How To Secure Your WordPress Admin Area

By Richard Gray on June 14, 2017

Website security is a big deal to us here at Name Hero, some may even say we’re hyper obsessed with keeping your files safe. Since we highly recommend the WordPress content management system (CMS), we feel it’s also important we show you exactly how to keep your install safe from any potential threats.

In this post, we’ll show you how to protect your WordPress administration area. It’s vital that your WordPress admin area stays protected from people looking to gain unauthorized access, so that there is never a breach to mitigate in the first place.

Utilize a firewall

Our first tip is to utilize a web application firewall (WAF), a service that monitors website traffic and blocks suspicious requests before they reach your website. The two we recommend for this are CloudFlare and Sucuri.

Both services route your traffic through their cloud proxy first, where they analyze each request and block suspicious ones from ever reaching your website. This shields your site from hacking attempts, phishing, malware and other malicious activity.

Add password protection to your WordPress Admin Area

By default, WordPress protects your admin area with your WordPress password only. We recommend adding another layer of security by putting a password on the WordPress admin directory itself. To do this, log in to your WordPress hosting cPanel dashboard and click the “Password Protect Directories” or “Directory Privacy” icon.

Next, select your wp-admin folder, located by default inside the /public_html/ directory. On the next screen, tick the option next to “Password protect this directory” and provide a name for the protected directory. Click save to set the permissions.

Once this is complete, go back and create a user. You’ll be asked to provide a username and password; enter them and click the save button. Now when someone attempts to access the WordPress admin or wp-admin directory on your website, they will be required to enter a username and password before they ever make it to the WordPress login screen.

Strong passwords are essential

While you should always utilize strong passwords online, it’s even more important that you do so for your WordPress site. Use a combination of letters, numbers, and special characters in your passwords. This makes it harder for the password to be guessed and for an unauthorized user to gain access. You don’t have to worry about remembering it either, as we recommend using a password manager application that you can install on your computer and smart phone.

Implement two-step verification

Utilizing everything we’ve done so far already provides multiple levels of WordPress admin security, but we want to take it even further. Another layer that should be added is two-step verification. Enabling this requires anyone trying to access the admin area to enter a verification code generated by the Google Authenticator app on your phone.

This way, even if someone breaches your two layers of security, they’ll still need the Google Authenticator code to access your protected area.

Limit login attempts

WordPress allows users to enter passwords as many times as they want right out of the box. That means if you just install WordPress and leave it alone, an unauthorized user could hit your admin area as many times as they want in an attempt to guess your password.

To fix this, install and activate the Login LockDown plugin. Upon activation, go to Settings » Login LockDown and configure the plugin.

Limit what IP addresses can access your Admin Area

We’re taking it to the extreme now, but we’re talking about your entire website here, and that is something you cannot afford to leave easily accessible. A hyper-obsessive measure to utilize is to limit access to specific IP addresses, which can be done by adding the following code to your .htaccess file:

Make sure that you replace the xx values with your own IP address. If you use more than one IP address to access the internet, make sure you add all of the additional addresses as well. Any address you leave out will be unable to reach your WordPress admin area.
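The following wp-admin/.htaccess is an added example (not the article’s own snippet) that combines the two layers described above: the HTTP Basic authentication that cPanel’s “Directory Privacy” writes for you, and the IP allowlist from this section. The .htpasswd path and the IP addresses are placeholders; it also exempts admin-ajax.php, which front-end themes and plugins call on behalf of anonymous visitors and which would otherwise break.

```apache
# Assumed location: /public_html/wp-admin/.htaccess

# Layer 1: HTTP Basic authentication in front of the WordPress login screen.
# cPanel's "Directory Privacy" generates these lines; the AuthUserFile path
# is an assumed example and must match the file cPanel created for you.
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/EXAMPLEUSER/.htpasswds/public_html/wp-admin/passwd

# Layer 2: only the listed IP addresses may reach wp-admin at all.
# 203.0.113.10 and 198.51.100.0/24 are documentation addresses; replace them
# with every address you use, or you will lock yourself out.
<IfModule mod_authz_core.c>
    # Apache 2.4: both the login and the source address must check out.
    <RequireAll>
        Require valid-user
        Require ip 203.0.113.10 198.51.100.0/24
    </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2: with the default "Satisfy All", the host check AND the
    # login must both pass.
    Require valid-user
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10 198.51.100.0/24
</IfModule>

# Exemption: admin-ajax.php is requested by front-end features for visitors
# who will never have the password or an allowlisted address.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
        Satisfy any
    </IfModule>
</Files>
```

After saving, test from a non-allowlisted connection (for example your phone on mobile data) and confirm you get a 403 rather than the login screen, then confirm a front-end feature that uses admin-ajax.php still works for a logged-out visitor.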

Require strong passwords for all users

If you have multiple authors logging into your WordPress site, make sure to require strong passwords. You can do this by installing and activating the Force Strong Passwords plugin. It works out of the box, and there are no settings for you to configure. Once activated, it will stop users from saving weaker passwords.

It will not check password strength for existing user accounts. If a user is already using a weak password, then they will be able to continue using their password.

Reset the password for all users

If you’re already concerned about a potential breach, then there is an emergency option that you can take advantage of immediately.

Simply install and activate the Emergency Password Reset plugin. Upon activation, go to the Users » Emergency Password Reset page and click on the “Reset All Passwords” button.

Always keep WordPress updated

WordPress continually pushes out new releases of its software, often releases that address specific security threats. Using an older version of WordPress on your site leaves you open to known exploits and potential vulnerabilities. To fix this, make sure that you are running the latest version of WordPress. For more on this topic, see our guide on why you should always use the latest version of WordPress.

Similarly, WordPress plugins are often updated by their developers. Keep them updated as well!

Log out idle WordPress users

By default, WordPress does not automatically log out users; a session lasts until they log out themselves or close their browser window. This can be a concern for WordPress sites with sensitive information, which is why financial institution websites and apps automatically log out users who haven’t been active.

To fix this on your website, you can install and activate the Idle User Logout plugin. Upon activation, go to Settings » Idle User Logout page and enter the time after which you want users to be automatically logged out.

All in all, we implore you to think about the security of your WordPress admin area! You do not have to utilize every one of these steps, but we do recommend multiple layers of security around your WordPress admin area. These are simple things that you can implement on your WordPress website that could save you a major headache later.
