Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
25 Million+
Websites using our plugins
Years of WordPress experience
WordPress tutorials
by experts

14 Vital Tips to Protect Your WordPress Admin Area (Updated)

Editorial Note: We earn a commission from partner links on WPBeginner. Commissions do not affect our editors' opinions or evaluations. Learn more about Editorial Process.

Are you looking for ways to protect your WordPress admin area?

Protecting the admin area from unauthorized access allows you to block many common security threats. This can be helpful if you are seeing lots of attacks on your WordPress website.

In this tutorial, we will show you some of the vital tips and hacks to protect your WordPress admin area.

Tips and hacks to protect WordPress admin area

We will cover many tips, and you can use the quick links below to jump between them:

1. Use a Firewall

A firewall monitors website traffic and blocks suspicious requests from reaching your website.

While there are several WordPress firewall plugins out there, such as Wordfence, we recommend using Sucuri. It is a website security and monitoring service that offers a cloud-based firewall to protect your website.

Website Application Firewall

All your website’s traffic goes through the Sucuri cloud proxy first, which analyzes each request and blocks suspicious ones from ever reaching your website. This prevents your website from possible hacking attempts, phishing, malware, and other malicious activities.

Another great option is Cloudflare, which is what we now use on WPBeginner. For more details, see our article on why we switched from Sucuri to Cloudflare.

2. Password-Protect WordPress Admin Directory

Your WordPress admin area is already protected by your WordPress password. However, adding password protection to your WordPress admin directory adds another layer of security to your login page.

First, you need to log in to your WordPress web hosting cPanel dashboard and then click on the ‘Password Protect Directories’ or ‘Directory Privacy’ icon.

Directory privacy

Next, you will need to select your wp-admin folder, which is normally located inside the /public_html/ directory.

On the next screen, you need to check the box next to the ‘Password protect this directory’ option and provide a name for the protected directory.

After that, click on the ‘Save’ button to set the permissions.

Password protect directory settings

Next, you need to hit the back button and then create a user. You will be asked to provide a username/password and then click on the ‘Save’ button.

Now, when someone tries to visit the WordPress admin or wp-admin directory on your website, they will be asked to enter the username and password.

Enter password

For more detailed instructions, see our guide on how to password-protect the WordPress admin (wp-admin) directory.

3. Always Use Strong Passwords

Always use strong passwords

Always use strong passwords for all your online accounts, including your WordPress site. We recommend using a combination of letters, numbers, and special characters in your passwords. This makes it harder for hackers to guess your password.

We are often asked by beginners how to remember all those passwords. The simplest answer is that you don’t need to. There are some really great password manager apps that you can install on your computer and phone.

For more information on this topic, see our guide on the best way to manage passwords for WordPress beginners.

4. Use Two-Step Verification on WordPress Login Screen

WordPress login screen with Google Authenticator enabled

Two-step verification, also known as two-factor verification, two-factor authentication, or 2FA, adds another security layer to your passwords. Instead of using the password alone, it asks you to enter a verification code generated by the Google Authenticator app on your phone.

Even if someone is able to guess your WordPress password, they will still need the Google Authenticator code to get in.

For detailed step-by-step instructions, see our guide on how to set up 2-step verification in WordPress using Google Authenticator.

5. Limit Login Attempts

Limit login attempts

By default, WordPress allows users to enter passwords as many times as they want. This means someone can keep trying to guess your WordPress password by entering different combinations. It also allows hackers to use automated scripts to crack passwords.

To fix this, you need to install and activate the Limit Login Attempts Reloaded plugin. Upon activation, go to visit Settings » Login Lockdown page to configure the plugin settings.

For detailed instructions, see our guide on why you should limit login attempts in WordPress. To learn more about the plugin, you can also check out our detailed Limit Login Attempts review.

6. Limit Login Access to IP Addresses

Another great way to secure WordPress login is by limiting access to specific IP addresses. This tip is particularly useful if you or just a few trusted users need access to the admin area.

Simply add this code to your .htaccess file:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist Syed's IP address
allow from
# whitelist David's IP address
allow from

Don’t forget to replace xx values with your own IP address. If you use more than one IP address to access the internet, then make sure you add them as well.

For detailed instructions, see our guide on how to limit access to WordPress admin using .htaccess.

7. Disable Login Hints

Disabled login hints

On a failed login attempt, WordPress shows errors that tell users whether their username was incorrect or the password. These login hints can be used by someone for malicious attempts like brute force attacks.

You can easily hide these login hints by adding the following code to your theme’s functions.php file or by using a code snippets plugin like WPCode (recommended):

function no_wordpress_errors(){
return 'Something is wrong!';
add_filter( 'login_errors', 'no_wordpress_errors' );

For more details, see our guide on how to add custom code in WordPress without breaking your website.

8. Require Users to Use Strong Passwords

If you run a multi-author WordPress site, then those users can edit their user accounts and use a weak password. These passwords can be cracked and give someone access to the WordPress admin area.

To fix this, you can install and activate the SolidWP plugin. Then, you can follow the steps in our complete guide on how to force strong passwords on users in WordPress.

9. Reset Password for All Users

Are you concerned about password security on your multi-user WordPress site? You can easily ask all your users to reset their passwords.

First, you need to install and activate the Emergency Password Reset plugin. Upon activation, go to the Users » Emergency Password Reset page and click on the ‘Reset All Passwords’ button.

Reset all passwords

For detailed instructions, see our guide on how to reset passwords for all users in WordPress

10. Keep WordPress Updated

WordPress often releases new software versions. Each new release of WordPress core contains important bug fixes, new features, and security fixes.

Using an older version of WordPress on your site leaves you open to known exploits and potential vulnerabilities. To fix this, you need to make sure that you are using the latest version of WordPress.

For more on this topic, see our guide on why you should always use the latest version of WordPress.

Similarly, WordPress plugins are also often updated to introduce new features or fix security and other issues. Make sure your WordPress plugins are also up to date.

Note: Would you prefer to leave your WordPress maintenance to the professionals? Our WPBeginner Maintenance Services can take care of everything from updates to malware removal so that you can just focus on running your website.

11. Create Custom Login and Registration Pages

Many WordPress sites require users to register. For example, membership sites, learning management sites, and online stores need users to create an account.

However, these users can use their accounts to log in to the WordPress admin area. This is not a big issue, as they will only be able to do things allowed by their user role and capabilities.

However, it stops you from properly limiting access to login and registration pages, as you need those pages for users to sign up, manage their profiles, and log in.

The easy way to fix this is by creating custom login and registration pages so that users can sign up and log in directly from your website.

For detailed step-by-step instructions, see our guide on how to create custom login and registration pages in WordPress.

12. Learn About WordPress User Roles and Permissions

WordPress comes with a powerful user management system with different user roles and capabilities. When adding a new user to your WordPress site, you can select a user role for them. This user role defines what they can do on your WordPress site.

Assigning incorrect user roles can give people more capabilities than they need. To avoid this, you need to understand what capabilities come with different user roles in WordPress.

For more on this topic, see our beginner’s guide to WordPress user roles and permissions.

13. Limit WordPress Dashboard Access

Some WordPress sites have certain users who need access to the dashboard and some users who don’t. However, by default, they can all access the admin area.

To fix this, you need to install and activate the Remove Dashboard Access plugin. Upon activation, go to the Settings » Dashboard Access page and select which user roles will have access to the admin area on your site.

For more detailed instructions, see our guide on how to limit dashboard access in WordPress.

14. Log Out Idle Users

Idle user logout

WordPress does not automatically log out users until they explicitly log out or close their browser window. This can be a concern for WordPress sites with sensitive information. That’s why financial institution websites and apps automatically log out users if they haven’t been active.

To fix this, you can install and activate the Inactive Logout plugin. Upon activation, go to Settings » Inactive Logout page and enter the time after which you want users to be automatically logged out.

For more details, see our article on how to automatically log out idle users in WordPress.

We hope this article helped you learn some new tips and hacks to protect your WordPress admin area. You may also want to see our ultimate step-by-step WordPress security guide for beginners and our expert picks of the best WordPress security plugins.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

137 CommentsLeave a Reply

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

  2. anthony says

    This is great information which I will be implementing ASAP!I have already experienced having my blog hacked so have been worried about these issues.Many thanks!!

  3. Jessica says

    I’m currently learning wp development. I want to make a ecommerce site with wordpress using the WP e-Commerce plugin. Does anyone know if these tips will keep my ecommerce site secure.

  4. Ursula Comeau says

    Wow – this is an AWESOME post! Thank you so much for sharing all this information – and some great plugins as well!

    In a world where security has become top priority, these are very important things to be aware of with a WordPress installation. Really appreciate your transparency and willingness to share this information! I’ll be tweeting this one. ;)

  5. Lilia says

    The problem with plugins is that they’re not always compatible with every version, and they aren’t always updated.

    • Editorial Staff says

      Most plugins are compatible with newer versions, and if the developer decides to leave development of the plugin, others often pick up and create a plugin with fixes for the future releases. You just have to stay active in the community.


  6. Dagmar says

    There are also some paid plugins – i.e. “WP Secure” which also claims it is going to make your WP secure from hackers. It also works on the summary of couple of the principles above – i.e. custom made login page, one IP confirmation etc.

    Is it worthy to purchase? = anybody knows if it is easier to use for non-techie than some of the above mentioned?

  7. Kjetil says

    Thanks a lot for your tips.
    Regarding tip 8, I wonder how to insert the code
    `add_filter(’login_errors’,create_function(’$a’, “return null;”));`
    What is the complete function to use?
    I’d like to try since I already use AskApache Password Protect and that plugin is incompatible with Secure WordPress.

    • Editorial Staff says

      You go to functions.php and insert that code. Thats all if we understand your question clearly. If this has not answered it, then please reply to the comment and we will surely take a look at it.


  8. Robinoz says

    Thanks for this invaluable information. I’ve just suffered a malware attack that put my blog off line for a day or two while I had my WordPress programmer sort it out. Ver inconvenient.

    I’ll be implementing some of the suggestions you’ve made in the next day or so.

    Robinoz (All About Jobs blog”

  9. secure server says

    good tips for securing wordpress. as time goes we are going to see hosts either become more stringent and secure or cms packages need to implement on install a few more security initiatives.

  10. John Macpherson says

    It took me a few minutes to work this one out but you have the wrong kind of quotes around this function

    add_filter(’login_errors’,create_function(’$a’, “return null;”));

    It should be:

    add_filter(‘login_errors’,create_function(‘$a’, “return null;”));

    Other than that, great post.

  11. jakesjohn says

    What you can from Wp-PreventCopyBlogs WordPress Plugin

    1.Track the visitors who try to copy your content.

    2.Record the ip of the user who tries to do fraudulent copy with their landing url of your site and referral url.This can help you to do necessary measures if you notice something bad.

    3.Enable Message displayed to your user upon user’s choice.

    4.Disable Selection of you text and Right Click for users depending on the option.

  12. Srecko Bradic says

    I must congratulate with this excellent article!!! To be honest I know for some tips but some very important info was unknown for me until now!

    Keep on good work :razz:

  13. Henry says

    Regarding #6, if you use the following .htaccess file you will be able to login from other locations in a two-step process. This requires you to add a htpasswd file (read your server documentation).

    AuthUserFile ‘some htpasswd file’
    AuthGroupFile /dev/null
    AuthName “WordPress Admin Access Control”
    AuthType Basic

    order deny,allow
    deny from all
    Require valid-user
    # whitelist Syed’s IP address
    allow from
    # whitelist David’s IP address
    allow from
    # whitelist Amanda’s IP address
    allow from
    # whitelist Muhammad’s IP address
    allow from
    # whitelist Work IP address
    allow from
    Satisfy Any

    The “require valid user” and “satisfy any” lines will force the Apache Server to request a Username and Password before you can access the WordPress Login screen. Please DO NOT use the same Username and Password in the htpasswd file that you use for your WordPress access, or you will defeat the purpose of the extra level of security.

  14. Constantine says

    Hi, I have been blogging for 3 years. My blog got hacked in June 2009 and google banned for 30 days, my pageviews immediately slide from 800 a day to less than 100 a day.
    I highly recommend installing wordpress firewall plugin. The plugin will send your an email every time someone tries to hack your blog together with the hackers IP address. The plugin detects and blocks strange requests, redirecting the attack to the homepage.
    On monday i got an email of six attempted hack attempts over the weekend. The hacker tried the admin page three times when that failed he tried searching wordspew plugin which i dont use.

    To all newbies good luck

    • Renee Fischer says

      Once a hack is successful the bot or human hacker will keep your data and keep retrying your website files looking for a way back in. they will continue to be relentless. if they have happened to hack your email or computer or server they will keep going until they have hacked everything you touch. they are like cockroaches that found crumbs that led to your house.

    • Editorial Staff says

      You give them the special URL that you created if you trust them enough. For the most part, guest authors should not even be allowed in the admin panel unless they are authors of your site. If someone has written multiple posts for your site then they can be trustable so you can give them the special url /login or /googlogin or whatever you created.

      Most top blogs take guest posts via email and if those guest authors become regular authors, only then they are allowed in the admin panel.


  15. Tim says

    Great tips.

    For the involved readers there is an inaccuracy in #6.

    “The downside to this hack is that if you ever want to access the admin panel from some other place, you won’t be able to do so unless you add that extra IP in your .htaccess file.”

    If the ip-address you allow is a box you can can SSH into, you can SSH tunnel through it (I use foxyproxy, because it makes the switch very easy). Also, if you are using nginx instead of apache you can evaluate the URI w/ regular expressions to block everything from wp-app.php to wp-trackback.php (or selectively choose which ones you do not want to block). I cover this @ but it is not for the unexperienced.

    I have a large collection of tin-foil hats.

  16. Jo says

    This site is a happy new find for me (FYI,thanks to @Problogger on Twitter), and I’m looking forward to further exploration. This article is the kind of tight, clear writing that is too rare these days. Thanks for some genuinely helpful information.

    • Editorial Staff says

      We are glad that you like our site, and we are also very glad that Darren found the article useful enough to tweet it. We hope you follow us on twitter so you can stay up to date with all the nice tutorials.


  17. Marc says

    Wow – I’m fairly new to WP and had no idea there were so many gateways for hackers. I’m sure they won’t find their way in after adding a few of these.


  18. Roger Duck says

    WordPress security is a growing issue and these steps are critical for securing a WordPress site. Beefing up security helps the entire community as well as your own site to take time to implement these ideas. Well done.

  19. James Morrison says

    A good list of vital tips to secure your site. I particularly like #8 I’ve never done this before but will from now on!

    Regarding #7 – Remove ‘admin’ username:

    I don’t remove the admin username, I create a new admin account then change the ‘admin’ users account type to subscriber.

    That way, even if someone does crack the password it’s a useless account. If you remove it, someone can register that username…

  20. Cheap Sites says

    Thank you for all the suggestions, I’m working on a few big projects and this will certainly help once the blogs are up and running.

    First time here and I’m loving the blog, good job!


    • Editorial Staff says

      Yes you can do that, but in this article we were only talking about WordPress Admin Panel not the entire site in general. There are many other ways to protect your site entire WordPress blog.


  21. Rafi says

    Hey this is a wonderful collection of tips and hacks, very useful. I recommend every WP blogger to go through the list and follow the steps as well as any other useful resources available elsewhere. After all we have NOT set up our blogs so someone shall take control of our lives. Damn.

    Thanks for sharing, WPBeginner.

Leave a Reply to Ed van Dun Cancel reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.