Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
WPB Cup
25 Million+
Websites using our plugins
16+
Years of WordPress experience
3000+
WordPress tutorials
by experts

14 Vital Tips to Protect Your WordPress Admin Area (Updated)

Editorial Note: We earn a commission from partner links on WPBeginner. Commissions do not affect our editors' opinions or evaluations. Learn more about Editorial Process.

Are you looking for ways to protect your WordPress admin area?

Protecting the admin area from unauthorized access allows you to block many common security threats. This can be helpful if you are seeing lots of attacks on your WordPress website.

In this tutorial, we will show you some of the vital tips and hacks to protect your WordPress admin area.

Tips and hacks to protect WordPress admin area

We will cover many tips, and you can use the quick links below to jump between them:

1. Use a Firewall

A firewall monitors website traffic and blocks suspicious requests from reaching your website.

While there are several WordPress firewall plugins out there, such as Wordfence, we recommend using Sucuri. It is a website security and monitoring service that offers a cloud-based firewall to protect your website.

Website Application Firewall

All your website’s traffic goes through the Sucuri cloud proxy first, which analyzes each request and blocks suspicious ones from ever reaching your website. This prevents your website from possible hacking attempts, phishing, malware, and other malicious activities.

Another great option is Cloudflare, which is what we now use on WPBeginner. For more details, see our article on why we switched from Sucuri to Cloudflare.

2. Password-Protect WordPress Admin Directory

Your WordPress admin area is already protected by your WordPress password. However, adding password protection to your WordPress admin directory adds another layer of security to your login page.

First, you need to log in to your WordPress web hosting cPanel dashboard and then click on the ‘Password Protect Directories’ or ‘Directory Privacy’ icon.

Directory privacy

Next, you will need to select your wp-admin folder, which is normally located inside the /public_html/ directory.

On the next screen, you need to check the box next to the ‘Password protect this directory’ option and provide a name for the protected directory.

After that, click on the ‘Save’ button to set the permissions.

Password protect directory settings

Next, you need to hit the back button and then create a user. You will be asked to provide a username/password and then click on the ‘Save’ button.

Now, when someone tries to visit the WordPress admin or wp-admin directory on your website, they will be asked to enter the username and password.

Enter password

For more detailed instructions, see our guide on how to password-protect the WordPress admin (wp-admin) directory.

3. Always Use Strong Passwords

Always use strong passwords

Always use strong passwords for all your online accounts, including your WordPress site. We recommend using a combination of letters, numbers, and special characters in your passwords. This makes it harder for hackers to guess your password.

We are often asked by beginners how to remember all those passwords. The simplest answer is that you don’t need to. There are some really great password manager apps that you can install on your computer and phone.

For more information on this topic, see our guide on the best way to manage passwords for WordPress beginners.

4. Use Two-Step Verification on WordPress Login Screen

WordPress login screen with Google Authenticator enabled

Two-step verification, also known as two-factor verification, two-factor authentication, or 2FA, adds another security layer to your passwords. Instead of using the password alone, it asks you to enter a verification code generated by the Google Authenticator app on your phone.

Even if someone is able to guess your WordPress password, they will still need the Google Authenticator code to get in.

For detailed step-by-step instructions, see our guide on how to set up 2-step verification in WordPress using Google Authenticator.

5. Limit Login Attempts

Limit login attempts

By default, WordPress allows users to enter passwords as many times as they want. This means someone can keep trying to guess your WordPress password by entering different combinations. It also allows hackers to use automated scripts to crack passwords.

To fix this, you need to install and activate the Login Lockdown plugin. Upon activation, go to visit Settings » Login Lockdown page to configure the plugin settings.

For detailed instructions, see our guide on why you should limit login attempts in WordPress.

6. Limit Login Access to IP Addresses

Another great way to secure WordPress login is by limiting access to specific IP addresses. This tip is particularly useful if you or just a few trusted users need access to the admin area.

Simply add this code to your .htaccess file:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
# whitelist Syed's IP address
allow from xx.xx.xx.xxx
# whitelist David's IP address
allow from xx.xx.xx.xxx
</LIMIT>

Don’t forget to replace xx values with your own IP address. If you use more than one IP address to access the internet, then make sure you add them as well.

For detailed instructions, see our guide on how to limit access to WordPress admin using .htaccess.

7. Disable Login Hints

Disabled login hints

On a failed login attempt, WordPress shows errors that tell users whether their username was incorrect or the password. These login hints can be used by someone for malicious attempts like brute force attacks.

You can easily hide these login hints by adding the following code to your theme’s functions.php file or by using a code snippets plugin like WPCode (recommended):

function no_wordpress_errors(){
return 'Something is wrong!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );

For more details, see our guide on how to add custom code in WordPress without breaking your website.

8. Require Users to Use Strong Passwords

If you run a multi-author WordPress site, then those users can edit their user accounts and use a weak password. These passwords can be cracked and give someone access to the WordPress admin area.

To fix this, you can install and activate the SolidWP plugin. Then, you can follow the steps in our complete guide on how to force strong passwords on users in WordPress.

9. Reset Password for All Users

Are you concerned about password security on your multi-user WordPress site? You can easily ask all your users to reset their passwords.

First, you need to install and activate the Emergency Password Reset plugin. Upon activation, go to the Users » Emergency Password Reset page and click on the ‘Reset All Passwords’ button.

Reset all passwords

For detailed instructions, see our guide on how to reset passwords for all users in WordPress

10. Keep WordPress Updated

WordPress often releases new software versions. Each new release of WordPress core contains important bug fixes, new features, and security fixes.

Using an older version of WordPress on your site leaves you open to known exploits and potential vulnerabilities. To fix this, you need to make sure that you are using the latest version of WordPress.

For more on this topic, see our guide on why you should always use the latest version of WordPress.

Similarly, WordPress plugins are also often updated to introduce new features or fix security and other issues. Make sure your WordPress plugins are also up to date.

Note: Would you prefer to leave your WordPress maintenance to the professionals? Our WPBeginner Maintenance Services can take care of everything from updates to malware removal so that you can just focus on running your website.

11. Create Custom Login and Registration Pages

Many WordPress sites require users to register. For example, membership sites, learning management sites, and online stores need users to create an account.

However, these users can use their accounts to log in to the WordPress admin area. This is not a big issue, as they will only be able to do things allowed by their user role and capabilities.

However, it stops you from properly limiting access to login and registration pages, as you need those pages for users to sign up, manage their profiles, and log in.

The easy way to fix this is by creating custom login and registration pages so that users can sign up and log in directly from your website.

For detailed step-by-step instructions, see our guide on how to create custom login and registration pages in WordPress.

12. Learn About WordPress User Roles and Permissions

WordPress comes with a powerful user management system with different user roles and capabilities. When adding a new user to your WordPress site, you can select a user role for them. This user role defines what they can do on your WordPress site.

Assigning incorrect user roles can give people more capabilities than they need. To avoid this, you need to understand what capabilities come with different user roles in WordPress.

For more on this topic, see our beginner’s guide to WordPress user roles and permissions.

13. Limit WordPress Dashboard Access

Some WordPress sites have certain users who need access to the dashboard and some users who don’t. However, by default, they can all access the admin area.

To fix this, you need to install and activate the Remove Dashboard Access plugin. Upon activation, go to the Settings » Dashboard Access page and select which user roles will have access to the admin area on your site.

For more detailed instructions, see our guide on how to limit dashboard access in WordPress.

14. Log Out Idle Users

Idle user logout

WordPress does not automatically log out users until they explicitly log out or close their browser window. This can be a concern for WordPress sites with sensitive information. That’s why financial institution websites and apps automatically log out users if they haven’t been active.

To fix this, you can install and activate the Inactive Logout plugin. Upon activation, go to Settings » Inactive Logout page and enter the time after which you want users to be automatically logged out.

For more details, see our article on how to automatically log out idle users in WordPress.

We hope this article helped you learn some new tips and hacks to protect your WordPress admin area. You may also want to see our ultimate step-by-step WordPress security guide for beginners and our expert picks of the best WordPress security plugins.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

137 CommentsLeave a Reply

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

  2. Jiří Vaněk says

    I have used many of your tips and, additionally, I also changed the URL of the administration to prevent potential brute force attacks. Regarding strong passwords, I would also recommend not using the default “admin” user because it is the first user a hacker will try to attack with brute force. Personally, when I install WordPress, I never use the “admin” user but always choose a custom name. It’s a small detail, but it can also contribute to security.

  3. Mrteesurez says

    I don’t think there will be a way hackers would be able to enter if one is able to implement all these tips and tricks.
    I have used some, limiting logging attempt and dashboard access and they worked fine, I will still try to implement others for maximum security.

    • Jiří Vaněk says

      WordPress is a complex system, and securing the administration alone is not enough. There is always a way a hacker can attack you. They might target FTP to obtain sensitive database information, attempt to exploit a poorly protected MySQL, or try to take advantage of a newly discovered vulnerability in a plugin, theme, or WordPress itself before you manage to update it. Therefore, it is always good to think comprehensively and not forget about other elements of the system such as MySQL, FTP, and WordPress components.

  4. Moinuddin Waheed says

    Must have tips and tricks for protection of WordPress admin dashboard.
    I have used two factor authentication for admin login and also the login limits for admin access.
    dashboard protection is of utmost importance as it can have serious repurcussions if dashboard gets compromised.
    I didn’t know that we can have these much steps to protect our dashboard.
    Thanks for the exhaustive lists of tips for dashboard protection.

  5. Theo says

    “This plugin has been closed as of November 23, 2020 and is not available for download. This closure is permanent.”

    I know that this is a 3 and a half years old article!

    It would be nice if someone could suggest an alternative! Thank you for your time!

  6. Raksa Sav says

    If I add someone as an administrator of WordPress, can they remove from administrator or stole my WordPress site?

  7. Muchsin says

    I want to ask
    I have tried the tutorial directory privacy on this article and it runs smoothly but there is one problem that is when I try the search feature located in the navigation menu on my website as a user and always asked to fill in the username and password of that directory. Then how do I solve the problem?
    I use the newspaper theme from tagdiv.

  8. Brenda Donovan says

    Good hints and tips here. Does is matter where in the functions.php file one puts the block hints script? Just add it to the bottom?

  9. Joe says

    Another really helpful means of protecting your WP site is to use a login that is NOT ADMIN and not your email address. Use a unique login name like WP@#% or something crazy like that.

  10. Abhinav S Thakur says

    Can anyone fix this?
    How shall I force SSL only for admin and rest of the site should be http.
    Like wp beginner has non SSL site!
    Running wordpress, cPanel

  11. Pinkey says

    Hi,

    I just started a content based website and unfortunately my site got hacked. Please advice us with suitable solutions (software/certificates etc) to avoid any future hacks being done.

    Thanks & best Regards,

    Pinkey

  12. Lucy Barret says

    The tips that you added are so helpful. But for securing WordPress, you need to give more emphasis to the security of your login area. You need to pay more attention on strengthening your admin login area.

  13. John says

    Any idea why deleting wp-login.php does not prevent brute force attacks? I thought it was a quick fix for a site that only requires my login, therefore only replace the file when needed?

    Help please!

  14. Craig says

    Great advice apart from the removal of admin messages, if you’re lessening the user experience because of security then you’re not doing it right.

  15. Lori says

    I’ve also been told to “remove links to the admin page from the site so that the hacking robots can’t just follow a link.” I’m not sure what this means, or how I would do it… Anyone know what this means and could point me to step-by-step directions to do so?

    (I don’t see links to an admin page anywhere on my website, nor do I remember there ever being any. The only way I access the admin page is by going to the /wp-admin address.)

  16. Emily Johns says

    Great information!

    For non expert bloggers and coders, I suggest installing a WordPress plugin, to make things easier.
    From the ones you mentioned, I found “Wordfence Security” plugin a free solution to secure blogs and make them faster.
    Tested and happy with it!

  17. Barry Richardson says

    I was under the impression that the original username (e.g. “admin”) of a WP site cannot be deleted, so even if we did add a new username, the original “admin” would still be available for a potential hacker to exploit.

  18. Sandeep Jinagal says

    Hyy WPBeginner first of All u are Doing Best OF Best???
    And m want to Know m Want to Set my login Page Like urs. bcoz when m trying to open ur login page. it shows a popup for login. can u give me that tool.

  19. ifaheem says

    great article but needs to be updated. There are a few great plugins which do all of the above task by one plugin install!

    My site was under heavy attacks, fake google bot were always there. I noticed up to 300 Hits from a single IP. the most visited area was wp-admin :(

    After performing above steps (update them by some research), feeling secure a little.

    Don’t Install a plugin without reading Min. of 5 reviews. They tell you the truth (Go for a bad review and see what he/she says; they have suffered something bad!

  20. Prince Jain says

    Thank you for such a great post. :)

    But please update that Stealth Login Plugin do not create customize URL for Login Window, instead it add up an authorization code below username and password at login window of WordPress.
    Also can you please suggest a plugin to create custom URL for login window.

  21. Mitchell Miller says

    Stealth Login was removed from WP Plugin repository.

    But changing wp-login.php link is the first step to protecting a WordPress site.

  22. laya rappaport says

    What happens when you give your login details to someone to work on your website and they change the login details so you can no longer access your word press account?

    • James Campbell says

      I’m not sure if there’s a way for you to retrieve your sites information necessarily, but if you’re able to, always create a new user and give other people access through that particular user. This allows you to restrict access to certain areas and you can also delete their access when it’s no longer needed. Giving up your access to your site let’s them block you out.

  23. user4574 says

    One other helpful item not mentioned is database permissions. The WordPress db user generally doesn’t need to be granted all permissions. In the vast majority of cases it only needs ALTER, CREATE, CREATE TEMPORARY TABLES, DELETE, DROP, INDEX, INSERT, LOCK TABLES, SELECT, UPDATE.

    So if you’re doing it directly in mysql, it would be:
    GRANT ALTER, CREATE, CREATE TEMPORARY TABLES, DELETE, DROP, INDEX, INSERT, LOCK TABLES, SELECT, UPDATE ON .* TO ”@’localhost’;

    If doing it in cPanel or whatnot, just tick the appropriate boxes when granting permissions to the db_user.

  24. Tanmoy Das says

    Awesome tips for any newbie ! I want to always change the login URL but dont know how to do it. Thanks for those tips.

  25. Derick says

    @Daniel: Hackers now have a tool that enumerates/lists all your usernames including the roles of these, so doing that would not trick the hacker at all.

  26. Thorir says

    Just installed the Limit Login Attempts plugin on my WP sites. On one of it I almost instantly noticed a lock out, it was also the only install that was in root. All the others are in a subdirectory and several hours later none of them have registered a lock out.

    Perhaps this is a helpful factor, security wise?

  27. Mary says

    Hello, I hope you are well!
    This was a great article but a little complicated for me.

    because I need the easy way right now, the wordpress firewall plugin looked good but

    my fear is losing my login page.
    I have spent a long time trying to work with FTP and have not been able to understand it.

    Will this be a good plugin for a scaredy cat?? Thanks Mary

  28. Ed van Dun says

    And what about Bullet Proof Security? It covers some area’s mentioned above and quite a few more.

  29. Guest says

    I know this article is from way back in ’09, but can you do an updated one, since a lot of these plugins are no longer “officially” compatible with the latest WordPress (3.4.x-3.5)?

  30. Bigdrobek says

    Great turitorial, but please can you update it?

    Few plug-ins is not exist, are old or are hidden by WordPress.org.

    – Stealth Login

    – Login Lockdown

    – Admin SSL

    I am interested in step 1)Create Custom Login Links – do you have tip for new plugin which do similar job?

  31. mattjwalk says

    You could also add to the list, “use second factor authentication” instead of standard passwords. There is a new website authentication method https://www.shieldpass.com where you buy cheap access cards and then install the WordPress plugin. You then place your card onto the screen to see the dynamic login numbers instead of a static password. It is unique in also being able to encode transaction digits for mutual authentication which stops attackers man in the middle tactics, even one with access into your laptop or mobile.

  32. Jermaine says

    The issue I have with No: 6 is dynamic ip address, you get locked out every time your ip address changes what the workaround?

  33. Daniel says

    Hacker will think he is successful when he logs in with admin username and finds that the role has been set to ‘subscriber’. Isn’t this another form of added security. I don’t want to delete my admin because i put messages etc in forums and the blog and like my users to know that it’s from administration. as well as i use my regular username!

  34. Jonathan K. Cohen says

    This article needs to be revisited. A number of the plugins suggested have not been maintained, and may be incompatible with the latest version of WP.

    These include #1, #3, and #5.

    • Greg says

      I completely agree with you. I’ve been using the Limit Login Attempts plugin for my WordPress for a while. Today this plugin is outdated. I’ve switched to WP Cerber:

Leave a Reply to Derick Cancel reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.