The administration of WordPress is a critical component of this content management system, and it is a frequent target of attacks. These range from brute-force attacks on login credentials to DDoS attacks and even attempts to add a user with root (administrator) privileges. Any additional security measure you take is therefore worthwhile and strengthens the most important aspect – the administration and administrator access. In this article, we will take a closer look at how to better secure the administration of WordPress.
How to better secure WordPress administration?
Basic steps you can take for greater security are:
- Always use a strong password: Your password should be complex and at least 8 characters long, with upper and lower case letters, numbers, and special characters. Such a password is more resistant to dictionary attacks on login credentials.
- Set unique usernames: Instead of the default administrator name (e.g., admin), use a unique name that is not easily guessable. It could be your name or a nickname. A bot running a dictionary attack will always try “admin” first.
- Activate two-factor authentication: Two-factor authentication requires not only a password but also a one-time code sent to your mobile phone to log in.
- Keep the CMS, plugins, and templates up to date: Old versions can be vulnerable and easily attacked, so it is important to keep them updated to the latest versions.
- Change the administration URL: The default WordPress administration URL is “http://yourdomain.com/wp-admin/”. Changing this address to a non-default URL can discourage potential attackers from attempting to access it.
- Install a security plugin: There are many free and paid plugins that can help secure your website and WordPress administration. These plugins may include features such as IP address access restrictions, protection against brute-force attacks, data backup, two-factor authentication, and more.
- Use an SSL certificate: An SSL certificate encrypts information transmitted between your website and the visitor’s browser, protecting this information from misuse.
- Regularly back up your website: Backing up your website allows you to restore it if it is attacked and damaged.
Which plugins to choose for better security of WordPress?
Here’s a basic list of plugins that can help you secure access to your WordPress administration:
Wordfence Security: This widely used solution offers a firewall, protection against brute-force attacks, backups, and other security features. You can download the plugin here.
iThemes Security: This plugin offers many features including protection against brute-force attacks, backups, file modification monitoring, and more. You can download the plugin here.
Jetpack Security: This plugin from the Automattic developers offers features such as protection against brute-force attacks, monitoring and notification of security threats, and more. You can download the plugin here.
All In One WP Security & Firewall: This plugin offers a firewall, protection against brute-force attacks, backups, and other features for better security of the system and the administration itself. You can download the plugin here.
Sucuri Security: This service, available in both free and paid versions, offers a comprehensive security solution that includes a firewall, monitoring, and backup features. You can download the plugin here.
How to enable two-factor authentication for WordPress administration?
If you want to secure access to the administration interface with additional elements, one option that contributes to greater security is two-factor authentication. With this feature enabled, after entering your login and password you will not go directly to the administration interface but will be prompted for a second code, usually generated by an external application. For this you can use, for example, the Google Authenticator application.
Google Authenticator on Google Play
Google Authenticator on App Store
Furthermore, to enable this feature, a plugin that performs the two-factor authentication is needed. Personally, I use the Wordfence plugin for this purpose.
Wordfence plugin on wordpress.org
To enable two-factor authentication, follow these steps in the Wordfence plugin:
- In the WordPress administration, open the Plugins section, search for the Wordfence plugin, and install it.
- After activating the plugin, a separate Wordfence section will appear. Click on it.
- From the Wordfence menu on the left, select “Login Security”.
- Open the Google Authenticator app on your mobile phone and scan the QR code provided.
- The Google Authenticator app will generate a six-digit code, which you then enter into the field labelled “Enter the code from your authenticator app below to verify and activate two-factor authentication for this account”.
- To complete the process, click the “Activate” button.
Is it possible to restrict access to WordPress administration only for certain IP addresses?
Yes, it is possible. On a Linux server (Apache) this is done using an .htaccess file. Log in over FTP to manage your website’s files and find the wp-admin folder. Create a text file named .htaccess, insert the rules below into it, and upload it to the wp-admin folder. Replace the IP addresses in the example with your own.
# Allow access to the administration only from the IP addresses listed below.
# With "Order Deny,Allow" a request that matches both directives is allowed, so the
# listed addresses get in and everyone else is denied. (With "Order Allow,Deny" the
# same three directives would deny everyone, including the listed addresses.)
# On Apache 2.4 these directives need mod_access_compat; the native 2.4 form is "Require ip".
# Note: this also blocks wp-admin/admin-ajax.php, which some themes and plugins call for
# logged-out visitors, and it does not cover wp-login.php, which lives outside this folder.
Order Deny,Allow
Deny from all
# 1. address
Allow from 18.104.22.168
# 2. address
Allow from 22.214.171.124
# end of list
How can I change the WordPress administration URL?
This can be done in several ways. For beginners, I will describe the easiest method, which is using a plugin, for example WPS Hide Login.
The WPS Hide Login plugin for WordPress changes the URL of the WordPress login page. This improves the security of your website because attackers no longer find your original admin URL, which they would otherwise use to attack your password.
Additionally, the plugin allows you to change the login URL to any address of your choosing on a running website, without updating or modifying any code. This can be useful if you want to prevent brute-force attacks.
The advantage of the WPS Hide Login plugin is that it is lightweight and easy to use, so even less technically savvy users can easily change the admin URL of their website.
Conclusion: how to better secure WordPress administration
In this article, we have used only a few methods to protect the WordPress administration, and as examples I have used the basic and most commonly used plugins that can help you with this problem. Regularly checking your website, new users, and their permissions is up to you. The best protection is always a carefully updated system and well-organized data, strong passwords, and occasional checks of the website’s status.