Have you been seeing many attacks on your WordPress admin area? Don't worry. The best way to block many of the common security threats is to prevent unauthorized access to the admin area in the first place.

Here, you will learn about 8 essential tips to protect your WordPress admin area:

Essential Tips to Protect Your WordPress Admin Area

1. Password Protect your WordPress Admin Directory

The WordPress admin area is already protected by your WordPress password. However, it is still advisable to add a second layer of password protection at the web-server level. Start by logging in to the cPanel dashboard of your WordPress hosting account. Next, click the 'Password Protect Directories' or 'Directory Privacy' icon.

Next, select your wp-admin folder, located inside the /public_html/ directory. On the next screen, check the box next to the 'Password protect this directory' option, give the protected directory a name, and click the 'Save' button to apply the permissions.

Hit the 'Back' button, create a user with a username and password, and click 'Save'. From now on, whenever someone tries to visit the wp-admin directory on your website, they will be asked for this username and password before they ever reach the WordPress login screen.

2. Web Application Firewall (WAF)

A web application firewall (WAF) keeps close tabs on the traffic directed to your website and stops suspicious requests from reaching it. Although there are many WordPress firewall plugins, experts recommend Sucuri, a website security and monitoring service that offers a cloud-based WAF to protect your website.

Your website traffic first passes through the cloud proxy, where each request is inspected thoroughly and suspicious ones are blocked before they reach your server. A WAF is very effective at protecting your website from hacking attempts, malware, phishing, and other malicious activity.

3. Use Strong Passwords ONLY

Take special care with all of your online accounts and ALWAYS use strong passwords. The same rule applies to your WordPress website. Use a combination of numbers, special characters, and letters in your passwords, so that hackers have a tough time guessing or cracking them. If you find it difficult to remember all those passwords, use a password manager app; simply install it on your computer and mobile phone.

4. Restrict Number of Login Attempts

By default, WordPress places no limit on how many times a user can try to enter a password. This means someone can try to guess your WordPress password by entering one combination after another, and hackers can use automated scripts to do exactly that.

You can fix this by installing and activating the Login LockDown plugin. Once it is activated, visit the Settings » Login LockDown page to configure the plugin settings. If you need assistance, feel free to ask us: wpwebsitemaintenanceservices.com
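To show what a login-attempt limiter actually does, here is an added example in Python. It is not the Login LockDown plugin's code and not WordPress code; the thresholds (3 failures within 5 minutes, then a 60-minute lockout) and the choice to key the lockout on the client IP are assumptions made for this example, and the credential map is constructed test data.

```python
"""Sliding-window login rate limiting, the behaviour a plugin such as
Login LockDown provides. Added example; thresholds are assumed values."""
from collections import defaultdict, deque

MAX_FAILURES = 3           # assumed: failures allowed within one window
WINDOW_SECONDS = 5 * 60    # assumed: window in which failures are counted
LOCKOUT_SECONDS = 60 * 60  # assumed: how long a locked-out IP stays blocked
GENERIC_ERROR = "Something is wrong!"  # one message for every failure (see tip 8)
LOCKED_ERROR = "Too many failed login attempts. Please try again later."


class LoginLimiter:
    """Counts failed logins per client IP inside a sliding time window."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time at which the lockout ends

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # lockout has expired; forget it
            del self._locked_until[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Register a failed attempt; return True if this one triggers a lockout."""
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(ip, None)


def attempt_login(limiter, username, password, ip, now, credentials):
    """Simulated login handler. `credentials` is a constructed username -> password
    map standing in for the real user store (a real store compares password hashes).
    Returns (logged_in, message)."""
    if limiter.is_locked(ip, now):
        return False, LOCKED_ERROR           # refused before the password is even checked
    if credentials.get(username) == password:
        limiter.record_success(ip)
        return True, "Welcome"
    limiter.record_failure(ip, now)
    return False, GENERIC_ERROR              # never reveal which field was wrong
```

Because the counter is keyed on the client IP, a locked-out address cannot log in even with the correct password until the lockout expires, while other addresses are unaffected. An attacker who spreads attempts across many addresses gets the full allowance per address, which is why a limiter is a complement to, not a substitute for, two-step verification (tip 5).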

5. WordPress Login Screen Verification

You can use two-step verification to add a strong security layer on top of your password. With it, the password alone is not enough: you must also enter a verification code generated by the Google Authenticator app on your phone.

Even if someone guesses your WordPress password, they cannot get in, because they would also need the Google Authenticator code.
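The verification code the app shows is a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226): the app and the server share a secret, and both derive a 6-digit code from that secret and the current 30-second time step. The following is an added example in Python of both sides of that exchange; it is not WordPress or plugin code. The secret is the RFC 6238 test-vector key, and the replay rule (a counter is never accepted twice) and the one-step drift window are this example's own choices.

```python
"""TOTP (RFC 6238) over HOTP (RFC 4226) as used by Google Authenticator:
6 digits, HMAC-SHA1, 30-second steps. Added example, not WordPress code."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = STEP_SECONDS) -> str:
    """The code the authenticator app displays at a given moment."""
    return hotp(secret, int(unix_time) // step)


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps exchange the secret as (often unpadded) Base32; restore padding."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server side: accept the current step or its neighbours (clock drift),
    compare in constant time, and never accept the same counter twice."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1   # highest counter already consumed by a successful login

    def check(self, submitted: str, unix_time: float) -> bool:
        current = int(unix_time) // STEP_SECONDS
        submitted = submitted.strip().replace(" ", "")
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue   # replay of an already-used code
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False
```

The check accepts the previous and next step as well as the current one, so a phone whose clock is up to 30 seconds off still works; rejecting a counter that has already been consumed means a code captured from one login cannot be reused within the same step.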

6. Limit Login Access to IP Addresses

This is a great way to protect the WordPress login: restrict access to specific IP addresses. This tip is mainly useful when only you or a few trusted users need access to the admin area.

To set up the restriction, add the following code to the .htaccess file inside your wp-admin directory (placing it in the site's root .htaccess would lock visitors out of the whole site).

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic

order deny,allow
deny from all
# whitelist Tina's IP address
allow from xx.xx.xx.xxx
# whitelist Christine's IP address
allow from xx.xx.xx.xxx

Make sure you replace the 'xx' values with your own IP address. If you use more than one IP address to access the internet, add all of them as well.
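The policy above is default-deny with an explicit allowlist. As an added example (Python, not Apache or WordPress code), here is the same decision written out so it can be tested: it goes beyond the .htaccess snippet by accepting CIDR ranges and IPv6, and by rejecting a malformed or left-over placeholder entry instead of silently ignoring it. The addresses in the allowlist are constructed documentation-range values.

```python
"""Default-deny admin IP allowlist with CIDR support. Added example."""
import ipaddress

# Constructed allowlist: two individual addresses and two ranges (documentation ranges).
ALLOWLIST = [
    "203.0.113.10",      # Tina (constructed)
    "203.0.113.11",      # Christine (constructed)
    "198.51.100.0/24",   # office network (constructed)
    "2001:db8::/32",     # IPv6 range (constructed)
]


def parse_allowlist(entries):
    """Turn strings into network objects; a bare IP becomes a /32 or /128.
    Raise ValueError on a bad entry so a typo or an unreplaced 'xx.xx.xx.xxx'
    placeholder is caught at load time rather than quietly weakening the policy."""
    networks = []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError as exc:
            raise ValueError(f"bad allowlist entry {entry!r}") from exc
    return networks


def is_allowed(client_ip, networks):
    """Default deny: True only if client_ip falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False   # an unparsable address is denied, never allowed by accident
    return any(addr in net for net in networks)


def check_request(client_ip, networks):
    """HTTP status an admin request would receive under this policy."""
    return 200 if is_allowed(client_ip, networks) else 403
```

Two caveats for the real .htaccess version: `order`/`deny`/`allow` is Apache 2.2 syntax (on Apache 2.4 it needs mod_access_compat, and the native form is `Require ip ...`), and if your traffic passes through a cloud proxy such as the WAF from tip 2, the web server sees the proxy's address rather than the visitor's, so the restriction must be applied at the proxy or the server must be configured to trust the proxy's forwarded client address.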

7. Encourage Users to Use Strong Passwords

On a multi-author WordPress website, users can edit their own profiles, and the problem is that they may choose a weak password that is easily cracked, letting someone into the WordPress admin area without your permission. You can fix this by installing and activating the 'Force Strong Passwords' plugin. It works really well and needs no configuration: once activated, it prevents users from saving weak passwords.
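Tips 3 and 7 both come down to a password policy: letters, numbers and special characters, and nothing easily cracked. Here is an added example in Python of such a check; it is not the Force Strong Passwords plugin's code or WordPress code. The 12-character minimum, the distinct-character rule and the tiny blocklist are assumptions for this example; a real deployment would check against a large breached-password list.

```python
"""Password policy check for the letters/numbers/special-characters rule. Added example."""
import re

MIN_LENGTH = 12  # assumed policy value
# Constructed blocklist; a real deployment uses a breached-password corpus.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty",
                    "admin", "letmein", "wordpress"}


def password_problems(password, username=""):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no numbers")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    # normalise before the blocklist lookup so "Password1!" does not slip past "password1"
    stripped = re.sub(r"[^a-z0-9]", "", password.lower())
    if stripped in COMMON_PASSWORDS or password.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < 4:   # assumed rule: "aaaaaaaaaaa1!" satisfies the classes but is junk
        problems.append("too few distinct characters")
    return problems


def is_strong(password, username=""):
    """True when the password passes every rule; use password_problems() to tell the user why not."""
    return not password_problems(password, username)
```

Returning the full list of problems rather than a bare yes/no is what lets the profile screen tell the user exactly what to fix, which is what makes an enforced policy tolerable for real users.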

8. Disable Login Hints

WordPress displays an error message on each failed login attempt, telling the user whether it was the username or the password that was incorrect. However, these login hints can also be quietly used by someone with malicious intent. The fix is to hide them by adding the following code to a site-specific plugin or to your theme's functions.php file.

// Replace the detailed login error with one generic message for every failure.
function no_wordpress_errors() {
    return 'Something is wrong!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );