Are you looking for ways to protect your WordPress admin area?
Protecting the admin area from unauthorized access allows you to block many common security threats. This can be helpful if you are seeing lots of attacks on your WordPress website.
In this tutorial, we will show you some of the vital tips and hacks to protect your WordPress admin area.
We will cover many tips, and you can use the quick links below to jump between them:
- Use a Web Application Firewall
- Password Protect WordPress Admin Directory
- Always Use Strong Passwords
- Use Two Step Verification on WordPress Login Screen
- Limit Login Attempts
- Limit Login Access to IP Addresses
- Disable Login Hints
- Require Users to Use Strong Passwords
- Reset Password for All Users
- Keep WordPress Updated
- Create Custom Login and Registration Pages
- Learn About WordPress User Roles and Permissions
- Limit Dashboard Access
- Log out Idle Users
1. Use a Web Application Firewall
A web application firewall, or WAF, inspects the HTTP traffic coming to your website and blocks suspicious requests before they reach WordPress.
While there are several WordPress firewall plugins out there, such as Wordfence, we recommend using Sucuri. It is a website security and monitoring service that offers a cloud-based WAF to protect your website.
All your website’s traffic goes through the Sucuri cloud proxy first, where each request is analyzed and suspicious ones are blocked from ever reaching your server. Because the filtering happens before the request touches WordPress, it stops many hacking attempts, phishing, malware, and other malicious activity that a plugin running inside WordPress would only see after the request had already been handled.
For more details, see how Sucuri helped us block 450,000 attacks in 3 months.
2. Password Protect WordPress Admin Directory
Your WordPress admin area is already protected by your WordPress password. However, adding password protection to your WordPress admin directory adds another layer of security to your login page.
First, you need to log in to your WordPress web hosting cPanel dashboard and then click on the ‘Password Protect Directories’ or ‘Directory Privacy’ icon.
Next, you will need to select your wp-admin folder, which is normally located inside the /public_html/ directory.
On the next screen, you need to check the box next to the ‘Password protect this directory’ option and provide a name for the protected directory.
After that, click on the ‘Save’ button to set the permissions.
Next, you need to hit the back button and then create a user. You will be asked to provide a username/password and then click on the ‘Save’ button.
Now, when someone tries to visit the wp-admin directory on your website, they will be asked to enter the username and password before WordPress’s own login form is even shown. One caveat: wp-admin/admin-ajax.php is also used by many plugins and themes for features on the public side of the site, so if something on the front end stops working after you enable the protection, exempt that one file from the password prompt.
For more detailed instructions, see our guide on how to password-protect the WordPress admin (wp-admin) directory.
3. Always Use Strong Passwords
Always use strong passwords for all your online accounts, including your WordPress site. A strong password is long, uses a combination of letters, numbers, and special characters, and is not reused on any other site, since a password leaked from one service is routinely tried against others. This makes it much harder for hackers to guess your password.
We are often asked by beginners how to remember all those passwords. The simplest answer is that you don’t need to. There are some really great password manager apps that you can install on your computer and phone.
For more information on this topic, see our guide on the best way to manage passwords for WordPress beginners.
4. Use Two Step Verification on WordPress Login Screen
Two-step verification, also known as two-factor verification, two-factor authentication, or 2FA, adds a second layer on top of your password. Instead of accepting the password alone, the login screen also asks for a one-time verification code generated by an authenticator app such as Google Authenticator on your phone.
Even if someone is able to guess or steal your WordPress password, they will still need the current code from your phone to get in.
For detailed step-by-step instructions, see our guide on how to set up 2-step verification in WordPress using Google Authenticator.
5. Limit Login Attempts
By default, WordPress lets anyone try as many passwords as they want. This means someone can keep guessing your WordPress password by entering different combinations, and it lets hackers point automated scripts at your login page to try thousands of passwords in a row.
To fix this, you need to install and activate the Login LockDown plugin. Upon activation, go to the Settings » Login LockDown page to configure the plugin settings, such as how many failed attempts are allowed before an IP address is locked out and for how long.
For detailed instructions, see our guide on why you should limit login attempts in WordPress.
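To show what a login limiter actually does under the hood, here is an added example of the technique; it is not the Login LockDown plugin’s code and is not from the original article. It assumes you save it as a file in wp-content/mu-plugins/ (the must-use plugin folder, which WordPress loads automatically), and the limits (5 failures within 15 minutes, 30 minute lockout) are hypothetical values you would tune for your site.

```php
<?php
/**
 * Plugin Name: Simple Login Lockout (added example)
 * Lock out an IP address after too many failed logins. Added example for
 * this article, not the Login LockDown plugin's code.
 */
if ( ! defined( 'ABSPATH' ) ) { exit; }

// Hypothetical policy: 5 failures within 15 minutes = 30 minute lockout.
define( 'SLL_MAX_ATTEMPTS', 5 );
define( 'SLL_WINDOW', 15 * MINUTE_IN_SECONDS );
define( 'SLL_LOCKOUT', 30 * MINUTE_IN_SECONDS );

/**
 * Client address used as the lockout key. REMOTE_ADDR is set by the web
 * server and cannot be forged by the client. Behind a reverse proxy or CDN
 * it is the proxy's address, so configure the proxy to pass the real client
 * IP and read that here instead of trusting X-Forwarded-For blindly.
 */
function sll_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function sll_key( $prefix ) {
    return $prefix . md5( sll_client_ip() );
}

// Count each failed login against the client IP. Every write renews the
// window, so it is "15 minutes since the last failure", not a fixed window.
add_action( 'wp_login_failed', function ( $username ) {
    $attempts = (int) get_transient( sll_key( 'sll_fail_' ) ) + 1;
    set_transient( sll_key( 'sll_fail_' ), $attempts, SLL_WINDOW );

    if ( $attempts >= SLL_MAX_ATTEMPTS ) {
        // Further failures during the lockout renew it for another 30 minutes.
        set_transient( sll_key( 'sll_lock_' ), time() + SLL_LOCKOUT, SLL_LOCKOUT );
        error_log( sprintf(
            'Login lockout for %s after %d failures (last username tried: %s)',
            sll_client_ip(), $attempts, sanitize_user( $username )
        ) );
    }
} );

// Refuse logins while the IP is locked out. Priority 30 runs AFTER
// WordPress's own username/password check (priority 20): that check does
// not stop on an earlier WP_Error, so returning the error early would let a
// correct password overwrite it and bypass the lockout.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $locked_until = (int) get_transient( sll_key( 'sll_lock_' ) );
    if ( $locked_until > time() ) {
        $minutes = ceil( ( $locked_until - time() ) / MINUTE_IN_SECONDS );
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed login attempts. Try again in %d minutes.', $minutes )
        );
    }
    return $user;
}, 30, 3 );

// Clear the failure counter once the visitor logs in successfully.
add_action( 'wp_login', function () {
    delete_transient( sll_key( 'sll_fail_' ) );
} );
```

Because the check hooks the authenticate filter, it also covers XML-RPC logins, which use the same code path. Keying the lockout on the IP address means an attacker rotating through many addresses gets 5 guesses from each one, which is why this is a complement to strong passwords and 2FA, not a replacement; keying on the username instead would let an attacker deliberately lock out your real users.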
6. Limit Login Access to IP Addresses
Another great way to secure the WordPress login is by limiting access to specific IP addresses. This tip is particularly useful if only you or just a few trusted users need access to the admin area, and those users connect from fixed addresses.
Simply create a .htaccess file inside your wp-admin folder (not the one in your site’s root directory, which would lock visitors out of the whole site) and add this code to it:
# Apache 2.2 mod_access syntax; on Apache 2.4 without mod_access_compat use "Require ip" instead
order deny,allow
deny from all
# whitelist Syed's IP address
allow from xx.xx.xx.xxx
# whitelist David's IP address
allow from xx.xx.xx.xxx
Don’t forget to replace the xx values with your own IP address. If you use more than one IP address to access the internet, then make sure you add them as well. Also note that the wp-login.php file sits outside the wp-admin folder, so these rules alone do not stop password guessing on the login page; to cover it too, put the same rules inside a <Files wp-login.php> block in the .htaccess file in your site’s root directory.
For detailed instructions, see our guide on how to limit access to WordPress admin using .htaccess.
7. Disable Login Hints
On a failed login attempt, WordPress shows an error message that says whether it was the username or the password that was wrong. That tells an attacker which usernames actually exist on your site, so they can concentrate a brute force attack on real accounts. You can replace the message with a generic one by adding this code to your theme’s functions.php file or a code snippets plugin:
function no_wordpress_errors() {
    return 'Something is wrong!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );
For more details, see our guide on how to add custom code in WordPress without breaking your website.
8. Require Users to Use Strong Passwords
If you run a multi-author WordPress site, then those users can edit their own accounts and choose a weak password. Such passwords can be guessed and give someone access to the WordPress admin area.
To fix this, you can install and activate the iThemes Security plugin. Then, you can follow the steps in our complete guide on how to force strong passwords on users in WordPress.
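The plugin does this for you, but it helps to see where WordPress lets you reject a password. The following is an added example for this article, not the iThemes Security plugin’s code; it assumes a file in wp-content/mu-plugins/, and the policy (12 characters minimum, not the username, not in a tiny constructed list that stands in for a real breached-password list) is hypothetical.

```php
<?php
/**
 * Plugin Name: Minimum Password Policy (added example)
 * Reject weak passwords when a user sets one from their profile, from the
 * admin "Add New User" screen, or from a password-reset form.
 * Added example for this article, not the iThemes Security plugin's code.
 */
if ( ! defined( 'ABSPATH' ) ) { exit; }

// Hypothetical policy values. Length matters more than character mixing.
define( 'MPP_MIN_LENGTH', 12 );
// Constructed stand-in for a real list of leaked passwords.
define( 'MPP_COMMON', array( 'password1234', '123456789012', 'qwertyuiop12', 'letmein12345' ) );

/**
 * Return an error string for a weak password, or '' if it passes.
 */
function mpp_check_password( $password, $user_login = '' ) {
    if ( strlen( $password ) < MPP_MIN_LENGTH ) {
        return sprintf( 'Passwords must be at least %d characters long.', MPP_MIN_LENGTH );
    }
    if ( in_array( strtolower( $password ), MPP_COMMON, true ) ) {
        return 'That password is too common.';
    }
    if ( $user_login !== '' && false !== stripos( $password, $user_login ) ) {
        return 'The password must not contain your username.';
    }
    return '';
}

// Profile edit and admin user creation (both go through edit_user()):
// the new password is in $user->user_pass only when one was typed.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return; // password unchanged
    }
    $login = isset( $user->user_login ) ? $user->user_login : '';
    $msg   = mpp_check_password( $user->user_pass, $login );
    if ( $msg !== '' ) {
        $errors->add( 'weak_password', '<strong>Error:</strong> ' . esc_html( $msg ) );
    }
}, 10, 3 );

// Password reset form (wp-login.php?action=rp), which is also what the
// "set your password" link sent to new users opens. At this point $user is
// the WP_User being reset and the candidate password is in $_POST['pass1'].
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // form displayed, not submitted yet
    }
    $msg = mpp_check_password( wp_unslash( $_POST['pass1'] ), $user->user_login );
    if ( $msg !== '' ) {
        $errors->add( 'weak_password', '<strong>Error:</strong> ' . esc_html( $msg ) );
    }
}, 10, 2 );
```

Adding an error to the WP_Error object is enough: WordPress refuses to save the profile or complete the reset while the object has errors, and shows the message you added on the form.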
9. Reset Password for All Users
Are you concerned about password security on your multi-user WordPress site? You can easily ask all your users to reset their passwords.
First, you need to install and activate the Emergency Password Reset plugin. Upon activation, go to the Users » Emergency Password Reset page and click on the ‘Reset All Passwords’ button.
For detailed instructions, see our guide on how to reset passwords for all users in WordPress.
10. Keep WordPress Updated
WordPress often releases new versions of the software. Each new release of WordPress core contains important bug fixes, new features, and security fixes.
Using an older version of WordPress on your site leaves you open to vulnerabilities that are publicly known and that attackers actively scan for. To fix this, you need to make sure that you are using the latest version of WordPress.
For more on this topic, see our guide on why you should always use the latest version of WordPress.
Similarly, WordPress plugins are also often updated to introduce new features or fix security and other issues. Make sure your WordPress plugins are also up to date.
11. Create Custom Login and Registration Pages
If you allow user registration on your site, those users can use their accounts to log in to the WordPress admin area. On its own, this is not a big issue, as they will only be able to do the things allowed by their user role and capabilities.
However, it does stop you from properly locking down the default login and registration pages (for example with the IP restrictions described above), because regular users need those pages to sign up, manage their profiles, and log in.
The easy way to fix this is by creating custom login and registration pages so that users can sign up and log in directly from your website and never need wp-login.php or the admin area, which you can then restrict more tightly.
For detailed step-by-step instructions, see our guide on how to create custom login and registration pages in WordPress.
12. Learn About WordPress User Roles and Permissions
WordPress comes with a powerful user management system with different user roles and capabilities. When adding a new user to your WordPress site, you can select a user role for them. This user role defines what they can do on your WordPress site.
Assigning incorrect user roles can give people more capabilities than they need. To avoid this, you need to understand what capabilities come with different user roles in WordPress.
For more on this topic, see our beginner’s guide to WordPress user roles and permissions.
13. Limit WordPress Dashboard Access
Some WordPress sites have certain users who need access to the dashboard and some users who don’t. However, by default, they can all access the admin area.
To fix this, you need to install and activate the Remove Dashboard Access plugin. Upon activation, go to the Settings » Dashboard Access page and select which user roles will have access to the admin area on your site.
For more detailed instructions, see our guide on how to limit dashboard access in WordPress.
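As an added example of how such a restriction works (not the Remove Dashboard Access plugin’s code and not from the original article), the following must-use plugin sends users who lack a chosen capability away from wp-admin. It assumes a file in wp-content/mu-plugins/, and the choice of the edit_posts capability (Contributor and above keep the dashboard, Subscribers are redirected to the front end) is a hypothetical policy. It checks a capability rather than a role name, which is the distinction the user roles section above is about and which keeps custom roles working.

```php
<?php
/**
 * Plugin Name: Restrict Dashboard Access (added example)
 * Redirect users without a given capability away from wp-admin.
 * Added example for this article, not the Remove Dashboard Access plugin's code.
 */
if ( ! defined( 'ABSPATH' ) ) { exit; }

// Hypothetical policy: only users who can edit posts may use the dashboard.
define( 'RDA_REQUIRED_CAP', 'edit_posts' );

add_action( 'admin_init', function () {
    // admin-ajax.php and admin-post.php live under wp-admin but are used by
    // front-end features for every visitor, so they must stay reachable.
    if ( wp_doing_ajax() ) {
        return;
    }
    if ( isset( $GLOBALS['pagenow'] ) && 'admin-post.php' === $GLOBALS['pagenow'] ) {
        return;
    }
    if ( current_user_can( RDA_REQUIRED_CAP ) ) {
        return;
    }
    // Logged-in user without the capability: send them to the front end.
    wp_safe_redirect( home_url( '/' ) );
    exit;
} );

// Hide the admin bar for those users too, so the site does not advertise
// dashboard links they can no longer reach.
add_filter( 'show_admin_bar', function ( $show ) {
    return current_user_can( RDA_REQUIRED_CAP ) ? $show : false;
} );
```

This does not stop those users from logging in; it only keeps them out of the dashboard screens. If you use custom login and registration pages, replace home_url( '/' ) with the URL of the profile page those users should land on.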
14. Log Out Idle Users
By default, a WordPress login session stays valid for two days, or 14 days if ‘Remember Me’ was checked, and WordPress never logs a user out for being inactive; only an explicit logout or the cookie expiring ends the session. This can be a concern for WordPress sites with sensitive information, and it is why financial institution websites and apps automatically log users out if they haven’t been active.
To fix this, you can install and activate the Inactive Logout plugin. Upon activation, go to Settings » Inactive Logout page and enter the time after which you want users to be automatically logged out.
For more details, see our article on how to automatically log out idle users in WordPress.
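The following is an added example of the idle-logout technique, not the Inactive Logout plugin’s code and not from the original article. It assumes a file in wp-content/mu-plugins/ and a hypothetical limit of 20 minutes; it records the last request time per user and, on the next request after the limit has passed, destroys the session server-side before redirecting to the login page.

```php
<?php
/**
 * Plugin Name: Idle Logout (added example)
 * Log users out after a period of inactivity.
 * Added example for this article, not the Inactive Logout plugin's code.
 */
if ( ! defined( 'ABSPATH' ) ) { exit; }

// Hypothetical policy: 20 minutes without a request ends the session.
define( 'IL_IDLE_LIMIT', 20 * MINUTE_IN_SECONDS );
// Only write the timestamp to the database once a minute per user.
define( 'IL_WRITE_INTERVAL', MINUTE_IN_SECONDS );

function il_check_idle() {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $user_id = get_current_user_id();
    $last    = (int) get_user_meta( $user_id, 'il_last_activity', true );
    $now     = time();

    if ( $last && ( $now - $last ) > IL_IDLE_LIMIT ) {
        // Stale session: wp_logout() clears the auth cookies AND destroys the
        // session token on the server, so a copied cookie is useless too.
        wp_logout();
        delete_user_meta( $user_id, 'il_last_activity' );
        if ( wp_doing_ajax() ) {
            // Give scripts an HTTP 401 instead of a redirect to HTML.
            wp_send_json_error( array( 'message' => 'Session expired' ), 401 );
        }
        wp_safe_redirect( add_query_arg( 'idle', '1', wp_login_url() ) );
        exit;
    }

    // First request after login ($last == 0) or a minute since the last write.
    if ( ( $now - $last ) > IL_WRITE_INTERVAL ) {
        update_user_meta( $user_id, 'il_last_activity', $now );
    }
}
// admin_init covers wp-admin screens and admin-ajax.php; template_redirect
// covers the front end. Neither fires for wp-cron.php or REST requests,
// which should not be redirected to a login page.
add_action( 'admin_init', 'il_check_idle' );
add_action( 'template_redirect', 'il_check_idle' );

// Tell the user why they were logged out.
add_filter( 'login_message', function ( $message ) {
    if ( isset( $_GET['idle'] ) ) {
        $message .= '<p class="message">You were logged out after a period of inactivity.</p>';
    }
    return $message;
} );
```

The timestamp is stored per user, not per session, so if the same account is logged in from two browsers, activity in one keeps the other alive as well; tracking per session token is possible with the WP_Session_Tokens API but is more involved than this example needs.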
We hope this article helped you learn some new tips and hacks to protect your WordPress admin area. You may also want to see our ultimate step-by-step WordPress security guide for beginners and our expert picks of the best WordPress security plugins.