Skip to content
How To Protect Your Wordpress Admin Area

13 Steps To Protect Your WordPress Admin Area

With WordPress, it is very easy to create a blog or a website. Yet, there are cases (which are increasing on a daily basis) when people suffer because they don’t pay attention to the security features of the WordPress website or blog. There are loads of cases when you glance on the freelancing websites, where people's websites and blogs are hacked and they ask for bits of help.

These incidents show that when you don’t pay attention to your WordPress website security, there are chances where it can be attacked by hackers. To avoid these cases you need to keep your WordPress Admin Area and its Login Page protected. In this article, I am going to give you information about the ways and steps to protect the most sophisticated area of your WordPress site, the “WordPress admin area”.  Let’s get started,

Change Default Admin Username and Pick a Strong Password

If you’re installing WordPress, never let the default admin account to be as admin. This is so predictable to try for brute-force attack or any other attack.

strong password

Choose a strong password

Here, even if you change your admin username as iamadmin, it can create a hell lot of difference and save you from a lot of trouble (But, do not go for this name, it is an example to show how changing admin username can make a difference).

In terms of passwords, always follow the WordPress guide. When you enter the password below the entry box, it shows how strong is your password. Always make your password strong in that aspect.

Now, even if your website does not provide any financial privileges to the hacker, but this doesn’t stop the hacker to try to gain access of your website. Allow me to present you a simple scenario which is kinda common in WordPress websites. Have a look in the below figure:

brute-force attack

Brute-force attack WordPress admin

As you can see, there are these hacking attempts on one WordPress website in one day. So, as from the figure, it is quite clear that all the lockouts attempts are targeting on admin username. So, I think I have made my point here.

Now, the streamline question is why do they keep on trying? One of the most leading and most prevailing reasons is that "WordPress has no banning ground rule on any of the attacker". So, if you don't do anything, they will not stop trying.

This leads us to our next point.

Create Custom Login Links

It is very obvious that in order to access the WordPress admin panel, all one has to do is type in the URL of the site with /wp-login.php. Now if you used the same password in more than one location, and it was jeopardized then it is easy for the hacker to hack your site.

A plugin called Stealth Login allows you to create custom URLs for logging in, logging out, administration and registering for your WordPress blog. You can also enable “Stealth Mode” which will prevent users from being able to access wp-login.php directly. You can then set your login URL to something more cryptic. This won’t secure your website perfectly, but if someone does manage to crack your password, it can make it difficult for them to find where to actually log in. This also prevents any bots that are used for malicious intents from accessing your wp-login.php file and attempting to break in.

Change login URL

Change login URL

Limit Login Attempts

As I end the previous point by saying, WordPress doesn't ban any user from trying unsuccessfully to login in to an account. Hence you have to limit the login to your admin area and ban the user for a certain time or else they will endlessly keep on trying to guess successfully for your WordPress blog or website.

For this purpose, you can use plugins such as Wordfence Security, WP Limit Login Attempts, and Login LockDown. Below is a screenshot of WP Limit Login, as I am currently using it. So, when you enter any wrong credential this is how it looks like,

limit login attempts

Limit login attempts

ban for too many login attempts

Ban for too many login attempts

Let’s move on to our next point which is:

Force SSL on Login Pages and Admin Area

There are times when you log in to your WordPress website through a public network. This is one of the cases where you might be exposed to be a "Man-in-the-middle attacks". The hackers can listen to the traffic and can access your HTTP request. After accessing your request on WordPress, they can see your WordPress credentials in plain text.

This can be prevented by using SSL login. SSL login enables your WordPress website to be accessible over HTTPS. Usually, your hosting services provide that in your subscription. If not, then you need to buy an SSL certificate and set it on your website server. You may want to check out some options from some SSL certificate shops like Cheap SSL Shop. Or you can follow this guide to install SSL on your server if you own it.

If your website already has an SSL certificate and runs on HTTPS, then open your wp-config.php file and edit it with the following code:

// Use SSL (HTTPS) for the login page.
define('FORCE_SSL_LOGIN', true);
// Use SSL (HTTPS) for the whole admin area.
define('FORCE_SSL_ADMIN', true);

The constant FORCE_SSL_LOGIN ensures that the login page opens only on HTTPS. The constant FORCE_SSL_LOGIN put in 2nd place secure connection throughout the WordPress admin area.

Password Protect WP-Admin Directory

There is nothing wrong with having two passwords. It just adds another level of security to your WordPress Admin Area. This can be done by using a plugin called AskApache Password Protect. It encrypts your password and creates the .htpasswd file, as well as setting the correct security-enhanced file permissions on both. You can also use cPanel Password Protection on a Directory if you are using a cPanel Web Host to password protect wp-admin directory.

Password protect WordPress admin area

Password protect WordPress admin area

Put in place a CAPTCHA in the login page

Using a CAPTCHA in the admin area can reduce hacking attempts as it prevents automated scripts to brute-force or any other automated possibility of an attack on your login page. Go to your dashboard and then to the Plugins → Add New and then type, 'CAPTCHA'. You’ll get loads of WordPress Plugins to enable CAPTCHA in your login page.

I currently use Captcha plugin by BestWebSoft. This plugin has over 300,000 active installs and a good rating. This plugin creates a new area on your login page. Simply activating this plugin will create a CAPTCHA image, without which no one can log in even by knowing the username and password. This effectively blocks the automated scripted brute force attacks. Have a look at the given screenshot of the plugin utility.

login captcha

Using CAPTCHA for login

Other than this, you can also opt for captcha plugins such as SI CAPTCHA Anti-Spam, Really Simple CAPTCHA, and Math Captcha.

Remove Error Message on the Login Page

When you enter a wrong password or an invalid username, you get an error message in the login page. So if a hacker gets one thing right, the error message will help them identify that. Therefore you should remove that error message entirely. Open your functions.php located in your theme folder and paste the following code:

add_filter('login_errors',create_function('$a', "return null;"));

A plugin called Secure WordPress also accomplishes this and it has other features as well. And this is the result:

Remove login error messages

Remove login error messages

Allow Only Specific IPs to Log In.

Before taking this point any further, I want to be clear. I recommend this step only for those who have static IP address.

If you know your IP address, then whitelist that IP using the .htaccess file from your wp-admin folder. Yet you can allow many IP addresses to log in to your admin area but still, my recommendation is for only static IP owners.

To whitelist an IP, you have to open your wp-admin folder and edit a file named .htaccess and just add the following codes:

order deny,allow
# Replace with the desired IP address
allow from
# Allow more IP addresses to access the wp-admin area by uncommenting the line below and editing the IP address
# allow from
deny from all

As you can see, change from your desired IP address, similarly for the second IP as well.

When you don’t add any IP address and they try to access your admin area, they will get this message:

Block access by IP address

Block access by IP address

Add Extra Layer by Two-Factor Authentication

You can use two-factor authentication to add an extra layer of security in your WordPress admin area. To apply it on your website, you just have to install and activate a plugin. When you search for Two-Factor Authentication in the WordPress website’s plugins page, you will see the following results:

Two-factor authentication plugins

Two-factor authentication plugins

Read this article to know exactly how to set up two-factor authentication.

Use a Security Plugin

WordPress security plugins are designed to provide complete website protection and not just from brute force attacks. There are many free and paid security plugins like Sucuri, MalCare, and Wordfence that offer protection through 24/7 malware scanning and removal.

That said, not all security plugins are built for WordPress login security. Among the many WordPress security plugins in the market, MalCare has in-built login page safety features like brute force prevention, CAPTCHA tool, 2-factor authentication, user role management, dynamic firewall with IP blacklisting, geo-blocking, and more. Another advantage of using a security plugin is that the security plugin keeps the malicious traffic out without slowing down your site.

Also, The dashboard and WordPress management feature lets you set up better WordPress login protection from all your sites — from a single place.

Use Encrypted Password to Login

When you don’t have SSL enabled, this method comes in handy. There is a plugin that lets you do this job, and it is called Semisecure Login Reimagined. Semisecure Login Reimagined increases the security of the login process using an RSA public key to encrypt the password on the client-side when a user logs in. The server then decrypts the encrypted password with the private key. JavaScript is required to enable encryption.

One Time Password

One Time Password plugin enables you to log in to your WordPress weblog using passwords which are valid for one session only. One-time passwords prevent stealing of your main WordPress password in less trustworthy environments, like internet cafés, for example by keyloggers.

Update WordPress to the Latest Version

Last but definitely not the least is to stay updated with the latest version of WordPress because after each version is released, WordPress also releases the bugs and exploits of the previous version which puts your Admin Area in risk if you don’t upgrade.

In the end

WordPress is very easy to use, and that’s why everyone loves it. But, we forget that this ease of functionality can be brutal if someone else found access to your website. So, my recommendation is to follow all the steps I had mentioned above in the article.

If you face any trouble just let me know via comments, and I will help you in tackling that issue.

Author Bio - Kerin Miller is a passionate blogger and WordPress enthusiast. She is associated with Stellen Infotech and provides optimum solutions for custom WordPress Website development. She also likes to dedicate her time to blogging about her area of expertise. You can follow her on Facebook, and Twitter!

Leave a Comment

Scroll To Top