How to Secure Your WordPress Admin Page

By Purplebox Digital

Security for your website is a major issue and should not be ignored. Making sure your website is secure and has no vulnerabilities is vital, as being the victim of a cyber-attack is the last thing you want. Not only can it render your website unusable, but you could also lose potential customers. So what can you do to defend yourself from unwanted hackers? We’ll take you step by step through how to secure your WordPress admin page.

Why Protect Your WordPress Login Page?

If you leave your WP-Admin page unsecured, hackers can run a brute force attack on your login page. This essentially means they keep guessing the password until it lets them in. This can be a long process, and how fast the password is guessed depends on its length. Having a long secure password that is not found in the dictionary is vital.

Obviously you want to make it as hard as possible for hackers to get into your website. By securing your WP-Admin page you are basically adding another layer of protection as people won’t be able to access the admin page without logging in first.

How Do We Do It?

In this tutorial we will be limiting access to the /wp-admin directory and the wp-login.php page itself. We will be protecting the WordPress directories using your web host’s control panel. It’s important to note that not everyone’s control panel will be exactly the same but we will give you an idea of what to look for on your end.

The first step is to access your web host’s control panel, as all the settings are located there and not in WordPress itself. Find the security section on your control panel and look for the password protect directories icon.

Once in this section, select the directory you wish to secure; in this case it will be /wp-admin. When you’ve found it, select it and press save. When it asks for a password, make sure you generate a secure one that contains letters, numbers and special characters.

In addition to a password, some control panels might ask you to create a new username as well. Whatever you do, make sure you don’t pick admin, as this is the most obvious one and the first one hackers will try. Pick something more creative and longer, with numbers.

Once this has all been set up and applied, try to access your own /wp-admin directory in a browser. If everything works, a new login screen should pop up. The login details are the ones you set up in the control panel earlier. Everything should now be set up: you have a new login page that protects your WordPress login page!
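
To confirm the result from the command line as well as in a browser, the following added example (not part of the original article) checks both paths this tutorial sets out to restrict. It assumes curl is installed and that your host's password protection answers with the standard HTTP 401 challenge; the function names are illustrative.

```shell
#!/bin/sh
# Added example: verify the extra login prompt on your own site.
# Assumption: the host's "password protect directories" feature replies with
# HTTP 401 plus a WWW-Authenticate header (the standard browser login prompt).

# classify_response: read raw response headers on stdin and print
#   protected   401 with a WWW-Authenticate challenge (prompt is active)
#   redirect    3xx, e.g. unprotected /wp-admin/ forwarding to wp-login.php
#   open        200 served with no challenge
#   other:CODE  anything else
classify_response() (
    cr=$(printf '\r'); status=""; challenge=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                                   # drop CR of CRLF
        lower=$(printf '%s' "$line" | tr '[:upper:]' '[:lower:]')
        case "$lower" in
            http/*) status=${lower#* }; status=${status%% *}; challenge=0 ;;
            www-authenticate:*) challenge=1 ;;
        esac
    done
    case "$status" in
        401) if [ "$challenge" -eq 1 ]; then echo protected; else echo other:401; fi ;;
        3??) echo redirect ;;
        200) echo open ;;
        *)   echo "other:${status:-none}" ;;
    esac
)

# check_site BASE_URL: probe both paths with a HEAD request and classify each.
check_site() {
    for path in /wp-admin/ /wp-login.php; do
        result=$(curl -sI --max-time 10 "${1%/}$path" | classify_response)
        printf '%-14s %s\n' "$path" "$result"
    done
}

# Constructed sample headers so the classifier can be tried offline.
demo() {
    printf 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Admin"\r\n\r\n' | classify_response
    printf 'HTTP/2 302 \r\nlocation: https://example.com/wp-login.php\r\n\r\n' | classify_response
}

# Usage: sh check.sh https://your-own-site.example   (no argument runs the demo)
if [ "$#" -gt 0 ]; then check_site "$1"; else demo; fi
```

wp-login.php sits in the WordPress root, not inside /wp-admin, so any result other than protected for it means the directory password does not cover the login page itself.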

If All Else Fails

If for whatever reason the steps above look too complicated for you, or you got lost along the way, don’t worry: there is another, slightly easier way. Although this way doesn’t completely block the wp-admin page, it does protect your website against brute force attacks.

Instead of using the web host’s control panel to change the settings and set up a password protected page and directory, this method uses a plugin. The plugin is appropriately named Brute Force Login Protection and is available for free on the official WordPress website.

One of the main features of the plugin is that it limits the number of allowed login attempts using the normal login form. This means if a hacker is trying to run a brute force attack on your login page then after a number of failed logins the IP address will be blocked. In addition to this you can also set a login delay for that user after a failed login attempt in order to slow down the brute force attack. This means that even if the hacker is constantly changing their IP address the attack will be slowed as the user account they are targeting will have a delay.

Added Security For Your Website

In addition to this handy WordPress plugin there is also another free plugin available. This plugin, titled Protect Your Admin, aims to protect your website from hackers in a different way. The default address for the WordPress admin panel is very obvious and hardly anyone changes it. This leaves a glaring security hole as everyone knows where it is, including the hackers.

This plugin allows you to change the directory of the default admin login page, making it much harder to find. Using the plugin you can change the default address /wp-admin to something completely different and make all /wp-admin requests direct back to the main homepage.

If you’re looking for a custom built secure website free from any vulnerabilities then we can help. Here at Purplebox Digital we specialise in making tailor made websites for a range of businesses and industries. Contact us for more information on how we can help.

