
13 Vital Tips and Hacks to Protect Your WordPress Admin Area


As we continue to emphasize the security of your WordPress admin panel after the recent attack on our site, we have compiled a detailed article highlighting some of the must-have security measures for your WordPress Admin Area.


We are not saying that you must follow all of these tips, but you should have at least a few of them implemented on your site to be on the safe side. The more steps you take, the harder it becomes for the hackers.

1. Create Custom Login Links

It is obvious that, to reach the WordPress admin panel, all one has to do is type in the URL of the site followed by /wp-login.php. If you reuse the same password in more than one place and it is compromised, it is easy for an attacker to get into your site. A plugin called Stealth Login allows you to create custom URLs for logging in, logging out, administration and registering for your WordPress blog. You can also enable "Stealth Mode", which prevents users from accessing 'wp-login.php' directly. You can then set your login URL to something more cryptic. This won't secure your website perfectly, but if someone does manage to crack your password, it makes it harder for them to find where to actually log in. It also keeps bots used for malicious purposes from reaching your wp-login.php file and attempting to break in.

Stealth Login

2. Pick a Strong Password

This is a very obvious step, but we must mention it as it can't be emphasized enough. Do not use the same password in other places. Make each password different and hard to guess. Use the WordPress Password Strength Detector to your advantage and make your password strong. Another thing you want to do is change your password periodically, so that even if someone has guessed your password, it is useless to them once you have changed it.

Strong Password

Excellent guide to Create Strong Passwords.

3. Limit Login Attempts

Sometimes the hacker might think they know your password, or they might write a script to guess it. In that case what you need to do is limit the login attempts. You can easily do so with a plugin called Limit Login Attempts, which locks a user out if they enter the wrong password more than the specified number of times. They stay locked out for a specified period. You can control the settings from your wp-admin panel.
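As an added example (not code from WPBeginner or from the Limit Login Attempts plugin), here is a minimal must-use plugin that implements the same idea with WordPress's own hooks and transient API. The threshold, lockout window, plugin name and the `wpb_` function names are my own choices for the illustration:

```php
<?php
/**
 * Plugin Name: WPB Login Throttle (illustrative example)
 *
 * Added example, not WPBeginner's code or the Limit Login Attempts plugin.
 * Placed in wp-content/mu-plugins/ it loads automatically. After
 * WPB_MAX_ATTEMPTS failed logins from one IP within WPB_LOCKOUT_SECONDS,
 * further attempts from that IP are rejected until the window expires.
 * Counters live in WordPress transients, so no extra table is needed.
 */

define( 'WPB_MAX_ATTEMPTS', 5 );      // hypothetical threshold
define( 'WPB_LOCKOUT_SECONDS', 900 ); // 15-minute window

// REMOTE_ADDR is set by the web server and cannot be forged by the client,
// unlike X-Forwarded-For. Behind a reverse proxy it is the proxy's address,
// so this example assumes PHP talks to the web server directly.
function wpb_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// One transient per client address.
function wpb_attempt_key( $ip ) {
    return 'wpb_login_fail_' . md5( $ip );
}

// Count every failed login. Note that this also fires for attempts refused by
// the lockout below, so each attempt during a lockout restarts the window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = wpb_attempt_key( wpb_client_ip() );
    $count = (int) get_transient( $key ); // false (absent) becomes 0
    set_transient( $key, $count + 1, WPB_LOCKOUT_SECONDS );
} );

// Refuse authentication once the threshold is reached. This must run after
// WordPress's own username/password check (priority 20), because that check
// returns a WP_User for a correct password even if an earlier filter returned
// an error. The message is deliberately generic so it reveals nothing about
// whether the username or the password was wrong.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $count = (int) get_transient( wpb_attempt_key( wpb_client_ip() ) );
    if ( $count >= WPB_MAX_ATTEMPTS ) {
        return new WP_Error(
            'wpb_locked_out',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( wpb_attempt_key( wpb_client_ip() ) );
}, 10, 2 );
```

Because the counter is keyed on the client address, a single user behind a shared NAT can lock out their colleagues; the plugin mentioned above offers per-user and per-IP modes for exactly that reason, which this example does not.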

Login Lockdown

4. Use Secure SSL Login Pages

SSL Login Pages

You can log in to the WordPress Admin Panel over an encrypted channel with SSL, meaning your session URLs will start with https://. You must confirm with your web host that you have shared SSL, or that you own an SSL certificate. Once you have confirmed, paste the following line into your wp-config.php file:

define('FORCE_SSL_ADMIN', true);

There is also a plugin called Admin SSL that forces SSL on all pages. It is easier to run this plugin, but it is only compatible with version 2.7 and above.

5. Password Protect WP-Admin Directory

There is nothing wrong with having two passwords. It simply adds another layer of security to your WordPress Admin Area. This can be done with a plugin called AskApache Password Protect. It encrypts your password and creates the .htpasswd file, as well as setting the correct security-enhanced file permissions on both. If you are on a cPanel web host, you can also use cPanel's "Password Protect Directories" feature to password protect the wp-admin directory.

Ask Apache Protect

6. Limit Access via IP Address

You can limit access to your WP-Admin Panel so that only certain IP addresses can reach it. All you have to do is create a .htaccess file in the /wp-admin/ folder if there is not one there already, and paste in the following:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
# The addresses below are placeholders from the 203.0.113.0/24 documentation range;
# replace each one with the real IP address it is labelled for.
# whitelist Syed's IP address
allow from 203.0.113.10
# whitelist David's IP address
allow from 203.0.113.11
# whitelist Amanda's IP address
allow from 203.0.113.12
# whitelist Muhammad's IP address
allow from 203.0.113.13
# whitelist Work IP address
allow from 203.0.113.20

Change the IP addresses and it will work. Note that on Apache 2.4 and later the order/deny/allow directives only function when the mod_access_compat module is loaded; the native replacement is the Require ip directive. The downside of this hack is that if you ever want to access the admin panel from somewhere else, you won't be able to until you add that extra IP to your .htaccess file.

Update: In the comments Henry suggested an alternative that combines htpasswd with the IP whitelist, which also lets you log in from other places. Check it out here.


7. Never use “admin” Username

This is the first user created when WordPress is installed. You should never use or keep this user. Because multiple weaknesses tied to brute-force attacks against the admin username have been found in the past, you should refrain from using it. Create another user from your WordPress admin panel and assign it the administrator role. Make this username something that is not obvious, so it is harder for the hacker to guess. Then delete the admin user altogether to stay on the safe side.

8. Remove Error Message on the Login Page

Error Message

When you enter a wrong password or an invalid username, you get an error message on the login page. So if a hacker gets one thing right, the error message helps them identify which. Therefore it is recommended that you remove that error message entirely. Open the functions.php file in your theme folder and paste in the following code:

// Return an empty string so the login page gives no hint about which field was wrong.
// (create_function(), used in older versions of this snippet, was removed in PHP 8; a closure does the same job.)
add_filter( 'login_errors', function ( $error ) {
    return '';
} );

A plugin called Secure WordPress accomplishes this too, and it has other features as well. Check it out if you are interested.

9. Use Encrypted Password to Login

When you don't have SSL enabled, this method comes in handy. A plugin called Semisecure Login Reimagined does the job. It increases the security of the login process by using an RSA public key to encrypt the password on the client side when a user logs in; the server then decrypts it with the private key. JavaScript is required for the encryption.

10. WordPress AntiVirus Protection

AntiVirus for WordPress is a smart and effective solution to protect your blog against exploits and spam injections. Special features of this plugin are manual testing with immediate reporting of infected files, and a daily automatic check with email notification.

11. Stay Updated with the Latest WordPress Version

Last but definitely not least, stay updated with the latest version of WordPress. With each release, WordPress also discloses the bugs and vulnerabilities fixed from the previous version, which puts your Admin Area at risk if you don't upgrade.

What tricks do you have to protect your WordPress Admin Area?

[Update from the Comments]

Thanks to Yves for suggesting this plugin in the comments.

12. One Time Password

The One Time Password plugin lets you log in to your WordPress weblog using passwords that are valid for one session only. One-time passwords prevent your main WordPress password from being stolen in less trustworthy environments, such as internet cafés, for example by keyloggers.

Another good plugin suggested by Constantine in the comments:

13. WordPress Firewall Plugin

WordPress Firewall Plugin detects, intercepts, and logs suspicious-looking parameters — and prevents them from compromising WordPress. It also protects most WordPress plugins from the same attacks. You can optionally configure it as the first plugin to load for maximum security. It can email you a useful dump of information whenever it blocks a potential attack, and much more.

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi. Page maintained by Syed Balkhi.



  1. John says:

    Any idea why deleting wp-login.php does not prevent brute force attacks? I thought it was a quick fix for a site that only requires my login, therefore only replace the file when needed?

    Help please!

  2. Craig says:

    Great advice apart from the removal of admin messages. If you're lessening the user experience because of security, then you're not doing it right.

  3. Tahir says:

    smart collection….!!

  4. Talha says:

    Thanks a lot. I have a website . I will set up there.

  5. Pat Fortino says:

    This plugin no longer exists: Stealth Login

    Can you recommend an alternative?


  6. Lori says:

    I’ve also been told to “remove links to the admin page from the site so that the hacking robots can’t just follow a link.” I’m not sure what this means, or how I would do it… Anyone know what this means and could point me to step-by-step directions to do so?

    (I don’t see links to an admin page anywhere on my website, nor do I remember there ever being any. The only way I access the admin page is by going to the /wp-admin address.)

  7. Emily Johns says:

    Great information!

    For non-expert bloggers and coders, I suggest installing a WordPress plugin to make things easier.
    From the ones you mentioned, I found the "Wordfence Security" plugin a free solution to secure blogs and make them faster.
    Tested and happy with it!

  8. Barry Richardson says:

    I was under the impression that the original username (e.g. “admin”) of a WP site cannot be deleted, so even if we did add a new username, the original “admin” would still be available for a potential hacker to exploit.

    • WPBeginner Support says:

      If you create a new user account with the administrator role, then you can safely delete admin user.

  9. Sandeep Jinagal says:

    Hi WPBeginner, first of all, you are doing the best of the best!
    And I want to know how to set up my login page like yours, because when I try to open your login page it shows a popup for login. Can you give me that tool?

  10. Kheti says:

    Thanks for this educative material. Very helpful. Thanks for the good work and support.

  11. ifaheem says:

    Great article, but it needs to be updated. There are a few great plugins which do all of the above tasks with one plugin install!

    My site was under heavy attack; fake Google bots were always there. I noticed up to 300 hits from a single IP. The most visited area was wp-admin :(

    After performing the above steps (updated by some research), I'm feeling a little more secure.

    Don't install a plugin without reading a minimum of 5 reviews. They tell you the truth (go for a bad review and see what he/she says; they have suffered something bad!).

  12. Prince Jain says:

    Thank you for such a great post. :)

    But please update: the Stealth Login plugin does not create a custom URL for the login window; instead it adds an authorization code below the username and password on the WordPress login window.
    Also, can you please suggest a plugin to create a custom URL for the login window?

  13. Mitchell Miller says:

    Stealth Login was removed from WP Plugin repository.

    But changing wp-login.php link is the first step to protecting a WordPress site.

  14. laya rappaport says:

    What happens when you give your login details to someone to work on your website and they change the login details so you can no longer access your word press account?

    • James Campbell says:

      I'm not sure if there's a way for you to retrieve your site's information necessarily, but if you're able to, always create a new user and give other people access through that particular user. This allows you to restrict access to certain areas and you can also delete their access when it's no longer needed. Giving up your access to your site lets them block you out.

    • Lisa Wells says:

      If someone's changed your WordPress user information, hopefully you can still log in to your database through, say, phpMyAdmin. From there you should be able to create a new admin user directly in the tables:

  15. user4574 says:

    One other helpful item not mentioned is database permissions. The WordPress db user generally doesn’t need to be granted all permissions. In the vast majority of cases it only needs ALTER, CREATE, CREATE TEMPORARY TABLES, DELETE, DROP, INDEX, INSERT, LOCK TABLES, SELECT, UPDATE.

    So if you’re doing it directly in mysql, it would be:

    If doing it in cPanel or whatnot, just tick the appropriate boxes when granting permissions to the db_user.
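As an added example (not user4574's missing SQL, nor WordPress's own code), the following PHP script parses the output of SHOW GRANTS and reports any privilege beyond the minimal list given in the comment above. The `wpb_` function names and the sample grant lines are constructed for the illustration:

```php
<?php
/**
 * Added example: audit a MySQL account's grants against the minimal set of
 * privileges a WordPress database user needs (per user4574's comment).
 * The parsing runs offline; feed it real lines from
 *   SHOW GRANTS FOR CURRENT_USER();
 * by replacing $sample below.
 */

// The minimal privilege set listed in the comment above.
const WPB_NEEDED_PRIVS = [
    'ALTER', 'CREATE', 'CREATE TEMPORARY TABLES', 'DELETE', 'DROP',
    'INDEX', 'INSERT', 'LOCK TABLES', 'SELECT', 'UPDATE',
];

/**
 * Parse one SHOW GRANTS line, e.g.
 *   GRANT SELECT, INSERT ON `wp`.* TO 'wpuser'@'localhost'
 * into its privilege list, the object it applies to, the grantee,
 * and whether WITH GRANT OPTION is present. Returns null for other lines.
 */
function wpb_parse_grant( $line ) {
    if ( ! preg_match( '/^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s+(\S+)(.*)$/i', trim( $line ), $m ) ) {
        return null;
    }
    $privs = array_map( 'trim', explode( ',', $m[1] ) );
    // Column-level grants look like "SELECT (col1, col2)"; keep only the privilege name.
    $privs = array_map( function ( $p ) {
        return strtoupper( trim( preg_replace( '/\s*\(.*\)$/', '', $p ) ) );
    }, $privs );
    return [
        'privileges'   => $privs,
        'on'           => $m[2],
        'to'           => $m[3],
        'grant_option' => stripos( $m[4], 'WITH GRANT OPTION' ) !== false,
    ];
}

/** Privileges in one grant that are not in the minimal list (GRANT OPTION counts as excess). */
function wpb_excess_privileges( array $grant ) {
    $excess = array_values( array_diff( $grant['privileges'], WPB_NEEDED_PRIVS ) );
    if ( $grant['grant_option'] ) {
        $excess[] = 'GRANT OPTION';
    }
    return $excess;
}

/** Audit a full SHOW GRANTS result (one grant per line) and return human-readable findings. */
function wpb_audit_grants( array $lines ) {
    $findings = [];
    foreach ( $lines as $line ) {
        $grant = wpb_parse_grant( $line );
        if ( $grant === null ) {
            continue;
        }
        // MySQL prints "GRANT USAGE ON *.*" for every account; USAGE means "no privileges".
        if ( $grant['on'] === '*.*' && $grant['privileges'] !== [ 'USAGE' ] ) {
            $findings[] = "Global grant on *.* to {$grant['to']}; scope it to the WordPress database";
        }
        $excess = array_diff( wpb_excess_privileges( $grant ), [ 'USAGE' ] );
        if ( $excess ) {
            $findings[] = "Excess privileges for {$grant['to']} on {$grant['on']}: " . implode( ', ', $excess );
        }
    }
    return $findings;
}

// Constructed sample output, as a typical over-privileged installation would show it.
$sample = [
    "GRANT USAGE ON *.* TO 'wpuser'@'localhost'",
    "GRANT ALL PRIVILEGES ON `wp`.* TO 'wpuser'@'localhost' WITH GRANT OPTION",
];
foreach ( wpb_audit_grants( $sample ) as $finding ) {
    echo $finding, "\n";
}
```

For the constructed sample the script prints one finding, that 'wpuser'@'localhost' holds ALL PRIVILEGES and GRANT OPTION on `wp`.*; an account granted exactly the ten privileges in the list produces no output.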

  16. Tanmoy Das says:

    Awesome tips for any newbie! I always want to change the login URL but don't know how to do it. Thanks for those tips.

  17. Derick says:

    @Daniel: Hackers now have a tool that enumerates/lists all your usernames including the roles of these, so doing that would not trick the hacker at all.

  18. Thorir says:

    Just installed the Limit Login Attempts plugin on my WP sites. On one of them I almost instantly noticed a lockout; it was also the only install that was in the root. All the others are in a subdirectory and several hours later none of them have registered a lockout.

    Perhaps this is a helpful factor, security wise?

  19. Mary says:

    Hello, I hope you are well!
    This was a great article but a little complicated for me.

    Because I need the easy way right now, the WordPress Firewall plugin looked good, but

    my fear is losing my login page.
    I have spent a long time trying to work with FTP and have not been able to understand it.

    Will this be a good plugin for a scaredy cat?? Thanks, Mary

  20. Ed van Dun says:

    And what about Bullet Proof Security? It covers some areas mentioned above and quite a few more.

  21. Prodip says:

    All of the above tips helped me to make my blog more secure.

  22. Dr. Sean Mullen says:

    This is great info but Please update! Thanks

  23. Guest says:

    I know this article is from way back in ’09, but can you do an updated one, since a lot of these plugins are no longer “officially” compatible with the latest WordPress (3.4.x-3.5)?

    • Editorial Staff says:

      Yes, it is in the works along with few other things. We are doing the best we can. Thanks for letting us know.

  24. whoiscarrus says:

    Just really getting into WP development and can't say thank you enough! These are great for beginning folk like myself!

  25. abhizz says:

    amazing tips about wordpress thank you

  26. Bigdrobek says:

    Great tutorial, but please can you update it?

    A few plug-ins no longer exist, are old or are hidden by

    – Stealth Login

    – Login Lockdown

    – Admin SSL

    I am interested in step 1) Create Custom Login Links. Do you have a tip for a new plugin which does a similar job?

  27. Faizan Elahi ( BestBloggingTools) says:

    This is a great resource. Thanks :)

  28. mattjwalk says:

    You could also add to the list "use second-factor authentication" instead of standard passwords. There is a new website authentication method where you buy cheap access cards and then install the WordPress plugin. You then place your card onto the screen to see the dynamic login numbers instead of a static password. It is unique in also being able to encode transaction digits for mutual authentication, which stops attackers' man-in-the-middle tactics, even one with access to your laptop or mobile.

  29. Jermaine says:

    The issue I have with No. 6 is dynamic IP addresses: you get locked out every time your IP address changes. What's the workaround?

  30. vivek says:

    great post and nice guide for new bloggers like me

  31. fareed says:

    Great post and very useful to me thank you

  32. Daniel says:

    A hacker will think he is successful when he logs in with the admin username and finds that the role has been set to 'subscriber'. Isn't this another form of added security? I don't want to delete my admin because I put messages etc. in forums and the blog and like my users to know that it's from administration, as well as using my regular username!

  33. Jonathan K. Cohen says:

    This article needs to be revisited. A number of the plugins suggested have not been maintained, and may be incompatible with the latest version of WP.

    These include #1, #3, and #5.

    • John says:

      For #1 check this plugin called WPS Hide Login

    • Greg says:

      I completely agree with you. I’ve been using the Limit Login Attempts plugin for my WordPress for a while. Today this plugin is outdated. I’ve switched to WP Cerber:
