While the WordPress core software is inherently secure, the usernames and passwords that you and your site’s users choose might not always be. So if you want to keep your site safe from unauthorized access, you need to tighten WordPress security, especially when it comes to your wp-admin dashboard.
Why it’s important to secure your WordPress login screen and dashboard
When people think about hacking, they often imagine hackers breaking into their servers using sophisticated tools and computer ‘magic’ (as in the movies). However, more often than not, attackers get into websites and accounts the same way anyone else does – by somehow obtaining access to the login credentials of an account at your site.
After plugin vulnerabilities, brute force attacks and password theft are two of the most common ways hackers gain access to your site, accounting for ~20% of all hacked WordPress sites.
While WordPress’ login system is inherently secure, hackers can still gain access by:
- Repeatedly guessing username and password combinations until they find one that works (this is called a brute force attack)
- Stealing already-valid login credentials via other methods
But if you tighten WordPress security at your login page and WordPress dashboard, you can stop such attacks in their tracks.
Four ways to tighten WordPress security
The following methods will help you keep your WordPress dashboard area secure. You can even mix and match them for better results.
Keep in mind that some of these methods require you to make small modifications to your WordPress core files. The risks of something going wrong during that process are small, but it’s still smart to back up your website beforehand just in case.
1. Whitelist IP addresses
In some cases, you may want to ensure that only specific IP addresses can access your dashboard. This process is known as whitelisting, and it can be quite effective. Let’s talk about why:
- You can pick and choose who uses your dashboard. IPs are unique, so this method is perfect if you work with a small team of users (who have static addresses).
- IPs are hard to fake. Unless an attacker gains access to one of your team members' computers, they can't easily reach your dashboard.
- It's easy to implement. The whole process consists of adding a few lines to your .htaccess file.
We previously devoted an entire article to guiding you through this process – check it out if you want to implement this method.
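The article's own method is a few lines in .htaccess, which rejects the request before WordPress even runs. As an added example (not code from the article or from WordPress itself), the same restriction can be applied at the application layer with a must-use plugin, which is useful on hosts where .htaccess is not available. The plugin name, function names and the two addresses are assumptions: the IPs are RFC 5737 documentation addresses chosen as constructed sample data, and you would replace them with your team's static addresses.

```php
<?php
/**
 * Plugin Name: Admin IP allowlist (added example)
 *
 * Save as wp-content/mu-plugins/admin-ip-allowlist.php. Must-use plugins are
 * loaded on every request, so this runs before the dashboard or login page
 * renders and refuses any client address that is not on the list.
 */

// Constructed sample list (RFC 5737 documentation addresses). Replace with the
// static addresses of the people who should be able to reach the dashboard.
define( 'EXAMPLE_ADMIN_ALLOWED_IPS', array( '203.0.113.10', '198.51.100.25' ) );

function example_admin_client_ip() {
    // REMOTE_ADDR is the TCP peer address as the web server saw it. Behind a
    // reverse proxy or CDN it holds the proxy's address, so the proxy layer (or
    // the server's trusted-proxy setting) must restore the real client address
    // before this check means anything. Never read X-Forwarded-For directly:
    // any client can set that header.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
}

function example_admin_request_is_protected() {
    global $pagenow;
    // Cover the login page and the dashboard, but leave admin-ajax.php alone:
    // front-end features of many themes and plugins call it for every visitor.
    if ( 'wp-login.php' === $pagenow ) {
        return true;
    }
    return is_admin() && ! wp_doing_ajax();
}

add_action( 'init', function () {
    if ( ! example_admin_request_is_protected() ) {
        return;
    }
    $ip = example_admin_client_ip();
    if ( in_array( $ip, EXAMPLE_ADMIN_ALLOWED_IPS, true ) ) {
        return;
    }
    // Record the refusal so repeated attempts show up in the server error log.
    error_log( sprintf( 'wp-admin access refused for %s', $ip ) );
    wp_die( 'Access to this area is restricted.', 'Forbidden', array( 'response' => 403 ) );
} );
```

Because this runs inside WordPress, a bug in another plugin that loads earlier could still be reachable; the .htaccess version the article links to does not have that gap, so prefer it where your host supports it and treat this as a fallback or a second layer.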
2. Protect your wp-admin directory with an additional username and password
Aside from handpicking who can access your dashboard, you can request an additional set of credentials before your dashboard even loads. In other words, you can create new user logins that aren’t tied to WordPress, but to your hosting panel instead.
This technique may sound redundant, but here’s why it works:
- It keeps your dashboard safe even if there are compromised accounts. If an attacker gains access to one of your team members’ accounts, they’ll still need to figure out a second set of credentials.
- You can change passwords periodically. If you want to go the extra mile, you can change the passwords tied to your team members’ dashboard credentials periodically, and remind them not to share those passwords.
To add such a password, you can use cPanel's "Password Protect Directories" function on your wp-admin folder.
Keep in mind that the passwords you use here should be different from those used to log in to WordPress itself. That way, you’re adding an extra layer of security.
3. Add two-factor authentication to your login screen
Two-factor authentication is a simple technique that adds an extra verification factor to your login process, along with your password. It often takes the form of a code sent via text message, email, or even an app, which a user has to enter in conjunction with their password to access your site.
Here’s why you should consider using this technique to tighten WordPress security:
- It’s safer than using just a password. In most cases, attackers will need physical access to your devices to receive your two-factor authentication code.
- There are several ways to implement it. Two-factor authentication is quite popular these days, so you can implement it using a variety of tools and methods.
As far as WordPress is concerned, we wrote a full guide on how to set up two-factor authentication for WordPress.
4. Limit the number of login attempts users can make
If you allow people to try and access their accounts over and over again via the login screen, you’re leaving a weak point in your security. In practice, it’s far safer to limit the number of attempts anyone can make during a specific time period.
Let’s break down why this method works:
- It prevents brute-force attacks. If users can attempt to log in over and over again, it lets hackers and bots try new passwords until they find the right one.
- It gives you time to respond to suspicious activity. Some tools inform you about unsuccessful login attempts, which gives you the opportunity to block those IPs or take other measures.
This measure is so popular that a lot of security plugins let you implement it in a matter of minutes. Something like Wordfence adds this extra safety layer to your login screen quickly (along with a number of other helpful security tweaks).
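To show what a plugin such as Wordfence is doing under the hood, here is an added example (not code from the article, from Wordfence, or from WordPress core) of a minimal must-use plugin that locks out a client address after repeated failures. The threshold of 5 attempts and the 15-minute lockout are assumed values, and the plugin and function names are invented for the example; the counter is kept in a WordPress transient keyed by client IP.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example)
 *
 * Save as wp-content/mu-plugins/login-attempt-limiter.php. Counts failed
 * logins per client address and refuses further attempts for a while once
 * the threshold is reached, so a password-guessing loop gets a few tries,
 * not thousands.
 */

// Assumed policy: lock out after 5 failures for 15 minutes (900 seconds).
define( 'EXAMPLE_LOGIN_MAX_ATTEMPTS', 5 );
define( 'EXAMPLE_LOGIN_LOCKOUT_SECONDS', 900 );

function example_login_client_key() {
    // As with any IP-based control, REMOTE_ADDR must reflect the real client;
    // behind a proxy or CDN, configure that layer to restore it first.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_attempts_' . md5( $ip );
}

function example_login_failed_attempts() {
    return (int) get_transient( example_login_client_key() );
}

// Each failure bumps the counter and restarts the lockout window.
add_action( 'wp_login_failed', function ( $username ) {
    $attempts = example_login_failed_attempts() + 1;
    set_transient( example_login_client_key(), $attempts, EXAMPLE_LOGIN_LOCKOUT_SECONDS );
    if ( $attempts >= EXAMPLE_LOGIN_MAX_ATTEMPTS ) {
        // This log line is the "time to respond" signal mentioned above.
        error_log( sprintf(
            'Login lockout after %d failures from %s (username "%s")',
            $attempts,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
            $username
        ) );
    }
} );

// Runs after core's username/password check (priority 20), so a locked-out
// client is refused even if it finally guesses the right password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( example_login_failed_attempts() >= EXAMPLE_LOGIN_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( example_login_client_key() );
} );
```

Two things worth knowing about this design: the refusal itself fires `wp_login_failed` again, so hammering a locked-out address only extends the lockout, and because the counter is per address, a legitimate user who shares a NAT with an attacker is locked out too. That trade-off is why the plugins mentioned above usually also count failures per username and let you allowlist your own addresses.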
Figuring out how to tighten WordPress security isn’t as complicated as you might think. In fact, it can be downright easy thanks to all the tools available for the job. The only question is what security methods you should use on your site. As far as we’re concerned, the most efficient approach is to focus on your login screen and dashboard, since those are a major target for attacks.
Here are four ways you can secure your WordPress admin area:
- Whitelist the IP addresses you want to have access to your dashboard.
- Protect your wp-admin directory with an additional username and password.
- Add two-factor authentication to your login screen.
- Use Wordfence or something similar to limit the login attempts users can make.