Six Common Ways WordPress Users Break Their Websites

WordPress may seem simple on the outside, but on the inside, it’s a complex system that simultaneously serves your content, handles customer transactions, and manages huge amounts of data. And while WordPress is an incredibly stable platform, it’s not unbreakable.

Even if you’re careful about managing it, you can sometimes find yourself with a broken site. In this post, we’ll look at six of the most common ways that can happen.

1. Using too many plugins

WordPress users are spoiled for choice – there is an extensive number of plugins available to website managers. There is no magic number of plugins you should or shouldn’t have installed, but it’s important to understand that each one has an impact on your site. Why?

Each plugin is loading PHP code, the programming language with which WordPress is largely written. This could be perfectly fine … unless the code is poorly written and insecure.
Each plugin is loading CSS, JavaScript, and assets like images, which can slow down your website.
Each plugin requires updates for security and functionality, which could potentially cause problems.

Every plugin you install increases the chance that you encounter an issue. The more plugins you have, the more likely it is that one will “brick” your site. A website becomes a “brick” when it can no longer provide the functionality it was built to perform.

Plugin updates can brick a website with bad code, because they conflict with another plugin or theme, or clash with settings in your server. In these situations, it’s not uncommon to see error messages like: “Error Establishing Database Connection,” “Internal Server Error,” and “Connection Timed Out.” You may even see strings of code on your site.

Sample database connection error. — Plugin problems can cause unexpected website errors.

Before you install a plugin, ask whether you’ll use the majority of the features it offers. If not, you may be better off looking for smaller, simpler plugins to provide only the functionality you need. Less plugin code running on any given web page means less risk.

Plugins such as Jetpack provide multiple valuable features that enable you to install one plugin to accomplish a variety of tasks instead of several individual plugins, each of which carries its own risks. And you can always turn off any Jetpack features that you don’t need! Plugins like Jetpack are ideal for reducing plugin bloat by using a single solution to meet many needs.

2. Installing plugins or themes from untrusted sources

It’s important that you only download plugins and themes from trusted vendors. WordPress.org is one of these, but you otherwise must ensure that you purchase premium plugins from their official developers.

Nulled themes or plugins are often modified to include malicious code, which can do all sorts of nasty things and ultimately break or deface your website.

Plugins that rely on third-party web services and cross-site scripting (XSS) through cookies can leave your site open to the possibility of “cookie poisoning” (whereby cookies your site sends out are intercepted and have malware added before being returned to your site) or an SQL injection (whereby hackers can gain direct access to your site’s database). Needless to say, neither of these are good news for your website – or your users.

Even premium products without a license key won’t receive any updates, leaving your site vulnerable. You should always check how regularly the plugin is updated — old plugins are more likely to be insecure — and read reviews. Luckily the WordPress.org repository makes this easy!

Jetpack, however, is created by Automattic, a top contributor to WordPress and the company behind WordPress.com. This means that it’s always up to date and provides trustworthy, reliable solutions for website owners.

3. Editing your website code

We’ve all been there. You’re searching for a problem that you’ve been trying to solve on your website and find a potential solution that tells you to copy and paste some code. If you’re an experienced programmer and have decent HTML know-how, this may be fine. If you’re not, this can be dangerous for two reasons:

If you don’t understand exactly what the code is doing, you can’t fully understand the consequences or the impact that it may have on your site.
You may be tempted to put the code in your theme’s functions.php file, to edit a plugin’s source code, or to modify WordPress core. All of these are very bad ideas. If you happen to remove any original code when you do this, your website may break.

If you must install your own code, always make sure you understand its purpose and test it client-side or on a staging website, if possible.

Explore the benefits of Jetpack

Learn how Jetpack can help you protect, speed up, and grow your WordPress site. Get up to 50% off your first year.

Explore plans

4. Getting hacked

WordPress is the most used content management system in the world. While this offers a wide ecosystem with lots of plugins and themes, and a stellar community, its ubiquity also makes WordPress an obvious target for anyone who wants to hack a website.

Plugin vulnerabilities are found daily, and most, but not all, developers are very quick to patch their plugins. Unfortunately, if you don’t keep your plugins up to date, your website becomes a target for hackers. Even websites that don’t generate much traffic can be hacked.

Hackers often use bots to get into your site, which automates the entire process. If your website is findable on a search engine, it’s findable by a hacker. The WPScan Vulnerability Database is a good resource for checking the latest bugs. As you’ll see, new vulnerabilities are found frequently, sometimes in plugins with thousands or millions of installs. To protect your site, implement a security solution like Jetpack, which offers security scanning, brute force attack prevention, downtime monitoring, and automatic plugin updates.

5. Out-of-date server software

The server that holds your website has an operating system and underlying software that powers it, just like your computer. Like all software, it has to be consistently updated. Many people don’t realize these updates happen, because their web host does it for them behind the scenes.

But what if your web host isn’t applying updates quickly? Many websites are still running PHP 5.6, despite the fact that it no longer receives any security updates. Even PHP 7.1 reached the end of its lifespan in December 2019.

There are several downsides to having out-of-date server software:

Security issues: older software versions may have vulnerabilities.
Speed issues: PHP 7.3 is much faster than older versions.
Compatibility issues: some PHP functions are available in PHP 7.3 but not PHP 5.6. If a plugin only supports 7.3 and you’re running 5.6, this can cause issues. (To help you out, the WordPress plugin repository displays the minimum PHP version required on each plugin’s page.)

6. Poorly configured user access

If you have a website that allows multiple users to log in and add or edit content, you’re increasing the risk of breaking your site. Giving too many permissions to too many people opens up the possibility that someone will cause an issue through inadvertent user input.

Too often, website owners give all contributors administrator-level access. This is incredibly dangerous, as all these newly-minted admins can:

Install and update plugins.
Change your website code.
Edit your theme and web design.
Add or delete pages/posts/products/any other post type.
Access confidential data (including financial data, for online stores).

Any of the above can potentially break a site. Users should be given the exact permissions they need to do their job — nothing more. WordPress comes with some built-in user roles, but you can also create your own using code or a plugin such as User Role Editor or Members. And WooCommerce provides a great guide to understanding WordPress user roles from a security perspective.

Jetpack Activity provides transparency for a website with multiple users. It records actions taken on your site, including login attempts, published or updated pages, plugin installations, setting modifications, and more. You can see who performed each action and when each one took place, and restore a backup of your site from that exact point in time if needed.

What to do if your WordPress site breaks

In the end, websites will still break. Whether you’re an experienced web developer or novice website builder, you’ll probably break your website at some point.

The best way to ensure minimal downtime is to have a comprehensive, off-site backup strategy. Don’t just rely on your host for backups, because:

You may not have control over backups. Your host may only back up your website once a week, but what happens on a busy site where data changes every hour? Real-time backups are critical! If you have an eCommerce store, orders could be placed at any time of day. Without real-time backups, you could lose customer data from the period between the backup and the site crash.
You can never be too backed up. It’s not wise to put 100% of your trust in your host; they can also be compromised. A multi-faceted approach to backups mitigates your risk.
Retrieving a backup from your host is not always as simple as it sounds. You may need to contact support and ask them to restore a backup, which can take a long time and, depending on your host, be a difficult process. If your website is a source of income, every minute it’s down could mean lost revenue.

There are also many WordPress plugin backup solutions, both free and paid. Plugins certainly provide valid options, but not all backup plugins are equal. Some common drawbacks:

By default, some plugins back up to your web server. If your server has a catastrophic failure, your backups may also be lost.
Some plugins allow you to back up your data to an off-site account, like Amazon S3 or Dropbox. While this is a great idea, it requires you to have an account with an off-site provider, which may mean additional fees.
Many free backup plugins are missing features like real-time backups. Premium versions can be both expensive and require you to have separate accounts for off-site backups.

However, Jetpack is an excellent solution for WordPress backups. No matter the type of site you have, Jetpack has a solid backup option. Daily backups are a great option for restaurants, blogs, and portfolios, and include a 30-day archive period, so you can easily access the last 30 days of backups. eCommerce stores, news organizations, membership sites, and online forums will want real-time backups with an unlimited archive, so you can restore your website from any point in time.

Screenshot of Backup operation from the Activity Log. — Backup features let you “rewind” a website to a previous date.

Every significant change to your website is automatically saved. Did someone just write a review? Did you add a new product? Did you update a plugin that broke your site? It’s all backed up.

This provides not only great peace of mind but also a rock-solid off-site platform for your backups. Jetpack even includes a migration feature that allows you to move your whole site to another host or server. If your server faces catastrophic failure or you just want to move your site to another host, Jetpack has you covered.

Breaking a website is a common occurrence. Even for the most careful of website owners, something beyond your control can go wrong. Having both on-site and off-site backup solutions is a great way to help mitigate your risk. And with relatively minimal costs, there’s no reason to risk the safety of your site.

Find out more about Jetpack Backup or compare plans to explore other benefits of activating Jetpack on your WordPress website.