PHPMatters Help You Better Hosting Your PHP-based Sites
Top 10 Tips to Protect Your WordPress Admin Security

Top 10 Tips to Protect Your WordPress Admin Security

Due to the popularity of WordPress, the administrative area of your WordPress site can be regarded as the hot target of evil hackers. In this case, we have listed the top 10 tips concerning about how to protect your WordPress admin security, so that your backend configurations and valuable data stored in the wp-admin folder will not be destroyed or deleted.

Tip 1: Secure the Admin User Account

Upon the successful installation of WordPress, you can receive an admin user account by default with the user name of “admin”. This is a common sense for all the WordPress users, making your administrative panel an easy target for hackers if you do not change anything. After all, these malicious people only need to decode your password, and then they can achieve a successful attack.

For this, you need to replace the default username with a complicated one. You can do this via phpMyAdmin. Or, you can create a new account with your favorite username and the administrator user role, and then, delete the old one.

For better security, you can even create a second user that is used for article publishing. In this way, your actual administrative name can be protected from the webpages and the outside world.

Tip 2: Strengthen the Password

This step is a cornerstone for admin security that can’t be emphasized enough. Generally, a good password needs to be long and hard-to-remember, containing numbers, symbols, dashes and uppercase/lowercase characters. You can use some password generators if you have no idea for the creation of a strong password. Also, the Password Strength Detector is helpful for you to know whether your password is good or not.

Besides the strong password, the regular password change is also important. Generally, we recommend you change the password once a month.

Tip3: Change the Login Link with a Customized One

Generally, the login link of a WordPress website is http://www.youradmin.com/wp-login.php. Therefore, if the hackers know your username and decode your password, they can enter your admin easily via this link. In this case, a customized login link is essential.

Here, you can make use of the WordPress plugin named as Custom Login URL, with which you can create a custom link for WordPress login. Or, you can check this page to know some alternative methods.

Custom Login URL

Besides, you also need to pay attention to your wp-login.php file, preventing anyone else from accessing it to change your login configurations.

Tip 4: Limit the Login Attempts

Sometimes, hackers may need to guess your password for many times to enter your admin. In this case, if you limit the login attempts, these unwanted people can be locked out of your admin when they use out all the allowed attempts.

This tutorial introduces all the steps about how to carry out this practice.

Tip 5: Hide the Error Feedback from the Login Page

Generally, when you login to your WordPress admin, you only need to enter the right username and the corresponding password. If one of them is wrong, you must fail to access your backend. For this, WordPress is smart enough to release an error message when you enter an invalid username or a wrong password.

To be frank, this kind of function is useless for the true website owner, but is helpful for hackers as they at least can confirm either your username or your password.

WordPress Login Error Message

In this case, you need to hide that error feedback entirely. For this, you should add the following line of code into your theme file of functions.php.

add_filter('login_errors',create_function('$a', "return null;"));

Tip 6: Double Authentication

To better secure your WordPress admin, a single password may not be enough. You also need another authorization code that is known by you only. For this, we highly recommend you to use the Stealth Login Page plugin, with which you can create a random but secret code for admin access, effectively blocking the external login requests.

Tip 7: Use WP Secure Login

This is a special WordPress plugin used for the generation of one-time password. The password can be created and sent to your smartphone, and is only valid for one time. The next time you enter your admin, you need another fresh password.

Frankly, the utilization of one-time password effectively prevents some malicious intruders from entering your WordPress dashboard.

Tip 8: Password Protect the wp-login.php File or wp-admin Folder

This practice simply adds an additional layer of security to your backend. To do this, you can resort to the utilization of . htpasswds file or the Password Protect Directories function from your control panel. This tutorial found from the knowledge base of InMotion Hosting demonstrates the detailed steps for you.

Tip 9: Install Anti-Virus Tools

Some hackers access your backend via virus and spam injections. Therefore, you’d better use the anti-virus tools to scan and monitor your WordPress admin, detecting any potential dangers effectively. As for this aspect, we highly recommend the AntiVirus plugin.

Tip 10: Keep WordPress Updated

The best way to avoid potential loopholes and vulnerabilities is to keep everything of your WordPress site up to date. This is because every time WordPress is updated, the bugs and loopholes of the previous versions are released for the public, putting your WordPress admin in danger if you do not upgrade.