Quick Tips to Secure Your WordPress Admin Area


WordPress powers over 59% of all websites using a CMS, and 25% of the world’s largest websites are based on it. Now you can imagine how inviting the WordPress environment is for hackers.

It’s always good to take security enhancement steps before it is too late, as you are responsible for protecting both your own and your registered users’ data.

Since WordPress is quite an intuitive platform, many of its users don’t have any technical background. Therefore, the tips I’ll describe below do not require a high level of technical knowledge: if you could create a WordPress website, you’ll be able to implement these small tricks that will make it more secure.

Today I’ll pay the most attention to the “gates” of your website, that is, the admin panel.

Create Custom Login Links

Everyone who has used WordPress knows that you just need to add /wp-admin or /wp-login.php to a WordPress website’s URL and you’ll reach the admin panel. Leaving the admin link as it is brings hackers one step closer to your website.

What can you do?

You can simply change the path of your admin panel. Doing this is as easy as installing a simple plugin and adjusting a few settings. You can try Custom Login URL, a plugin that lets you customize your WordPress website’s login URLs without modifying any files.

What the plugin can do:

  • change /wp-login.php to, for example, /user/login/
  • change /wp-login.php?action=register to, for example, /user/register/
  • change /wp-login.php?action=lostpassword to, for example, /user/remind/
  • change /wp-login.php?action=logout to, for example, /user/logout/
  • define your own custom paths for each URL above
  • set successful login and logout redirect URLs

In order to make the plugin work you need to have Permalinks enabled in WP Settings.

Note that you can write your own path for the login page and for any other page above. You can even pick a login URL that you yourself will not remember and will need to bookmark.

Pick a Strong Password

It seems that this issue has been discussed enough and there is no need to go over it again, but from my experience I can tell you that a lot of people still use passwords like 123654 or password123, and use the same password everywhere.

How do you check whether your password is strong enough, and how do you make sure that the other users of your website set strong passwords?

A strong password should meet the following criteria:

  • Contain special characters
  • Be at least 8 characters long
  • Mix capital and small letters

This way you can choose a strong password for yourself as an admin. For the other registered users of your website, who may not care much about security, you can consider the help of the Force Strong Passwords plugin. The plugin duplicates the WordPress JavaScript password strength check in PHP and forces users with executive powers to use a strong password. In this way you’ll prevent users in other roles from becoming an open window for hackers.
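To show what such a server-side check looks like, here is an added example (not the Force Strong Passwords plugin’s own code): a small PHP plugin that enforces the three criteria above for users in privileged roles, using WordPress’s standard profile-validation hook. The function names, the “espp_” prefix and the list of privileged roles are assumptions chosen for this example.

```php
<?php
// Added example (not the Force Strong Passwords plugin's code): enforce the
// three criteria from this article for users in privileged roles. Function
// names, the "espp_" prefix and the role list are assumptions chosen here.

// "Users with executive powers": roles that must meet the policy.
const ESPP_PRIVILEGED_ROLES = array( 'administrator', 'editor' );

// Returns a list of unmet requirements; an empty list means the password passes.
function espp_password_problems( $password ) {
    $problems = array();
    if ( strlen( $password ) < 8 ) {
        $problems[] = 'be at least 8 characters long';
    }
    if ( ! preg_match( '/[A-Z]/', $password ) || ! preg_match( '/[a-z]/', $password ) ) {
        $problems[] = 'mix capital and small letters';
    }
    if ( ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        $problems[] = 'contain at least one special character';
    }
    return $problems;
}

// Is the role being saved (new user) or the existing user's role privileged?
function espp_is_privileged( $user ) {
    if ( ! empty( $user->role ) ) {
        return in_array( $user->role, ESPP_PRIVILEGED_ROLES, true );
    }
    if ( ! empty( $user->ID ) && ( $existing = get_userdata( $user->ID ) ) ) {
        return (bool) array_intersect( $existing->roles, ESPP_PRIVILEGED_ROLES );
    }
    return false;
}

// Server-side check when a profile is created or updated, so the JavaScript
// strength meter in the browser cannot simply be bypassed.
function espp_validate_profile( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) || ! espp_is_privileged( $user ) ) {
        return; // no new password submitted, or the role is not covered
    }
    $problems = espp_password_problems( $user->user_pass );
    if ( $problems ) {
        $errors->add( 'weak_password', '<strong>Error</strong>: Passwords for this role must '
            . implode( ', ', $problems ) . '.' );
    }
}
add_action( 'user_profile_update_errors', 'espp_validate_profile', 10, 3 );
```

Saved as a file in wp-content/plugins/ and activated, it rejects the profile save with the listed reasons whenever an administrator or editor submits a password that misses one of the criteria.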

Limit Login Attempts

Another wise decision is to limit a user’s login attempts. Even if hackers have a script for guessing your password, they’ll need to try many candidate passwords until they find the right one. Limiting attempts stops the unwanted guests before they can find your password.

For this purpose you can use the Limit Attempts plugin. It is a really powerful tool with a lot of nice features:

  • Blocks an IP address when the limit of login attempts is reached
  • Adds the IP address to the blacklist
  • Allows adding single IP addresses to black- and whitelists
  • Sends email notifications to the administrator
  • Allows showing custom text for different situations
  • And finally, can hide the login form, the registration form and the lost password form for blocked or blacklisted IPs

I think this plugin does the job and even more, so make sure to give it a try.
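As an added example (not the Limit Attempts plugin’s own code), here is a minimal PHP plugin that applies the same idea with WordPress’s standard hooks: it counts failed logins per IP address in a transient and refuses further attempts once the limit is reached. The constants, function names and the “elal_” prefix are assumptions chosen for this example.

```php
<?php
// Added example (not the Limit Attempts plugin's code): after a number of
// failed logins from one IP address, refuse logins for a lockout period.
// Constants, function names and the "elal_" prefix are assumptions.

const ELAL_MAX_ATTEMPTS    = 5;       // failures allowed before blocking
const ELAL_LOCKOUT_SECONDS = 15 * 60; // how long the block lasts

// Transient key for the visitor's IP address; transients expire on their own.
// Note: behind a reverse proxy REMOTE_ADDR is the proxy's address, so use the
// client address your server exposes instead.
function elal_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'elal_fails_' . md5( $ip );
}

// Count a failed login for this IP (fires after a wrong username/password).
function elal_record_failure( $username ) {
    $fails = (int) get_transient( elal_key() );
    set_transient( elal_key(), $fails + 1, ELAL_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'elal_record_failure' );

// Refuse authentication once the limit is reached. Priority 30 runs after
// WordPress's own username/password check (priority 20), so our error is the
// one the visitor sees.
function elal_block_if_locked( $user, $username, $password ) {
    if ( (int) get_transient( elal_key() ) >= ELAL_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts',
            '<strong>Error</strong>: Too many failed login attempts. Please try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'elal_block_if_locked', 30, 3 );

// Reset the counter after a successful login.
function elal_clear_on_success( $user_login, $user ) {
    delete_transient( elal_key() );
}
add_action( 'wp_login', 'elal_clear_on_success', 10, 2 );
```

Because a blocked attempt also fires wp_login_failed, every further try during the lockout renews the counter and its expiry, so the block only lifts once the visitor stops for the full period.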

Password-Protected Admin Area

Protecting the admin area with an extra login adds an outer gate against unauthorized users: every user will have to enter two sets of login credentials before reaching your website’s admin panel. Famous websites like Mashable use this technique.

You can do this easily if you use cPanel web hosting. First, create a .htpasswds file; you can do so easily by using an Htpasswd Generator. Upload this file outside your /public_html/ directory. A good path would be: home/user/.htpasswds/public_html/wp-admin/passwd/. Then create a .htaccess file, upload it to the /wp-admin/ directory, and add the following lines to it:

# Password-protect the /wp-admin/ directory with HTTP Basic authentication.
AuthType Basic
AuthName "Admins Only"
# Path to the htpasswd file created above; replace "yourdirectory" with your account's home directory name.
AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd
AuthGroupFile /dev/null
# Only this htpasswd user may pass; replace with the username you created.
Require user putyourusernamehere
# Note: themes and plugins that call /wp-admin/admin-ajax.php from the front end will also meet this prompt, so check your site after enabling it.

You must replace the username with the one you created for the protected directory. Also don’t forget to update the AuthUserFile path (use the path above and change the directory name to the username you currently use on your server). If you have difficulties with this, you can just contact your hosting provider and ask them to help you.

Stay Updated with WordPress and the Other Tools You Use

Make sure to always keep your WordPress updated. The same is true of the core files and plugins you use. One of the most common reasons for sites being hacked is outdated (vulnerable) software. WordPress usually prompts you about updates, but for any paid plugin or theme you should contact the developers and ask how you can be notified about new releases, because WordPress doesn’t have any default alerts for paid plugins. For example, we at Web-Dorado have developed a way to show our product updates on the WordPress dashboard even for paid plugins, because we always want to make sure that our users have the most recent versions of our products. Other companies take a different approach, so you may miss an update only because you didn’t know about it.

Dear reader, these were my quick and easy tips for protecting your admin area. They will of course help you to enhance the security of your website. If you use any other easy and smart tricks, feel free to share them in the comments.
