WordPress is the most popular CMS around, so naturally it is also the one that gets attacked the most. The majority of these attacks are plain brute-force attempts against the admin login page. Even if your password is strong, the constant stream of login requests creates a second problem: on shared hosting it consumes account resources, and the attack traffic alone can push you over one of the shared limits. There are several ways to protect the admin page; this tutorial explains them.
One of the simplest ways to secure the admin page is to change the default username. The user ‘admin’ is the default one, and bots and attackers know it, so they only have to guess the password. To change the username, follow these steps:
- Find ‘Users’ at your WordPress admin panel;
- Choose ‘Add New’ and fill in the new user form. Use a random or custom username and select the ‘Administrator’ role for the new user;
- After creating the new user, log in as that user and delete the original ‘admin’ account (WordPress will ask you to attribute its posts to another user; choose the new one).
This way, you will have a new administrator user with a custom username.
Limit Login Attempts
- On your WordPress admin panel, choose ‘Settings’ and then ‘Limit Login Attempts’;
- On the ‘Limit Login Attempts’ page, choose the ‘Settings’ tab; there you will find the configuration menu.
The image shows one possible configuration; it is only an example. Adjust the number of allowed retries and the lockout duration to your own tolerance level.
Change your admin page URL
To change the admin page URL you need to install a plugin; this is the easiest way to do it. There are various plugins for this, and you can search for them with the keywords ‘admin url’ in your plugin menu. In this article I recommend “WPS Hide Login”, which can be installed from the ‘Plugins’ menu as well. However, you can always find and use any other plugin that does the same; it is your own decision.
Once the “WPS Hide Login” plugin is installed, go to WordPress ‘Settings’ and choose the ‘WPS Hide Login’ menu:
This menu will appear in your panel as in the image above. It is a very simple form where you enter the new path for the admin login page and save it. Note the new URL somewhere safe, because the old /wp-login.php path will no longer work.
Add two-factor authentication (2FA)
I am sure the principle of 2FA is familiar, but in case it is not: it works as a second authentication step for a login. After you enter your username and password, you are asked for a one-time code from an authenticator app (for example Google Authenticator). The code is a sequence of digits that changes periodically and is known only to the person who set up the 2FA, so a stolen or guessed password alone is not enough to log in.
For this security option you will need another WP plugin. I will use “Google Authenticator” in this tutorial; you can use it as well, or find any other 2FA plugin, since they all work on the same principle. Once this plugin is installed, go to ‘Settings’ on your WP admin panel, where a separate ‘Google Authenticator’ menu will appear. Its menu is very simple and straightforward:
The example shows that two-factor authentication will be enabled for the ‘Administrator’ role. If there are other users and roles, add them as well. After saving and refreshing the page, you will see a menu with a generated ‘Secret’ code; enter it in your Google Authenticator app to create the 2FA entry, and that is it. The additional security layer is now enabled.
Password-protect the admin folder
There is an option to protect the ‘/wp-admin’ folder itself, so that anyone reaching the admin page must first pass a separate password prompt on the ‘/wp-admin’ folder before they even see the WordPress login form. You can use the following Directory Privacy tutorial to protect your admin folder with a password.
There are other methods as well, such as using .htaccess to limit access to the login.php file and so on, but if you apply at least a few of the security methods suggested in this article, it should be enough for most regular WordPress websites.
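As an added example that is not part of the Directory Privacy tutorial referenced above, here is an Apache 2.4 `.htaccess` for the wp-admin directory that applies HTTP Basic authentication in front of the WordPress login, while keeping `admin-ajax.php` reachable, because themes and plugins call it for anonymous visitors (front-end forms, search, and similar features would break otherwise). The password file path `/home/example/.htpasswd` is a placeholder; keep it outside the web root.

```apache
# Constructed example: contents of /wp-admin/.htaccess (Apache 2.4, mod_auth_basic).
# Create the credentials file first, outside the document root, with:
#   htpasswd -c /home/example/.htpasswd <username>
# (omit -c when adding further users to an existing file).
AuthType Basic
AuthName "Restricted admin area"
AuthUserFile /home/example/.htpasswd
Require valid-user

# Exception: admin-ajax.php is used by plugins and themes for logged-out
# visitors. In Apache 2.4 the Require rules of the more specific <Files>
# section replace the directory-level ones, so this path stays public.
<Files admin-ajax.php>
    Require all granted
</Files>
```

Check the exception by loading a front-end feature that uses AJAX while logged out; if it breaks, the `<Files>` block is not being applied (for example because `AllowOverride` does not permit AuthConfig and Limit in .htaccess).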