonna have to have a talk with our featured image creator… arrrrrggggghh. Thanks for pointing it out!

    • Mike Schinkel (@mikeschinkel)

      @Brian: That’s capital_P_dangit(), thank you very much. 😉

  7. Akash Bhadange

    Regarding the security of admin panel of any WP site, I will recommend that changing the path of admin panel will be a plus or a forward step in admin security.
    Or you can delete the “admin” username from the backend. Because by default the Admin account username is “admin” which is not allowed to change.

    • AJ Clarke | WPExplorer

      For the admin I agree, but what I think is almost better rather then deleting admin is to make admin a subscriber 😉

  8. tink

    just testing to see if you put into practice point 5. 😉
    Thanks for a great post.

    • Kyla

      We don’t personally, see the response above as to why 🙂

    • Tom Ewer

      AJ is awesome enough to publish his writers’ opinions here on WPExplorer, even if they don’t necessarily align with his own 🙂

  9. bucurblog

    The good thing is that you have such good collaborators Aj,nice job with this article.Thank you Tom,another reason why this site is so good has very good articles…

    • AJ Clarke | WPExplorer

      Yes we do! And we are always looking for more 😉

  10. Elliott Richmond

    One thing I’d throw in is “Never edit the core files” obvious I know but that’s my input 🙂

    • AJ Clarke | WPExplorer

      Yes, never edit those unless you really know what you are doing. I’m not going to lie I’ve been known to do that 😉 For example I mess with the core so I can have my featured images auto cropped at the top rather then the middle on WPE 😉 Don’t tell anyone!

  11. Rudd

    I’d like to add something to point no 2.

    If you’re using other theme than the default theme, make sure you don’t delete default theme. Make sure you have at least one (I prefer the latest default theme – Twenty Twelve). If something happen to your theme, WordPress will use the default theme as callback. Just share from my experience.

    • Kyla

      That’s a good point!

  12. Jonny Rowntree

    This is a great article. However, because of a title tag issue in WordPress SEO by Yoast which I’m unable to find a solution to, I don’t think I’ll be using it for now.

    • AJ Clarke | WPExplorer

      As far as I’m aware there isn’t a title tag issue in WP SEO by Yoast. My guess is your theme isn’t using the correct code for the title tag in header.php – or you haven’t selected the Yoast SEO setting to force title re-writes.

Leave a Reply

Your email address will not be published. Required fields are marked *

Learn how your comment data is processed by viewing our privacy policy here.