by Charles Oropallo | Jul 23, 2025 | Do-It-Yourself, Security, Website Development, WordPress
WordPress powers over 40% of all websites on the internet. That popularity makes it a prime target for hackers. Every day, thousands of WordPress sites get compromised because owners make simple security mistakes.
The good news? Most of these mistakes are easy to fix. You don’t need to be a security expert to protect your website. You just need to know what you’re doing wrong and how to fix it.
Let’s dive into the seven biggest WordPress security mistakes and their solutions.
Mistake #1: Ignoring Updates (The Silent Site Killer)
Here’s the harsh truth: 97% of WordPress security problems come from plugins. Yet only 30% of WordPress users have auto-updates enabled.
Think about it this way. When developers find a security hole, they release an update to fix it. The longer you wait to update, the more time hackers have to exploit that known weakness.
How to Fix It:
Enable automatic updates for WordPress core, plugins, and themes. Most hosting providers offer this feature in their control panels. If yours doesn’t, consider switching to a managed WordPress host.
Check your plugins weekly. Delete any you’re not using. Inactive plugins can still be exploited by hackers.
Set calendar reminders if auto-updates aren’t available. Manual updates beat no updates every time.
Pro Tip: Create a staging site to test updates before they go live. This prevents your main site from breaking during updates.
Mistake #2: Using Weak Passwords and Predictable Usernames
“admin” with password “password123” isn’t clever. It’s dangerous. 41% of WordPress users still use weak passwords or skip two-factor authentication entirely.
Hackers use bots that test thousands of password combinations per minute. A weak password like “ADMIN123” gets cracked in seconds.
How to Fix It:
Create strong passwords with at least 12 characters. Mix uppercase, lowercase, numbers, and special characters.
Never use “admin” as your username. Choose something unique that doesn’t relate to your business name.
Use a password manager like 1Password or Bitwarden. They generate complex passwords and store them securely.
Change default usernames immediately. If you already have an “admin” account, create a new administrator account with a different username, then delete the old one.
Quick Check: Can you guess your password by looking at your keyboard or personal information? If yes, change it now.
Mistake #3: Skipping Two-Factor Authentication (Your Security Backup Plan)
Passwords alone aren’t enough anymore. Even strong passwords can be compromised through data breaches or phishing attacks.
Two-Factor Authentication (2FA) adds a second layer of protection. Even if hackers get your password, they still need your phone or authentication app to get in.
How to Fix It:
Install a 2FA plugin like Wordfence or Google Authenticator for WordPress.
Set up 2FA for all user accounts, especially administrators and editors.
Use an authenticator app instead of SMS when possible. Apps like Google Authenticator or Authy are more secure than text messages.
Test your 2FA setup regularly. Make sure you can access backup codes if you lose your phone.
Remember: 2FA might seem inconvenient, but it’s much less inconvenient than rebuilding your hacked website.
Mistake #4: Forgetting to Back Up Your Website
“My hosting company handles backups.” Famous last words from website owners who lost everything.
Hosting backups might not include all your files. They might be stored on the same server that gets hacked. Or they might be overwritten before you realize you need them.
How to Fix It:
Set up automated daily backups that include your entire website and database.
Store backups in multiple locations. Use cloud services like Google Drive, Dropbox, or Amazon S3.
Test your backup restoration process monthly. A backup that doesn’t restore is useless.
Keep at least 30 days of backup history. Sometimes you don’t notice problems immediately.
Use plugins like UpdraftPlus or BackWPup for automated scheduling.
Reality Check: When did you last check if your backups actually work? If you can’t answer that, check today.
Mistake #5: Installing Themes and Plugins from Sketchy Sources
Free premium themes and plugins sound tempting. But they often come with hidden malware or backdoors that give hackers access to your site.
Even legitimate-looking themes can contain malicious code that steals user data or redirects visitors to scam sites.
How to Fix It:
Only download themes and plugins from the official WordPress repository or established developers.
Check ratings and reviews before installing anything. Look for recent updates and active support.
Research the developer. Do they have other plugins? A professional website? Good reviews?
Scan new themes and plugins with security tools before activation.
Delete unused plugins immediately. Don’t just deactivate them: remove them completely.
Warning Sign: If a “premium” theme or plugin is offered free on a random website, it’s probably infected with malware.
Mistake #6: Ignoring File Permissions (The Technical Blind Spot)
File permissions control who can access what on your server. Wrong permissions can let hackers read sensitive files or upload malicious code.
Most WordPress users never check their file permissions. They assume their hosting provider set them correctly. That’s a dangerous assumption.
How to Fix It:
Set correct file permissions: 755 for directories and 644 for files.
Never use 777 permissions unless absolutely necessary (and change them back immediately after).
Protect your wp-config.php file with 600 permissions.
Work with your hosting provider to audit permissions if you’re unsure.
Use security plugins that monitor and alert you about permission changes.
Technical Note: If file permissions sound too complex, ask your web developer or hosting support to check them for you.
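If you are comfortable with a terminal, the check above can be scripted. This is an added example (not from the article) that audits a WordPress directory against the modes just listed and, with --fix, applies them; the only assumption is the install path you pass in.

```shell
#!/bin/sh
# Added example (not from the article): audit a WordPress install against the
# permissions recommended above (755 directories, 644 files, 600 wp-config.php,
# nothing world-writable) and optionally fix it. Run as the user that owns the
# files; the install path is the only thing it assumes.

# Print one line per path that violates the policy; return 1 if any were found.
wp_perm_audit() {
    root=$1
    offenders=$(
        find "$root" -type d ! -perm 0755 \
            | sed 's/^/directory not 755: /'
        find "$root" -type f ! -name wp-config.php ! -perm 0644 \
            | sed 's/^/file not 644: /'
        find "$root" -maxdepth 1 -type f -name wp-config.php ! -perm 0600 \
            | sed 's/^/wp-config.php not 600: /'
        # 777/666 entries: anything writable by "other" is reported separately
        find "$root" -perm -0002 \
            | sed 's/^/world-writable: /'
    )
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Apply the recommended modes: directories, then files, then wp-config.php
# (which must not be left at the generic 644).
wp_perm_fix() {
    root=$1
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 0600 "$root/wp-config.php"
    fi
}

# Usage: sh wp-perms.sh /path/to/wordpress [--fix]
if [ -n "$1" ]; then
    if [ "$2" = "--fix" ]; then
        wp_perm_fix "$1"
    fi
    wp_perm_audit "$1"
fi
```

Run the audit first without --fix and read the report; a world-writable uploads directory is the most common finding on shared hosting.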
Mistake #7: No Security Monitoring (Flying Blind)
Many WordPress owners only discover they’ve been hacked when visitors complain or Google flags their site. By then, the damage is done.
Hackers often work silently, stealing data or using your site to attack others. You need active monitoring to catch problems early.
How to Fix It:
Install security monitoring plugins like Wordfence, Sucuri, or iThemes Security.
Set up email alerts for suspicious login attempts, file changes, or malware detection.
Monitor your website traffic for unusual spikes or patterns.
Check your site regularly from different devices and browsers.
Use Google Search Console to monitor for security warnings.
Pro Tip: Set up uptime monitoring to alert you immediately if your site goes down. Services like UptimeRobot offer free basic monitoring.
Taking Action: Your Security Checklist
Security isn’t a one-time task. It’s an ongoing process. Here’s your priority order for fixing these mistakes:
- Enable automatic updates immediately – This fixes your biggest vulnerability right now
- Change weak passwords and usernames – Use a password manager to make this easy
- Set up 2FA on all accounts – Add that crucial second layer of protection
- Configure automated backups – Your safety net for when things go wrong
- Audit your plugins and themes – Remove anything suspicious or unused
- Check file permissions – Get help if this feels too technical
- Install security monitoring – Your early warning system
Don’t try to fix everything at once. Start with automatic updates and work down the list. Each step makes your site significantly more secure.
Remember: The best time to secure your WordPress site was yesterday. The second-best time is right now.
Need help implementing these security measures? Our team specializes in WordPress security and can audit your site for vulnerabilities. Contact us for a security consultation that could save your website from becoming another hacking statistic.

by Charles Oropallo | Apr 9, 2025 | SEO, Technical Help, Website Development
You’re paying for a website, but your local customers can’t find you online. Sound familiar? Here’s the truth: most web developers focus on making sites look pretty. They skip the local search engine optimization (SEO) tactics that actually get you found.
Local SEO isn’t rocket science. It’s a series of strategic moves that help your business appear when people search for services “near me.” The best part? You can implement most of these yourself.
Let’s dive into the strategies that actually move the needle for small businesses.
Your Google Business Profile Is Everything
Your Google Business Profile is the foundation of local visibility. It’s free, takes 15 minutes to set up, and directly impacts your Google Maps rankings.
Think about your last local search. You probably clicked on one of the first three businesses in the map results. Those spots aren’t random; they’re earned through profile optimization.
Complete every section of your profile. Add your business hours, phone number, website, and services. Upload high-quality photos of your storefront, products, and team. Businesses with photos get 42% more direction requests than those without.
Post regular updates about promotions, events, or new services. Google treats active profiles as more relevant than dormant ones. Even a weekly post about your business makes a difference.
Enable messaging if your business can respond quickly. Enable appointment booking if applicable. These features signal to Google that your business is engaged and customer-focused.
NAP Consistency Rules Everything
NAP stands for Name, Address, Phone Number. This information must be identical everywhere your business appears online. Everywhere means your website, social media, directories, and citations.
Here’s what happens when your NAP is inconsistent: Google doesn’t trust your business information. Confused search engines don’t rank confused businesses highly.
Create a master document with your exact business information. Use “Street” instead of “St.” Use your local phone number, not a toll-free number. If your business name is “Joe’s Coffee,” don’t call it “Joe’s Coffee Shop” anywhere else.
Check your NAP across these platforms: Google Business Profile, Yelp, Facebook, Yellow Pages, Better Business Bureau, and industry directories. Fix any inconsistencies immediately.
One formatting tip that saves headaches later: always use your business address exactly as it appears on your Google Business Profile. This becomes your standard format everywhere else.
Local Keywords Are Your Best Friend
Local keywords help the right people find your business. These aren’t complicated; they’re simply your services plus your location.
Examples include “dentist in Portland,” “pizza delivery Chicago,” or “car repair near me.” Research what your customers actually search for using Google’s Keyword Planner or simply by typing your services into Google and seeing the autocomplete suggestions.
Create separate pages for different service areas if you serve multiple locations. A plumbing company serving three towns should have dedicated pages for each area. Each page should include local landmarks, neighborhood names, and area-specific information.
Don’t stuff keywords unnaturally into your content. Write for humans first, search engines second. A sentence like “Our Chicago pizza delivery service delivers pizza in Chicago” sounds robotic and hurts more than it helps.
Instead, write naturally: “We deliver fresh pizza throughout Chicago’s downtown area, including the Loop and River North neighborhoods.”
Mobile Optimization Can’t Be Optional
Sixty percent of local searches happen on smartphones. Google uses mobile-first indexing, meaning they primarily look at your mobile site to determine rankings.
Your website must load quickly on phones. Compress images, choose a fast hosting provider, and avoid heavy plugins that slow loading times. A three-second delay can lose 53% of mobile visitors.
Make buttons large enough for thumbs. Avoid tiny links or navigation elements that frustrate mobile users. Test your site on different devices and screen sizes.
Eliminate pop-ups that cover mobile screens. Google penalizes sites with intrusive mobile pop-ups. If you must use pop-ups, make them easy to close and ensure they don’t block important content.
Check your mobile-friendliness with Google’s Mobile-Friendly Test. It’s free and shows exactly what needs fixing.
Customer Reviews Drive Everything
Reviews influence both customers and search rankings. Google considers review quantity, frequency, and responses when determining local rankings.
Ask satisfied customers for reviews. Don’t be pushy, but don’t be shy either. A simple request after completing good work often works: “If you’re happy with our service, a quick Google review would really help our small business.”
Respond to every review, positive and negative. Thank customers for positive reviews. Address negative reviews professionally and offer to resolve issues offline.
Here’s a template for negative review responses: “Thanks for your feedback, [Name]. We apologize for your experience and would like to make this right. Please call us at [phone] so we can discuss this further.”
Never ignore reviews. Silent businesses look unengaged to both customers and Google.
Local Directories Still Matter
Getting listed on local directories builds credibility and provides valuable backlinks to your website. Start with major directories like Yelp, Yellow Pages, and your local Chamber of Commerce website.
Industry-specific directories matter too. Restaurants should be on OpenTable and TripAdvisor. Contractors should be on Angie’s List and Home Advisor.
Ensure your NAP information is consistent across all directories. Inconsistent listings hurt more than they help.
Don’t pay for directory submissions unless you’re certain they’re legitimate. Many “directory submission services” are scams that list your business on low-quality sites.
On-Page SEO With Local Focus
Optimize your website content for local search by including location-based keywords naturally throughout your pages.
Your homepage should mention your primary service area early and often. Include your city or region in your title tag, meta description, and main headings.
Create location-specific content that provides value. A home improvement company could write about local building codes, weather considerations, or neighborhood characteristics.
Add your address to your website footer. Include local landmark references in your content. Mention nearby businesses, events, or community involvement.
Don’t forget about image optimization. Name your photos with descriptive, location-specific filenames like “chicago-pizza-restaurant-interior.jpg” instead of “IMG_1234.jpg.”
Advanced Local SEO Tactics
Geo-tag your images when uploading to your website and social media. This embeds location data that helps search engines understand your business location.
Build relationships with other local businesses for natural backlink opportunities. Sponsor local events, join community organizations, or participate in local business associations.
Create Google Posts regularly through your Google Business Profile. These mini-blog posts appear in your knowledge panel and show Google that your business is active.
Monitor your online mentions using Google Alerts. Set up alerts for your business name to catch new reviews, mentions, or potential NAP inconsistencies.
Consider local schema markup on your website. This structured data helps search engines understand your business information more clearly.
Common Mistakes That Kill Local Rankings
Buying fake reviews destroys credibility and violates Google’s guidelines. Focus on earning authentic reviews through excellent service.
Using inconsistent business names across platforms confuses search engines. Stick to one version of your business name everywhere.
Ignoring negative reviews makes problems worse. Address concerns professionally and publicly to show potential customers how you handle issues.
Creating multiple Google Business Profiles for one location results in suspension. Google allows one profile per location, period.
Measuring Your Local SEO Success
Track your Google Business Profile insights to see how customers find you. Monitor calls, website clicks, and direction requests.
Use Google Search Console to see which local keywords drive traffic to your website. Focus your efforts on keywords that generate actual business.
Check your local rankings monthly for your most important keywords. Tools like BrightLocal or simply searching on different devices can show your position.
Most importantly, track actual business results. More calls, appointments, or walk-ins matter more than rankings alone.
Local SEO isn’t complicated, but it requires consistency and attention to detail. Start with your Google Business Profile, fix your NAP consistency, and build from there. Your local customers are searching for your services right now. Make sure they can find you.

by Charles Oropallo | Dec 16, 2024 | Do-It-Yourself, Technical Help, Website Development, WordPress
SimplePractice: Incorporating its Widget into your WordPress Divi Website
This article is about adding the SimplePractice widget to your WordPress website that uses the Divi theme. I’ll explain what SimplePractice is and get into how to install its widget into your WordPress Divi website.
Simplifying Practice Management for Mental Health Professionals
SimplePractice is a trusted all-in-one platform designed to make life easier for mental health professionals and other wellness practitioners. See https://SimplePractice.com for more details. It streamlines essential administrative tasks like scheduling, billing, documentation, and client communication, allowing practitioners to focus on what truly matters—their clients. With a user-friendly interface and powerful tools, it’s an ideal solution for solo practitioners and small group practices.
One of the standout features is its online scheduling tool, which lets clients book appointments through a secure, HIPAA-compliant client portal. This portal also allows clients to complete intake forms, sign documents, and even message their provider—all in one place. For therapists who offer virtual sessions, the telehealth integration enables seamless video appointments without the need for third-party apps.
SimplePractice also simplifies billing and insurance management. Providers can create invoices, process payments, and submit insurance claims directly through the system. Plus, its customizable progress notes and treatment plan templates make maintaining records both quick and efficient.
What makes SimplePractice shine is its simplicity. The platform is intuitive and easy to navigate, with minimal learning curves for both practitioners and their clients. The robust support team and extensive online resources ensure any questions are resolved quickly.
Whether it’s automating reminders, securely managing client data, or customizing a practice’s workflow, SimplePractice makes running a private practice straightforward and stress-free. It’s the tool busy professionals rely on to save time, stay organized, and provide exceptional care.
The SimplePractice appointment request widget can be incorporated into a development domain for your client’s pending Divi site and ultimately in the live site. Here’s how you can achieve this:
Step 1: Review the Widget Code
Once you have the widget code from the client, you need to verify its structure. Typically, it includes a <script> tag provided by SimplePractice. For example:
The data-sp-client-id is unique to your client’s SimplePractice account, so ensure that value matches.
Step 2: Add the Widget Code to the Divi Site
In Divi, you can embed custom code into the site using the Code Module or Theme Builder:
- Using the Divi Code Module:
- Open the page or section where you want to display the widget.
- Add a Code Module within the desired row or column.
- Paste the SimplePractice widget code into the module.
- Save the changes and preview to ensure the widget appears as expected.
- Using Divi Theme Builder (if the widget should appear site-wide):
- Navigate to Divi > Theme Builder in the WordPress dashboard.
- Create or edit a custom header, footer, or body section.
- Add a Code Module and paste the widget code.
- Assign the template to the desired pages or the entire site.
Step 3: Customize the Widget (Optional)
The Customizing Your Widget section in the SimplePractice documentation explains how you can:
- Change colors, fonts, and styles to match the Divi site’s design.
- Customize settings by modifying the <script> code parameters.
If your client’s code already includes customization, verify if it aligns with the new site’s look. For further adjustments, update the styles within the widget script.
Step 4: Use the Development Domain
SimplePractice widgets do not rely on a specific domain to function, as long as the data-sp-client-id is correct. You can install and test the widget on the development domain without any issues. Once the site goes live on the actual domain, the widget should still work without changes.
However, after the site goes live, it’s good practice to:
- Confirm the widget works properly on the live domain.
- Recheck any customized URLs or redirects tied to the widget to ensure they match the live setup.
Step 5: Test the Integration
- Navigate to the development site.
- Test the widget to ensure it displays and works correctly (e.g., appointment requests can be submitted).
- Check for any conflicts with other scripts or plugins on the Divi site.

by Charles Oropallo | Nov 26, 2024 | Do-It-Yourself, Technical Help
Resolving Default Page Mismatches
We had a website transferred to us for hosting by a client who did not know about resolving default page mismatches. A typical symptom is a “page not found” error when a site visitor clicks a navigation link that is supposed to take them back to the home page. When hosting a website, ensuring that the correct default page is served when visitors navigate to the root domain (e.g., exampledomain.com) is critical. A mismatch between menu navigation items and the actual default page can confuse visitors and lead to a poor user experience. Below, I’ve outlined several methods to address such issues. Each method depends on the tools and access available on your hosting environment.
1. Redirect Default Page Using a New default.htm File
The simplest solution is to create a default.htm file that redirects visitors to the correct index.html file.
Steps:
- Create a new file named default.htm in the root directory of the website.
- Add the following HTML code to the file:
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="refresh" content="0;url=index.html">
<title>Redirecting...</title>
</head>
<body>
<p>If you are not redirected, <a href="index.html">click here</a>.</p>
</body>
</html>
- Save and upload the file to the server.
When visitors access exampledomain.com/default.htm, they will be automatically redirected to index.html.
2. Set Default Pages in Virtualmin
If your hosting server uses Virtualmin, you can configure the default pages it prioritizes when serving the site.
Steps:
- Log in to Virtualmin.
- Navigate to the specific domain by selecting it from the dropdown.
- Go to Server Configuration > Website Options.
- Locate the option for “Default index file names” or similar.
- Add default.htm to the list if it is not already present. For example:
index.html index.htm default.htm
- Save the changes and reload the website.
With this configuration, default.htm will be recognized as a valid default page alongside index.html.
3. Use an .htaccess File
You can also use an .htaccess file to specify which files should be served as default pages.
Steps:
- Access the root directory of the website via FTP or the file manager.
- Open or create a file named .htaccess.
- Add the following lines to the file:
DirectoryIndex default.htm index.html index.htm
- Save the file and upload it to the server.
This tells the server to prioritize default.htm as the default page. If default.htm is not found, it will fall back to index.html or other specified files.
4. Update Navigation Links in the Website’s Code
If all navigation menu items point to default.htm, you can update the site’s HTML files to point to index.html instead.
Steps:
- Download the HTML files that contain navigation links.
- Search for default.htm in the code and replace it with index.html.
- Save and upload the updated files to the server.
This ensures that navigation links point to the correct file and prevents further confusion.
5. Configure the Web Server Directly
For advanced users with root access to the server, you can modify the web server’s configuration files to set the default page order.
Apache Servers:
- Edit the Apache configuration file (e.g., /etc/httpd/conf/httpd.conf or /etc/apache2/apache2.conf).
- Find the DirectoryIndex directive and modify it:
DirectoryIndex default.htm index.html index.htm
- Save the file and restart Apache:
systemctl restart apache2
Nginx Servers:
- Edit the server block configuration file (e.g., /etc/nginx/sites-available/exampledomain.com).
- Modify the index directive:
index default.htm index.html index.htm;
- Save the file and restart Nginx:
systemctl restart nginx
6. Combine Redirect and Navigation Fixes
For maximum compatibility and user experience, you can combine several methods. For example:
- Use the .htaccess file or Virtualmin to prioritize default.htm.
- Add a redirect in default.htm for edge cases.
- Update all navigation links to index.html.
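Before making any of these changes live, it helps to know exactly which file the server will pick for the root URL and which links are still pointing at a file that is not there. The script below is an added example (not from the article): it resolves the index order you configured against the document root, lists dangling relative links, and automates method 4. It assumes file names without spaces and double-quoted href attributes.

```shell
#!/bin/sh
# Added example (not from the article): a pre-launch check for the default page
# mismatch described above. Given a document root and the index file order you
# configured (DirectoryIndex in .htaccess/Apache, "index" in Nginx, or the
# Virtualmin list), it reports which file the server will actually serve for "/"
# and lists every HTML page whose links point at a file that is not on disk.
# Assumes file names without spaces and double-quoted href attributes.

# Print the first candidate in the index list that exists under $docroot.
# Returns 1 if none exists (the server would answer with a 403/404 or a listing).
resolve_index() {
    docroot=$1
    shift
    for candidate in "$@"; do
        if [ -f "$docroot/$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Print "page: target" for every relative link whose target file is missing,
# resolving each target against the directory of the page that links to it.
# Returns 1 if at least one dangling link was found.
find_dangling_links() {
    docroot=$1
    dangling=0
    for page in $(find "$docroot" -type f \( -name '*.html' -o -name '*.htm' \)); do
        dir=$(dirname "$page")
        for target in $(grep -o 'href="[^"#?]*' "$page" | sed 's/^href="//'); do
            case $target in
                ''|/*|*://*|mailto:*|tel:*) continue ;;   # absolute or external
            esac
            if [ ! -e "$dir/$target" ]; then
                printf '%s: %s\n' "$page" "$target"
                dangling=$((dangling + 1))
            fi
        done
    done
    [ "$dangling" -eq 0 ]
}

# Method 4 from the article, automated: repoint every link at $old (with any
# relative path prefix) to $new, keeping the prefix.
rewrite_links() {
    docroot=$1; old=$2; new=$3
    old_re=$(printf '%s' "$old" | sed 's/\./\\./g')      # escape dots for sed
    for page in $(find "$docroot" -type f \( -name '*.html' -o -name '*.htm' \)); do
        sed "s|href=\"\([^\"]*/\)\{0,1\}$old_re\"|href=\"\1$new\"|g" "$page" \
            > "$page.tmp" && mv "$page.tmp" "$page"
    done
}

# Usage: sh default-page-check.sh /var/www/example default.htm index.html index.htm
if [ -n "$1" ]; then
    docroot=$1; shift
    if served=$(resolve_index "$docroot" "$@"); then
        echo "Request for / will be served by: $served"
    else
        echo "None of: $* exists in $docroot; / will not resolve to a page" >&2
    fi
    find_dangling_links "$docroot"
fi
```

If the resolved index file and the file your menu links to differ, you have the mismatch this article is about, and either the index order or the links need to change.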
Final Thoughts on Resolving Default Page Mismatches
Choosing the right method depends on your hosting setup and access level. If you’re looking for a quick fix, creating a redirect in default.htm is the easiest option. For a more permanent and scalable solution, consider updating the server configuration or .htaccess file.
Always remember to test changes thoroughly to ensure they work as expected before making them live. This will prevent any disruptions for your website’s visitors.
And, finally, at CharlesWorks we take care of these types of issues for you.

by Charles Oropallo | Aug 21, 2022 | Do-It-Yourself, The CW Corner
Many costs for energy have risen in recent months. Here in the Northeast our electric bills just suffered a 110% hike. For the math challenged: that’s more than doubled!! The change was this:
- OLD RATE pre 8/1/2022: 10.669¢ per kWh (kilo or thousand watt hours)
- NEW RATE post 7/31/2022: 22.566¢ per kWh
I operate CharlesWorks from my home. So this applies to home services. We run many web servers and computers here so the electric rate increase resulted in an immense change. Saving money on electric is important to everyone.
Saving Money on Electric through Research
The biggest hassle I ran into was simply understanding my electric bill. The monthly electric bill has gotten quite complex. There are two basic parts to my electric bill:
- Supplier: This is the part of the electric bill that just increased from 10.669¢ to 22.566¢ per kWh. This is the part that we can shop around for better pricing on.
- Delivery: This is the part of the electric bill that will remain constant. This seems the most complicated because there are a number of components (8 on my bill) listed in this. The total on my bill for these delivery charges ended up at 12.21¢ per kWh. Whatever this total amount is on your bill should not change should you switch suppliers. So this cost should remain the same.
I did a lot of research on this. Hopefully this will save you the hassle of researching. Ultimately, I discovered that the process is, like many things we study, learn and practice, quite straightforward.
To switch my electric supplier there were a couple of prerequisites I needed assurance of:
- That my electric bill was actually going to go down. Sounds over-simplistic but I am cautious when it comes to ongoing expenses.
- That there were no cancellation fees should I change my mind if the power rate were to lower. I’ve not really seen that happen before – but just in case.
Moving to Direct Energy
I decided to switch to Direct Energy. After a lot of researching around and talking to several others, I found they were the best of all worlds:
- LOW RATE: Direct Energy offers the lowest kilowatt hour rate at 16.59¢ kWh which was the lowest I could find.
- NO CANCELLATION FEE: Direct Energy offers switching to a 36 month contract with no cancellation fee should I move away. Most other companies I researched imposed at least a $100 cancellation fee.
- REFERRAL FEE: Direct Energy offers a referral fee. If you refer someone else to them who signs up they will give you a $50 referral fee. You can’t go wrong there. Mine is http://www.directenergy.com/refer-a-friend/raf/D866981 and if you click on that you can get started saving like I did.
- $50 FOR SIGNUP: At the time of this article Direct Energy is offering a $50 Visa Prepaid Card for signing up using a friend’s referral – so you can get this by using my referral code.
Here is the information you will need to switch over to Direct Energy. You should have this info handy when you sign up. It is all on your current electric bill:
- ACCOUNT NUMBER: You’ll need your current electric or gas bill Account Number. On my bill it was listed on the upper left corner of the first page.
- CUSTOMER NAME KEY: You’ll need what is called the Customer name key. On my bill it is 4 letters located in the upper left corner of the second page of the electric bill.
So switching really was a no brainer in light of the worst PSNY/Eversource electric power rate increase I have ever seen.
Act Now
I can’t say how long this rate or particular deal will remain in effect. I can only encourage you to act now while the offer is happening.
Just CLICK HERE to take advantage of this offer while it lasts!
