With WordPress, it is very easy to create a blog or a website. Yet there are more and more cases of people suffering because they did not pay attention to the security of their WordPress website or blog. Glance at any freelancing website and you will find loads of requests from people whose websites and blogs have been hacked and who are asking for help.
1. Change Default Admin Username and Pick a Strong Password
2. Create Custom Login Links
3. Limit Login Attempts
4. Force SSL on Login Pages and Admin Area
5. Password Protect WP-Admin Directory
6. Put in place a CAPTCHA in the login page
7. Remove Error Message on the Login Page
8. Allow Only Specific IPs to Log In.
9. Add Extra Layer by Two-Factor Authentication
10. Use Encrypted Password to Login
11. One Time Password
12. Update WordPress to the Latest Version
These incidents show that when you do not pay attention to your WordPress website's security, there is a real chance it will be attacked by hackers. To avoid this, you need to keep your WordPress admin area and its login page protected. In this article, I am going to walk you through the ways and steps to protect the most sensitive area of your WordPress site, the "WordPress admin area". Let's get started.
1. Change Default Admin Username and Pick a Strong Password
When you install WordPress, never leave the default administrator account named admin. That username is the first thing a brute-force attack (or any other attack) will try. Even changing the admin username to something like iamadmin makes a huge difference and can save you a lot of trouble (but do not actually use this name; it is only an example of how changing the admin username helps).
In terms of passwords, always follow the WordPress guide: as you type a password, the strength meter below the entry box shows how strong it is. Always make your password strong by that measure.
Even if your website offers a hacker no financial gain, that does not stop them from trying to gain access to it. Let me present a simple scenario that is quite common on WordPress websites. Have a look at the figure below:
As you can see, this is the number of hacking attempts on one WordPress website in a single day. It is quite clear from the figure that all the lockout attempts target the admin username. So, I think I have made my point here.
Now the obvious question is why they keep trying. One of the main reasons is that WordPress has no built-in rule for banning an attacker. So, if you do nothing, they will not stop trying.
This leads us to our next point.
2. Create Custom Login Links
It is very obvious that to reach the WordPress admin panel, all one has to do is type in the URL of the site followed by /wp-login.php. If you used the same password in more than one place and it was compromised, it is easy for the hacker to take over your site.
A plugin called Stealth Login lets you create custom URLs for logging in, logging out, administration and registration on your WordPress blog. You can also enable "Stealth Mode", which prevents users from accessing wp-login.php directly. You can then set your login URL to something more cryptic. This will not secure your website completely, but if someone does manage to crack your password, it makes it harder for them to find where to actually log in. It also stops malicious bots from reaching your wp-login.php file and attempting to break in.
3. Limit Login Attempts
As I said at the end of the previous point, WordPress does not ban anyone for repeatedly failing to log in to an account. Hence you have to limit logins to your admin area and ban the user for a certain time, or they will endlessly keep trying to guess their way into your WordPress blog or website.
For this purpose, you can use plugins such as Wordfence Security, WP Limit Login Attempts, and Login LockDown. Below is a screenshot of WP Limit Login Attempts, which I am currently using. When you enter wrong credentials, this is how it looks:
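To show what these plugins do under the hood, here is a minimal per-IP lockout built on WordPress core hooks and transients. This is an added example written for this article, not code from the original post or from any of the plugins named; the wpsec_* names and the limits are assumptions you can adjust.

```php
<?php
// Added example: per-IP login lockout using WordPress hooks and transients.
// Drop it into a small plugin or your theme's functions.php.
// The limits below are assumed values; tune them for your site.
const WPSEC_MAX_ATTEMPTS = 5;                       // failures before lockout
const WPSEC_WINDOW       = 15 * MINUTE_IN_SECONDS;  // window for counting failures
const WPSEC_LOCKOUT      = 30 * MINUTE_IN_SECONDS;  // how long the lockout lasts

// Key on the TCP peer address only. Trusting X-Forwarded-For would let a
// client pick its own key and sidestep the lockout, unless a proxy you
// control sets that header and strips client-supplied values.
function wpsec_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function wpsec_transient_key($prefix) {
    return $prefix . md5(wpsec_client_ip());
}

// Count a failed login for this IP; start a lockout once the limit is reached.
// set_transient() refreshes the expiry each time, so the window slides.
function wpsec_record_failure($username) {
    $key  = wpsec_transient_key('wpsec_fail_');
    $fail = (int) get_transient($key) + 1;
    set_transient($key, $fail, WPSEC_WINDOW);
    if ($fail >= WPSEC_MAX_ATTEMPTS) {
        set_transient(wpsec_transient_key('wpsec_lock_'), time(), WPSEC_LOCKOUT);
        delete_transient($key);
        // Log the event so repeated lockouts show up in your monitoring.
        error_log(sprintf('wpsec: lockout for %s after %d failures (last username tried: %s)',
            wpsec_client_ip(), $fail, sanitize_user($username)));
    }
}
add_action('wp_login_failed', 'wpsec_record_failure');

// Refuse authentication while a lockout is active. Priority 100 runs after
// WordPress's own username/password checks, so our error is the final word.
function wpsec_block_if_locked($user, $username, $password) {
    if (get_transient(wpsec_transient_key('wpsec_lock_')) !== false) {
        return new WP_Error('wpsec_locked',
            __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}
add_filter('authenticate', 'wpsec_block_if_locked', 100, 3);

// Clear the failure counter on a successful login so a legitimate user who
// mistyped a few times is not locked out by the next stray attempt.
function wpsec_clear_failures($user_login, $user) {
    delete_transient(wpsec_transient_key('wpsec_fail_'));
}
add_action('wp_login', 'wpsec_clear_failures', 10, 2);
```

Transients live in the options table (or the object cache), so the counters are shared across PHP workers; the plugins above add a UI, email alerts and a whitelist on top of the same idea.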
Let’s move on to our next point which is:
4. Force SSL on Login Pages and Admin Area
There are times when you log in to your WordPress website over a public network. This is one of the cases where you are exposed to a man-in-the-middle attack: the attacker can listen to the traffic and read your HTTP request, and because a plain HTTP request to WordPress is not encrypted, they can see your WordPress credentials in plain text.
This can be prevented by using SSL login. SSL login enables your WordPress website to be accessible over HTTPS. Usually, your hosting services provide that in your subscription. If not, then you need to buy an SSL certificate and set it on your website server. You may want to check out some options from some SSL certificate shops like Cheap SSL Shop. Or you can follow this guide to install SSL on your server if you own it.
If your website already has an SSL certificate and runs on HTTPS, open your wp-config.php file and add the following code:

```php
// Use SSL (HTTPS) for the login page.
define('FORCE_SSL_LOGIN', true);
// Use SSL (HTTPS) for the whole admin area.
define('FORCE_SSL_ADMIN', true);
```

FORCE_SSL_LOGIN ensures that the login page is served only over HTTPS. The second constant, FORCE_SSL_ADMIN, forces a secure connection throughout the WordPress admin area, including the login page; since WordPress 4.0 FORCE_SSL_LOGIN is deprecated in favour of FORCE_SSL_ADMIN, so the second line is the one that matters on current versions.
5. Password Protect WP-Admin Directory
There is nothing wrong with having two passwords; it simply adds another level of security to your WordPress admin area. This can be done with a plugin called AskApache Password Protect. It encrypts (hashes) your password and creates the .htpasswd file, as well as setting the correct security-hardened file permissions on both. If you are using a cPanel web host, you can also use cPanel's directory password protection to password protect the wp-admin directory.
6. Put in place a CAPTCHA in the login page
Using a CAPTCHA on the login page can reduce hacking attempts, because it stops automated scripts from brute-forcing or otherwise attacking your login page. Go to your dashboard, then Plugins → Add New, and search for 'CAPTCHA'. You will find loads of WordPress plugins that add a CAPTCHA to your login page.
I currently use the Captcha plugin by BestWebSoft. It has over 300,000 active installs and a good rating. Simply activating it adds a new field to your login page with a CAPTCHA image, and without solving it no one can log in, even if they know the username and password. This effectively blocks automated scripted brute-force attacks. Have a look at the screenshot of the plugin in action.
7. Remove Error Message on the Login Page
When you enter a wrong password or an invalid username, the login page shows an error message telling you which of the two was wrong. So if a hacker gets one of them right, the error message confirms it for them. Therefore you should remove that error message entirely. Open the functions.php file in your theme folder and paste the following code:

```php
// Return an empty login error so the page no longer reveals whether the
// username or the password was the wrong part.
add_filter('login_errors', function ($error) {
    return null;
});
```

This uses an anonymous function; older versions of this snippet used create_function(), which is deprecated since PHP 7.2 and removed in PHP 8. A plugin called Secure WordPress also accomplishes this and has other features as well. This is the result:
8. Allow Only Specific IPs to Log In.
Before taking this point any further, I want to be clear: I recommend this step only for those who have a static IP address.
If you know your IP address, whitelist it using the .htaccess file in your wp-admin folder. You can allow several IP addresses to log in to your admin area, but my recommendation still stands for static IP owners only.
To whitelist an IP, open your wp-admin folder, edit (or create) a file named .htaccess and add the following:

```apache
order deny,allow
# Replace 18.104.22.168 with your own IP address
allow from 18.104.22.168
# To allow more IP addresses to access the wp-admin area, uncomment the line below and edit the IP address
# allow from 22.214.171.124
deny from all
```

As you can see, replace 18.104.22.168 with your desired IP address, and likewise for the second one. Two caveats: this syntax is for Apache 2.2 (or 2.4 with mod_access_compat loaded); on Apache 2.4 the equivalent directive is Require ip followed by your address. Also, themes and plugins often call wp-admin/admin-ajax.php for ordinary visitors, so if front-end features stop working after this change, exempt that one file from the rule.
When someone whose IP address is not on the list tries to access your admin area, they will see this message:
9. Add Extra Layer by Two-Factor Authentication
You can use two-factor authentication to add an extra layer of security to your WordPress admin area. To use it on your website, you just have to install and activate a plugin. When you search for "Two-Factor Authentication" on the plugins page of your WordPress site, you will see the following results:
Read this article to know exactly how to set up two-factor authentication.
10. Use Encrypted Password to Login
11. One Time Password
The One Time Password plugin lets you log in to your WordPress blog with passwords that are valid for one session only. One-time passwords prevent your main WordPress password from being stolen in less trustworthy environments such as internet cafés, for example by keyloggers.
12. Update WordPress to the Latest Version
Last but definitely not least, keep up with the latest version of WordPress. After each release, the bugs and exploits fixed in the previous version become public knowledge, which puts your admin area at risk if you do not upgrade.
In the end
WordPress is very easy to use, and that is why everyone loves it. But we forget that this ease of use can be brutal if someone else gains access to your website. So my recommendation is to follow all the steps I have mentioned above in this article.
If you face any trouble just let me know via comments, and I will help you in tackling that issue.
Author Bio – Kerin Miller is a passionate blogger and WordPress enthusiast. She is associated with Stellen Infotech and provides optimum solutions for custom WordPress Website development. She also likes to dedicate her time to blogging about her area of expertise. You can follow her on Facebook, and Twitter!