10 Superb Tips to Protect WordPress Admin Area

Among 8,000 infected websites known by Sucuri, 74% of them are WordPress based, according to its Hacked Website Report for 2016. This serious statistic partly helps you realize the abiding and ongoing concern of web security on your site.

Malicious third parties use various methods to attack your WordPress website. Admin dashboard would be the most vulnerable target. It’s like the hub of your site containing important data. Once breaking into your admin dashboard, they take dangerous actions that will significantly damage your site.

To effectively prevent suspicious attacks, you need to protect WordPress admin. Our article today centers on 10 ways to tighten your login area. Before digging into details, let us briefly explain some reasons for securing your admin login.

Why Securing WordPress Admin

When talking about website exploits, we definitely think of hackers breaking into your server using sophisticated computer systems.

In fact, the process is much easier than that. They can simply gain access to your website’s backend and control it. Then, you suffer the consequences of losing data, facing legal issues, and spending money on cleaning the website.

In most cases, hackers leave malware on your site to steal credential customer data like phone numbers or credit card details. Once this private information is stolen, not only do your customers lose money and get bothered, but it also damages your brand reputation.

Buyers will never go back to your online store to purchase since they’re not sure if their information is fully secured. You may be dragged into litigation for not protecting customer data carefully as well.

Plus, cleaning up the website due to a cyberattack is costly. You have to hire WordPress maintenance services to deal with this.

There are multiple techniques you can apply to protect WordPress admin. Below are the 10 easiest solutions for any site owner, from non-techy to tech-savvy people.

#1 Change Default Admin Username

WordPress assigns admin to all websites’ default usernames. And cybercriminals know this, for sure. They easily guess your password to log into your site. They can either acquire it somewhere or try to brute force attack.

You should take another username rather than the admin to secure the admin login. Fortunately, changing usernames in WordPress is a piece of cake.

  1. Visit Users in your website admin menu
  2. Choose All Users and open the admin profile
  3. Update the username and password
  4. Save your changes

#2 Use Strong Passwords to Protect WordPress Admin

It’s estimated that 8% of hacked WordPress sites are derived from weak passwords. So bear in mind to use a strong password for your account. The password must contain at least 8 characters, combining letters, numbers, and special characters. You can enter the new password right on the Users page where you change the username.

Password generators greatly assist you in creating random and strong passwords. Simply pick elements you want to include in the password and let the tool handle the job.

However, memorizing all your passwords is painful as you own tons of passwords and accounts to manage. Luckily, you have password manager apps at hand, supporting you to store your passwords safely without worrying about getting hacked.

#3 Create Custom Login URL

Besides the username, WordPress also provides you with a default login link by adding /wp-login.php to the website domain. For instance, www.example.com/wp-login.php. If you remain both the default login URL and username, hackers are halfway gaining access to your site admin.

Although you can create a custom admin login URL by editing the wp-login.php file, we highly recommend using a plugin. You don’t have to touch the server or make changes to files and folders which may destroy the website.

Take WPS Hide Login into consideration when choosing a plugin to customize the WordPress login link. The plugin gains trust from over 1 million users worldwide and proves the most popular solution in this niche so far.

Follow the 4 steps below to get started with the plugin.

  1. Install and activate WPS Hide Login on your site
  2. Head to Settings in the admin menu
  3. Select WPS Hide Login
  4. Enter the new login link into the Login URL box

Remember to save your changes. Once done, only users with the new login link and correct account details can reach your admin page.

#4 Password Protect wp-admin Folder

The wp-admin folder consists of vital administrative files, located in the root directory. You can create an additional security layer for your admin by password-protecting this wp-admin folder.

  1. Log into your hosting cPannel or connect with an FTP client
  2. Hit Password Protect Directories or Directory Privacy
  3. Find the wp-admin folder under the /public_html/ directory
  4. Enable the option Password protect this directory
  5. Provide a username and a password
  6. Click Save

This is what users see anytime trying to obtain your WordPress admin page. They have to enter the right User Name and Password to pass the first authentication layer before submitting admin credential data.


#5 Reset Passwords for All Users

Another way to protect WordPress admin comes by forcing every user to reset their passwords, especially on multi-user websites. To quickly achieve this, you need help from the Emergency Password Reset plugin.

Upon activation, it will enable admins to reset passwords and email them the reset link automatically with just one click. Take the below steps:

  1. Install the Emergency Password Reset plugin
  2. Go to UsersEmergency Password Reset
  3. Press the Reset all passwords button

That’s it!

#6 Limit Login Attempts

WordPress permits users to enter login information as many times as they like until they successfully gain access to your admin area. Still, this option gives hackers a chance to brute force attack your site.

These ill-intentioned users often have a password library of the most common ones. Hackers will use an automated script and go through thousands of potential passwords.

To reduce the risk, you can limit login attempts with the Wordfence Security plugin. It’s more than just a plugin to prevent brute force attacks, which is in charge of site security and WordPress firewall. We’ll discuss the usefulness of this plugin in upcoming sections.

  1. Install and activate the Wordfence Security plugin for your site
  2. Open Wordfence and select All Options
  3. Turn on Enable brute force protection under Firewall Options
  4. Enter the time users are allowed to submit failed login information

If they can log in even though they’ve reached the maximum number of attempts, the plugin will block their IP address immediately.

#7 Restrict Login Access by IP Addresses

This method is advantageous in case you have a few users that need access to your admin area. It requires you to edit the .htaccess file via File Transfer Protocol (FTP) or your web host’s file manager.

Add the code below to the file:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist IP address
allow from xx.xx.xx.xxx

Replace xx.xx.xx.xxx with the real IP address.

Modifying the .htaccess file is seriously dangerous. Keep in mind to create a backup of your site before editing the .htaccess file. In that way, you can reverse the previous version if anything wrong happens to the site.

#8 Set up Two-Factor Authentication

Two-Factor Authentication (2FA) lets you add an extra security layer to your WordPress admin. For example, enter the security code sent to your mobile device, or use your face ID.

If you’ve installed the Wordfence plugin we introduced above, you can make use of this function without the help of any additional solution.

  1. Visit Wordfence and open the Login Security section
  2. Scan the QR codes with your authenticator app

#9 Disable Login Hints

When users fail to log in to the admin dashboard, WordPress will display an error message informing them whether their username or password was incorrect. This gives users hints about the login credential.

Take an example of hackers using a random username and password to access the admin page. If they know one of the details, they just need to seek the right other.

You can stop this by editing your theme’s functions.php file. Head over to AppearanceTheme Editorfunctions.php in the WordPress backend. Then, enter the following code into your functions.php file.

function no_wordpress_errors(){
return 'Something is wrong!';
add_filter( 'login_errors', 'no_wordpress_errors' );

#10 Use a Website Application Firewall

A firewall is never an old solution to secure your WordPress admin. It monitors the site traffic and blocks malicious requests from accessing your site. Some popular plugins you can try out include Wordfence, iThemes Security, and Sucuri.

Not only do they keep suspicious users away, but these plugins also scan for malware. There are a bunch of login protection options to select, from brute force attack prevention, two-factor authentication, CAPTCHA, etc.

Time to Protect WordPress Admin

The consequences of WordPress exploits are devastating. You will lose customers, brand reputation, and money due to admin login cybercrimes.

Prevention is always better than cure. You’ve gone through the 10 best tips to secure your WordPress admin area with and without plugins.

It takes you a few clicks to change the admin username and password. You can install plugins to generate a custom login URL, limit login attempts, set up 2FA, and apply a firewall. You must use code to password protect the wp-admin folder, restrict login by IP addresses, and disable login hints.

How many of these methods have you applied? Share with us in the comment section below.