How to Protect the Admin Area of your WordPress Site

Line25 is reader supported. At no cost to you a commission from sponsors may be earned when a purchase is made via links on the site. Learn more

More and more of us are using WordPress for personal and professional purposes. Its easy-to-operate platform and a wide variety of themes and templates make it suitable for multiple uses. However, its accessibility also means that it is vulnerable to potential attacks by outside agents, such as hackers.

Protecting your WordPress site and, specifically, its Admin area is essential if you are to continue using it in confidence. Fortunately, you can take several easy steps to secure it and reduce your site’s vulnerability.

1. Secure your WordPress login page with a lockdown feature

You access the backend of your website from your login page. Ensuring that unauthorised users cannot force their way in is relatively simple if you set up a lockdown feature, which will activate itself if a hacker makes multiple attempts to access the site. You should be able to specify how many incorrect logins are allowed before the site locks and you receive notification of the unauthorised activity.

2. Use an email address as your username to login

The default login system for WordPress requires you to input a user name. As many user names are easily predicted, this can pose a risk. Replacing a user name with an email ID is more secure as email addresses are usually much harder to guess.

3. Use two-factor authentication

Two-factor authentication, or 2FA, requires a user to provide two separate login details. As a website owner, you decide what you want to require. Typically, it’s a password followed by a secret code or question, a pre-defined set of characters or an authentication code, such as that offered by Google’s authenticator plugin, sent to your phone.

4. Change your login URL

By default, your WordPress login page is accessed by adding wp-login.php or wp-admin to the site’s URL. Changing your login URL to something much less predictable puts another obstacle in the way of hackers who want to access the site using so-called Guess Work databases that contain millions of combinations of user names and passwords.

5. Ensure password security

Making sure that your password is not easily guessable is such a simple step but also one that many users neglect. A combination of upper and lower case letters, numbers and symbols can add to its complexity. The use of a password manager, which will generate strong passwords and store them safely, is even better.

6. Virtual Private Networks

Much of the traffic on the internet is visible to anyone who cares to look at it. Using a Virtual Private Network, such as Tunnelbear VPN provides you with much stronger levels of privacy, especially when you need to administer your site via a public Wifi connection. VPNs encrypt your data and route it via the VPN server, making it unintelligible to observers as well as disguising both its origin and its destination.

7. Automatic logout of idle users

It can be annoying to have to log back into your site if you’ve only popped away for a cup of tea or to answer the phone. However, it would be considerably more annoying if someone else took advantage of your absence to change your website’s information or disable the site altogether. Various plugins allow you to customise the time for which the site is allowed to remain idle before locking the user out.

8. Password protect your wp-admin directory

Your wp-admin directory is essential for the running of your site, and hackers who manage to access it can damage or disable the entire site. Using a plugin to protect the wp-admin directory means that users must submit two passwords in order to access the dashboard. The first guards your login page while the second secures the admin area.

9. Get an SSL certificate

A Secure Socket Layer (or SSL) certificate will ensure that you can transfer data securely between your user browsers and your server. Some hosting companies provide SSL certificates as part of their package or you can buy one from a third-party provider. As an added bonus, sites with an SSL certificate tend to rank higher in Google searches.

10. Never choose “Admin” as the user name for your administrator account

It may be tempting or easy to overlook but using “Admin” is far too predictable. It’s the first login guess for many hackers, which means you should always choose something different. In addition, consider adding a plugin that will automatically ban any IP address that tries to login using the term.

11. Use caution when adding new user accounts

Some WordPress accounts have several users and this may be unavoidable. Using caution when considering if it’s really necessary to add a new user is a wise precaution. Where it is, you should reduce the site’s vulnerability by installing a plugin that forces each user to choose a strong password.

12. Use an endpoint firewall and malware scanner

A good firewall will identify and block malicious traffic. Meanwhile, an effective malware scanner will monitor your site’s core files, plugins and themes for malware, code injections, malicious rewrites, SEO spam, bad URLs and other similar threats.