How to Protect Your WordPress Admin Area

Downloading WordPress and building a blog or e-commerce site is relatively easy. There are few—if any—barriers to getting started. All you need is a domain name and hosting, and you’re good to go.

But like any kind of real estate, you need to protect it. Your admin area or dashboard is—for the lack of better terminology—the control panel for your entire site. And anyone who has access to it can take over control of your site.

Thus it is critical to protect your WordPress admin area.

Unfortunately, thanks to WordPress’ popularity, it’s the most commonly hacked CMS. In fact, according to a report done by Sucuri back in 2018, WordPress attracted more than 90% of all hacking attempts against CMSs. And the latest statistics show that hasn’t changed much.

So protecting your admin panel is critical. Let’s discuss how.

IP Whitelisting

Every visitor to a website arrives with an IP address, whether they come with good intent or bad. And even if they’re hiding behind an address that isn’t their own, they’re still identified by an IP address.

As a site admin, you may have a team of users who have access to your admin area. Or you may be the only one with access, but you access via a few different devices or networks. For example, you access from a home network address or work network address.

As long as you know those IP addresses—and they’re at least somewhat static—you can whitelist them. This identifies users as authorized to enter but blocks access to anyone not on the list. So all traffic that comes to your site—and anyone who tries to access your admin area—will be blocked if they don’t have a matching IP address.

Note that you will need to keep an eye on your IP addresses. Home IP addresses tend to change—some change every six months or so—so you may find yourself blocked until you update your whitelist.

How to Whitelist IP Addresses

If you’re comfortable digging into your code, you can add a whitelist to your .htaccess file. You can find it in the root folder of your site via FTP, although your FTP client may have it hidden. Another alternative is to log into your cPanel, or whatever panel your host uses, and make the change via File Manager.

Whitelist IP Addresses Via File Manager

Before making any changes in your backend, I strongly recommend a full backup or, at the very least, a backup of your .htaccess file.

Here’s what it will look like via File Manager.

Once you’ve accessed and made a backup copy of your file, add the following code snippet. This will block access to your login page and your dashboard. Note that you’ll need to change the placeholder IP address to your own IP address, but make sure to change only the numbers and leave the backslashes before the dots in place.

If you have multiple addresses to whitelist, put one address on each of the 4 identical lines below; a request is blocked only if it matches none of them. If you have more than four, copy/paste in a new line and use that. If you have fewer than four, simply delete the lines you don’t need. And if you don’t know your IP address, you can just do a Google search on “what is my IP address.”

# Apply the rule to the login page or anything under wp-admin/ (the [OR] joins these two URI tests)
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
# One line per allowed address; the request is blocked only if it matches NONE of them.
# Replace the placeholder numbers and keep the backslashes before the dots.
RewriteCond %{REMOTE_ADDR} !^012\.345\.678\.901$
RewriteCond %{REMOTE_ADDR} !^012\.345\.678\.901$
RewriteCond %{REMOTE_ADDR} !^012\.345\.678\.901$
RewriteCond %{REMOTE_ADDR} !^012\.345\.678\.901$
# Caveat: this also blocks wp-admin/admin-ajax.php, which some themes and plugins call for logged-out visitors.
RewriteRule ^(.*)$ - [R=403,L]

Once you’ve added your IP addresses, save your changes.

Finally, verify that the setup is working as expected: test from a whitelisted IP address (you should get in) and from a different one (you should see the block in action).
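As an added example (not part of the original article), the following Python helper builds the RewriteCond block above from a list of addresses, rejecting malformed ones and escaping the dots for you, and then mirrors Apache’s condition logic so you can check which URI/address combinations would be blocked before you touch the live .htaccess. The addresses and paths are constructed sample values.

```python
import ipaddress
import re

# Constructed sample addresses (documentation ranges, not real admin IPs).
ALLOWED_IPS = ["203.0.113.10", "198.51.100.25"]

# The two URI tests from the article; [OR] joins them, everything after is ANDed.
LOGIN_RE = re.compile(r"^(.*)?wp-login\.php(.*)$")
ADMIN_RE = re.compile(r"^(.*)?wp-admin(/.*)?$")


def htaccess_whitelist(ips):
    """Return the .htaccess snippet with one REMOTE_ADDR condition per address.

    Each address is validated with the ipaddress module, so a placeholder such as
    012.345.678.901 (octets above 255) raises ValueError instead of being written
    into the file. re.escape() adds the backslashes before the dots so they match
    literally in Apache's regular expression.
    """
    conds = []
    for ip in ips:
        ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
        conds.append(f"RewriteCond %{{REMOTE_ADDR}} !^{re.escape(ip)}$")
    lines = [
        "RewriteEngine on",
        r"RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]",
        r"RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$",
        *conds,
        "RewriteRule ^(.*)$ - [R=403,L]",
    ]
    return "\n".join(lines)


def is_blocked(request_uri, remote_addr, allowed_ips):
    """Mirror the rule: (login URL OR admin URL) AND address matches none of the list."""
    admin_url = bool(LOGIN_RE.match(request_uri) or ADMIN_RE.match(request_uri))
    return admin_url and remote_addr not in allowed_ips


if __name__ == "__main__":
    print(htaccess_whitelist(ALLOWED_IPS))
    # Constructed test cases: a whitelisted login, an outside visitor on the
    # dashboard, and an outside visitor on the public front page.
    for uri, ip in [("/wp-login.php", "203.0.113.10"),
                    ("/wp-admin/", "192.0.2.99"),
                    ("/", "192.0.2.99")]:
        verdict = "BLOCKED" if is_blocked(uri, ip, ALLOWED_IPS) else "allowed"
        print(f"{uri:<16} from {ip:<14} -> {verdict}")
```

The simulation only checks the regex logic; you still need to test the real site from a whitelisted and a non-whitelisted address once the file is saved.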

Are all test cases working as expected? Great, now let’s see what else you can do to protect your WordPress admin area.

Use Strong Passwords

No matter how many times the need for strong passwords is reiterated, there are still people using passwords like admin or 12345. And no, admin12345 isn’t a good password either!

Some site admins have the mistaken idea that hackers would never bother with their little site. Hackers usually aren’t looking for any particular site—they scan for vulnerable sites at the server level, in bulk. So how important you are is irrelevant.

Always create and use strong passwords, the stronger the better. Think of it as a basic but important step to better protect your WordPress admin area.

Use Two Factor Authentication

What’s even better than strong passwords? Locking down that password with another layer of security by enabling two-factor authentication. This means logging in requires your password and another form of ID, which is often a code sent to your phone.

Download and install the WP 2FA plugin.

This plugin is simple and intuitive to set up and use. It also offers universal support for a number of popular 2FA apps such as Google Authenticator, Authy, FreeOTP, and more.

Add Password Protection to the WordPress Admin Directory

WordPress installs with a number of files and directories, and one of the three main directories is your Admin folder. If you password-protect that as well, it’s another layer of security.

To add this, navigate to the Files section in your host’s cPanel, and then go to Directory Privacy.

From there, find your wp-admin folder within the /public_html/ directory and click the Edit link. Next, check the box beside the Password protect this directory option, enter a name for the directory, and then save.

Under the save button, click Back, and create a username and password. Once saved, anyone who tries to access that directory will need to provide the username and password you just created.

Congrats, you’ve taken a big step forward in protecting your WordPress admin area!

Install Wordfence

Want to go with the nuclear option? You can install something like Wordfence that covers all your security basics with a firewall, malware scanning, login security, 2FA, and more.

Wordfence is one of the best, all-around security plugins for WordPress.

Install WP Admin Audit

Yes, of course we’re mentioning it! Our plugin WP Admin Audit definitely belongs on this list as well.

Use it to monitor administrator activity and to keep a full list of changes made to your WordPress site.
Having an audit trail of everything that happens on your WordPress site means you’re always aware of site activity and, if necessary, you can take immediate action to mitigate attacks or risks.

This WordPress event log also comes in handy for troubleshooting what was last changed before something on the site was broken. An activity log can help you find the cause of the problem.

Protect Your WordPress Admin Area (even more)

Out of the box, WordPress is very secure, but additional security is always a good thing.

Did you know there’s even something more you can do to protect your WordPress admin area?

Check out our articles on how to harden WordPress and our list of WordPress security basics.