{"id":32080,"date":"2021-11-23T15:00:57","date_gmt":"2021-11-23T14:00:57","guid":{"rendered":"https:\/\/qodeinteractive.com\/magazine\/?p=32080"},"modified":"2022-01-11T11:19:45","modified_gmt":"2022-01-11T10:19:45","slug":"how-to-protect-wordpress-admin-area","status":"publish","type":"post","link":"https:\/\/qodeinteractive.com\/magazine\/how-to-protect-wordpress-admin-area\/","title":{"rendered":"How to Protect Your WordPress Admin Area: 15 Tips"},"content":{"rendered":"<div class=\"wpb-content-wrapper\"><p>[vc_row][vc_column][vc_column_text]Internet security concerns are rising across the board, and your very own WordPress admin area <strong>may be open to security threats<\/strong>. Some of these security threats are alarmingly common, but, fortunately, the fixes for the most common issues are very easy. In this article, we will be addressing several easy ways of protecting your <a href=\"https:\/\/qodeinteractive.com\/magazine\/wordpress-admin-bar\/\">WordPress admin<\/a> area from attacks.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]Here\u2019s what you can do to keep your admin area safe:<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;22px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#always-use-strong-password\">Always Use a Strong Password<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#introduce-two-factor-authentication\">Introduce Two-Factor Authentication<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n      
      <span class=\"qodef-ul-title-content\"><a href=\"#limit-login-attempts\">Limit Login Attempts<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#add-captcha-to-your-login-page\">Add CAPTCHA to Your Login Page<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#remove-the-error-message-from-the-login-page\">Remove the Error Message From the Login Page<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#change-any-compromised-passwords\">Change Any Compromised Passwords<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#restrict-login-access\">Restrict Login Access<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#use-ssl\">Use SSL<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a 
href=\"#create-custom-login-url\">Create a Custom Login URL<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#limit-dashboard-access\">Limit Dashboard Access<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#log-out-idle-users\">Log Out Idle Users<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#emergency-reset-passwords\">Emergency Reset Passwords<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#use-firewall\">Use a Firewall<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#password-protect-your-wordpress-admin-directory\">Password Protect Your WordPress Admin Directory<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#update-everything\">Update Everything<\/a><\/span>      
  <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\"><a id=\"always-use-strong-password\"><\/a>Always Use a Strong Password<\/h2>\n<p>[\/vc_column_text][vc_empty_space height=&#8221;21px&#8221;]<div class=\"qodef-single-image-holder    \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"553\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Always-Use-a-Strong-Password.jpg\" class=\"attachment-full size-full\" alt=\"Always Use a Strong Password\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Always-Use-a-Strong-Password.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Always-Use-a-Strong-Password-300x171.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Always-Use-a-Strong-Password-768x438.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Always-Use-a-Strong-Password-620x354.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]This should be a given: <strong>you should not ever rely on a default password<\/strong> for anything, let alone anything important, and the same goes for weak passwords. Most alarmingly, <a href=\"https:\/\/nordpass.com\/most-common-passwords-list\/\" target=\"_blank\" rel=\"noopener\">millions of people use <em>123456<\/em><\/a> for a password.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]So, always use a strong password. 
But what is a strong password, exactly?<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]If you have been on the internet at all this past decade or so, you must have seen a meme about a website insisting that a password must contain \u201cat least one digit, one special character, one Egyptian hieroglyph\u201d and so on. That\u2019s actually not that far removed from the truth of the matter: <strong>avoid using dictionary words, names, birth dates, and other personal data<\/strong> which may be readily accessible online. Use a <strong>password generator<\/strong> (there are plenty of those online), and, if you are worried about remembering a password which makes no sense to you, we suggest <a href=\"https:\/\/qodeinteractive.com\/magazine\/best-password-manager-tools\/\">using a password manager tool<\/a>.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]You should also require all your users to use strong passwords, especially users with admin credentials.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\"><a id=\"introduce-two-factor-authentication\"><\/a>Introduce Two-Factor Authentication<\/h2>\n<p>[\/vc_column_text][vc_empty_space height=&#8221;21px&#8221;]<div class=\"qodef-single-image-holder    \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"554\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Introduce-Two-Factor-Authentication.jpg\" class=\"attachment-full size-full\" alt=\"Introduce Two-Factor Authentication\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Introduce-Two-Factor-Authentication.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Introduce-Two-Factor-Authentication-300x172.jpg 300w, 
https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Introduce-Two-Factor-Authentication-768x439.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Introduce-Two-Factor-Authentication-620x354.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]Another easily installed hurdle for would-be hackers is to <a href=\"https:\/\/qodeinteractive.com\/magazine\/wordpress-two-factor-authentication\/\">add two-factor authentication<\/a>. In the simplest of terms, two-factor authentication requires <strong>user identification in addition to the password<\/strong>, so that, even if your login data is compromised or becomes known to a malicious user, they still cannot access your admin area.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]This involves a unique identifier in the form of another code sent via text to the user\u2019s mobile phone, or an additional one-time password or similar.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\"><a id=\"limit-login-attempts\"><\/a>Limit Login Attempts<\/h2>\n<p>[\/vc_column_text][vc_column_text]To further safeguard your login page, we suggest you <a href=\"https:\/\/qodeinteractive.com\/magazine\/limit-login-attempts-in-wordpress\/\">limit the number of login attempts<\/a> on your website. Sometimes, a hacker will use something called a brute force attack to gain access to your website. This is basically the act of guessing your password. Of course, this is not done by a human: hackers use scripts to take thousands of guesses hoping they stumble upon your password. 
This is the reason why you should avoid dictionary words, by the way.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]Everybody forgets a password or makes a typo from time to time. So <strong>use a login limiter<\/strong> judiciously, but do use it. If a well-meaning user still manages to fail to log in too many times, that\u2019s not the end of the world \u2013 <a href=\"https:\/\/qodeinteractive.com\/magazine\/complete-guide-to-handling-too-many-failed-login-attempts-in-wordpress\/\">handling multiple failed login attempts<\/a> can cost you some time, but the consequences of a hacker gaining access to the back end of your website are far worse.[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\"><a id=\"add-captcha-to-your-login-page\"><\/a>Add CAPTCHA to Your Login Page<\/h2>\n<p>[\/vc_column_text][vc_empty_space height=&#8221;21px&#8221;]<div class=\"qodef-single-image-holder    \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"554\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Add-CAPTCHA-to-Your-Login-Page.jpg\" class=\"attachment-full size-full\" alt=\"Add CAPTCHA to Your Login Page\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Add-CAPTCHA-to-Your-Login-Page.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Add-CAPTCHA-to-Your-Login-Page-300x172.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Add-CAPTCHA-to-Your-Login-Page-768x439.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Add-CAPTCHA-to-Your-Login-Page-620x354.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]CAPTCHA 
stands for Completely Automated Public Turing test to tell Computers and Humans Apart. What it boils down to is an easy way of differentiating human input from machine input. This means that, if you <a href=\"https:\/\/qodeinteractive.com\/magazine\/add-captcha-to-wordpress\/\">protect your website with CAPTCHA<\/a>, you will <strong>render brute force attacks even more difficult<\/strong> and otherwise add an extra layer of security to your website.[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\"><a id=\"remove-the-error-message-from-the-login-page\"><\/a>Remove the Error Message From the Login Page<\/h2>\n<p>[\/vc_column_text][vc_column_text]By default, when a login attempt fails, WordPress tells the user whether it was the user name or the password that was wrong. Assuming a human hacker attempts to log in using some of your genuine data known to them, this is a useful hint. You can <strong>remove the error message<\/strong> by adding the following code to your <em>functions.php<\/em> file:[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">\/\/ Hide the login error text. A closure is used because create_function() was removed in PHP 8.0.\r\nadd_filter('login_errors', function ($a) { return null; });<\/pre>\n<p>[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]You can access your <em>functions.php<\/em> file by navigating to <strong>Appearance\/Theme Editor<\/strong> and selecting it from the right-hand side menu. 
Paste the above line of code, but make sure not to disturb any other code which might already be there.[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\"><a id=\"change-any-compromised-passwords\"><\/a>Change Any Compromised Passwords<\/h2>\n<p>[\/vc_column_text][vc_empty_space height=&#8221;21px&#8221;]<div class=\"qodef-single-image-holder    \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"553\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Change-Any-Compromised-Passwords.jpg\" class=\"attachment-full size-full\" alt=\"Change Any Compromised Passwords\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Change-Any-Compromised-Passwords.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Change-Any-Compromised-Passwords-300x171.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Change-Any-Compromised-Passwords-768x438.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Change-Any-Compromised-Passwords-620x354.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]For a very long while, it was conventional wisdom to change all passwords periodically \u2013 often in three month intervals. 
That way, in case your password is compromised, the possible damage is contained to the time period for which the password is valid.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]These days, it is typically recommended that, unless you are aware of a security breach, you <strong>hold on to a strong password.<\/strong> You can use a website like <a href=\"https:\/\/haveibeenpwned.com\/\" target=\"_blank\" rel=\"noopener\">Have I Been Pwned?<\/a> to check for known user data breaches.[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\"><a id=\"restrict-login-access\"><\/a>Restrict Login Access<\/h2>\n<p>[\/vc_column_text][vc_column_text]Another thing you can do to protect your admin area is to <strong>restrict login access to a closed set of IP addresses<\/strong>. Of course, there are ways to mask an IP address, but this is another hurdle for a hacker to jump over.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]Furthermore, we can only recommend this for users with static IP addresses. If you are not sure whether your users are <a href=\"https:\/\/qodeinteractive.com\/magazine\/static-ip-vs-dynamic-ip-in-wordpress-explained\/\">using static or dynamic IP addresses<\/a>, make sure to find out beforehand.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]In order to allow login access to an IP address, add this code to the <em>.htaccess<\/em> file which is located in the <em>wp-admin<\/em> folder of your website:[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\"># Order takes a single argument, so there is no space after the comma.\r\n# On Apache 2.4 these directives are provided by mod_access_compat.\r\norder deny,allow\r\nallow from XX.XX.XX.XX\r\ndeny from all<\/pre>\n<p>[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]Of course, you need to replace the placeholder IP (XX.XX.XX.XX) with a proper IP address. 
To add another address, simply add another allow line to your file.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]Bear in mind, though, that some files may be hidden, and that you may have trouble <a href=\"https:\/\/qodeinteractive.com\/magazine\/find-htaccess-file-on-wordpress-site\/\">finding the .htaccess file<\/a>.[\/vc_column_text][vc_empty_space height=&#8221;80px&#8221;][vc_widget_sidebar sidebar_id=&#8221;new-top-picks-banner&#8221;][vc_empty_space height=&#8221;80px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\"><a id=\"use-ssl\"><\/a>Use SSL<\/h2>\n<p>[\/vc_column_text][vc_column_text]SSL stands for Secure Sockets Layer, and it boils down to a standard data encryption protocol used online. On a technical level, it involves <strong>using the HTTPS transfer protocol<\/strong> instead of the HTTP one, but that means next to nothing to the average user.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]What can and does mean a lot to the average user is our tutorial on <a href=\"https:\/\/qodeinteractive.com\/magazine\/how-to-add-free-ssl-certificate-wordpress\/\">how to add an SSL certificate for free<\/a>. 
Not only does it ward off malware, it has a positive effect on website speed.[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\"><a id=\"create-custom-login-url\"><\/a>Create a Custom Login URL<\/h2>\n<p>[\/vc_column_text][vc_column_text]WordPress powering about 40% of the internet, it should come as no surprise that a lot of the websites end up having the same basic architecture: add wp-login.php to a website URL, and you\u2019ve reached the login page.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]You can <strong>create a unique login URL<\/strong>, specific to your website instead, and so thwart some of the less canny hackers, or at least deny them the opportunity to automate their attacks easily. You don\u2019t even need to know how to code: <a href=\"https:\/\/qodeinteractive.com\/magazine\/how-to-create-wordpress-frontend-login-page\/\">creating a custom login page<\/a> is easily done using a free plugin such as <a href=\"https:\/\/wordpress.org\/plugins\/theme-my-login\/\" target=\"_blank\" rel=\"noopener\">Theme My Login<\/a>.[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\"><a id=\"limit-dashboard-access\"><\/a>Limit Dashboard Access<\/h2>\n<p>[\/vc_column_text][vc_empty_space height=&#8221;21px&#8221;]<div class=\"qodef-single-image-holder    \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"554\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Limit-Dashboard-Access.jpg\" class=\"attachment-full size-full\" alt=\"Limit Dashboard Access\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Limit-Dashboard-Access.jpg 969w, 
https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Limit-Dashboard-Access-300x172.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Limit-Dashboard-Access-768x439.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Limit-Dashboard-Access-620x354.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]While your users may need to register to use your website,<strong> not all of your users need to be able to access your dashboard<\/strong>. Also, the more users you have, the more likely you are to get a user who will not stick to the guidelines and use an easily breakable or compromised password.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]The solution is to limit the access to your dashboard to trusted users by role: the<strong> super admins, admins,<\/strong> and <strong>editors<\/strong>. The requisite functionality is provided with (for instance) <a href=\"https:\/\/wordpress.org\/plugins\/remove-dashboard-access-for-non-admins\/\" target=\"_blank\" rel=\"noopener\">Remove Dashboard Access<\/a>, a free and user-friendly plugin.[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\"><a id=\"log-out-idle-users\"><\/a>Log Out Idle Users<\/h2>\n<p>[\/vc_column_text][vc_column_text]Like most of the tips described above, this one deals with user error. The type of user error, however, is different. 
Whatever you do to keep unauthorized users from logging in will amount to nothing if a user grants access to their device to an unauthorized person instead.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]<strong>Logging out idle users is a safeguard<\/strong> against this exact eventuality: a person losing their device while logged on, or a person using a device other people have access to and forgetting to log out. WordPress has no upper limit on a session by default, so a user can theoretically be logged on indefinitely. This is remedied with a plugin such as <a href=\"https:\/\/wordpress.org\/plugins\/inactive-logout\/\" target=\"_blank\" rel=\"noopener\">Inactive Logout<\/a>.[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\"><a id=\"emergency-reset-passwords\"><\/a>Emergency Reset Passwords<\/h2>\n<p>[\/vc_column_text][vc_column_text]If a certain user is compromised, you may be able to<strong> reset their password and make it safe again<\/strong>. You could try <a href=\"https:\/\/qodeinteractive.com\/magazine\/wordpress-reset-admin-password-localhost\/\">several methods for resetting passwords on localhost<\/a>, or <a href=\"https:\/\/qodeinteractive.com\/magazine\/how-to-reset-wordpress-password\/\">reset a password from the database<\/a>. 
You could also try a plugin such as <a href=\"https:\/\/wordpress.org\/plugins\/mass-users-password-reset\/\" target=\"_blank\" rel=\"noopener\">MASS Users Password Reset<\/a>, especially in case a large number or a group of users was affected.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]This should be followed by choosing a strong password immediately after the compromised user has logged on again.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\"><a id=\"use-firewall\"><\/a>Use a Firewall<\/h2>\n<p>[\/vc_column_text][vc_empty_space height=&#8221;21px&#8221;]<div class=\"qodef-single-image-holder    \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"554\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Use-a-Firewall.jpg\" class=\"attachment-full size-full\" alt=\"Use a Firewall\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Use-a-Firewall.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Use-a-Firewall-300x172.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Use-a-Firewall-768x439.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Use-a-Firewall-620x354.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]A firewall is a filter for the traffic your website gets, and there are plenty of those. 
Your hosting provider might already be offering a firewall, or you could<strong> install your own firewall<\/strong> and filter out any unwanted traffic.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]There is nothing stopping you from using both, though: even if your hosting provider has a firewall, you could double down on your protection and install a <a href=\"https:\/\/qodeinteractive.com\/magazine\/best-firewall-plugins-for-wordpress\/\">WordPress firewall plugin<\/a> to keep out unwanted traffic that somehow pushes through your provider\u2019s defenses.[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\"><a id=\"password-protect-your-wordpress-admin-directory\"><\/a>Password Protect Your WordPress Admin Directory<\/h2>\n<p>[\/vc_column_text][vc_column_text]You could <strong>add an additional layer of protection<\/strong> to the back end of your website by password-protecting your<em> wp-admin<\/em> folder, which contains some critical files. To do this, use your hosting\u2019s cPanel dashboard, where you should be able to find the <em>Directory Privacy<\/em> folder icon.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]Once you get there, navigate to <em>public_html\/wp-admin<\/em> and check <strong>Password protect this directory<\/strong>. 
You will then be prompted to create login credentials for the directory, and, from then on, anyone attempting to access the <em>wp-admin<\/em> folder will have another hoop to jump through.[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\"><a id=\"update-everything\"><\/a>Update Everything<\/h2>\n<p>[\/vc_column_text][vc_empty_space height=&#8221;21px&#8221;]<div class=\"qodef-single-image-holder    \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"554\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Update-Everything.jpg\" class=\"attachment-full size-full\" alt=\"Update Everything\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Update-Everything.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Update-Everything-300x172.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Update-Everything-768x439.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/11\/Update-Everything-620x354.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]Obsolete themes and plugins, as well as WordPress itself, are a liability. In fact, part of the reason why WordPress, themes and plugins are often updated is to <strong>repair vulnerabilities<\/strong>. A developer may go out of business and simply choose to abandon a piece of software entirely, and leave many users vulnerable.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]This is why you should <strong>never use an out of date piece of software<\/strong>. If an update is available, take it. 
<a href=\"https:\/\/qodeinteractive.com\/magazine\/wordpress-update\/\">Update WordPress<\/a>, <a href=\"https:\/\/qodeinteractive.com\/magazine\/how-to-update-a-wordpress-theme-without-losing-customization\/\">update your theme<\/a>, <a href=\"https:\/\/qodeinteractive.com\/magazine\/how-to-update-a-wordpress-theme-without-losing-customization\/\">update your plugins<\/a> \u2013 update everything.[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\">In Conclusion<\/h2>\n<p>[\/vc_column_text][vc_column_text]There you have it, our list of tips on how to protect your WordPress admin area. Many of these tips take literally less than a minute or so to implement and are free, so if you are looking for ways to protect your admin area from less than conscientious people, you have a full toolbox. And finally, if all else fails \u2013 revert to the latest backup.<br \/>\n[\/vc_column_text][\/vc_column][\/vc_row]<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Looking to keep your website safe? 
Take a tip from us &#8211; take 15 tips, in fact &#8211; and protect your WordPress admin area from attacks.<\/p>\n","protected":false},"author":16990,"featured_media":32126,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[34,4,13],"class_list":["post-32080","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-resources","tag-security","tag-tips","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/posts\/32080","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/users\/16990"}],"replies":[{"embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/comments?post=32080"}],"version-history":[{"count":0,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/posts\/32080\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/media\/32126"}],"wp:attachment":[{"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/media?parent=32080"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/categories?post=32080"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/tags?post=32080"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}