Hacking is common and widespread today. Many attackers use a variety of techniques to break into WordPress based websites, and once a site is hacked it is very difficult to recover. WordPress is a hugely popular CMS that powers nearly 26% of all websites. It is easy to use and has a well-known code base, which makes it a great and popular choice for many e-commerce sites. That popularity also makes it an attractive target for bad actors trying to compromise the web server for malicious purposes.
It is therefore essential to secure your website and, specifically, to keep the WordPress admin panel safe from attackers. There have been many attacks on websites, so it is important to ensure the overall protection of your WordPress admin panel. We have compiled a detailed article that lists some security measures for your WordPress Admin Area.
You don't need to follow every tip, but you should implement at least some of them to keep your site secure and prevent it from becoming a victim of hacking.
Here are a few tips to strengthen your Admin area:
1. Custom Login URL
The WordPress admin area is easy to find because the login page is always at /wp-login.php under your site URL. This becomes even more of a problem when you reuse the same password in multiple places, which makes your site an easy target for attackers.
You can use "Change WP Admin Login", a WordPress plugin that lets you set custom URLs for the WordPress login, logout, administration and registration pages as an extra security layer.
This plugin protects your WordPress admin login pages and keeps someone from cracking your password or accessing your wp-login.php file directly. It also helps ensure that bots with malicious intent cannot break into the WordPress admin area.
2. Make your password strong
This cannot be overemphasized. Be discreet with your passwords and use different passwords in different places. Use a long password that is difficult to guess: it should be more than 8 characters long and include a mix of letters, numbers and special characters. Change your password periodically so that anyone who discovers it loses access before long.
3. Look Out for Multiple Login Attempts
Attackers can try to crack your password with a script that makes many login attempts. It is important to limit repeated login attempts with a plugin such as "Limit Login Attempts Reloaded". This plugin locks users out of the wp-admin page if they exceed the allowed number of login attempts. You can also adjust the limits from the /wp-admin panel.
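If you prefer not to install a plugin, the same lockout logic can be written as a small must-use plugin. The following is an added example, not code from the article or from the Limit Login Attempts Reloaded plugin; it assumes a standard WordPress install where wp-content/mu-plugins/ is loaded, and the function names (slal_*) and limits are its own choices.

```php
<?php
/**
 * Plugin Name: Simple Login Attempt Limiter (added example)
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * Counts failed logins per client IP in a transient and rejects further
 * attempts for a lockout window once the limit is reached.
 */

const SLAL_MAX_ATTEMPTS   = 5;   // failures allowed inside one window
const SLAL_WINDOW_SECONDS = 900; // 15-minute lockout window

// Key the counter on the client address. REMOTE_ADDR is only trustworthy when
// the web server talks to clients directly; behind a proxy or CDN, configure
// the server to restore the real client IP before relying on this.
function slal_transient_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'slal_fail_' . md5( $ip );
}

// Runs on every failed login: increment the counter and restart the window.
// A rejected attempt during the lockout also fires this hook, so hammering
// the login page keeps extending the lockout rather than shortening it.
function slal_record_failure( $username ) {
    $key   = slal_transient_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, SLAL_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'slal_record_failure' );

// Runs after WordPress has checked the credentials (core does that at priority
// 20); returning an error here overrides even a correct password while locked.
function slal_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( slal_transient_key() ) >= SLAL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'slal_check_lockout', 30, 3 );

// A successful login clears the counter for that address.
function slal_clear_on_success( $user_login, $user ) {
    delete_transient( slal_transient_key() );
}
add_action( 'wp_login', 'slal_clear_on_success', 10, 2 );
```

Transients live in the options table (or the object cache if one is configured), so the counter is shared across all PHP workers on the site.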
4. Use Secure Sockets Layer Authentication for your Login Pages
You can add Secure Sockets Layer authentication to specific pages of your WordPress site. First you need to buy an SSL certificate from a provider authorized by a Certificate Authority (CA). Some hosting providers also offer a free SSL certificate with their plans. Once you have purchased the certificate, install it on your web server.
The next step is to enable HTTPS on the entire WordPress site by going to General Settings and updating the site URL address fields to start with https://.
Another way is to add the following code to your .htaccess file:
<IfModule mod_rewrite.c>
RewriteEngine On
# Redirect any plain-HTTP request (port 80) to the HTTPS version of the same path
RewriteCond %{SERVER_PORT} 80
# Replace www.example.com with your own domain; 301 marks the redirect as permanent
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
</IfModule>
It goes without saying that all communication with your website should use SSL. You can verify this by checking that all your URLs start with https://. Confirm with your web host whether you have a shared SSL certificate or your own. Then force SSL for the admin area by adding the line below to wp-config.php:
define( 'FORCE_SSL_ADMIN', true ); // place it above the line /* That's all, stop editing! Happy publishing. */
5. Use an added level of password protection for your WP-Admin Directory
You can add a second password for an extra layer of security with Password Protected, a WordPress plugin that password-protects your site and creates an htpasswd file. You can also use the Password Protected Directory tool in cPanel to put a password on the wp-admin directory.
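The htpasswd file and the matching directory rules can also be produced by hand. The script below is an added example, not code from the article, the plugin or cPanel; it assumes Apache 2.4 (which accepts bcrypt hashes in .htpasswd), and the script name and the path placeholder are its own.

```php
<?php
// Added example: build the .htpasswd entry and the .htaccess fragment for HTTP
// basic authentication on /wp-admin/. Run once from a shell:
//   php make-admin-auth.php
// It writes both files into the current directory; copy them into place afterwards.

fwrite( STDOUT, "Username: " );
$user = trim( (string) fgets( STDIN ) );
fwrite( STDOUT, "Password: " );
$password = trim( (string) fgets( STDIN ) );
if ( $user === '' || $password === '' ) {
    fwrite( STDERR, "username and password are required\n" );
    exit( 1 );
}

// Apache 2.4 accepts bcrypt ($2y$) hashes in .htpasswd, which is exactly what
// PHP's password_hash() produces, so no external htpasswd tool is needed.
$entry = $user . ':' . password_hash( $password, PASSWORD_BCRYPT ) . "\n";
file_put_contents( '.htpasswd', $entry, LOCK_EX );

// Placeholder: the absolute path where you will upload .htpasswd. Keep it
// outside the web root so it can never be downloaded.
$htpasswd_path = '/ABSOLUTE/PATH/TO/.htpasswd';

$htaccess = <<<HTACCESS
AuthType Basic
AuthName "Restricted admin area"
AuthUserFile {$htpasswd_path}
Require valid-user

# Themes and plugins call admin-ajax.php for logged-out visitors too, so it
# must stay reachable or front-end features silently break.
<Files admin-ajax.php>
    Require all granted
</Files>
HTACCESS;
file_put_contents( '.htaccess', $htaccess . "\n", LOCK_EX );
echo "Wrote .htpasswd and .htaccess for user {$user}\n";
```

The generated .htaccess goes into /wp-admin/; the admin-ajax.php exemption is the part most often forgotten when the directory is locked through cPanel.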
6. Limit Access via IP Address
Restrict access to your WordPress admin panel so that only certain IP addresses can reach it. You can do this by creating a .htaccess file with the following code:
<IfModule mod_rewrite.c>
RewriteEngine on
# Match the login page and anything under wp-admin
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
# Replace the placeholders with your own IPv4 addresses and escape each dot
# (for example 203\.0\.113\.10); every address listed here is allowed through
RewriteCond %{REMOTE_ADDR} !^IP_ADDRESS_ONE$
RewriteCond %{REMOTE_ADDR} !^IP_ADDRESS_TWO$
RewriteCond %{REMOTE_ADDR} !^IP_ADDRESS_THREE$
# Everyone else gets a 403 Forbidden
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
Upload the .htaccess file to your /wp-admin/ folder.
If you need to access the WordPress admin panel from another location, add that location's IP address to the .htaccess file first.
7. Don’t use an admin Username
Don't keep the default "admin" username, because it is the first user created when WordPress is installed. In the past, dictionary-based brute force attacks have targeted the "admin" account of every WordPress site to crack its password. Remove the admin user and choose a username that is hard to guess; this keeps you on the safe side against attackers and limits brute force attacks.
8. Remove error messages on the Login Page
When a user enters an incorrect username or password, WordPress shows a login hint on the login page. This error message can help an attacker work out the correct password. It is therefore important to remove the login error message entirely by adding the following code to the functions.php file in your theme folder:
// Return an empty message for every login error so the page gives no hint about which part was wrong.
// create_function() was removed in PHP 8, so a closure is used instead.
add_filter( 'login_errors', function ( $error ) { return ''; } );
9. WordPress Antivirus Protection
Antivirus software is an effective mechanism for protecting your WordPress site against viruses, malware and spam injections. You can use the "AntiVirus" WordPress plugin, which is easy to use and runs a daily scan with email notification to detect malware and phishing attacks.
11. Stay Updated with the Latest WordPress Version
Stay up to date with the latest version of WordPress so that the latest fixes are in place to protect your WordPress Admin area from un. Each new release includes the latest updates and gives you enhanced protection.
12. One-time Passwords
OTPs provide secure two-factor authentication (2FA). 2FA adds an extra layer of security to the login for each session. This two-step verification method protects your site from intruders who try to steal your personal data or identity, including in unsafe places such as internet cafes. You can use plugins to add an OTP process to your website.
BONUS:
The All In One WP Security & Firewall plugin helps to intercept and log suspicious-looking parameters that could compromise the security of WordPress, and it protects against similar attacks. You can also configure it to be the first plugin loaded for maximum security. It can also email you a useful dump of information for blocking a potential attack, and much more.