Securing WordPress Admin Section

Securing WordPress Admin Section

The WordPress admin section is the heart and sole of your WordPress site so not surprisingly it is the most attacked section of the platform. The aim of this article is to show you a couple of easy to implement methods of securing WordPress against hackers.

Now firstly no website is completely secure. That’s asking the impossible. The aim here is to stop the low hanging fruit or what is commonly referred to as script kiddies. These are people that use known attacks quite often using freely downloadable tools. If you come under attack from a skilled hacker they may still get in even with the below precautions. The upshot here is that skilled hackers tend to target specific sites. So unless you’re high profile like Google or Amazon you are very unlikely to attract a skilled hacker so securing WordPress is generally fairly simple.

Methods of Securing WordPress

Thankfully securing WordPress is not that difficult. There are plenty of freely available plugins that will assist plus the traditional methods are either free or very affordable.

The number one way of keeping your site hacker free is to keep it up to date.  The second is to pick a strong password and to not use something obvious like admin as your username.

Knowing when your site is under attack

Intelligence is the first part of defending against any attack. After all how are you going to to know what methods you need to defend against if you don’t know when you are being attacked.

Thankfully there are some straight forward plugins to assist you with this. An example of this is Sucuri Security.


This will prevent anyone eaves dropping on your traffic. What SSL does is encrypt or scramble the traffic while in transit. While it used to be both expensive and difficult to implement it is now reasonably straight forward and very cheap to SSL enable a website.

While it is common to just secure the admin section it is now recommended that you SSL enable the entire site. This will prevent you accidentally dropping out of secure mode.

To obtain an SSL certificate either look here or try

Brute Force

This is a systemised way of guessing the password. What an attacker can to is either run through a list of known passwords (called a dictionary attack) or just start going through sequences of numbers (i.e.  1, 2, 3, 4 etc). Computers can cycle through numbers blindingly fast. This is the reason you should not use short, easy to use and anything that is a common word. It is very easy and fast to break simple dictionary style passwords.  WordPress also rates the strength of your password so you would be advised to make sure it rates highly.

There are many plugins that will assist in preventing a Brute Force attack however the best way to stop this is to have a very strong password. The minimum recommended is 10 characters with uppercase, lowercase, numbers of symbols within the password.

An easy to way to combat a brute force if you have a static or fixed IP address is to only allow your public IP address to connect. This can be done easily in the .htaccess file. An example would be:

Require ip
Require all denied

Another option is to use a plugin that will block repeated login attempts. An example would be Loginizer Security which blocks the IP address of any machine that has repeated login attempts.  This can be used if the .htaccess option isn’t feasible. It can also be used as a backup plan incase you occasionally need to option up your admin section to anyone.


A reCAPTCHA is a method of using images that display words or phrases a user has to type in. These are generally used on Contact Forms as it can stop quite a few automated attacks. A new version of this that appears to be quite good the one provided by Google. The “Login No Captcha reCAPTCHA” plugin implements this, though in testing on this site we still came under attack so somehow a way around it was discovered. I have found this method very effective on email forms though.

Rename URL

One way of slowing attackers down is the rename the admin URL. So instead of “yourdomain/wp-admin” you can rename it to “yourdomain/anotherfolder”.  This way can stop allot of the automated attacks as most WordPress sites have wp-admin as the admin folder as that is the default.

You can get plugins to change this and this is certainly a good way to slowing attackers down.

Backing Up

As with most things in life it is a good idea to have a backup plan. In case your site does get broken into you need a way to restore it to a clean condition once you stopped the attack. You would also be advised to backup your site before installing any of the tools mentioned in this article.


Securing WordPress is not a set and forget task. If you want to minimise the risk you need to take proactive action. The best method of security most sites is to take advantage of the Laziness of most attackers. That is if you are presented with multiple items to break into more than likely you are going to choose the “path of least resistance”, or the least secure site.

Leave a Reply