A Guide on How to Secure WordPress Admin


Secure WordPress Admin: Did you know that every single minute of the day on WordPress websites, over 90,000 hack attempts are made? What it means is that there are imminent hack attempts on your websites, regardless of whether the site is big or small. Security is one of a website’s most important concerns.

In order to hack a WordPress website, hackers use different techniques and brute force attack is one such technique. This involves trying out a combination on the website login page of commonly used username and passwords.

A successful attack by brute force gives you access to the admin of WordPress. The administrative centre of a WordPress powered website is the WordPress admin area. The site will be fully controlled by anyone who has full access to the admin. It’s important, therefore, to protect your WordPress admin from attacks by brute force.

How to Secure WordPress Admin?

We have come up with a number of methods that will help you secure your site’s WordPress admin against hacking attempts.

Use Strong Passwords

Using weak passwords is one of the most common mistakes that website owners make. Password cracking techniques have matured over the course of the years. In a few minutes, passwords that are easy to guess are cracked. Strong passwords help defend your website against cracking techniques for savvy passwords. Here’s an excellent article on how your WordPress site can create really strong passwords.

Remembering strong passwords, however, can be a problem. How to manage strong WordPress passwords is explained in this post.

Another very common mistake many individuals make is when on multiple sites they use the same password. If one password is compromised, all password-associated accounts are compromised. Therefore, using various account passwords can help avoid this situation.

Avoid Using Common Username

An important step towards securing WordPress login credentials is the security of WordPress passwords. A login credential’s second component is the username. If it is easy to guess your username, then the hacker only needs to concentrate on the password.

One of the most common usernames for WordPress is “admin.” WordPress auto-suggested “admin” as a username until a few years ago. Although WordPress has stopped recommending “admin”, it is still used by many site owners. Several new user accounts are being created using a username called “admin”. All these websites are becoming an easy target for themselves.

Because WordPress does not enforce the use of unique usernames, you need to make sure that none of your users use common usernames, and that “admin” does not create a new account. Take a look at this comprehensive list of commonly used usernames to help you understand which usernames you should avoid.

Hide Your WordPress Login Page

In a pre-determined way, WordPress websites work. In this case, all WordPress websites have a default login page that looks like “www.anysite.com/wp-admin.” This makes a hacker’s job easier because they can simultaneously launch an automated attack on several targeted WordPress sites. But if you modify the login page by hiding it, you can prevent attacks of this kind on your website.

You can use many plugins to change your login page and use the URL suggested by the plugin. It is likely that the same URL will be used by other websites using the same plugin. And if the URL format is known by hackers, hiding your login page will amount to nothing. Use a tool that allows you to create your own custom login page URL, therefore.

Implement HTTP Authentication

You can password-protect your entire wp-admin folder in order to secure the WordPress admin. There are administrative files in the wp-admin folder that power the WordPress dashboard. The whole site can be controlled by anybody who has access to this folder. If your password protects the entire folder, the server kick starts the authentication process every time someone asks for the admin section. The browser will ask the user for a password for HTTP authentication. You can use many tools to enforce HTTP authentication on your WordPress administrator, such as HTTP Auth, AskApache Password Protect, etc.

Use Google Authenticator

With website hacking techniques becoming more and more sophisticated these days, along with strong user credentials, it is common to add another layer of login protection. This method is known as two-factor authentication (2FA). The technique involves sending a code on your smartphone that only you can receive. You need to enter a unique code on your site before you are granted access to your WordPress dashboard. The advantages of this strategy are that they still need the code sent exclusively to your device, even if hackers manage to crack your credentials.

For 2-factor authentication, there are many WordPress plugins that you can use. Using Mini Orange to secure WordPress admin, we enabled 2FA on our site and wrote a guide on it.

Limiting the Number of Failed Login Attempts

Hundreds of failed login attempts are experienced by websites under brute force attack. You can limit the number of failed login attempts made on your site to prevent this relentless assault on your WordPress admin. After 3 failed login attempts, the MalCare security plugin prevents users from attempting to log in. Before being allowed to access the WordPress login page again, they need to resolve a CAPTCHA. This helps determine whether the user is a human being or an automated bot attempting to carry out a brute force attack on the site.

Install SSL Certificate

Look at our URL on the website! Can you see a green lock beside it with the word ‘Secure’? Our site has installed an SSL certificate, which means that no one can snoop around and read our users’ login credentials. A website without an SSL certificate is in danger of exposing the website’s sensitive information unintentionally.

SSL certificates were either for payment pages or WordPress admin areas back in the old days. But now you can use an SSL certificate to secure your entire site. Google has clearly stated in its drive to make the Web a safer place that SSL certificates are a ranking factor. Providers like Comodo, Let’s Encrypt, and your web host can obtain an SSL certificate to help set up the certificate on your site.

Blacklist Malicious IP Address

Everybody who uses the web has an IP address. Even the hacker launching attacks has an IP address on WordPress websites. You can block them from accessing your site if you keep a record of these IP addresses. MalCare, one of the best security plugins for WordPress, offers details of failed login attempts made on the site (IP addresses). You can block these suspicious IPs from accessing your websites by simply placing the following codes in our .htaccess file if you observe a lot of failed attempts being made almost regularly from the same IPs:

order allow,deny 

deny from 

allow from all

“” is the IP address we wanted to block on one of our sites. You can replace it with the IP you want to block.

Change Security Keys

Each time you need to login to your site, you don’t have to enter your login credentials. Ever wondered how these credentials are stored by your browser? After you sign into your account, your login information is stored in the browser cookie in an encrypted manner. Security keys are just random variables that help this encryption to be improved. Changing the secret keys will invalidate the cookie and force every active user to automatically log out if your site is hacked. Once thrown out, access your WordPress administrator for hacker losses.

Over to You

There is no way to secure a WordPress admin, so make sure multiple methods are used. Some of the most recommended ways to secure the WordPress admin have been shared with you. But you have to backup your site before implementing any of these techniques. You can simply restore a backup if something goes wrong and get our site up and running in no time.

In addition to these, you can take a few more security measures, such as blocking IP, protecting the login page, securing wp-config.php sites, following this complete WordPress security guide, and installing a security plugin like MalCare for WordPress.

Some of the measures we have mentioned above will help you implement MalCare. For example, the MalCare Security Plugin will help you change security keys, limit the number of failed login attempts, and, among other things, keep your website updated.