Skip to main content
WordPress made easy with the drag & drop Total WordPress Theme!Learn More

How to Protect Your WordPress Admin Area

September 5, 2017
How to Protect Your WordPress Admin Area

Guarding your WordPress admin area and login page against attack is vital. However, while hackers are a major security risk, they’re not the only one. For sites providing user registration, you’ll also need to secure the admin area against the users themselves. Security issues that result from approved users are called ‘non-malicious intrusions’.

Fortunately, you can shore up your website quickly and easily by implementing a few common sense tips, and installing some plugins to help. By considering aspects such as your login credentials and cutting malicious attacks off at their source, you’ll make your site more secure for everyone who uses it.

In this article, we will first discuss why you should protect your admin and login pages, then provide you with five tips to help protect your site for good. Let’s get started!

Why You Should Protect Your WordPress Admin Area (and Login Page)

A WordPress login screen showing an error.

Much like the front door of your house, your WordPress login page is probably the weak link in the chain when it comes to accessing your website. Your admin screen represents the first room anyone will enter, which means locking down both is crucial for security. The consequences of not doing so are numerous, including a loss of customer, user, or personal information, harm to the functionality of your website, and even its complete removal. What’s more, the erosion of customer trust can be catastrophic for your bottom line.

Finally, it’s worth pointing out that brute force attacks are a popular way of gaining unauthorized access to a website, so a number of the tips here focus on keeping your site safe from that.

If you are new to WordPress, understanding how to secure your site can be daunting. To demystify the process, we’ve outlined five tips you can implement to secure your site. Let’s take a look!

1. Choose Strong Usernames and Passwords

Ultimately, strong credentials are a lengthy string of random characters, sometimes containing numbers and symbols. Compared to short passwords, strong examples are difficult for a hacker to guess, thus making it more difficult for them to access your account. It’s a pressing concern, as 69% of online adults don’t consider how secure their passwords are. In short, weak credentials leave your site open to an easily avoidable risk.

What’s more, every one of your site’s user credentials matter – it’s no good for you to have a strong username and password if another admin account has a weak one.

The 1Password website.

Fortunately, making sure your usernames and passwords are up to scratch is fairly easy:

  1. Obscure your username. Change any default usernames from admin to something harder to guess.
  2. Use a long and difficult-to-guess password. You can use a website such as Strong Password Generator – although WordPress also contains a stellar password generator, and many browsers have their own systems in place. Remember that length is a primary factor in a secure password.
  3. Store your password in a secure location. While this is not strictly necessary for creating strong credentials, securely storing your passwords is just as important. To that end, take a look at LastPass or 1Password to help you manage all of your passwords easily.

Of course, this isn’t the only method at your disposal for protecting your admin area. Let’s look at another way to restrict access.

2. Add Two-Factor Authentication (2FA) to Block Unauthorized Logins

2FA is a method of protecting your account by asking you for a unique code or token via your smart device. It means that whenever you log in, WordPress can be sure it’s you, and not a hacker or other undesirable.

The Keyy plugin.

As with other security methods, there are plenty of plugins that can help you implement 2FA:

  1. Two Factor Authentication: This plugin works with Google Authenticator to provide time-limited codes for login access.
  2. Keyy: This unique solution looks to do away with credentials altogether, using your smart device exclusively for logging in.

All in all, you’ll want to experiment first with a standard 2FA plugin, then gravitate to other solutions such as Keyy when you’re comfortable. Also, some plugins such as Wordfence and Jetpack include this feature, so they’re well worth checking out too.

3. Limit the Number of Login Attempts to Restrict Brute Force Attacks

Simply put, brute force attacks look to guess your credentials by iterating through every possible combination. It’s a popular method of hacking a website, and it means limiting the number of times a user can log in is a simple and effective way to hinder them.

The Wordfence website.

As for how to prevent them, once again plugins come to the rescue. Here are our recommendations:

  1. Jetpack: Among other features, Jetpack offers multiple modules that will restrict brute force attempts, and monitor your site for them.
  2. Solid Security: This all-in-one plugin not only lets you limit login attempts, it will enable you to ban suspicious users too.
  3. Wordfence Security: Along with brute force attack restrictions, this comprehensive plugin also features a myriad of other vital security-related features.
  4. BruteGuard: This plugin guards you against brute force attacks by connecting its users to track failed login attempts across all WordPress sites that use it building a protective network which learns and gets more powerful than more people are using it.

There’s another method to stop intrusive attacks on your website – cutting them off at the pass. Let’s look at this in more depth.

4. Implement a Website Application Firewall (WAF) to Protect Your Site from Code Injections

A code injection is what it sounds like: code that’s used to alter the functionality of your site, and it can be devastating. In a nutshell, a WAF offers a barrier to your site to block these and other types of attacks before they reach your files.

The All in Once WP Security & Firewall plugin.

Some plugins (such as Wordfence), include a WAF as standard. However, there are many other options to choose from, such as:

  1. NinjaFirewall: This dedicated plugin is a standalone firewall that sits in front of WordPress, and is touted as a “true WAF”.
  2. Anti-Malware Security and Brute-Force Firewall: Not only does this plugin include a solid WAF that is continuously updated, it also protects against brute force attacks.
  3. All in One WP Security & Firewall: The name says it all – it includes a password generator, checks for weak usernames, protects against brute force attacks, and also has a strong WAF.

In short, there’s no excuse for not protecting your site, and implementing a WAF is one of the best ways you can do so.

5. Use WordPress User Roles to Limit Account Capabilities on Your Site

For every account accessing your site, you can set a defined user role with a set of capabilities that limits what the user account can do. It means users will only have access to what they need to carry out their job – clearly a key aspect of site security.

The User Role Editor plugin.

As with the other tips on this list, getting started is a breeze:

  • Set the right user roles upfront, to only offer access to what a user needs and nothing else.
  • Use a plugin such as User Role Editor or WPFront User Role Editor to customize the access certain roles have.
  • Regularly check for unused accounts and delete them.

All in all, setting user roles doesn’t have to be hard, and it could potentially offer more security to your admin area.

When it comes to security, your primary concern should always be keeping unauthorized access at bay, regardless of where it comes from. The consequences of not doing so could be catastrophic for your site, search ranking, and potential income.

In this article, we’ve discussed five tips to expertly protect your admin area. Do you have any more tips to help protect your WordPress admin area? Tell us about them in the comments section below!

Article by WordCandy guest author
Subscribe to the Newsletter

Get our latest news, tutorials, guides, tips & deals delivered to your inbox.


  1. markhenry

    Thanks for sharing. I want to recommend User Activity log Pro plugin. It helps you to monitor and keep track of all the activities occurs on the admin side.

    • John Hughes

      You’re welcome! And thanks for the recommendation. 🙂

  2. Chuks Amobi

    All in one WP Security has been a life saver for me since 2015

Leave a Reply

Your email address will not be published. Required fields are marked *

Learn how your comment data is processed by viewing our privacy policy here.