Are you seeing a lot of attacks on your WordPress admin area? Protecting the admin area from unauthorized access allows you to block many common security threats. In this article, we will show you some of the vital tips and hacks to protect your WordPress admin area.
1. Use a Website Application Firewall
A website application firewall or WAF monitors website traffic and blocks suspicious requests from reaching your website.
All your website’s traffic goes through their cloud proxy first, where they analyze each request and block suspicious ones from ever reaching your website. It prevents your website from possible hacking attempts, phishing, malware and other malicious activities.
For more details, see how Sucuri helped us block 450,000 attacks in one month.
2. Password Protect WordPress Admin Directory
Your WordPress admin area is already protected by your WordPress password. However, adding password protection to your WordPress admin directory adds another layer of security to your website.
First login to your WordPress hosting cPanel dashboard and then click on ‘Password Protect Directories’ or ‘Directory Privacy’ icon.
Next, you will need to select your wp-admin folder, which is normally located inside /public_html/ directory.
On the next screen, you need to check the box next to ‘Password protect this directory’ option and provide a name for the protected directory.
After that, click on the save button to set the permissions.
Next, you need to hit the back button and then create a user. You will be asked to provide a username / password and then click on the save button.
Now when someone tries to visit the WordPress admin or wp-admin directory on your website, they will be asked to enter the username and password.
For more detailed instructions, see our guide on how to password protect WordPress admin (wp-admin) directory.
3. Always Use Strong Passwords
Always use strong passwords for all your online accounts including your WordPress site. We recommend using a combination of letters, numbers, and special characters in your passwords. This makes it harder for hackers to guess your password.
We are often asked by beginners how to remember all those passwords. The simplest answer is that you don’t need to. There are some really great password manager apps that you can install on your computer and phones.
For more information on this topic, see our guide on the best way to manage passwords for WordPress beginners.
4. Use Two Step Verification to WordPress Login Screen
Two step verification adds another security layer to your passwords. Instead of using the password alone, it asks you to enter a verification code generated by the Google Authenticator app on your phone.
Even if someone is able to guess your WordPress password, they will still need the Google Authenticator code to get in.
For detailed step by step instructions see our guide on how to setup 2-step verification in WordPress using Google Authenticator.
5. Limit Login Attempts
By default, WordPress allows users to enter passwords as many times as they want. This means someone can keep trying to guess your WordPress password by entering different combinations. It also allows hackers to use automated scripts to crack passwords.
To fix this, you need to install and activate the Login LockDown plugin. Upon activation, go to visit Settings » Login LockDown page to configure the plugin settings.
For detailed instructions, see our guide on why you should limit login attempts in WordPress.
6. Limit Login Access to IP Addresses
Another great way to secure WordPress login is by limiting access to specific IP addresses. This tip is particularly useful if you or just a few trusted users need access to the admin area.
Simply add this code to your .htaccess file.
"WordPress Admin Access Control"
deny from all
# whitelist Syed's IP address
allow from xx.xx.xx.xxx
# whitelist David's IP address
allow from xx.xx.xx.xxx
Don’t forget to replace xx values with your own IP address. If you use more than one IP address to access the internet, then make sure you add them as well.
For detailed instructions, see our guide on how to limit access to WordPress admin using .htaccess.
7. Disable Login Hints
On a failed login attempt, WordPress shows errors that tell users whether their username was incorrect or the password. These login hints can be used by someone for malicious attempts.
'Something is wrong!'
8. Require Users to Use Strong Passwords
If you run a multi-author WordPress site, then those users can edit their profile and use a weak password. These passwords can be cracked and give someone access to WordPress admin area.
To fix this, you can install and activate the Force Strong Passwords plugin. It works out of the box, and there are no settings for you to configure. Once activated, it will stop users from saving weaker passwords.
It will not check password strength for existing user accounts. If a user is already using a weak password, then they will be able to continue using their password.
9. Reset Password for All Users
Concerned about password security on your multi-user WordPress site? You can easily ask all your users to reset their passwords.
First, you need to install and activate the Emergency Password Reset plugin. Upon activation, go to visit Users » Emergency Password Reset page and click on ‘Reset All Passwords’ button.
For detailed instructions, see our guide on how to how to reset passwords for all users in WordPress
10. Keep WordPress Updated
WordPress often releases new versions of the software. Each new release of WordPress contains important bug fixes, new features, and security fixes.
Using an older version of WordPress on your site leaves you open to known exploits and potential vulnerabilities. To fix this, you need to make sure that you are using the latest version of WordPress. For more on this topic, see our guide on why you should always use the latest version of WordPress.
Similarly, WordPress plugins are also often updated to introduce new features or fix security and other issues. Make sure your WordPress plugins are also up to date.
11. Create Custom Login and Registration Pages
However, these users can use their accounts to log into WordPress admin area. This is not a big issue, as they will only be able to do things allowed by their user role and capabilities. However, it stops you from properly limiting access to login and registration pages as you need those pages for users to signup, manage their profile, and login.
The easy way to fix this is by creating custom login and registration pages, so that users can signup and login directly from your website.
For detailed step by step instructions, see our guide on how to create custom login and registration pages in WordPress.
12. Learn About WordPress User Roles and Permissions
WordPress comes with a powerful user management system with different user roles and capabilities. When adding a new user to your WordPress site you can select a user role for them. This user role defines what they can do on your WordPress site.
Assigning incorrect user role can give people more capabilities than they need. To avoid this you need to understand what capabilities come with different user roles in WordPress. For more on this topic see our beginner’s guide to WordPress user roles and permissions.
13. Limit Dashboard Access
Some WordPress sites have certain users who need access to the dashboard and some users who don’t. However, by default they can all access the admin area.
To fix this, you need to install and activate the Remove Dashboard Accessplugin. Upon activation, go to Settings » Dashboard Access page and select which users roles will have access to the admin area on your site.
For more detailed instructions, see our guide on how to limit dashboard access in WordPress.
14. Log out Idle Users
WordPress does not automatically log out users until they explicitly log out or close their browser window. This can be a concern for WordPress sites with sensitive information. That’s why financial institution websites and apps automatically log out users if they haven’t been active.
To fix this, you can install and activate the Idle User Logout plugin. Upon activation, go to Settings » Idle User Logout page and enter the time after which you want users to be automatically logged out.
For more details, see our article on how to automatically log out idle users in WordPress.
We hope this article helped you learn some new tips and hacks to protect your WordPress admin area. You may also want to see our ultimate step by step WordPress security guide for beginners.