Are you concerned about the security of your WordPress website? One of the most critical areas to protect is your WordPress admin dashboard. If an attacker gains access to your wp-admin, they could wreak havoc on your site. Fortunately, there are a number of vital tips and hacks you can implement to harden your WordPress admin security.
As a WordPress consultant who has helped secure dozens of high-profile websites, I've seen firsthand the damage a compromised admin area can cause. In this in-depth guide, I'll share 11 essential strategies to lock down wp-admin against unauthorized access.
1. Deploy a powerful web application firewall
The first and perhaps most important layer of defense is a web application firewall (WAF). A firewall monitors all incoming traffic to your site and intelligently blocks suspicious requests before they reach your server.
There are a number of great firewall solutions tailored for WordPress. My personal recommendation is Sucuri. Unlike some other WordPress security plugins that rely on security-through-obscurity, Sucuri is a cloud-based service with an advanced WAF powered by a global network.
Once the Sucuri plugin is installed on your site, all requests are routed through Sucuri's servers where they are analyzed against threat signatures. Malicious traffic, like a botnet performing a brute force attack or a hacker attempting to exploit a known vulnerability, is rejected before it gets anywhere near your site.
Sucuri also has other valuable security features like malware scanning, security notifications, and expert incident response services, making it a comprehensive WordPress security solution. We use Sucuri here at WPBeginner and have seen it block hundreds of thousands of threats.
2. Add password protection to wp-admin
By default, anyone can access your wp-admin directory and WordPress login page if they know the URL. From there, a brute force attack can attempt to guess your password.
You can place an additional password prompt on the wp-admin directory itself by password protecting it at the server level:
Log in to your hosting control panel and open the "Directory Privacy" or "Password Protect Directories" tool.
Navigate to your WordPress directory and select the wp-admin folder.
Check the option to enable password protection and create a username and strong password.
Save your changes. The .htaccess file for the wp-admin directory will be automatically updated.
Now, anyone trying to access yoursite.com/wp-admin/ will be greeted with an HTTP authentication prompt asking for the username and password you set. Only after entering those credentials will the WordPress login page even load.
This simple step effectively blocks brute force bots and adds a second layer of security to your dashboard. Just be sure to choose a strong, unique password and definitely don't reuse your WordPress admin password. One caveat: wp-admin/admin-ajax.php lives inside the protected directory, so any front-end feature that calls it for logged-out visitors will hit the prompt too unless you exempt that one file in the same .htaccess.
3. Use strong passwords for all accounts
Speaking of passwords, a weak password is one of the easiest ways for an attacker to gain access to your site. Don't use anything obvious like "password123" or your birthday. And never reuse the same password on multiple sites.
Instead, generate a complex password at least 12 characters long containing a mix of upper and lowercase letters, numbers, and symbols. A password manager like LastPass or 1Password can create strong passwords for you and store them securely.
Be sure to update any existing WordPress user accounts with strong passwords as well. For accounts belonging to other people, you can enforce strong passwords with a plugin, as I'll show you in a later tip.
4. Enable two-factor authentication for wp-admin
Two-factor authentication, also called 2FA, adds an extra step to the login process. After entering the username and password, the user must also provide a time-sensitive code from a secondary device, usually their smartphone. This means an attacker can't get in with just the password alone.
The simplest way to add two-factor authentication to WordPress is with the free Google Authenticator plugin:
Install and activate the plugin from the WordPress.org repository.
Go to Users > Your Profile to configure 2FA settings.
Select "Google Authenticator" as the active two-factor authentication provider.
Open the Google Authenticator app on your phone and scan the QR code or enter the secret key to connect your device.
Enter the six-digit code from the app to verify the setup.
Save your user profile. You can also generate backup codes in case you lose access to the authenticator app.
Now, next time you log in to wp-admin, you'll be prompted for the one-time code after entering your password. This makes it nearly impossible for an unauthorized person to access your WordPress dashboard even if they somehow obtain your password.
I recommend enabling 2FA on any WordPress site, but especially for sites with multiple users like an eCommerce store or membership community. You can require 2FA for certain user roles in the Google Authenticator settings.
5. Limit the number of failed login attempts
By default, WordPress allows unlimited login attempts. A hacker could try guessing your password indefinitely. To prevent this kind of brute force attack, you need to limit the number of failed login attempts.
The free Login Lockdown plugin makes this easy:
Install and activate Login Lockdown from the plugin directory.
Go to Settings > Login Lockdown and review the settings.
Choose the maximum number of login retries before lockout (3-5 is reasonable).
Set the length of the lockout period in minutes. For more security, increase the lockout time with each failed login.
You can also configure the error message shown to locked out users, the lockout notification email, and trusted IP addresses to whitelist.
If a user exceeds the allowed number of failed logins, further attempts will be blocked for the duration of the lockout period. This quickly thwarts any brute force attack while still allowing a reasonable number of honest mistakes.
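To see what a plugin like Login Lockdown does under the hood, here is a small must-use plugin written as an example for this guide (it is not Login Lockdown's own code). It counts failed logins per client address in WordPress transients, locks the address out once the retry limit from the tip is reached, doubles the lockout each time it is triggered again (the escalating lockout the settings above describe), emails the site owner, and clears the counter on a successful login. The `wpb_` prefix, the transient names, the limits and the message text are all chosen here. It reads `$_SERVER['REMOTE_ADDR']`, which behind a proxy or a cloud WAF such as Sucuri is the proxy's address rather than the visitor's; on such a host you would take the client address from the header your provider documents.

```php
<?php
/**
 * Plugin Name: WPB Login Lockout (example)
 * Description: Locks a client IP out of wp-login.php after repeated failures,
 *              with a lockout that doubles every time it is triggered again.
 * Example written for this guide, not a published plugin. Save it as
 * wp-content/mu-plugins/wpb-login-lockout.php (must-use plugins need no activation).
 */

const WPB_MAX_RETRIES    = 5;                      // the "3-5" range from the tip
const WPB_BASE_LOCKOUT   = 15 * MINUTE_IN_SECONDS; // length of the first lockout
const WPB_FAILURE_WINDOW = HOUR_IN_SECONDS;        // failures older than this are forgotten

/** Client address. Behind a proxy/WAF this is the proxy; read your provider's header there. */
function wpb_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient names have a length limit, so key on a hash of the address (invented prefixes). */
function wpb_lockout_key( $ip )  { return 'wpb_lockout_' . md5( $ip ); }
function wpb_failures_key( $ip ) { return 'wpb_failures_' . md5( $ip ); }

/** Lockout length for the Nth lockout: 15 min, 30 min, 60 min, ... capped at one day. */
function wpb_lockout_seconds( $lockout_count ) {
    $seconds = WPB_BASE_LOCKOUT * ( 2 ** max( 0, $lockout_count - 1 ) );
    return min( $seconds, DAY_IN_SECONDS );
}

/** Count a failure; start (or lengthen) a lockout once the retry limit is hit. */
add_action( 'wp_login_failed', function ( $username ) {
    $ip    = wpb_client_ip();
    $state = get_transient( wpb_failures_key( $ip ) );
    if ( ! is_array( $state ) ) {
        $state = array( 'failures' => 0, 'lockouts' => 0 );
    }
    $state['failures']++;
    if ( $state['failures'] >= WPB_MAX_RETRIES ) {
        $state['failures'] = 0;
        $state['lockouts']++;
        $ttl = wpb_lockout_seconds( $state['lockouts'] );
        set_transient( wpb_lockout_key( $ip ), time() + $ttl, $ttl );
        // Lockout notification to the site owner, as the tip suggests (constructed wording).
        wp_mail(
            get_option( 'admin_email' ),
            'Login lockout on ' . home_url(),
            sprintf( 'IP %s locked out for %d minutes after %d failed logins (last username tried: %s).',
                $ip, $ttl / MINUTE_IN_SECONDS, WPB_MAX_RETRIES, $username )
        );
    }
    set_transient( wpb_failures_key( $ip ), $state, WPB_FAILURE_WINDOW );
} );

/**
 * Refuse authentication while a lockout is active. Priority 100 runs after WordPress's
 * own username/password check (priority 20), so a correct guess during a lockout is
 * still refused instead of slipping through.
 */
add_filter( 'authenticate', function ( $user ) {
    $until = get_transient( wpb_lockout_key( wpb_client_ip() ) );
    if ( $until && $until > time() ) {
        $minutes = (int) ceil( ( $until - time() ) / MINUTE_IN_SECONDS );
        // Same generic wording as a normal failure, so nothing about the account leaks (tip 7).
        return new WP_Error( 'too_many_retries',
            sprintf( 'Login failed. Try again in %d minutes.', $minutes ) );
    }
    return $user;
}, 100 );

/** A successful login clears the failure counter for this address. */
add_action( 'wp_login', function () {
    delete_transient( wpb_failures_key( wpb_client_ip() ) );
} );
```

Because WordPress fires `wp_login_failed` for attempts refused during a lockout as well, hammering a locked address keeps extending the lockout, which is the "increase the lockout time with each failed login" behaviour from the settings above. Transients live in the options table (or the object cache if one is configured), so the counters survive across requests without a custom table.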
6. Restrict logins to specific IP addresses
In addition to locking out excessive failed login attempts, you can restrict access to wp-admin to specific IP addresses or ranges. This is especially useful for sites where only a small number of people need access to the back-end.
You can implement IP restrictions by adding a few lines to an .htaccess file inside the wp-admin directory of your WordPress install (create the file if it doesn't exist yet; putting these rules in the site's main .htaccess would block every visitor, not just the admin area):
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
Order deny,allow
Deny from all
Allow from 12.34.56.78
Replace the IP address with the actual address(es) you want to allow. You can add multiple "Allow from" lines for additional IPs. Note that Order/Deny/Allow is Apache 2.2 syntax; on Apache 2.4 it only works while the mod_access_compat module is loaded, and the native equivalent is to replace those three lines with one `Require ip 12.34.56.78` line per allowed address.
Now, any request to access the WordPress admin area from an IP not on the whitelist will be blocked. Just be careful not to lock yourself out accidentally. You may need to contact your hosting provider if your IP address changes.
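The same allowlist can be enforced inside WordPress itself, which helps on hosts where you cannot rely on .htaccess. The following must-use plugin is an example written for this guide, not a published plugin: it checks the client address against a list of IPv4 addresses and CIDR ranges on the login page and in the dashboard and answers everything else with a plain 403. The constant name, the sample ranges and the `wpb_` prefixes are invented here; `203.0.113.0/24` is a documentation range used as a placeholder.

```php
<?php
/**
 * Plugin Name: WPB Admin IP Allowlist (example)
 * Description: Application-layer version of the .htaccess rule in tip 6. Only the
 *              listed IPv4 addresses/ranges may reach wp-login.php and the dashboard.
 * Example written for this guide. Save as wp-content/mu-plugins/wpb-admin-allowlist.php.
 */

// Replace with your own addresses. A bare address is treated as a /32. Sample values.
const WPB_ADMIN_ALLOWLIST = array( '12.34.56.78', '203.0.113.0/24' );

/** True if an IPv4 address falls inside "a.b.c.d/n" (or equals a bare "a.b.c.d"). */
function wpb_ip_in_cidr( $ip, $cidr ) {
    if ( false === strpos( $cidr, '/' ) ) {
        $cidr .= '/32';
    }
    list( $subnet, $bits ) = explode( '/', $cidr, 2 );
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    $bits        = (int) $bits;
    if ( false === $ip_long || false === $subnet_long || $bits < 0 || $bits > 32 ) {
        return false; // malformed input never matches, so it can never open access by accident
    }
    // Build the netmask; a /0 must be an all-zero mask, and "-1 << 32" is not defined.
    $mask = ( 0 === $bits ) ? 0 : ( ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

/** True if $ip matches any entry of the allowlist. */
function wpb_ip_allowed( $ip, array $allowlist ) {
    foreach ( $allowlist as $entry ) {
        if ( wpb_ip_in_cidr( $ip, trim( $entry ) ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Enforce on the login page and inside wp-admin. AJAX and WP-CLI are exempted:
 * wp-admin/admin-ajax.php also serves logged-out front-end visitors (the same
 * caveat as the .htaccess method), and CLI runs have no client address.
 */
function wpb_enforce_admin_allowlist() {
    if ( ( defined( 'DOING_AJAX' ) && DOING_AJAX ) || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return;
    }
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( ! wpb_ip_allowed( $ip, WPB_ADMIN_ALLOWLIST ) ) {
        // Generic 403, mirroring what the .htaccess rule returns.
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'login_init', 'wpb_enforce_admin_allowlist' );
add_action( 'admin_init', 'wpb_enforce_admin_allowlist' );
```

As with the .htaccess version, `REMOTE_ADDR` is the proxy's address when the site sits behind a CDN or cloud WAF, so on such hosts the check must use the forwarded-for header your provider documents, and you should test from a second connection before relying on it so you don't lock yourself out.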
7. Hide login error messages
You may not realize it, but by default the WordPress login page provides clues to attackers. When you enter an incorrect username or password, the error message tells you which of the two is wrong.
An attacker could use this to determine valid usernames on your site and then concentrate on guessing the password. With a plugin or simple code snippet, you can instead show a generic error message:
    // Replace every login error with the same generic message, so the response
    // does not reveal whether the username or the password was the wrong part.
    function no_wordpress_errors() {
        return 'Login failed.';
    }
    add_filter( 'login_errors', 'no_wordpress_errors' );
The ambiguous error message reveals nothing about which part of the login credentials is incorrect. A would-be hacker will have to guess both a valid username and its password.
8. Force strong passwords for all users
As I mentioned in tip #3, you should be using a strong password yourself. But what about other users on your site?
The free Force Strong Passwords plugin ensures all users have a hard-to-crack password:
Install and activate the plugin. There are no settings to configure.
When a user creates an account or changes their password, the plugin will verify the password strength.
If the entered password isn't strong enough, the user will be asked to try again with a more complex password.
You can customize the minimum required password strength and the message shown when a password doesn't meet that standard.
9. Automatically expire passwords after a set time
One further measure you can take is to automatically expire user passwords after a certain length of time, such as every 90 days. This forces users to change their passwords regularly and limits the window an attacker has to exploit a compromised password.
To set an expiration period on passwords, you can use a free plugin called Password Policy Manager:
Install the plugin and go to Settings > Password Policy Manager.
Check the box to enable password expiration and set the number of days until expiration.
Choose whether the expiration policy applies to all users or only selected roles.
Decide what will happen when a password expires – either allow login with a forced reset or block login entirely.
You can also set minimum password length and complexity requirements similar to the Force Strong Passwords plugin.
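Tips 8 and 9 can also be implemented without a plugin, which shows what those plugins hook into. The following must-use plugin is an example written for this guide (not the code of Force Strong Passwords or Password Policy Manager): it rejects new passwords that miss the length and character-class rules from tip 3, on both the profile screen and the lost-password form, records in user meta when each password was last changed, and refuses logins once that timestamp is older than 90 days, pointing the user at the reset link. The `wpb_` prefix, the meta key `wpb_password_changed` and the messages are invented here.

```php
<?php
/**
 * Plugin Name: WPB Password Policy (example)
 * Description: Minimum password strength (tip 8) plus a 90-day expiry (tip 9).
 * Example written for this guide. Save as wp-content/mu-plugins/wpb-password-policy.php.
 */

const WPB_PASSWORD_MIN_LENGTH = 12;                    // the recommendation from tip 3
const WPB_PASSWORD_MAX_AGE    = 90 * DAY_IN_SECONDS;   // the example period from tip 9

/** Reasons a candidate password fails the policy; an empty array means it passes. */
function wpb_password_policy_violations( $password, $user_login = '' ) {
    $problems = array();
    if ( strlen( $password ) < WPB_PASSWORD_MIN_LENGTH ) {
        $problems[] = sprintf( 'must be at least %d characters long', WPB_PASSWORD_MIN_LENGTH );
    }
    if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password ) ) {
        $problems[] = 'must contain both upper- and lowercase letters';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        $problems[] = 'must contain a number';
    }
    if ( ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        $problems[] = 'must contain a symbol';
    }
    if ( '' !== $user_login && false !== stripos( $password, $user_login ) ) {
        $problems[] = 'must not contain your username';
    }
    if ( false !== stripos( $password, 'password' ) ) {
        $problems[] = 'must not contain the word "password"';
    }
    return $problems;
}

/** Add one error per violation so the user sees exactly what to fix. */
function wpb_reject_weak_password( WP_Error $errors, $password, $user_login ) {
    foreach ( wpb_password_policy_violations( $password, $user_login ) as $why ) {
        $errors->add( 'weak_password', '<strong>Error:</strong> Password ' . $why . '.' );
    }
}

// Profile screen and "Add New User": WordPress places the typed password in $user->user_pass.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) ) {
        $login = isset( $user->user_login ) ? $user->user_login : '';
        wpb_reject_weak_password( $errors, $user->user_pass, $login );
    }
}, 10, 3 );

// Lost-password reset form: the new password arrives in $_POST['pass1'].
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( $user instanceof WP_User && ! empty( $_POST['pass1'] ) ) {
        wpb_reject_weak_password( $errors, wp_unslash( $_POST['pass1'] ), $user->user_login );
    }
}, 10, 2 );

/** Remember when a password was last set (invented meta key). */
function wpb_touch_password_timestamp( $user_id ) {
    update_user_meta( $user_id, 'wpb_password_changed', time() );
}
add_action( 'user_register', 'wpb_touch_password_timestamp' );
add_action( 'after_password_reset', function ( $user ) {
    wpb_touch_password_timestamp( $user->ID );
} );
add_action( 'profile_update', function ( $user_id, $old_user_data ) {
    $fresh = get_userdata( $user_id );
    if ( $fresh && $fresh->user_pass !== $old_user_data->user_pass ) {
        wpb_touch_password_timestamp( $user_id ); // stored hash changed, so the password did
    }
}, 10, 2 );

/** Pure helper: has a password set at $changed_at outlived the maximum age at $now? */
function wpb_password_is_expired( $changed_at, $now ) {
    return ( $now - (int) $changed_at ) > WPB_PASSWORD_MAX_AGE;
}

/**
 * Block expired accounts at login. Runs late, only once the password has already been
 * verified, so a wrong password on an expired account still gets the normal failure
 * message and the expiry reveals nothing extra (tip 7). Users with no timestamp yet are
 * stamped now rather than locked out the moment the policy is installed.
 */
add_filter( 'authenticate', function ( $user ) {
    if ( ! ( $user instanceof WP_User ) ) {
        return $user;
    }
    $changed_at = get_user_meta( $user->ID, 'wpb_password_changed', true );
    if ( '' === $changed_at ) {
        wpb_touch_password_timestamp( $user->ID );
        return $user;
    }
    if ( wpb_password_is_expired( $changed_at, time() ) ) {
        return new WP_Error( 'password_expired',
            'Your password has expired. Use the "Lost your password?" link to set a new one.' );
    }
    return $user;
}, 100 );
```

This is the "allow login with a forced reset" variant from the settings above: the expired user is refused at the login form but can still use the lost-password flow, and `after_password_reset` stamps the new password so the 90-day clock restarts. If you want a hard cut-over for existing accounts instead of stamping them on first login, write a past date into the meta for every user when you deploy it.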
10. Keep WordPress core and plugins updated
New vulnerabilities in WordPress core, themes, and plugins are constantly being discovered. Responsible developers patch these flaws in updated versions of their software.
But if you don't keep your site updated, those flaws remain open for an attacker to exploit. According to a recent study, 61% of hacked WordPress sites were running an outdated version at the time of infection.
Always update to the latest version of WordPress core as soon as it's released. The same goes for your plugins and themes, with a caveat – first make sure the update is compatible with your current setup to avoid breaking your site.
I recommend enabling automatic updates for minor WordPress releases, as these are typically security fixes and have a low chance of causing issues. For major updates, create a complete backup of your site first, then test the update on a staging site before deploying to production.
11. Use alternative login and registration pages
If your WordPress site allows public user registration, by default those users could access the standard wp-admin login page at yoursite.com/wp-admin/.
With a custom login page separate from the WordPress admin area, you can provide a specific login experience for your users while still protecting wp-admin. Customization options include:
- Consistent branding elements to match your site
- Targeted messaging or promotions based on user role
- Additional login security, like a CAPTCHA to block bots
- The ability to restrict wp-admin access to certain user levels only
The free Theme My Login plugin lets you easily set up custom login, registration, and password reset pages and integrate them with your WordPress theme.
Putting it all together for bullet-proof WordPress admin security
Securing your WordPress admin area requires a multi-pronged approach. By implementing these 11 tips together, you can dramatically reduce the risk of unauthorized access.
While it does take some initial setup, the peace of mind knowing your site is well protected is worth it. Most of these strategies can be put in place with free plugins and minor configuration changes.
For customized, expert WordPress admin security setup tailored to your specific site and risk profile, consider reaching out to a WordPress security consultant or agency. An ounce of prevention now can save you a massive headache down the road.
