Get FAST WordPress Support
World’s Fastest WordPress Support Since 2009  
10 Tips For Protecting WordPress Admin From Attacks

10 Tips For Protecting WordPress Admin From Attacks

Protecting WordPress admin will keep your site safe…

The flexible, open source and convenient nature of WordPress has made it one of the most well known CMS for web development attracting all types of users, whether looking for a new interface or existing owners hoping to convert website to WordPress.

Protecting WordPress Admin

This popularity has also made it the target of hackers who want to gain unauthorized access to the backend of the website and some valuable tips for protecting the WordPress Admin area are being presented for the benefit of owners.   

1. Make It A Habit To Use Strong Username And Passwords

A common mistake that most people commit is to choose easy to remember combinations as the password which makes it easy for any person with malicious intent to crack it. Always use strong passwords which are a combination of letters, special characters and numbers in addition to adopting a similar strategy for creation of the username.

Another frequently committed error is to use the same password for accessing various areas and anyone indulging in such a practice should discontinue it immediately. The problem of memorizing passwords can be solved by installing a password manager app on your system or smartphone where all of them can be safely stored.

2. Implement Password Protection

The WordPress admin directory can also be secured by giving it password protection and adding another security feature to the website. This can be done by logging in to the cPanel of your hosting service and finding the “Directory Privacy” or “Password Protect Directories” option and clicking it.

A popup will be visible now asking for the location of the directory and you should choose the “public_html/www” option. You will now be guided to another screen where you must select the “password protect this directory” option and save all the changes made. The system will ask you to provide a username and password and choose strong terms for both of them and save the details to complete the process.

3. Add Two- factor Authentication To The Login Screen

Most of us are aware about two- factor authentication which is a part of almost every online monetary transaction and the same feature can be used to increase the safety of the WordPress admin. This can be done with the help of the Google Authenticator app and plugin.

The app needs to be installed on your smartphone while the plugin must be downloaded and activated in your WordPress setup. Choose the mode for time duration for which the generated code will remain active and save the settings followed by adding the account and synchronizing it with the phone app. After the completion of the process, you will see the field for Google Authenticator code is added to the login page.  

4. Secure The Login Pages With SSL

Investing in an SSL certificate for your website is another good option for increasing its security but the feature needs to be incorporated in the WordPress setup. Ask your hosting service provider for an SSL certificate for the interface if you do not possess one and then the SSL certificate must be enabled so that the “https” protocol is visible on the website instead of “http”.

The following line of code when added to the “wp-config.php” file will configure the SSL and force the https in the admin area :

define('FORCE_SSL_ADMIN', true);

Another method to do so is to use plugins which can help people who do not have sufficient knowledge of coding.

5. Implement A Website Application Firewall

One of the most vital tips for protecting WordPress admin is to implement a Website Application Firewall which will block any attack such as a code injection which will modify the functionality of the interface and cripple its operations.

There are a number of firewall plugins available which can help in protecting a website by monitoring all the traffic and assessing their threat perception and stopping suspicious requests from reaching the interface.

6. Limit The Number Of Login Attempts

A user can enter username and password as many time as he/she wishes to in order to access the admin area and this makes the setup vulnerable to malicious person who can keep attempting to login in an unauthorised manner until they succeed. Using a plugin which limits the number of login attempts will be helpful in minimizing such a risk.

7. Disable Hints For Login

Any user entering the wrong username or password is notified by WordPress about the error and specifying which of the two fields received the incorrect input. This can help people with malicious intent and disabling these hints on the login page will negate the possibility of such individuals using them for guessing the correct input terms.

Adding this code to the functions.php file located in the theme folder will do the needful :

function no_wordpress_errors(){
return 'Something is wrong!';
add_filter( 'login_errors', 'no_wordpress_errors' );

8. Permit Access To Limited IP Address

The access to the wp-admin area can be controlled  by limiting the permission to some specific IP addresses.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic

order deny,allow
deny from all
# whitelist Joe's IP address
allow from
# whitelist John's IP address
allow from

Adding the above code to the .htaccess file by replacing the values signified by “xx” in the highlighted part with your own IP address will help in controlling the IP addresses that can access the admin.

9. Make Custom Login And Registration Pages

A number of websites have a feature for registration of members which requires them to create an account which they can use to log in to the admin and perform the functions which they have been authorized to do. If the owner wishes, this access can be limited by creating custom login and registration pages using any of the numerous forms plugins.

10.Update And Use The Latest Version Of WordPress

The team behind WordPress keeps releasing new versions regularly which contain the latest features, security updates and bug fixes. With hackers developing new tactics to find loopholes in security, it becomes essential for owners to update their set-up and use the latest version so as to remain protected from any possible attacks.  


WordPress is a robust and secure platform but its popularity makes it vulnerable to attacks and these tips for protecting WordPress admin area will help owners in making their websites safer and provide users with a fulfilling experience.


  • Just FYI the plugin “iThemes Security” can help you do all these things and more. I started using it on all of my sites after one of them got hacked a couple years ago and haven’t had an issue since. Be warned though, once you start using it and you look at the logs and see just how many times a day someone is trying to hack into your site, you might have a heart attack. It’s actually pretty insane.


Leave a Reply

Your email address will not be published. Required fields are marked *