WordPress Admin Area Security Best Practices

The administrative area is the backbone of any website and, in fact, the most intriguing zone for hackers. Whenever you install WordPress, it creates a password-protected administrator user with access to the admin dashboard, which, by the way, is hidden behind a login page.

Unfortunately, for every security provision, there exist hacks capable of breaking through, given a sufficient level of time and effort. However, by employing a multifaceted approach to admin area protection, you can minimize the chances of a severe security attack. Keeping your WordPress admin area safe is incredibly important.

As I continue with the security series, I think it’ll be great to start with the core. So, let’s dig deep and discuss some of the must-have security practices for your WordPress admin area or, as we like to call it, the WordPress Dashboard.

WordPress Admin Area

In a new install, the WordPress admin area is hidden behind a login screen and can be accessed at Domain.com/wp-admin/. With the right credentials in hand, you can log in to the dashboard and perform all sorts of admin actions, e.g. creating, deleting and editing posts or pages, and dealing with comments and media. To keep your WordPress admin account secure, you can take the following steps.

Implementing SSL

Encrypting your admin area with an SSL certificate can secure the admin panel. SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client. With SSL protection, your web URLs start with https:// instead of http://. With SSL implemented, data is transferred safely between the user’s browser and the server. All communication, such as server passwords and login credentials, is encrypted, and you are safe from network spoofing hacks. That means any action you perform inside your WordPress admin area will be encrypted, so a hacker cannot read any secret info that may be harmful in the wrong hands.

The best way to get an SSL certificate is to contact your web hosting provider. If they offer a shared SSL plan, then you must go for it. Otherwise, you can purchase your own SSL certificate and get your hosting company to install it for you.

I recommend using the free and open source Let’s Encrypt SSL certificates because I use them on most of my websites. Let’s Encrypt is a new, automated and free SSL certificate authority that can help you secure your website traffic. One of the major sponsors of LE is Automattic, the company behind WordPress.com.

However, many notable hosting companies, like SiteGround and WP Engine, already offer SSL certificates with their hosting packages. That, by the way, is a sign of a good hosting company.

Once you are done, add the following line to the wp-config.php file:

define('FORCE_SSL_ADMIN', true);

Another easy way is to use plugins like Really Simple SSL, which implement SSL on all pages of your website. The plugin requires almost no setup, but if you are not a developer, the wise thing to do here is to hire one to implement these plugins for you. You just need to know that an SSL certificate is quite important for your web security plan.

Secure wp-admin Directory

There is a folder called wp-admin which contains the files that are served when you browse your WP admin dashboard. If it gets spoofed or hacked, you can lose control of your site. So, safeguarding this folder should be a priority. A quick way to do that is to protect it with a password, which will ramp up the security level.

Adding another password means that the user will log in to the dashboard account by entering two different passwords. You can also restrict access for users inside the admin dashboard, but that’s out of the scope of this series.

While this can be done by using an old plugin called AskApache Password, I’d recommend contacting your host and asking them to do that for you. If you are a developer, you can create a .htpasswds file by using this generator and then upload the generated file outside your public directory, in a place like


After that, you can create a .htaccess file and upload it to the /wp-admin/ directory. This file should contain the following info:

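# Prompt shown in the browser's password dialog
AuthName "Admins Only"
# Password file kept outside the public web root
AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd
AuthGroupFile /dev/null
AuthType Basic
# Replace with the user name stored in the password file
require user AddYourUserNameHere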

This will add an extra layer of security: anyone without the right login credentials won’t even be able to access the admin login page.

Modifying the admin Username

While installing WordPress, many users create the main administrator account with the username admin. This can be very dangerous for their website security. You should never create the admin user with a guessable username. Moreover, the admin user should have no public activity. This way a hacker cannot guess the admin username, which in turn reduces the impact of a brute force attack. So, your admin username should be something hard to guess.

Despite all these measures, you might still find brute force login attempts with variable usernames in the website logs. Such attempts can be curtailed with the iThemes Security plugin by immediately banning any IP address that tries to log in with a username such as admin. You can also restrict the login attempts to 5; that is, after 5 wrong login attempts, the iThemes Security plugin can ban that IP.
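An added example, not from the original article or from iThemes Security: a log check that applies the five-failed-attempts rule described above to a web server access log. It assumes the combined log format and stock WordPress behaviour, where a failed login POST returns 200 and a successful one returns a 302 redirect; the function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format: client IP, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def failed_logins(lines, login_path="/wp-login.php"):
    """Yield the client IP of every request that looks like a failed login.

    Assumption: stock WordPress answers a failed login POST with 200
    (the form is re-rendered) and a successful one with a 302 redirect.
    """
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path == login_path and m["status"] == "200":
            yield m["ip"]

def ips_to_ban(lines, threshold=5, login_path="/wp-login.php"):
    """Return {ip: failures} for IPs with at least `threshold` failures."""
    counts = defaultdict(int)
    for ip in failed_logins(lines, login_path):
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = (
    ['203.0.113.7 - - [10/Mar/2024:10:00:%02d +0000] '
     '"POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"' % s
     for s in range(6)]
    + [
        # One typo followed by a successful login: must not be banned.
        '198.51.100.20 - - [10/Mar/2024:10:01:00 +0000] '
        '"POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"',
        '198.51.100.20 - - [10/Mar/2024:10:01:09 +0000] '
        '"POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        # GET requests only load the form and are not attempts.
        '192.0.2.44 - - [10/Mar/2024:10:02:00 +0000] '
        '"GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    ]
)

if __name__ == "__main__":
    for ip, n in ips_to_ban(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins, candidate for a ban")
```

Access logs do not record the POST body, so the submitted username is not visible here; a rule keyed on the username admin has to run inside WordPress, as the plugin does. If the login URL has been changed, pass the new path as `login_path`.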

Use Custom Login URL

WordPress is open source, which is why everyone knows the URL for accessing the admin dashboard. We all know how to do it: just type in the website domain followed by “/wp-admin” or “wp-login.php”. Such an easy-to-guess login URL is easy for hackers to reach. If your login username is still admin, a hacker only needs to know the password and your entire site can get hacked.

A simple solution to this is creating custom URLs for logging into your WordPress dashboard. This makes your website a bit more secure, and only an authorized person with the exact login URL can access the account. The iThemes Security plugin is once again quite helpful in this matter. This plugin lets you change the login URLs from /wp-admin to anything you want, e.g. my_new_login, and from /wp-admin/ to e.g. my_new_admin. That way, you’ll access your admin area at Your_Domain.com/my_new_admin/. Makes sense? By doing this, you are secured from a good number of automated attacks that only look for the wp-admin URL.

Choosing Strong Passwords

Choosing strong passwords for admin and user accounts is a necessary step towards admin security, especially if you are running a blog where multiple people access the admin panel, which increases the chances of vulnerabilities.

Do not keep the same password for different people. Instead, every single password should be unique and hard to guess. Plugins like Force Strong Passwords can help you enforce stronger passwords for your users. Not to overstate the obvious, but another step you can take is changing the passwords regularly.

Wrapping Things Up!

WordPress admin security should be a priority, and it can’t be emphasized enough. Use secure passwords, change the login URL and never use a guessable admin username. These three simple tricks help you avoid almost 60% of hacking attempts.

If you think I missed an important technique that you know of, I’d love to hear back from you. Share your way of securing the admin panel. Contribute a technique that is not on my list.

Finally, you can catch all of my articles on my profile page, and you can follow me or reach out on Twitter @mrahmadawais to discuss this article. As usual, don’t hesitate to leave any questions or comments below, and I’ll aim to respond to each of them.

Ahmad Awais

I am a senior Full Stack WordPress Developer, WP Core Contributor, Front-end Fanatic and an accidental writer. I love to write, talk, build, and share everything about WordPress. You can reach out to me at Twitter @MrAhmadAwais.

5 thoughts on “WordPress Admin Area Security Best Practices”

    • I agree with what you wrote. But what about when there are mass admin-ajax.php and admin-post.php POST and GET requests? I have seen that many times. Most of the time users do NOT need these, but if they do, they can follow your solution as well. But it wouldn’t help when there are brute-force attacks.

      This is where I would recommend users to get in touch with a security consultant. I cannot recommend a generic solution to a custom issue like that. But hey, thanks for dropping by. I have tried SecuPress, looks pretty good.
