WordPress Admin Panel Security tips & Hacks
Protect Your WordPress Admin Panel Security tips & Tricks.
There are quite a few times that a WordPress website are prone to hackers. These guys like you enter your WordPress admin panel, deface them or ruin your work. This can be troublesome for you as this is for us, but we have some tips and tricks that can save you from the agony of getting your site hacked.
WordPress Admin panel is what we should focus on protecting, this is the area which controls all the features that can make changes to your website. If you protect the Admin panel effectively then there will be very less chances that your website can be hacked easily.
There are many tips on this list by which you can make your WordPress admin panel security tips & hacks, you can choose the one you like to have on your website. Having more security features enabled to your website will give you more protection against hackers.
1 – Have a strong Password
This is one of the most common mistake that people does by having a weak password, weak passwords are one of the biggest culprit in getting your site hacked. Weak passwords are easy to guess, when the hackers likes to hack they start entering passwords one after another. It will take more combinations to hack a complex password than a simple one.
Don’t make your password easy to guess, don’t use the password you use for login into your email or anywhere else. Try to use a different password, make it harder by using lower and upper case for letters, you should also include numbers and special characters like “@$%&” etc.
There is a WordPress password indicator present while choosing a password, you can use that to know whether your password is strong or not. You should make a practice that to change your password periodically, if some how someone gets you know your password then by changing it will make the earlier password useless.
2 – Limit Login Attempts
This is another way to make you website secure from hackers, you can limit the login attempts made by a user. This can be achieved by using a plugin names as
With the use of this plugin you can set the number of time a user is allowed to make login attempts before getting locked out. You can even set the time for which you want a user to limit a user from making another login attempt.
From setting page of limit login attempts plugin you can set the number of login attempts and time you like to limit.
3 – Custom Login URL
Its very easy to find out that you are using a WordPress as your CMS. When a hacker finds out that you are using WordPress then they know about your login URL. By default the username assigned by WordPress go by the word “admin“, once they know that they only have to guess you password and they are entry the admin area of your website.
To protect this you should change the login and admin file address. You can use a plugin known as iThemes Security (formerly Better WP Security) to change the URL for your login and admin area.
This plugin will help you to change the login URL to the any URL you like. This plugin is very essential for your website security. (Note: This plugin also in the list of best free WordPress security plugins.)
4 – Keep away from “Admin” Username
When you install wordpress CMS the default username allotted by WordPress is “admin“. Most of the people don’t change this or make another user account and leave that as it is. This is bad for your blog security, hackers can easily know that your blog is running on WordPress CMS, if you leave the username “admin” as it is then they only have to do is get the password.
To get the password they can try some guess-work or a script that can try the password one after another. There is seen that hackers use brute force attack to get into your account.
You should create a new user with a username that is hard to guess, while creation of new user you have to give the administrator rights. After creation of new user you should delete the one with username “admin“, then hacker have to know your username in order to use the hack script.
5 – Limit access via IP
You can limit the access to your wp-admin by assigning rights to login from certain IP addresses. To this you have to place some code in your .htaccess file. You don’t already have a .htaccess file the you have to place it in your /wp-admin/ folder. Now you have to past the following code in it.
AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "WordPress Admin Access Control" AuthType Basic &lt;LIMIT GET&gt; order deny,allow deny from all allow from xx.xx.xx.xxx allow from xx.xx.xx.xxx allow from xx.xx.xx.xxx &lt;/LIMIT&gt;
This xx.xx.xx.xxx is where you have you put the IPs you like to allow access to, Keep in mind that if you have dynamic IP then you should keep away from this method. As when the IP changes then you won’t be able to login to your website.
6 – Password Protect wp-admin Directory
As you must be knowing by now that all the crucial data is in your wp-admin directory, having it password protected will only help in adding a layer of security to your website core information. You can do it easily by going to your cPanel of your hosting and look for security tab, there you will find an icon with name “password protects directories“.
After clicking the icon you will see a window asking to select the directory you want to password protects. here you have to click the root, then navigate to wp-admin directory.
After selecting the directory you will see the window where you have to put the name for the directory you are protecting. then after you have to select a username & password for the wp-admin directory.
That it you are done, you have successfully password protected your wp-admin directory.
7 – Remove Error Message
Whenever you put a wrong password the you get the error message on your WordPress login screen that you have wrong password for the username, in case or wrong username the error will be invalid username. This way the hacker will get to know that the username is correct and all they have to find is password.
In such case the hacker will try a brute force attack and try random password to get access to admin panel of your website.
To protect you from sharing this kind of information you have to remove the error message, you can do it manually or with the use of a plugin.
Manual way is by adding a code to the functions.php file. All you have to do is open your functions.php file and past the below code in it.
add_filter('login_errors',create_function('$a', "return null;"));
After inserting this code in functions.php file your error message will be blank.
The other way is by using a plugin, there is a plugin called secure WordPress that will help you remove error massage with an ease
8 – Use SSL Security encryption on Login Page
With this you will be able to add SSL encryption to your login page. What this means is that whenever you enter your information like username or password, it will get encrypted. To have SSL encryption on your login or any page you like to secure you must first check with your webhost for shared SSL certificate.
If you don’t have the SSL certificates then you have to buy it. There are many companies from where you can purchase SSL certificates. After owning it you have to put it in your website, easy way of doing it is to use a plugin. there is a plugin named WordPress HTTPS, this will help you to add SSL certificates with an ease.
9 – Use Firewall
A firewall will help you to intercept the suspicious activities that can harm your website. You can add a firewall to your WordPress website with the help of a plugin, it will detect and intercepts the suspicious activities, it will also keep a log file for your reference.
There is a plugin called All In One WP Security & Firewall, this will provide a firewall with some additional security features to your website.
This will protect your WordPress Admin panel from security breach.
10 – Use Antivirus
Many people confuse antivirus with firewall, when firewall protects your website for suspicious activities, an antivirus scans your website for infected files and removes them to keep your website secure.
There are many plugins out there by which you can have Antivirus protecting your website, One of such plugin is named as Antivirus, This plugin will scan and protect your website form virus,
This plugin has a feature to do manual scanning to find infected files, with this plugin you don’t have to worry about spam injections as this plugin will protect you from that too.
11 – Latest WordPress version
WordPress releases the updated version of WordPress CMS from time to time, with these updates they also release the list of bugs and security fix which can harm your WordPress admin area. So it is very important to update the WordPress to the latest version.
With older version of WordPress hackers know that which vulnerabilities are there in that specific version and can target your website depending on the security flaw.
12 – Dual Security Login
To have a dual system for login into your WordPress admin panel gives Security addon to your site. What is a dual security login. In easy way i can tell you that in this you have confirm your login identity on two ways.
There is a plugin called Duo Two-Factor Authentication which will give you feature to add dual ways authentication to let you login to your website.
With the help of this plugin you will get mobile app from which you have to authenticate to login to your account. if you don’t like to install an app then you can opt for phone or sms conformation, you can also get a one time password on your mobile to login.
There is a tip that you should always have a backup for your site in case any thing goes wrong then you can get it back on track. You should check our list of best free WordPress backup plugins to make it easier to take backup automatically.
These are the WordPress Admin Panel Security tips & tricks which can save you from getting your site messed up by protecting your admin panel. If you know any other way then please drop us a comment in the section below.