Skip to Main Content

7 ways to protect your WordPress admin area

Divi: the easiest WordPress theme to use

Easily create your website with Elementor

Elementor allows you to easily create any website design with a professional look. Stop paying expensive for what you can do yourself. [Free]

Your WordPress admin area is the hub of your website. Simply log into your account and you will be able to access your customers' data, connect with visitors, install new plugins, modify your site code, and much more. Unless you take steps to protect your dashboard, a hacker can too.

If a malicious third party manages to gain unauthorized access to your admin dashboard, the results could be devastating. Fortunately, there are several ways to secure this area from hackers and minimize threats against it.

In this article, we'll share seven techniques to protect your WordPress admin area from malicious attacks. By following our tips, you can make it more difficult for hackers to access your account, even if they have your username and password. Let's get started!

Why it's important to protect your WordPress admin area

If a malicious third party manages to hack your WordPress account, they will have access to all of your data. This includes the private information of everyone who has already registered on your website. If you accept payments, it can even include financial information such as credit card details.

This type of data breach could cause irreparable damage to your reputation. Depending on your local laws, this could even lead you to legal hot water, as your website has an obligation to protect confidential customer data.

Even if you manage to avoid losing all of your customers and face legal repercussions, the cost of cleaning up after a cyberattack is enormous. It is best to avoid having to go this route.

Many attacks specifically target the WordPress admin area, including brute force attacks. These involve a hacker bombarding your login page with common combinations of password and username in the hopes of finding a match.

WordPress is particularly vulnerable to brute force attacks because by default the WordPress administrator username and login URL are the same for every installation. If you use these defaults, an attacker only has to guess your password.

By making a few changes to your WordPress login screen, you can help protect your account from a wide range of attacks.

Divi: The best WordPress theme of all time!

With over 901.000 downloads, Divi is the most popular WordPress theme in the world. It is complete, easy to use and comes with more than 62 free templates. [Recommended]

7 ways to protect your WordPress admin area

If a hacker breaks into your dashboard, they could potentially steal your confidential customer data, install malware, kick you out of your own account, or even delete your website completely. To help protect your visitors, data, and content, it is essential that you take steps to protect your WordPress admin area.

1. Never use the default administrator username

By default, the username is assigned to the first user account for each new WordPress installation admin. If you stick to it, hackers already know your username and only have to acquire or guess your password to break in.

If you are currently using admin as username, it is strongly recommended to change it. You can do this by selecting Users> All users in the sidebar of your dashboard, then open your profile to edit it:

While you are here, you should also make sure that you are using a secure password that includes a combination of upper and lower case letters, numbers, and symbols.

You can also create a completely random password using WordPress' built-in generator or a third-party tool such as Last pass. If you're worried about forgetting it, consider storing your credentials using a password manager.

2. Protect your password wp-admin dossier

Any third party can request your wp-admin folder and login page without passing any type of authentication. the wp-admin The folder contains important administrative files, so you need to protect it with a username and password.

You should be able to add that extra layer of security through your hosting control panel. In cPanel, open the Directory confidentiality folder:
The privacy icon for the cPanel dashboard file directory.
Then go to public_html / wp-admin. Here, select the Password protect this directory check box:
The directory privacy record, as it appears in cPanel.
When prompted, create credentials for your wp-admin folder and click Save. Now every time someone tries to access the wp-admin directory, WordPress will ask for this username and password.

3. Create a custom login URL

You can access the login screen of any WordPress website by adding /wp-login.php at the URL of this website. For example, if your domain is, then your login page is at

If you are using the WordPress default, your website login page is common knowledge. Worse, if you use the standard /wp-login.php URL and default admin username, then a hacker already has two of the three pieces of information required to access your admin area.

You can create a custom login URL using a plugin such as Hide WPS connection. Once installed, select Settings> Hide WPS connection from your dashboard menu. You can then enter a new URL in the Login url field.

Save your changes and your WordPress admin area will now only be accessible through this new URL. Even if a hacker has your username and password, they will not be able to access your login screen.

4. Limit connection attempts

WordPress does not prevent users from attempting to log in, even if they enter an incorrect password multiple times. This makes your website vulnerable to brute force attacks. Hackers could potentially use an automated script to bombard your account with hundreds or even thousands of potential passwords.

Are you looking for the best WordPress themes and plugins?

Download the best plugins and WordPress themes on Envato and easily create your website. Already more than 49.720.000 downloads. [EXCLUSIVE]

You can limit connection attempts using the Wordfence Security Plugin. Once you've installed it, navigate to Wordfence> All options. Under Firewall options, select Protection against brute force:
The settings of the Wordfence plugin.
Then make sure to turn on the Activate brute force protection setting. You can then specify the number of failed login attempts that WordPress should allow before blocking the offending IP address.

5. Configure two-factor authentication (2FA)

2FA is a security system where users need to pass additional verification before accessing your WordPress admin area. You can add it to your WordPress account using a security plugin like Wordfence.

As part of Wordfence's 2FA feature, you'll install an authenticator app on your smartphone or tablet. When you try to log into your WordPress admin area, a security code will be sent to your mobile device.

You can verify your identity by entering this code on your WordPress login screen. Assuming the hacker doesn't have access to your personal smartphone or tablet, 2FA is an effective way to secure your account.

You can also protect your ManageWP account using 2FA so that attackers cannot access your sites in this way either. To activate this function, Sign into your account. You can then click on your username, followed by Settings> Security:
ManageWP security settings.
ManageWP will then walk you through the process of setting up 2FA. ManageWP uses the Google Authenticator app, available for iOS et Android.

6. Use a website application firewall (WAF)

A WAF monitors your website traffic and prevents suspicious requests from reaching your site. You can configure one using a plugin such as Wordfence.

When installing Wordfence web application firewall for the first time, it is recommended to leave it in learning mode for at least a week. This allows Wordfence to monitor your website and learn how to best protect it, while still allowing legitimate visitors to pass.

You can also optimize the firewall by going to WordPress> Firewall> Click here to configure. As part of the optimization process, Wordfence will select a recommended server configuration for your website. However, you can manually select your server configuration if necessary.

7. Restrict login access to specific IP addresses

If only a few users need to access your WordPress admin area, you can limit connections to specific IP addresses by changing those on your site..htaccess drop off. This allows you to block users from all unknown IP addresses.

It is recommended that you create a full backup before changing your..htaccess drop off. You can access it via the file transfer protocol (FTP) or by using the file manager of your host:
CPanel file manager.
Once you have found .htaccess and opened it for editing, you can add the following code:

AuthUserFile / dev / null AuthGroupFile / dev / null AuthName "WordPress Admin Access Control" AuthType Basic order deny, allow deny from all # whitelist IP address allow from

Be sure to replace with your own IP address and save your changes. Now users will only be able to access your WordPress admin area from the specific IP addresses listed here.


Malicious third parties want to gain access to your WordPress administrative area, but there are steps you can take to protect your website from these attacks. This can help you avoid damaging your reputation, incurring legal consequences, and paying for expensive site cleanups.

Easily create your Online Store

Download free WooCommerce, the best e-commerce plugins to sell your physical and digital products on WordPress. [Recommended]

To help protect your website, data and visitors, we recommend that you make it as difficult as possible for hackers to gain access to your login page, overriding the standard. wp connection URL with a custom link, using a WAF and limiting login access to specific IP addresses if you can.

Do you have questions on how to protect your WordPress admin area? Let us know in the comments section below!

Image Credit: Unsplash.

Source link

This article features 0 comments

Leave a comment

Your email address will not be published. Required fields are marked with *

This site uses Akismet to reduce unwanted. Learn more about how your comments data is used.

Back To Top