
13 Vital Tips and Hacks to Protect Your WordPress Admin Area

By Editorial Staff in Tutorials

Because we have continued to emphasize the security of your WordPress admin panel since the recent attack on our site, we have compiled a detailed article highlighting some of the must-have security measures for your WordPress Admin Area.

11 Vital Tips and Hacks to Protect Your WordPress Admin Area

We are not saying that you must follow every one of these tips, but you should have at least a few of them implemented on your site to be safe. The more steps you take, the harder it becomes for attackers.

1. Create Custom Login Links

It is well known that to reach the WordPress admin panel, all one has to do is append /wp-login.php to the site's URL. So if you used the same password in more than one place and it was compromised, it is easy for an attacker to take over your site. A plugin called Stealth Login lets you create custom URLs for logging in, logging out, administration and registration on your WordPress blog. You can also enable "Stealth Mode", which prevents users from reaching wp-login.php directly, and then set your login URL to something less guessable. This does not secure your website on its own: it is obscurity, so if someone does manage to obtain your password it only makes the login page harder to find. It does, however, stop the bots used for malicious purposes from reaching your wp-login.php file and attempting to break in.


2. Pick a Strong Password

This is a very obvious step, but we must mention it because it can't be emphasized enough. Do not reuse a password you use elsewhere. Make each password different and hard to guess, and use the WordPress password strength indicator to your advantage. Also change your password periodically, so that even if someone has guessed it, it becomes useless once you have changed it.


Excellent guide to Create Strong Passwords.

3. Limit Login Attempts

Sometimes an attacker thinks they know your password, or writes a script to guess it. In that case you need to limit login attempts. You can easily do so with a plugin called Login Lockdown, which locks a user out once they have entered a wrong password more than the configured number of times, for a configurable length of time. You control both settings from your wp-admin panel.


4. Use Secure SSL Login Pages


You can log in to the WordPress Admin Panel over an encrypted channel with SSL, meaning your session URLs will start with https://. First confirm with your web host that you have shared SSL or your own SSL certificate. Once confirmed, paste the following line into your wp-config.php file:

define('FORCE_SSL_ADMIN', true);

There is also a plugin called Admin SSL that will force SSL on all pages. It is easier if you run this plugin, but it is only compatible with version 2.7 and above.

5. Password Protect WP-Admin Directory

There is nothing wrong with having two passwords; it simply adds another layer of security to your WordPress Admin Area. This can be done with a plugin called AskApache Password Protect, which hashes your password, creates the .htpasswd file, and sets secure file permissions on both the .htaccess and .htpasswd files. If you are on a cPanel web host, you can instead use cPanel's Password Protection on a Directory feature to protect the wp-admin directory.


6. Limit Access via IP Address

You can restrict access to your WP-Admin panel so that only certain IP addresses can reach it. All you have to do is create a .htaccess file in the /wp-admin/ folder if one is not there already, and paste the following:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic

order deny,allow
deny from all
# whitelist Syed’s IP address
allow from xx.xx.xx.xxx
# whitelist David’s IP address
allow from xx.xx.xx.xxx
# whitelist Amanda’s IP address
allow from xx.xx.xx.xxx
# whitelist Muhammad’s IP address
allow from xx.xx.xx.xxx
# whitelist Work IP address
allow from xx.xx.xx.xxx

Replace the xx.xx.xx.xxx placeholders with your real IP addresses and it will work. The downside of this hack is that if you ever want to reach the admin panel from somewhere else, you cannot do so unless you first add that extra IP to your .htaccess file. Note that order/deny/allow is the older Apache 2.2-style syntax, so check which access-control syntax your host's Apache version accepts.

Update: In the comments, Henry suggested an alternative that combines htpasswd with the IP list, so that you can still log in from other places. See his comment (#26) below.


7. Never use “admin” Username

The admin user is the first one created when WordPress is installed, and you should never use or keep it. Because in the past multiple weaknesses have been found that combine brute-force attacks with the well-known admin username, you should refrain from using it. Create another user via your WordPress admin panel and assign it the administrator role. Pick a username that is not obvious, so it is harder for an attacker to guess. Then delete the admin user altogether to stay on the safe side.

8. Remove Error Message on the Login Page


When you enter a wrong password or an invalid username, the login page shows an error message saying which of the two was wrong. So if an attacker gets one half right, the error message confirms it for them. It is therefore recommended that you remove that error message entirely. Open functions.php in your theme folder and paste the following code:

add_filter('login_errors', function ($error) { return null; });

A plugin called Secure WordPress accomplishes the same thing and has other features as well; check it out if you are interested.
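As an added example for tips 3 and 8, here is a small must-use plugin that does both jobs with core WordPress hooks: it counts failed logins per client address using the transients API, refuses authentication once the limit is reached, and collapses the separate "invalid username"/"incorrect password" messages into one generic message. This is not code from the article, nor from the Login Lockdown or Secure WordPress plugins. The wpb_ function names, the 5-attempt/15-minute limits and the filename are assumptions; it also assumes that wp-login.php's file-scope $errors variable is visible as a global, which is how wp-login.php defines it.

```php
<?php
/**
 * Plugin Name: Admin login hardening (added example)
 *
 * Save as wp-content/mu-plugins/login-hardening.php. Added example for
 * tips 3 and 8 of the article; not the Login Lockdown plugin's code.
 * Uses only core WordPress hooks and the transients API.
 */

// Tunables; these values are assumptions, not taken from any plugin.
const WPB_MAX_ATTEMPTS    = 5;    // failures allowed before lockout
const WPB_LOCKOUT_SECONDS = 900;  // counting window and lockout length, 15 minutes

/**
 * Address the lockout is keyed on. REMOTE_ADDR is what the web server saw;
 * behind a reverse proxy or CDN that is the proxy's address. The client-supplied
 * X-Forwarded-For header is deliberately not used, because a client can forge it.
 */
function wpb_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function wpb_fail_key( $ip ) {
    return 'wpb_login_fail_' . md5( $ip );
}

function wpb_is_locked_out( $ip ) {
    return (int) get_transient( wpb_fail_key( $ip ) ) >= WPB_MAX_ATTEMPTS;
}

// Count a failed login. WordPress fires this after any failed authentication.
add_action( 'wp_login_failed', function ( $username, $error = null ) {
    // Attempts refused by our own lockout below are not counted again.
    if ( $error instanceof WP_Error && 'too_many_attempts' === $error->get_error_code() ) {
        return;
    }
    $ip    = wpb_client_ip();
    $key   = wpb_fail_key( $ip );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, WPB_LOCKOUT_SECONDS );
    if ( $count === WPB_MAX_ATTEMPTS ) {
        // Lockouts are worth a log line: a burst of them is a brute-force signal.
        error_log( sprintf( 'WordPress login lockout for %s after %d failures', $ip, $count ) );
    }
}, 10, 2 );

// Refuse authentication while locked out. Priority 30 runs after the core
// username/password checks registered at 20, so even a correct password is refused.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( wpb_is_locked_out( wpb_client_ip() ) ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( wpb_fail_key( wpb_client_ip() ) );
}, 10, 2 );

// Tip 8: instead of hiding the message entirely (the article's snippet returns
// null), replace only the credential errors with one generic message, so the
// form no longer says whether the username or the password was the wrong half.
// Other messages (the lockout above, password-reset errors) stay readable.
add_filter( 'login_errors', function ( $error ) {
    $codes = ( isset( $GLOBALS['errors'] ) && $GLOBALS['errors'] instanceof WP_Error )
        ? $GLOBALS['errors']->get_error_codes()
        : array();
    $leaky = array( 'invalid_username', 'invalid_email', 'incorrect_password' );
    if ( array_intersect( $codes, $leaky ) ) {
        return 'Invalid login credentials.';
    }
    return $error;
} );
```

Two things to keep in mind when using something like this: the counter is per address, so users behind one shared NAT address share a lockout, and if the site sits behind a proxy or CDN you must take the real client address from the header that your proxy sets and strips, never from a header the client can supply.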

9. Use Encrypted Password to Login

When you don't have SSL enabled, this method comes in handy. The plugin that does the job is called Semisecure Login Reimagined. It increases the security of the login process by using an RSA public key to encrypt the password on the client side when a user logs in; the server then decrypts it with the private key. JavaScript is required on the client for the encryption to happen. Bear in mind that only the password is protected this way; without SSL, the rest of the session, including the login cookie, still travels unencrypted.

10. WordPress AntiVirus Protection

AntiVirus for WordPress is a smart and effective way to protect your blog against exploits and spam injections. Its special features are a manual scan with immediate results listing any infected files, and a daily automatic check with email notification.

11. Stay Updated with the Latest WordPress Version

Last but definitely not least: stay updated with the latest version of WordPress. After each new version is released, the bugs and exploits fixed in the previous version become public knowledge, which puts your Admin Area at risk if you don't upgrade.

What tricks do you have to protect your WordPress Admin Area?

[Update from the Comments]

Thanks to Yves for suggesting this plugin in the comments.

12. One Time Password

The One Time Password plugin lets you log in to your WordPress weblog using passwords that are valid for one session only. One-time passwords prevent your main WordPress password from being stolen in less trustworthy environments, such as internet cafés, for example by keyloggers.
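To show what "valid for one session only" means in practice, here is an added example of a counter-based one-time password (HOTP, RFC 4226) in plain PHP. It is not the One Time Password plugin's code, and the plugin's own scheme may differ; the function names are assumptions, and the demo secret is the RFC 4226 test vector rather than a real key.

```php
<?php
// Added example: counter-based one-time passwords (HOTP, RFC 4226) in plain PHP.
// Not the One Time Password plugin's code; its own scheme may differ.

/**
 * 6-digit HOTP value for a raw-byte secret and a counter (RFC 4226 section 5).
 */
function hotp( $secret, $counter, $digits = 6 ) {
    $msg  = pack( 'J', $counter );                    // 8-byte big-endian counter
    $hmac = hash_hmac( 'sha1', $msg, $secret, true ); // 20 raw bytes
    // Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
    $o    = ord( $hmac[19] ) & 0x0f;
    $bin  = ( ( ord( $hmac[ $o ] ) & 0x7f ) << 24 )
          | ( ( ord( $hmac[ $o + 1 ] ) & 0xff ) << 16 )
          | ( ( ord( $hmac[ $o + 2 ] ) & 0xff ) << 8 )
          | ( ord( $hmac[ $o + 3 ] ) & 0xff );
    return str_pad( (string) ( $bin % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

/**
 * Server side. $state holds the shared secret and the lowest counter value
 * that has not been used yet. A code is accepted if it matches one of the
 * next $window counters; the counter then jumps past it, so the same code
 * (captured by a keylogger, say) can never be accepted a second time.
 */
function verify_hotp( array &$state, $submitted, $window = 5 ) {
    for ( $i = 0; $i < $window; $i++ ) {
        $candidate = hotp( $state['secret'], $state['counter'] + $i );
        if ( hash_equals( $candidate, (string) $submitted ) ) {
            $state['counter'] += $i + 1;   // burn this code and any skipped ones
            return true;
        }
    }
    return false;                          // no counter movement on failure
}

// Demo. The secret is the RFC 4226 test vector (ASCII "12345678901234567890");
// a real deployment stores a random per-user secret on the server side.
$state = array( 'secret' => '12345678901234567890', 'counter' => 0 );
$code  = hotp( $state['secret'], $state['counter'] );
echo "first code: $code\n";
var_dump( verify_hotp( $state, $code ) );   // first use of the code
var_dump( verify_hotp( $state, $code ) );   // replay of the same code
var_dump( verify_hotp( $state, hotp( $state['secret'], $state['counter'] + 2 ) ) ); // still inside the window
```

RFC 4226 lists 755224 as the counter-0 value for that test secret, so the first line of output can be checked against the RFC. The property that matters for the article's scenario is the second call: a code that was already accepted is rejected on replay because the stored counter has moved past it, which is exactly why a keylogged one-time password is worthless to whoever captured it. The look-ahead window tolerates a few codes that a user generated but never submitted; keep it small, since every extra slot is another code an attacker could guess.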

Another good plugin suggested by Constantine in the comments:

13. WordPress Firewall Plugin

The WordPress Firewall Plugin detects, intercepts and logs suspicious-looking request parameters, and prevents them from compromising WordPress. It also protects most WordPress plugins from the same attacks. You can optionally configure it as the first plugin to load for maximum coverage. It can email you a useful dump of information whenever it blocks a potential attack, and much more.


Comments

76 Responses to “13 Vital Tips and Hacks to Protect Your WordPress Admin Area”
  1. Sergej Müller says:

    Link to WordPress AntiVirus Protection?

  2. Rafi says:

    Hey this is a wonderful collection of tips and hacks, very useful. I recommend every WP blogger to go through the list and follow the steps as well as any other useful resources available elsewhere. After all we have NOT set up our blogs so someone shall take control of our lives. Damn.

    Thanks for sharing, WPBeginner.

  3. Dreyer says:

    A helpful list. Will be giving these a go. Better paranoid than sorry.

  4. Gerald Weber says:

    I limit login requests to my IP address. This means that anyone who attempts to access http://www.domainname.com/wp-admin without making the request from my IP address will simply get a 404 page.

  5. Shabayek says:

    But what if you allow your blog visitors to register, and force them to log on before posting comments?

  6. Good tips. You can also move your wp-config.php file outside of the web root to provide an extra layer of security.

    • Yes you can do that, but in this article we were only talking about the WordPress Admin Panel, not the entire site in general. There are many other ways to protect your entire WordPress blog.

  7. Cheap Sites says:

    Thank you for all the suggestions, I’m working on a few big projects and this will certainly help once the blogs are up and running.

    First time here and I’m loving the blog, good job!

    Dan

  8. A good list of vital tips to secure your site. I particularly like #8; I've never done this before but will from now on!

    Regarding #7 – Remove ‘admin’ username:

    I don’t remove the admin username, I create a new admin account then change the ‘admin’ users account type to subscriber.

    That way, even if someone does crack the password it’s a useless account. If you remove it, someone can register that username…

  9. Rob says:

    And to protect all your hard work / security features from your clients….
    http://wordpress.org/extend/plugins/hide-admin-panels/

  10. Roger Duck says:

    WordPress security is a growing issue and these steps are critical for securing a WordPress site. Beefing up security helps the entire community as well as your own site to take time to implement these ideas. Well done.

  11. Marc says:

    Wow – I’m fairly new to WP and had no idea there were so many gateways for hackers. I’m sure they won’t find their way in after adding a few of these.

    Thanks.

  12. Jo says:

    This site is a happy new find for me (FYI,thanks to @Problogger on Twitter), and I’m looking forward to further exploration. This article is the kind of tight, clear writing that is too rare these days. Thanks for some genuinely helpful information.

    • We are glad that you like our site, and we are also very glad that Darren found the article useful enough to tweet it. We hope you follow us on twitter so you can stay up to date with all the nice tutorials.

  13. Tinh says:

    Excellent tips and hacks. I only applied 6 of the 11 tips you suggested; let me try the rest.

  14. Dana DeFazio says:

    I’m wondering if there is something comparable for my blog because it is a WordPress.com site and also I have a new blog at danaddiamond.BlogSpot.com

  15. Thanks for this piece. I have been waiting for an article like this. Adding a couple of your tips will help secure my WP sites.

    Thanks again.

  16. Tim says:

    Great tips.

    For the involved readers there is an inaccuracy in #6.

    “The downside to this hack is that if you ever want to access the admin panel from some other place, you won’t be able to do so unless you add that extra IP in your .htaccess file.”

    If the IP address you allow is a box you can SSH into, you can SSH tunnel through it (I use FoxyProxy, because it makes the switch very easy). Also, if you are using nginx instead of Apache you can evaluate the URI with regular expressions to block everything from wp-app.php to wp-trackback.php (or selectively choose which ones you do not want to block). I cover this at http://www.phrison.com/securing-arbitrary-uris/ but it is not for the inexperienced.

    I have a large collection of tin-foil hats.

  17. quicoto says:

    Thanks for the tips :)

  18. Yves says:

    Hi

    Nice list! You may want to add the nice “One time Password” plugin for WordPress:
    http://wordpress.org/extend/plugins/one-time-password/

  19. sriganesh says:

    Very useful. :lol: :geek: Thanks for sharing. I will surely spread this.

  20. Misao says:

    Thank you! Very helpful article. I will try your tips and hacks on some of my blogs.

  21. Typhoon says:

    Really a very useful article. I tweeted it.

    By the way, I want to ask one thing: how does Stealth Login work for guest authors?

    • You give them the special URL that you created if you trust them enough. For the most part, guest authors should not even be allowed in the admin panel unless they are authors of your site. If someone has written multiple posts for your site then they can be trusted, so you can give them the special URL /login or /googlogin or whatever you created.

      Most top blogs take guest posts via email and if those guest authors become regular authors, only then they are allowed in the admin panel.

  22. Dirk says:

    In reality 2., 7. and 11. (if not hardened) are the most important things. The other things are nearly unnecessary :)

  23. Constantine says:

    Hi, I have been blogging for 3 years. My blog got hacked in June 2009 and Google banned it for 30 days; my pageviews immediately slid from 800 a day to less than 100 a day.
    I highly recommend installing the WordPress Firewall plugin. The plugin will send you an email every time someone tries to hack your blog, together with the hacker's IP address. The plugin detects and blocks strange requests, redirecting the attack to the homepage.
    On Monday I got an email of six attempted hack attempts over the weekend. The hacker tried the admin page three times; when that failed he tried searching for the wordspew plugin, which I don't use.

    To all newbies good luck

  24. A.rnaud says:

    I just made a French translation of your article on my blog (http://bit.ly/19V6YU) :)
    thanks for the tips !

  25. Laura says:

    Thanks for the great article. I’m looking forward to making my own blog more secure.

  26. Henry says:

    Regarding #6, if you use the following .htaccess file you will be able to login from other locations in a two-step process. This requires you to add a htpasswd file (read your server documentation).

    # replace with the path to the htpasswd file you created
    AuthUserFile /path/to/.htpasswd
    AuthGroupFile /dev/null
    AuthName "WordPress Admin Access Control"
    AuthType Basic

    order deny,allow
    deny from all
    Require valid-user
    # whitelist Syed’s IP address
    allow from xx.xx.xx.xxx
    # whitelist David’s IP address
    allow from xx.xx.xx.xxx
    # whitelist Amanda’s IP address
    allow from xx.xx.xx.xxx
    # whitelist Muhammad’s IP address
    allow from xx.xx.xx.xxx
    # whitelist Work IP address
    allow from xx.xx.xx.xxx
    Satisfy Any

    The “require valid user” and “satisfy any” lines will force the Apache Server to request a Username and Password before you can access the WordPress Login screen. Please DO NOT use the same Username and Password in the htpasswd file that you use for your WordPress access, or you will defeat the purpose of the extra level of security.

  27. Heather says:

    Brilliant post, I think I’ll sleep better tonight!

  28. Soxialize says:

    Excellent post! Will be testing several of the security tips you provided. Thanks for putting all this together! :)

  29. I must congratulate you on this excellent article!!! To be honest I knew some of the tips, but some very important info was unknown to me until now!

    Keep on good work :razz:

  30. jakesjohn says:

    What you can get from the Wp-PreventCopyBlogs WordPress Plugin:

    1. Track the visitors who try to copy your content.

    2. Record the IP of the user who tries to do a fraudulent copy, with their landing URL on your site and the referral URL. This can help you take the necessary measures if you notice something bad.

    3. Enable a message displayed to your user, at the user's choice.

    4. Disable selection of your text and right click for users, depending on the option.

  31. It took me a few minutes to work this one out but you have the wrong kind of quotes around this function

    add_filter(’login_errors’,create_function(’$a’, “return null;”));

    It should be:

    add_filter(‘login_errors’,create_function(‘$a’, “return null;”));

    Other than that, great post.

  32. abbie says:

    Hi. You’ve written a very good post.

    I've rewritten this great post in Indonesian.
    I really hope you dont mind.
    ;)

  33. good tips for securing wordpress. as time goes we are going to see hosts either become more stringent and secure or cms packages need to implement on install a few more security initiatives.

  34. Robinoz says:

    Thanks for this invaluable information. I've just suffered a malware attack that put my blog offline for a day or two while I had my WordPress programmer sort it out. Very inconvenient.

    I’ll be implementing some of the suggestions you’ve made in the next day or so.

    Robinoz
    http://www.e1jobs-blog.com (All About Jobs blog)

  35. Kjetil says:

    Hi
    Thanks a lot for your tips.
    Regarding tip 8, I wonder how to insert the code
    `add_filter(’login_errors’,create_function(’$a’, “return null;”));`
    What is the complete function to use?
    I’d like to try since I already use AskApache Password Protect and that plugin is incompatible with Secure WordPress.
    Thanks,
    Kjetil
    - http://www.dolcevita.no

    • You go to functions.php and insert that code. That's all, if we understand your question correctly. If this has not answered it, then please reply to the comment and we will surely take a look at it.

  36. iHacks says:

    Link to WordPress Firewall Plugin?

  37. Dagmar says:

    There are also some paid plugins – i.e. “WP Secure” which also claims it is going to make your WP secure from hackers. It also works on the summary of couple of the principles above – i.e. custom made login page, one IP confirmation etc.

    Is it worth purchasing? Does anybody know if it is easier to use for a non-techie than some of the above-mentioned?

  38. Seriously guys, change your site name to WP ROCKER, you guys rock hard. I installed three plugins to protect my admin panel after reading this great post.

  39. Lilia says:

    The problem with plugins is that they’re not always compatible with every version, and they aren’t always updated.

    • Most plugins are compatible with newer versions, and if the developer decides to leave development of the plugin, others often pick up and create a plugin with fixes for the future releases. You just have to stay active in the community.

  40. Wow – this is an AWESOME post! Thank you so much for sharing all this information – and some great plugins as well!

    In a world where security has become top priority, these are very important things to be aware of with a WordPress installation. Really appreciate your transparency and willingness to share this information! I’ll be tweeting this one. ;)

  41. Jessica says:

    I'm currently learning WP development. I want to make an ecommerce site with WordPress using the WP e-Commerce plugin. Does anyone know if these tips will keep my ecommerce site secure?

  42. Very useful tips. Thank you

  43. Marlin says:

    Thanks Nice list this will surely help to secure wordpress admin panel.

  44. tzutzu says:

    AWESOME post!! Thank you for this info

  45. Man, I'm moving from one post to the other in your blog and I'm loving it. Thanks a lot. Guess I'll have to subscribe now.

  46. anthony says:

    This is great information which I will be implementing ASAP! I have already experienced having my blog hacked, so I have been worried about these issues. Many thanks!!

  47. mby says:

    Uh, what useful info, guys, it can surely help!!
    thanks for posting! ^_^

  48. Danang Sukma says:

    Thanks for your post.
    I'm using password protection for my wp-admin folder in cPanel; is it enough?

  49. This article needs to be revisited. A number of the plugins suggested have not been maintained, and may be incompatible with the latest version of WP.

    These include #1, #3, and #5.

  50. Daniel says:

    A hacker will think he is successful when he logs in with the admin username and finds that the role has been set to 'subscriber'. Isn't this another form of added security? I don't want to delete my admin because I put messages etc. in forums and the blog and like my users to know that it's from administration, as well as I use my regular username!

  51. fareed says:

    Great post and very useful to me thank you
