
WordPress Admin Security: A Complete Guide

WordPress leads the CMS field, powering over 455 million websites around the world, which means it currently accounts for 35% of all websites on the internet today. That popularity has also attracted unwanted attention: hackers probe WordPress websites for security loopholes 24/7, and statistics show that more than 70% of WordPress installations are susceptible to hacks, so the results are unpleasant at best. The admin area of WordPress is the prime target of most hackers, because taking control of the admin panel gives them the most leverage. In this article, we will discuss some steps to ensure WordPress admin security.

You can read more about this here: https://www.getastra.com/blog/cms/wordpress-security/wordpress-security-guide/

Steps to follow for WordPress Admin Security

1. Change the Admin URL

Anyone can find your default login page by simply appending ‘wp-login.php’ or ‘wp-admin’ to your website’s URL. Brute-force attacks are the hackers' favorite way of gaining access to a website’s admin area: they bombard your admin page with different combinations of usernames and passwords until one succeeds. So it is better to safeguard your admin page by hiding it, and changing the URL of your backend is the best way to achieve this.

The steps to do this are as follows:

Use a plugin: The WP-hardening plugin comes with a one-click feature to change the admin URL. Go to the ‘Security Fixers’ tab and just enter a new slug of your choice in the ‘Change login URL’ field and toggle the button beside it. Log into your backend with the new URL and you’re done.


Or do it manually: The manual process is a little trickier and not suited to everyone. It also involves changes to your WordPress core files, so a mistake can leave you with a broken website; be careful with this method.

  • Create a new file: As the first step, create a new file in the text editor of your choice and save it in the root folder. Give the file a unique name; this name is what will appear in your admin URL.
  • Copy and paste the code: Open your wp-login.php file, copy its entire content, and paste it into the newly created file.
  • Find and replace the ‘wp-login.php’ string: Find all occurrences of the wp-login.php string in all the files and replace them with the name of the newly created file.
  • Upload the file: For the final step, log in to your website’s admin area and go to the file manager. From there, click the upload button to upload the newly created file, then delete the original ‘wp-login.php’ file.

2. Restrict access to wp-admin

Restricting access to the administrator area is another way to enhance WordPress admin security: allow only selected IP addresses to reach your admin page. In your .htaccess file, paste this code:


Change xx.xx.xx.xx to your required IP address. To allow multiple IP addresses, repeat the third line with a different IP each time. You can also disable the registration form on your login page to discourage access to your admin page.
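As an added example (not the article's own snippet), here is a wp-admin/.htaccess that admits only listed client addresses, written for both the Apache 2.4 and the older Apache 2.2 directive sets; the addresses are placeholders from the RFC 5737 documentation ranges.

```apache
# Added example, not from the original article. Place in wp-admin/.htaccess.
# 203.0.113.10 and 198.51.100.0/24 are RFC 5737 documentation addresses;
# replace them with the addresses your administrators actually use.

<IfModule mod_authz_core.c>
    # Apache 2.4: bare Require lines are OR'ed, so any match grants access
    # and every other client is denied for everything under wp-admin/.
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24

    # Plugins and themes call wp-admin/admin-ajax.php on behalf of anonymous
    # visitors too; exempt it or front-end features break for everyone else.
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</IfModule>

<IfModule !mod_authz_core.c>
    # Apache 2.2: deny everyone, then add one "Allow from" line per address.
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24

    <Files "admin-ajax.php">
        Order Allow,Deny
        Allow from all
    </Files>
</IfModule>

# Behind a CDN or reverse proxy, Apache sees the proxy's address, so the
# allow list only works once mod_remoteip is told which proxy to trust.
```

Note that wp-login.php lives in the site root rather than under wp-admin/, so a matching `<Files "wp-login.php">` stanza in the root .htaccess is needed to cover the login form itself.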

3. Use secure admin login credentials

Most WordPress users still use ‘admin’ or ‘administrator’ as their username. These usernames are so common that they increase your chance of being brute-forced.

If you are still using the default login credentials, now is the time to change them. Follow these steps to create secure admin login credentials for your website:

  • Navigate to Users >> Add New from the WordPress dashboard.
  • Create the new user and assign the Administrator role to the new account. Click the Add New User button when you are done.


  • Now log in with your newly created username. Navigate to the Users section and delete the old admin account.

4. Use password protection on the wp-admin directory

Although your admin area is already protected by a login password, there is no harm in adding an extra layer of security with a second password on the wp-admin directory. First, log in to your WordPress hosting dashboard and select the ‘Directory Privacy’ icon.


Second, select your wp-admin folder, located in the /public_html/ directory. Check the box next to ‘Password protect this directory’ and give the protected directory a name.


After saving the changes, create a new user with a new username and password. From then on, anyone who tries to visit the protected directory will be asked to submit that username and password.
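Hosting panels typically implement directory protection with Apache basic authentication; as an added example (not from the article or any particular hosting panel), here is the equivalent hand-written wp-admin/.htaccess for Apache 2.4, with the credential file path and user name as placeholders.

```apache
# Added example, not from the original article. Place in wp-admin/.htaccess.
# Create the credential file outside the web root first, for example:
#   htpasswd -B -c /home/example/.htpasswds/wp-admin/passwd adminuser
# (-B selects bcrypt hashing, -c creates the file). The path and the user
# name are placeholders.

AuthType Basic
AuthName "Restricted admin area"
AuthUserFile /home/example/.htpasswds/wp-admin/passwd
# Only accounts listed in AuthUserFile get as far as the WordPress login.
Require valid-user

# admin-ajax.php is requested by anonymous visitors on behalf of plugins and
# themes; granting it unconditionally means no password prompt for it.
<Files "admin-ajax.php">
    Require all granted
</Files>

# Basic auth sends the credentials with every request, so this directory
# must only be reachable over HTTPS (enforce it in the root .htaccess or
# the virtual host) or the second password is exposed on the wire.
```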

5. Use a firewall

For overall security and 24/7 monitoring of your website, install a web application firewall. Astra Security is one of the leading and trusted WordPress security solutions out there. It is a premium plugin with tons of useful and effortless security features such as a firewall, malware scanning, one-click WordPress malware removal, country blocking, IP blocking, a GDPR bar, and so on. It is a coding-free plug-and-play solution to keep you protected from incoming attacks round the clock.


There is no such thing as complete security; all you can do is take the necessary steps to reduce the chances of getting hacked. With the help of Astra Security, you can do it with just a click. Or you can follow the above-mentioned steps to harden your WordPress admin security. For questions related to the steps or to Astra, drop a comment below. We will be happy to help you!
