14 ways to protect wordpress admin area - Technology tips

Do you see a lot of attacks on your WordPress admin area? Protecting the admin area from unauthorized access allows you to block many common security threats. In this article, we will show you some important tips and hacks to protect your WordPress admin area.

Tips to protect wordpress admin area

1. Use the Firewall site application

Website application firewall or WAF monitors website traffic and blocks suspicious requests from accessing your website.

There are many WordPress firewall plugins, but you should use Sucuri. This is a website security and monitoring service that provides cloud-based WAF to protect your website.

Sucuri powerful firewall for wordpress

All your website traffic goes through their cloud proxy first, where they analyze each request and block suspicious people from ever visiting your site. It prevents your site from hacking, phishing, malware and other malicious activities.

2. Password protect WordPress admin directory

Your WordPress admin area is protected with your WordPress password. However, adding password protection to your WordPress admin directory will add another layer of security to your site.

First log into the cPanel dashboard on your host and then click on the ‘Password Protect Directories’ or ‘Directory Privacy’ icon.

Next, you will need to select the wp-admin directory, usually located in the / public_html / directory.

On the next screen, you need to check the box next to the ‘Password to protect this folder’ option and provide a name for the protected folder.

Then click the save button to set permissions.

Next, you need to press the back button and then create users. You will be asked for your username / password and then click the save button.

Now when someone tries to access the WordPress admin or the wp-admin directory on your website, they will be asked to enter their username and password.

3. Always use strong passwords

Strong Password

Always use strong passwords for all your online accounts, including your WordPress website. We recommend using a combination of letters, numbers and special characters in your password. This makes it harder for hackers to guess your password.

We are often asked by beginners how to remember all those passwords. The simplest answer is that you don't need it. There are some really great password management apps that you can install on computers and phones.

4. Use two-step verification to the WordPress login screen

Login with Google Authenticator

Two-step verification adds a security layer to your password. Instead of just using a password, it requires you to enter the verification code generated by the Google Authenticator application on your phone.

Even if someone can guess your WordPress password, they will still need the Google Authenticator code to login.

For details step by step tutorial, see our tutorial on how set up 2-step verification in WordPress with Google Authenticator .

5. Limit login attempts

By default, WordPress allows users to enter passwords as many times as they want. This means someone can continue trying to guess your WordPress password by entering different combinations. It also allows hackers to use automated scripts to crack passwords.

To fix this, you need to install and activate the plugin Login LockDown . After activation, please visit Settings »Login LockDown to configure plugin settings.

For detailed instructions, see our guide about The reason you should restrict login attempts in WordPress .

6. Restrict access to log into the IP address

Another great way to secure your WordPress login is by restricting access to specific IP addresses. This tip is especially helpful if you or just a few trusted users need access to the admin area.

Just add this code to your .htaccess file.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist Syed's IP address
allow from xx.xx.xx.xxx
# whitelist David's IP address
allow from xx.xx.xx.xxx

Don't forget to replace the xx value with your own IP address. If you use more than one IP address to access the internet, make sure you add them too.

For detailed instructions, see our guide on limiting access to WordPress administrators using .htaccess.

7. Disable login hints

On a failed login attempt, WordPress displays errors telling users that their username is incorrect or password. These login hints can be used by someone for login attempts.

You can easily hide login suggestions by adding this code to your theme's functions.php file or a specific website plugin.

function no_wordpress_errors(){
  return 'Something is wrong!';
add_filter( 'login_errors', 'no_wordpress_errors' );

8. Require users to use strong passwords

If you run a multi-author WordPress site, those users can edit their profile and use weak passwords. These passwords can be cracked and give someone access to the WordPress admin area.

To fix this, you can install and activate the plugin Force Strong Passwords . It works out of the box and there are no settings for you to configure. Upon activation, it will prevent users from saving weaker passwords.

It will not check password strength for existing user accounts. If the user has used a weak password, they will be able to continue using their password.

9. Reset passwords for all users

Concerned about password security on many of your WordPress sites? You can easily ask all your users to reset their passwords.

First, you need to install and activate the plugin Emergency Password Reset. After activation, please visit Users »Emergency Password Reset and click on the ‘Reset All Passwords’ button.

10. Always update WordPress

WordPress usually releases new versions of software. Each new release of WordPress contains important bug fixes, new features and security fixes.

Using an older version of WordPress on your site helps you uncover known exploits and potential vulnerabilities. To fix this, you need to make sure you are using the latest version of WordPress.

Similarly, WordPress plugins are often updated to introduce new features or fix security bugs and other issues. Make sure your WordPress plugins are also up to date.

11. Create login page and customize registration

Many WordPress websites require users to register. For example, member websites, learning management websites, or online stores need users to create an account.

However, these users can use their account to log in to the WordPress admin area. This is not a big deal, as they will only be able to do things that are allowed by the user's role and ability. However, that prevents you from restricting access to the login and signup pages because you need those pages for users to register, manage their profile and log in.

An easy way to fix this is by creating custom login and signup pages so that users can register and log in directly from your site.

12. Learn about the Roles and Rights of WordPress Users

WordPress comes with a powerful user management system with different user roles and capabilities. When adding new users to your WordPress site, you can choose the user roles for them. This user role determines what they can do on your WordPress site.

Incorrect user roles assignment can give people more capabilities than they need. To avoid this, you need to understand which capabilities have different user roles in WordPress.

13. Restrict access to control panel

Some WordPress websites have some users who need access to the control panel and some users do not have access. However, by default, all of them can access the admin area.

To fix this, you need to install and activate the plugin Remove Dashboard Access . After activation, please visit Settings »Dashboard Access and choose which user roles will have access to the admin area on your site.

14. Log out the idle user

WordPress does not automatically log off users until they explicitly log out or close their browser windows. This could be a concern for WordPress websites with sensitive information. That's why financial institutions' websites and apps automatically log out of users if they're inactive.

To fix this, you can install and activate the plugin Idle User Logout . After activation, please visit Settings »Idle User Logout and enter the time later you want the user to automatically log out.

We hope this article helped you learn some new tips and hacks to protect your WordPress admin area. You may also want to see 21 security steps for wordpress to enhance wordpress security

If you like the article "14 ways to protect wordpress admin area" please comment below and share it for everyone to read. Thank you for following the article. And if you want to copy the article, please cite the source: https://tipstechvn.com/14-cach-bao-ve-khu-vuc-quan-tri-wordpress/