Secure WordPress Admin: Did you know that over 90,000 hack attempts are made on WordPress websites every single minute of the day? What it implies is that hack attempts on your websites imminent regardless of whether the site is big or small. Security is one of the topmost concern for a website.
Hackers resort to various techniques to hack a WordPress website and brute force attack is one such technique. It involves trying out a combination of commonly used username and passwords on the website login page.
A successful brute force attack gives you access to the WordPress admin. The WordPress admin area is the administrative centre of a WordPress powered website. Anyone who has full access to the admin will have full control over the site. Hence, it’s important to protect your WordPress admin from brute force attacks.
How to Secure WordPress Admin?
We have come up with a number of techniques that’ll help you secure WordPress admin of your site against hack attempts.
1. Use Strong Passwords
One of the most common mistakes that website owners make is to use weak passwords. Over the course of the years, password cracking techniques have matured. Easy to guess passwords are cracked within a few minutes. Strong passwords help defend your site against savvy password cracking techniques. Here’s an excellent article on how to create really strong passwords for your WordPress site.
However, remembering strong passwords can be an issue. This post explains how to manage strong WordPress passwords.
Another very common mistake many people make is when they use the same password on multiple sites. When one password is compromised, all accounts associated to the password is compromised. Hence, using different passwords for accounts can help avoid this situation.
2. Avoid Using Common Username
Securing WordPress password is an important step towards securing WordPress login credential. The second component of a login credential is the username. If your username is easy to guess then the hacker only needs to focus on the password.
One of the most common WordPress usernames is “admin.” Up until a few years ago, WordPress auto-suggested “admin” as a username. Although WordPress stopped recommending “admin”, many site owners are still using it. Several new user accounts are being created using with “admin” as a username. All these websites are making themselves an easy target.
Since WordPress does not enforce the use of unique usernames, you need to ensure that none of your users are using common usernames and no new account are being made with “admin”. Take a look at this exhaustive list of the commonly used username so that you know which usernames to avoid.
3. Hide Your WordPress Login Page
WordPress websites work in a pre-determined manner. Case in point, all WordPress websites comes with a default login page which looks something like this “www.anysite.com/wp-admin”. This makes the job of a hacker easier because they can launch an automated attack on several targeted WordPress sites simultaneously. But if you hide the login page by changing it, you can prevent such type of attacks on your site.
There are many plugins that you can use to change your login page and use an URL that the plugin suggests you. It’s likely that other websites using the same plugin is using the same URL. And if hackers know the URL format, hiding your login page will amount to nothing. Hence, use a tool that enables you to create your own custom login page URL.
4. Implement HTTP Authentication
To secure WordPress admin, you can password-protect your entire wp-admin folder. The wp-admin folder contains administrative files that power the WordPress dashboard. Anyone who has access to this folder can control the entire site. If your password protects the entire folder, everytime someone requests for the admin section the server kick starts an authentication process. The browser will ask the user for an HTTP authentication password. There are many tools you can use implement HTTP authentication on your WordPress admin like HTTP Auth, AskApache Password Protect, etc.
5. Use Google Authenticator
With website hack techniques becoming more and more sophisticated these days, it’s common to add another layer of login protection along with the strong user credentials. This technique is called 2-factor authentication (2FA). The method involves sending a code that only you can receive on your smartphone. Before you are granted access to your WordPress dashboard, you need to enter the unique code on your site. The benefits of this approach are that even if hackers manage to crack your credentials, they still need the code sent exclusively to your device.
There are many WordPress plugins that you can use for 2-factor authentication. We enabled 2FA on our site using Mini Orange to secure WordPress admin and wrote a guide on the same.
6. Limiting the Number of Failed Login Attempts
Websites under brute force attacks experience hundreds of failed logins attempts. To prevent this relentless onslaught on your WordPress admin, you can limit the number of failed login attempts made on your site. MalCare security plugin prevents users from trying to log in after 3 failed login attempts. They have to solve a CAPTCHA before being allowed to access the WordPress login page again. This helps determine if the user is human or an automated bot trying to execute brute force attack on the site.
7. Install SSL Certificate
Look at our website URL! Can you see a green lock with the word “Secure” beside it? Our site has SSL certificate installed which means no one can snoop around and read the login credentials of our users. A website without an SSL certificate is in danger of unwittingly exposing the site’s sensitive information.
Back in the old days, SSL certificates were either for payment pages or WordPress admin areas. But now SSL certificate can help secure your entire site. In its drive to make the web a safer place, Google has clearly stated that SSL certificates are a ranking factor. You can obtain an SSL certificate from providers like Comodo, Let’s Encrypt and your web host will help set up the certificate on your site.
8. Blacklist Malicious IP Address
Everyone using the internet has an IP address. Even the hacker launching attacks on WordPress websites have an IP address. If you keep a record of these IP addresses, you can block them from accessing your site. A security plugin like MalCare offers details (IP addresses) of failed login attempts made on the site. If you observe a lot of failed attempts are being made from the same IPs almost regularly, you can block these suspicious IPs from accessing your websites by simply placing the following codes in our .htaccess file:
order allow,deny deny from 192.168.20.10 allow from all
“192.168.20.10” is the IP address we wanted to block on one of our sites. You can replace it with the IP you want to block.
9. Change Security Keys
You don’t have to enter your login credentials every time you need to log in to your site. Ever wondered how your browser stores these credentials? After you sign into your account, your login information is stored in an encrypted manner in the browser cookie. Security keys are just random variables that help improve this encryption. If your site is hacked, changing the secret keys will invalidate cookie and force every active user to log out automatically. Once thrown out, the hacker losses access your WordPress admin.
Over to You
There is no one way to secure WordPress admin hence be sure to use multiple methods. We shared with you some of the most recommended ways to secure WordPress admin. But before implementing any of these methods, you must back up your site. If something goes wrong, you can simply restore a backup and get our site up and running in no time.