How to Protect Your WordPress Admin Area: 15 Tips
Internet security concerns are rising across the board, and your very own WordPress admin area may be open to attack. Some of these threats are alarmingly common, but, fortunately, the fixes for the most common issues are very easy. In this article, we address several easy ways of protecting your WordPress admin area from attacks.
Here’s what you can do to keep your admin area safe:
This should be a given: never rely on a default password for anything, let alone anything important, and the same goes for weak passwords. Most alarmingly, millions of people still use 123456 as a password.
So, always use a strong password. But what is a strong password, exactly?
If you have been on the internet at all this past decade or so, you have probably seen a meme about a website insisting that a password must contain “at least one digit, one special character, one Egyptian hieroglyph” and so on. The joke is not that far from the truth: avoid dictionary words, names, birth dates, and other personal data that may be readily accessible online. Length matters more than a sprinkling of symbols, so a long random passphrase beats a short “complex” one. Use a password generator (password managers have one built in), and, if you are worried about remembering a password that makes no sense to you, use a password manager.
You should also require all your users to use strong passwords, especially users with administrator accounts, because an administrator’s password is effectively the key to the whole site.
Another easily installed hurdle for would-be attackers is two-factor authentication (2FA). In the simplest of terms, 2FA requires a second proof of identity in addition to the password, so that, even if your login credentials are leaked or guessed, the attacker still cannot access your admin area. WordPress core does not ship 2FA; it is added with a plugin.
The second factor is a one-time code from an authenticator app, a hardware security key, or, less robustly, a code sent by text message to the user’s phone (SMS codes can be intercepted through SIM swapping, so prefer an app or a key where you can).
To further safeguard your login page, limit the number of login attempts on your website. Attackers routinely run brute force attacks against wp-login.php (and against xmlrpc.php, which accepts credentials too). This is basically guessing your password, but not by a human: scripts try thousands of guesses, usually drawn from lists of leaked and dictionary passwords, hoping to stumble upon yours. This is also the reason why you should avoid dictionary words, by the way.
Everybody forgets a password or makes a typo from time to time. So configure a login limiter judiciously (a handful of attempts in a quarter of an hour, followed by a temporary lockout, is typical), but do use it. A well-meaning user who locks themselves out costs you a few minutes of handling; an attacker who gains access to the back end of your website costs you far more.
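As an added example, not code from the original article, here is a minimal login limiter written as a must-use plugin. It counts failures per client address in a transient, refuses authentication while a lockout is in force, and resets on a successful login. The function names, the transient key prefix and the 5-attempts, 15-minute and 30-minute figures are all assumptions:

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 *
 * Save as wp-content/mu-plugins/login-limiter.php; must-use plugins load
 * automatically and cannot be deactivated from the dashboard. Hypothetical
 * example, not from the article; all names and numbers are assumptions.
 */

const LAL_MAX_ATTEMPTS = 5;                       // failures allowed per window
const LAL_WINDOW       = 15 * MINUTE_IN_SECONDS;  // window in which failures are counted
const LAL_LOCKOUT      = 30 * MINUTE_IN_SECONDS;  // lockout once the limit is reached

/**
 * Throttle key for the current client. REMOTE_ADDR is the address the web
 * server actually talked to; X-Forwarded-For is attacker-controlled unless a
 * trusted proxy in front of PHP rewrites it, so it is deliberately not used.
 */
function lal_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lal_' . hash( 'sha256', $ip );
}

/** Count one failed login; start a lockout once the limit is reached. */
function lal_record_failure( $username ): void {
    $key   = lal_key();
    $state = get_transient( $key );
    if ( ! is_array( $state ) ) {
        $state = array( 'count' => 0, 'locked_until' => 0 );
    }
    $state['count']++;
    $ttl = LAL_WINDOW;
    if ( $state['count'] >= LAL_MAX_ATTEMPTS ) {
        $state['locked_until'] = time() + LAL_LOCKOUT;
        $ttl                   = LAL_LOCKOUT;
    }
    set_transient( $key, $state, $ttl );
}
add_action( 'wp_login_failed', 'lal_record_failure' );

/**
 * Refuse authentication while locked out. Priority 30 runs after WordPress's
 * own username/password check (priority 20), so the error returned here
 * overrides whatever that check produced, correct password included. The
 * same filter is used by xmlrpc.php, so XML-RPC logins are throttled as well.
 */
function lal_check_lockout( $user, $username, $password ) {
    $state = get_transient( lal_key() );
    if ( is_array( $state ) && $state['locked_until'] > time() ) {
        $minutes = (int) ceil( ( $state['locked_until'] - time() ) / 60 );
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed login attempts. Try again in %d minutes.', $minutes )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'lal_check_lockout', 30, 3 );

/** A successful login resets the counter for that client. */
function lal_clear_on_success( $user_login, $user ): void {
    delete_transient( lal_key() );
}
add_action( 'wp_login', 'lal_clear_on_success', 10, 2 );
```

Two things to keep in mind when adapting it: every failure during a lockout restarts the lockout timer, which is what you want against a bot but also means a whole office behind one NAT address can be kept out by a single misbehaving machine, so shorten LAL_LOCKOUT if that bites; and transients live in the database (or the object cache, if one is configured), so the counters are shared across all web servers behind a load balancer.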
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. What it boils down to is an easy way of differentiating human input from machine input. Protecting your login form with a CAPTCHA therefore makes automated brute force attacks considerably harder, though not impossible, since CAPTCHA-solving services exist: it raises the attacker’s cost rather than removing the attack, which is why it belongs alongside login limits and 2FA rather than in place of them.
By default, WordPress tells a user who fails to log in whether it was the username or the password that was wrong (“Unknown username” versus “The password you entered for the username X is incorrect”). To an attacker this confirms which usernames actually exist, so they can concentrate their guesses on real accounts. You can blank out the message by adding the following line to your functions.php file:
add_filter( 'login_errors', '__return_null' ); // WordPress's built-in __return_null() blanks the login error message
(The version of this snippet that circulates online uses create_function(), which was deprecated in PHP 7.2 and removed in PHP 8.0, so it breaks the site on current PHP; the built-in __return_null() callback does the same job.)
You can reach functions.php by navigating to Appearance/Theme Editor and selecting it from the right-hand menu. Paste the line in, but make sure not to disturb any other code already there. Two caveats: a theme update overwrites functions.php, so snippets like this are better kept in a child theme or in a must-use plugin under wp-content/mu-plugins/; and hiding the message does not stop username enumeration by other routes, such as author archives (?author=1 redirects to the author’s URL) or the REST API’s users endpoint, which lists users who have published posts.
For a very long while, it was conventional wisdom to change all passwords periodically, often at three-month intervals, so that a compromised password would only be valid for a limited time. The trouble is that forced rotation pushes people toward predictable variations (Summer2023!, Summer2024!) that are no harder to guess than the original.
These days the recommendation, including in NIST SP 800-63B, is to hold on to a strong, unique password until you have reason to believe it has been exposed, and then change it immediately. You can use a website like Have I Been Pwned? to check whether an account has appeared in a known data breach.
Another thing you can do to protect your admin area is to restrict login access to a closed set of IP addresses. An attacker can route traffic through many different addresses, but cannot simply forge one of yours over a TCP connection, so this is a real hurdle rather than a cosmetic one.
We can only recommend this for users with static IP addresses (a VPN with a fixed exit address counts). If you are not sure whether your users have static or dynamic addresses, find out beforehand, or you will lock them out.
In order to allow login access only from a given IP address, add these lines to the .htaccess file in the wp-admin folder of your website (this is Apache 2.2 syntax; each directive goes on its own line):
Order Deny,Allow
Deny from all
Allow from XX.XX.XX.XX
Of course, you need to replace the placeholder IP (XX.XX.XX.XX) with a proper IP address. To add another address, simply add another Allow from line. Three caveats: on Apache 2.4 these directives only work with mod_access_compat loaded, and the native form is Require ip followed by the address; the login form itself is wp-login.php in the site root, not under wp-admin, so this file does not stop password guessing against it and a matching rule in the root .htaccess is needed as well; and wp-admin/admin-ajax.php is used by the front end for logged-out visitors, so blocking the whole folder can break themes and plugins unless you exempt that file. On nginx, .htaccess files are ignored altogether and the equivalent goes in the server configuration.
Bear in mind, too, that .htaccess is a hidden file (its name starts with a dot), so enable “show hidden files” in your file manager or FTP client if you have trouble finding it.
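The .htaccess rule above guards the wp-admin folder, but the login form is wp-login.php in the site root, and xmlrpc.php and application passwords accept credentials without ever touching wp-login.php. As an added example, not from the article, here is the same allowlist enforced in PHP as a must-use plugin, which also works on nginx where .htaccess is ignored. The addresses in LIA_ALLOWED are documentation ranges and the function names are assumptions:

```php
<?php
/**
 * Plugin Name: Login IP Allowlist (added example)
 *
 * Save as wp-content/mu-plugins/login-ip-allowlist.php. Hypothetical example,
 * not from the article; the addresses below are RFC 5737/3849 documentation
 * ranges and must be replaced with your own.
 */

// Allowed sources: single addresses or CIDR blocks, IPv4 or IPv6 (assumed).
const LIA_ALLOWED = array( '203.0.113.10', '198.51.100.0/24', '2001:db8::/32' );

/** True when $ip lies inside $cidr ("a.b.c.d", "a.b.c.d/n", or the IPv6 equivalents). */
function lia_ip_in_cidr( string $ip, string $cidr ): bool {
    $bits   = null;
    $subnet = $cidr;
    if ( strpos( $cidr, '/' ) !== false ) {
        list( $subnet, $bits ) = explode( '/', $cidr, 2 );
    }
    $ip_bin  = inet_pton( $ip );
    $sub_bin = inet_pton( $subnet );
    // Reject unparsable input and mixed address families.
    if ( $ip_bin === false || $sub_bin === false || strlen( $ip_bin ) !== strlen( $sub_bin ) ) {
        return false;
    }
    $total = strlen( $ip_bin ) * 8;
    $bits  = ( $bits === null ) ? $total : (int) $bits;
    if ( $bits < 0 || $bits > $total ) {
        return false;
    }
    // Compare the whole prefix bytes first, then the partial byte, if any.
    $full = intdiv( $bits, 8 );
    if ( substr( $ip_bin, 0, $full ) !== substr( $sub_bin, 0, $full ) ) {
        return false;
    }
    $rem = $bits % 8;
    if ( $rem === 0 ) {
        return true;
    }
    $mask = ( 0xFF << ( 8 - $rem ) ) & 0xFF;
    return ( ord( $ip_bin[ $full ] ) & $mask ) === ( ord( $sub_bin[ $full ] ) & $mask );
}

/**
 * Address of the connecting client. Only REMOTE_ADDR is trustworthy here. If a
 * reverse proxy or CDN sits in front of PHP, have the web server restore the
 * real client address from the proxy's header; do not read X-Forwarded-For in
 * PHP, where any client can set it to an allowed value.
 */
function lia_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '';
}

function lia_is_allowed( string $ip ): bool {
    foreach ( LIA_ALLOWED as $cidr ) {
        if ( lia_ip_in_cidr( $ip, $cidr ) ) {
            return true;
        }
    }
    return false;
}

/**
 * login_init fires on every request to wp-login.php: the form, the POSTed
 * credentials and the password-reset flow, none of which live under wp-admin.
 */
function lia_guard_login(): void {
    if ( ! lia_is_allowed( lia_client_ip() ) ) {
        wp_die( 'Login is not permitted from your network.', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'login_init', 'lia_guard_login' );

// xmlrpc.php and application passwords (WordPress 5.6+) accept credentials
// without wp-login.php; apply the same allowlist to both.
add_filter( 'xmlrpc_enabled', function ( $enabled ) {
    return $enabled && lia_is_allowed( lia_client_ip() );
} );
add_filter( 'wp_is_application_passwords_available', function ( $available ) {
    return $available && lia_is_allowed( lia_client_ip() );
} );
```

Because the check runs inside WordPress, an attacker still reaches PHP before being refused, so it does not replace the web-server rule as a way of shedding load; its value is covering the entry points the wp-admin .htaccess misses and being identical on Apache and nginx.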
SSL stands for Secure Sockets Layer; its modern successor is TLS (Transport Layer Security), though certificates are still called SSL certificates. It boils down to the standard way of encrypting traffic on the web: the site is served over HTTPS instead of plain HTTP. That means next to nothing to the average visitor, but it matters a great deal to you, because without it usernames, passwords and session cookies cross the network in the clear and can be read or altered by anyone on the path, for example on public Wi-Fi.
What can and does mean a lot to the average user is our tutorial on how to add an SSL certificate for free. Besides protecting credentials in transit, HTTPS is what browsers require for HTTP/2, which can make the site faster, and for marking cookies Secure.
With WordPress powering about 40% of all websites, it should come as no surprise that attackers assume the same basic layout everywhere: add wp-login.php to a website URL, and you’ve reached the login page.
You can create a unique login URL specific to your website instead, and so thwart the less canny attackers and the mass scanners that hit wp-login.php blindly. You don’t even need to know how to code: creating a custom login page is easily done using a free plugin such as Theme My Login. Keep in mind that this is obscurity, not authentication: anyone who discovers the new URL is back where they started, so it complements 2FA and login limits rather than replacing them.
While your users may need to register to use your website, not all of them need to be able to access your dashboard. Also, the more users you have, the more likely you are to get one who will not stick to the guidelines and uses a weak or already-leaked password.
The solution is to limit dashboard access to trusted roles: super admins, administrators and editors. The requisite functionality is provided by (for instance) Remove Dashboard Access, a free and user-friendly plugin.
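As an added example, neither the plugin’s code nor the article’s, here is the same restriction as a must-use plugin, including the exception a practitioner needs for the two files under wp-admin that serve the front end. The capability used to define “trusted” and the redirect target are assumptions:

```php
<?php
/**
 * Plugin Name: Dashboard Access by Capability (added example)
 *
 * Save as wp-content/mu-plugins/dashboard-access.php. Hypothetical example,
 * not from the article.
 */

// Editors, administrators and super admins have edit_others_posts; authors,
// contributors and subscribers do not (assumed choice of capability).
const DAC_REQUIRED_CAP = 'edit_others_posts';

function dac_block_dashboard(): void {
    // admin-ajax.php and admin-post.php live under wp-admin but serve the
    // front end, logged-out visitors included; blocking them breaks themes
    // and plugins that rely on them.
    if ( wp_doing_ajax() ) {
        return;
    }
    $script = basename( $_SERVER['SCRIPT_NAME'] ?? '' );
    if ( in_array( $script, array( 'admin-ajax.php', 'admin-post.php' ), true ) ) {
        return;
    }
    if ( ! current_user_can( DAC_REQUIRED_CAP ) ) {
        wp_safe_redirect( home_url( '/' ) );
        exit;
    }
}
add_action( 'admin_init', 'dac_block_dashboard' );

// The toolbar's links all point into wp-admin, so hide it from the same users.
add_filter( 'show_admin_bar', function ( $show ) {
    return $show && current_user_can( DAC_REQUIRED_CAP );
} );
```

Note that subscribers and authors lose access to their profile page in wp-admin as well; if they need to change their own password or e-mail address, give them a front-end profile form.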
Like most of the tips described above, this one deals with user error, but of a different kind. Whatever you do to keep unauthorized users from logging in will amount to nothing if a logged-in user hands their device to an unauthorized person instead.
Logging out idle users is a safeguard against this exact eventuality: a person losing their device while logged on, or a person using a shared computer and forgetting to log out. By default a WordPress login cookie lasts two days, or fourteen days with “Remember Me” ticked, and there is no idle timeout at all, so a session left open on an unattended machine stays usable for that whole period. A plugin such as Inactive Logout adds the missing idle timeout.
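As an added example, not from the article, here is a must-use plugin that caps the cookie lifetime and adds an idle timeout, storing the last-activity stamp in the session record WordPress already keeps for each login (WP_Session_Tokens). The 20-minute, 8-hour and 1-minute figures and the function names are assumptions:

```php
<?php
/**
 * Plugin Name: Idle Session Logout (added example)
 *
 * Save as wp-content/mu-plugins/idle-logout.php. Hypothetical example, not
 * from the article; the limits below are assumptions.
 */

const ISL_IDLE_LIMIT     = 20 * MINUTE_IN_SECONDS;  // log out after this much inactivity
const ISL_ABSOLUTE_LIMIT = 8 * HOUR_IN_SECONDS;     // hard cap on the cookie lifetime
const ISL_TOUCH_INTERVAL = MINUTE_IN_SECONDS;       // how often the activity stamp is written

/**
 * Cap the auth cookie lifetime. WordPress passes 2 days, or 14 days with
 * "Remember Me"; this keeps whichever is shorter.
 */
function isl_cookie_expiration( $expiration, $user_id, $remember ) {
    return min( (int) $expiration, ISL_ABSOLUTE_LIMIT );
}
add_filter( 'auth_cookie_expiration', 'isl_cookie_expiration', 10, 3 );

/**
 * Idle timeout. Keeping the stamp inside the session record (rather than in a
 * transient) means it survives cache flushes and disappears with the session.
 */
function isl_enforce_idle_timeout(): void {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $token = wp_get_session_token();
    if ( $token === '' ) {
        return;
    }
    $manager = WP_Session_Tokens::get_instance( get_current_user_id() );
    $session = $manager->get( $token );
    if ( ! $session ) {
        return; // unknown token: the cookie is already invalid
    }
    $now  = time();
    $last = isset( $session['last_activity'] ) ? (int) $session['last_activity'] : (int) $session['login'];

    if ( $now - $last > ISL_IDLE_LIMIT ) {
        // Idle too long: destroy this session server-side, so the cookie is
        // useless even if it was copied, then clear it in the browser.
        $manager->destroy( $token );
        wp_clear_auth_cookie();
        if ( ! wp_doing_ajax() && ! wp_doing_cron() ) {
            wp_safe_redirect( wp_login_url() );
            exit;
        }
        return; // an AJAX call just loses its session; the next page load redirects
    }

    // Refresh the stamp, but not on every request: each update is a user-meta
    // write, so throttle it to once per ISL_TOUCH_INTERVAL.
    if ( $now - $last >= ISL_TOUCH_INTERVAL ) {
        $session['last_activity'] = $now;
        $manager->update( $token, $session );
    }
}
add_action( 'init', 'isl_enforce_idle_timeout' );
```

Destroying the session on the server is the part that matters for security: merely clearing the cookie in the browser would leave a copied cookie valid until its expiry date.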
If a user account is compromised, you may be able to make it safe again by resetting its password. You could use one of several methods for resetting passwords on localhost, or reset the password from the database. You could also try a plugin such as MASS Users Password Reset, especially if a large number or a whole group of users was affected.
Resetting the password is only half the job: sign the account out of its existing sessions as well (the Sessions section of the user’s profile page in the dashboard has a button for that), and have the user choose a new strong password as soon as they log on again.
A web application firewall is a filter for the traffic your website gets, dropping known attack patterns and abusive clients before they reach WordPress, and there are plenty of those. Your hosting provider might already be offering one, or you could install your own firewall and filter out any unwanted traffic.
There is nothing stopping you from using both, though: even if your hosting provider has a firewall, you could double down on your protection and install a WordPress firewall plugin to keep out unwanted traffic that somehow pushes through your provider’s defenses. Bear in mind that a plugin-based firewall runs inside WordPress, so it only sees requests PHP is already handling; a firewall at the host or network level stops them earlier and cheaper.
You could add an additional layer of protection to the back end of your website by password-protecting your wp-admin folder with HTTP authentication, so that the browser asks for credentials before WordPress’s own login form is even shown. To do this, use your hosting’s cPanel dashboard, where you should be able to find the Directory Privacy icon.
Once you get there, navigate to public_html/wp-admin and tick Password protect this directory. You will then be prompted to create login credentials for the directory, and, from then on, anyone attempting to access the wp-admin folder has another hoop to jump through. The same caveat as for IP restriction applies: wp-admin/admin-ajax.php serves front-end requests, including for logged-out visitors, so exempt that file from the protection (an Apache <Files> exception for admin-ajax.php in the same .htaccess) or expect some themes and plugins to break.
Obsolete themes and plugins, as well as an obsolete WordPress core, are a liability. Many updates exist precisely to fix security vulnerabilities, and once a fix is published the vulnerability it closes is public knowledge, so sites that have not applied it become easy targets. A developer may also go out of business or simply abandon a piece of software entirely, leaving everyone who uses it exposed.
This is why you should never run out-of-date software. If an update is available, take it. Update WordPress, update your theme, update your plugins, update everything. Replace abandoned plugins rather than keeping them, and take a backup first so that an update that breaks something can be rolled back.
In Conclusion
There you have it, our list of tips on how to protect your WordPress admin area. Most of these tips take literally a minute or so to implement and are free, so if you are looking for ways to protect your admin area from less than conscientious people, you have a full toolbox. And finally, if all else fails, restore from a clean backup taken before the compromise, and then change all passwords, since restoring the files does not undo what the attacker learned.