How To Secure Your WordPress Admin (wp-admin) Folder
Written by Jamie G.

Website security is a big deal to us here at Name Hero, some may even say we’re hyper obsessed with keeping your files safe. Since we highly recommend the WordPress content management system (CMS), we feel it’s also important we show you exactly how to keep your install safe from any potential threats.

In this blog, we’ll show you how to protect your WordPress administration area. It’s vital your WordPress admin area stay protected from people looking to gain unauthorized access, so there is not even a breach to mitigate.

Utilize a firewall

Our first tip is to put a web application firewall (WAF) in front of your site: a service that inspects incoming web requests and blocks suspicious ones before they reach WordPress. The two we recommend are Cloudflare and Sucuri. Both offer a WordPress plugin, but the filtering itself is done by their cloud service.

Both route your traffic through their cloud proxy first, where each request is analysed and malicious ones (injection attempts, brute-force bursts against the login form, known bad bots) are dropped before they ever reach your server. This stops a large share of automated hacking attempts and malware uploads. One caveat: a proxy-based WAF only sees traffic that actually passes through the proxy. If your server's real IP address is discovered, an attacker can connect to it directly and bypass the filtering, so where your host allows it, restrict the origin server to accept web traffic only from the provider's published IP ranges.

Add password protection to your WordPress Admin Area

By default, the only thing between a visitor and your admin area is the WordPress login form. We recommend adding a second, independent layer: HTTP Basic authentication on the wp-admin directory, enforced by the web server before any WordPress code runs. To set it up, log in to your hosting cPanel dashboard and click the “Password Protect Directories” or “Directory Privacy” icon (the name depends on your cPanel version).

Next, select your wp-admin folder, located by default inside the /public_html/ directory. On the next screen, tick the option next to “Password protect this directory” and give the protected area a name; this label is what browsers show in the login prompt. Click Save.

Once that is done, go back to the same screen and create a user: enter a username and password and click Save. Use credentials that are different from your WordPress ones, otherwise the extra layer adds nothing. From now on, anyone requesting a page under /wp-admin/ will have to pass the server's username-and-password prompt before they ever reach the WordPress login screen. Two things to keep in mind: wp-login.php lives in the site root, not under wp-admin, so the login form itself is still reachable unless you protect that file too; and /wp-admin/admin-ajax.php is called by many themes and plugins for features shown to ordinary visitors (contact forms, live search, infinite scroll), so those requests will start failing with the password prompt unless that one file is exempted.
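For reference, here is what the protection looks like at the web-server level. This is an added example, not copied from the article or from the files cPanel generates: an Apache .htaccess for the wp-admin directory with HTTP Basic authentication plus an exemption for admin-ajax.php so front-end features keep working for visitors. The file paths and the account name example are assumptions; cPanel writes the AuthUserFile line for you with your own paths.

```apache
# /public_html/wp-admin/.htaccess  (assumed location)
# Basic authentication: the web server challenges every request under
# /wp-admin/ before WordPress runs, so unauthenticated requests never
# reach WordPress through this directory.
AuthType Basic
AuthName "Restricted Area"
# Password file kept outside the web root. "example" stands in for your
# cPanel account name; cPanel fills in the real path when you use
# "Directory Privacy", and the file holds hashed passwords, never plaintext.
AuthUserFile /home/example/.htpasswds/public_html/wp-admin/passwd
Require valid-user

# admin-ajax.php is requested by themes and plugins on behalf of ordinary,
# not-logged-in visitors (contact forms, live search, infinite scroll).
# Let it through without the Basic auth prompt; WordPress still enforces
# its own nonce and capability checks on every AJAX action.
<Files admin-ajax.php>
    Require all granted
</Files>
```

The `Require all granted` inside `<Files>` replaces the directory-wide `Require valid-user` for that one file (Apache 2.4 merges Require sections that way unless AuthMerging is switched on), so the file is served without a 401 challenge. On a host still using the Apache 2.2 access syntax, the equivalent exemption is `Order allow,deny`, `Allow from all` and `Satisfy any` inside the same `<Files>` block. To protect the login form itself, which lives at /wp-login.php outside wp-admin, put a `<Files wp-login.php>` block carrying the same four Auth directives in /public_html/.htaccess.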

Strong passwords are essential

While you should always use strong passwords online, it matters even more for your WordPress site, because the login form is reachable by anyone on the internet. Make each password long (at least 16 characters), random, and unique to the site; length and uniqueness matter more than mixing in special characters, although a mix of letters, numbers and symbols does not hurt. A long random password cannot be guessed or brute-forced in any practical amount of time. You don't have to remember it either: use a password manager application on your computer and phone to generate and store it.

Implement two step verification

Everything so far already gives you several layers of WordPress admin security, but we want to go further. The next layer is two-step verification (two-factor authentication). WordPress does not ship with it, so it is added with a two-factor plugin; once enabled, anyone logging in must also enter the time-based one-time code generated by an authenticator app such as Google Authenticator on your phone.

This way, even if an attacker obtains both the directory password and your WordPress password, they still cannot get in without the current code from your phone.

Limit login attempts

Out of the box, WordPress does not limit login attempts: an attacker can submit password guesses to your login form as fast as your server answers them, for as long as they like, in an attempt to brute-force your password.

To fix this, install and activate the Login LockDown plugin. Upon activation, visit Settings » Login LockDown and set how many failed attempts are allowed within a given period and how long the offending IP address is then locked out.

Limit what IP addresses can access your Admin Area

This one is strict, but it is your entire website at stake, and the admin area is not something you can afford to leave easily reachable. The most restrictive measure is to allow only specific IP addresses to reach the admin area, which you can do by adding the following to the .htaccess file in your wp-admin directory:
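The snippet itself, written out as an added example rather than reproduced from the original article: an Apache 2.4 allowlist for the wp-admin directory. The file location and the xx.xx.xx.xx placeholders are assumptions, and the admin-ajax.php exemption is included because that file must stay reachable by ordinary visitors.

```apache
# /public_html/wp-admin/.htaccess  (assumed location)
# Only requests from the listed client addresses are allowed into
# /wp-admin/; everyone else gets 403 Forbidden before WordPress runs.
# Replace each xx.xx.xx.xx with one of your own public IP addresses and
# add a "Require ip" line for every address or range you connect from.
<RequireAny>
    Require ip xx.xx.xx.xx
    Require ip xx.xx.xx.xx
    # A whole office or VPN range can be allowed with CIDR notation,
    # for example: Require ip 203.0.113.0/24
</RequireAny>

# Front-end features (contact forms, live search) call this file for
# visitors who are not logged in, so it has to stay open to everyone.
# WordPress still checks nonces and capabilities on each AJAX action.
<Files admin-ajax.php>
    Require all granted
</Files>
```

wp-login.php is in the site root, not under wp-admin, so the login form stays open unless you also wrap the same `<RequireAny>` block in `<Files wp-login.php>` inside /public_html/.htaccess. On a host still on the Apache 2.2 syntax, the equivalent is `Order Deny,Allow`, `Deny from all` and one `Allow from xx.xx.xx.xx` line per address. And if you route the site through Cloudflare or Sucuri as suggested in the first tip, Apache sees the proxy's address as the client unless your host restores the real visitor IP (mod_remoteip or the provider's own module); check what your server's access log records for your own visits before enabling this, or the rule will lock everyone out, including you.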

Make sure you replace the xx values with your own public IP address. If you connect from more than one address (home, office, mobile), add each of them; any address you leave out, including your own if your ISP assigns you a new one, will be locked out of the WordPress admin area until you update the file. If that happens, edit the file through cPanel's File Manager or FTP to restore access.

Require strong passwords for all users

If you have multiple authors logging into your WordPress site, make sure to require strong passwords. You can do this by installing and activating the Force Strong Passwords plugin. It works out of the box, and there are no settings for you to configure. Once activated, it will stop users from saving weaker passwords.

It will not check password strength for existing user accounts. If a user is already using a weak password, then they will be able to continue using their password.

Reset the password for all users

If you’re already concerned about a potential breach, then there is an emergency option that you can take advantage of immediately.

Simply install and activate the Emergency Password Reset plugin. Upon activation, go to the Users » Emergency Password Reset page and click on the “Reset All Passwords” button.

Always keep WordPress updated

WordPress continually pushes out new releases, many of which fix specific security flaws. Running an older version leaves your site open to exploits that are public knowledge. To fix this, make sure you are using the latest version of WordPress. For more on this topic, see our guide on why you should always use the latest version of WordPress.

Similarly, plugins and themes are regularly updated by their developers, often for the same reason. Keep them updated as well, and delete any you no longer use, since the files of a deactivated plugin can still be reached and exploited.

Log out idle WordPress users

By default, WordPress keeps a user logged in until they log out or close their browser (or for 14 days if they ticked “Remember Me”), no matter how long they have been idle. That is a concern for sites holding sensitive information, and it is why banking websites and apps log users out automatically after a period of inactivity.

To fix this on your website, you can install and activate the Idle User Logout plugin. Upon activation, go to Settings » Idle User Logout page and enter the time after which you want users to be automatically logged out.

All in all, we implore you to take the security of your WordPress admin area seriously. You do not have to use every step here, but we do recommend layering several of them, since no single one is bulletproof. These are simple measures you can put in place today that could save you a major headache later.
