In our last blog post, we covered two-factor authentication, a very effective way to protect your site, and gave some tips for securing your website overall. If you are still worried about attackers getting through your admin login page, here are a few more tricks and tips you can apply.
1. Use two-factor authentication plugins
There is a reason why we dedicated one whole post to this useful tool: it really does make a difference. Two-factor authentication means that, besides your password, every login requires a one-time code that only your enrolled device can produce (generated by an authenticator app, or sent to you by SMS or e-mail). Someone who has only guessed or stolen your password still cannot get in, which is exactly the gap the rest of this list tries to narrow.
The trade-off is convenience: if you log in and out of many sites all day or switch between devices, the extra step adds up. So even though we strongly recommend this tool, there are other ways to harden your admin login page, and they work best in combination with it.
2. Don’t use the “admin” username
Though this may sound like an old record repeating again and again in every single WordPress security article, people still make the most obvious mistake there is. We cannot stress this enough: don't ever use the "admin" username. Never! Every brute-force bot tries "admin" first, because for years it was the default; picking a different name removes the one half of the credential pair the attacker would otherwise get for free. It does not stop the brute-force attempts themselves (see the tips on failed-login limits and IP restrictions below), but it means the attacker now has to guess the username as well as the password.
If you are already using the "admin" username, create a new administrator account with a different username, log in as that user, and then delete the original "admin" account. When you delete it, WordPress asks what to do with the content owned by that user; choose to attribute it to your new account rather than deleting it.
3. Use stronger passwords
Another obvious mistake that many people make is using a short, weak password. You should have a unique password for every single site, and it should be long and random: a generated string of letters, numbers and symbols, or a passphrase of several unrelated words. Avoid your name, your username, the site name or any single dictionary word in any language, as these are exactly what password-guessing lists are built from.
If you find it hard to remember all those passwords, especially when they are random, a password manager is the tool you need. LastPass is one handy browser extension that will both generate a unique password for each site and remember it for you; any reputable password manager does the same job.
4. Hide your username
Logically, if you don't want hackers to know your "admin" username, you don't want them to know any of your usernames, so showcasing a username in an author archive or page title would not be a smart move.
Normally WordPress displays your username in your author archive page's URL, e.g. http://websiteurl.com/author/username/. The WordPress database has a field called user_nicename (in the wp_users table; your table prefix may differ), which is populated from your login name when the account is created, and WordPress uses this field to build the author page permalink. To change it to something else, you need to edit the database directly, for example via phpMyAdmin. Two quick checks worth running on your own site afterwards: requesting http://websiteurl.com/?author=1 normally redirects to the first user's author archive, and http://websiteurl.com/wp-json/wp/v2/users lists the public slugs of users who have published posts, so a user_nicename left equal to the login name is exposed by both.
Also remember to check "Nickname" and "Display name publicly as" in the user profile section and make sure they are not your username. By default your nickname is your username, and if you forget to change it, your username will end up in the page title of your author archive and next to your posts.
5. Create a custom login link
Normally, when you access the WordPress admin panel, you go through the "wp-login.php" URL (and "wp-admin" simply redirects there). Because every WordPress site uses the same well-known path, bots do not need to look for your login form; they already know where it is. Moving the login page to a custom link takes your site out of that untargeted crowd.
Stealth Login is there for you to solve this problem. It allows you to create custom URLs for logging in and out instead of using the default page, and it can prevent visitors from reaching "wp-login.php" directly. This is security through obscurity, not a fix on its own: an attacker who already has your username and password and is targeting your site specifically can still find the new link, and credential guessing through xmlrpc.php is unaffected unless you also disable XML-RPC. What it does reliably is cut out the brute-force noise from bots that only try the default URL.
And remember that the WordPress login page can be customised for more than just security reasons. Here we have found an interesting article on how to dress up your login page, so check it out.
(Video: "Play With WordPress Login Page", from InnoGears on Vimeo.)
6. Limit the number of failed login attempts
One good way to prevent your site from being hacked through a brute-force attack is to limit failed login attempts. This works by blocking an IP address for a period of time after it has failed to log in a specified number of times, which makes guessing from a single address far too slow to be practical.
Two plugins worth mentioning for this technique are Limit Login Attempts and Login LockDown. Both have similar functionality, refusing further login requests from an IP address (or range) after too many failures, with customisation available in the plugin's options panel for your special needs. Two caveats a practitioner should keep in mind: if your site sits behind a reverse proxy or CDN, the plugin must be told to read the real client address (otherwise every visitor shares the proxy's IP and one attacker locks everyone out, or, if the plugin blindly trusts an X-Forwarded-For header, the attacker can change that header to dodge the block); and a botnet that rotates through many addresses stays under any per-IP limit, which is why this tip is a complement to two-factor authentication and not a replacement for it.
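The same per-IP counting can be done outside WordPress, on the web server's access log, which also catches credential guessing through xmlrpc.php that a login-page plugin never sees. The script below is an added example written for this post, not code from the post, from Limit Login Attempts or from Login LockDown. It assumes Apache's "combined" log format, that a failed wp-login.php POST re-renders the form with HTTP 200 while a successful one answers with a 302 redirect, and that xmlrpc.php answers 200 whether or not the credentials were right (so every POST to it is counted). The log lines are constructed for the example.

```python
"""Flag WordPress login brute force from Apache access-log lines.

Added example, not code from the original post or from the Limit Login
Attempts / Login LockDown plugins. Assumptions: Apache "combined" log
format; a failed wp-login.php POST answers 200 and a successful one 302;
xmlrpc.php answers 200 either way, so every POST to it is counted.
The sample log lines are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined": %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop ?redirect_to=... etc.
        "status": int(m.group("status")),
    }


def is_failed_login(ev):
    """Heuristic for one credential-guessing attempt (see module docstring)."""
    if ev["method"] != "POST":
        return False
    if ev["path"].endswith("/wp-login.php"):
        return ev["status"] == 200      # 302 would be a successful login
    if ev["path"].endswith("/xmlrpc.php"):
        return True                     # status does not reveal the outcome
    return False


def find_brute_forcers(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: timestamp} for every IP whose failed attempts reach
    max_failures inside a sliding time window (timestamp = when it tripped).
    Lines are expected in log order; unparseable lines are skipped."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_failed_login(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # expire attempts older than the window
            q.popleft()
        if len(q) >= max_failures and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


def _line(ip, ts, req, status):
    """Build one constructed combined-format line (sample data only)."""
    return '%s - - [%s +0000] "%s HTTP/1.1" %d 512 "-" "Mozilla/5.0"' % (ip, ts, req, status)


# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    # 203.0.113.7: five failures in five seconds -> flagged
    *[_line("203.0.113.7", "10/Mar/2024:09:00:0%d" % i, "POST /wp-login.php", 200) for i in range(1, 6)],
    # 198.51.100.4: one typo, then a real login (302) and the dashboard -> not flagged
    _line("198.51.100.4", "10/Mar/2024:09:01:00", "POST /wp-login.php", 200),
    _line("198.51.100.4", "10/Mar/2024:09:01:09", "POST /wp-login.php", 302),
    _line("198.51.100.4", "10/Mar/2024:09:01:10", "GET /wp-admin/", 200),
    # 192.0.2.9: XML-RPC credential spraying, every answer is 200 -> flagged
    *[_line("192.0.2.9", "10/Mar/2024:09:02:%02d" % i, "POST /xmlrpc.php", 200) for i in range(0, 5)],
    # 203.0.113.9: six failures spread over two windows -> not flagged at 10 min
    *[_line("203.0.113.9", "10/Mar/2024:09:05:%02d" % i, "POST /wp-login.php", 200) for i in range(0, 3)],
    *[_line("203.0.113.9", "10/Mar/2024:09:30:%02d" % i, "POST /wp-login.php", 200) for i in range(0, 3)],
]

if __name__ == "__main__":
    for ip, ts in find_brute_forcers(SAMPLE_LOG).items():
        print("block %s (tripped at %s)" % (ip, ts))
```

The same proxy caveat applies here as to the plugins: if the site sits behind a CDN or load balancer, make Apache log the real client address (mod_remoteip) before feeding the log to anything like this, or every request will appear to come from the proxy. The output is a list of addresses, which is what you would hand to a firewall or to a "deny from" line in the .htaccess rules of the next tip.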
7. Limit access to only your IP address
If you are not on the move a lot and only manage your site from a certain place (e.g. your office), then you might want to limit access to your administration area to your own IP addresses. To do this, create a .htaccess file in your "wp-admin" folder and paste the following code. Two things to know before you do: wp-login.php itself lives in the site root, not in wp-admin, so put the same deny/allow rules inside a <Files wp-login.php> block in your root .htaccess as well; and the directives below use the Apache 2.2 access-control syntax, which Apache 2.4 only accepts when the mod_access_compat module is loaded (it is on most distributions; the 2.4-native equivalent is "Require ip").
# Apache 2.2 access-control syntax (needs mod_access_compat on Apache 2.4)
order deny,allow
deny from all
# whitelist Syed's IP address
allow from xx.xx.xx.xxx
# whitelist David's IP address
allow from xx.xx.xx.xxx
# whitelist Amanda's IP address
allow from xx.xx.xx.xxx
# whitelist Muhammad's IP address
allow from xx.xx.xx.xxx
# whitelist Work IP address
allow from xx.xx.xx.xxx
# admin-ajax.php is called by front-end features for every visitor, so keep it public
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
</Files>
Change the placeholder IP addresses to the ones you want to whitelist and you are ready to go. Keep the admin-ajax.php exception: themes and plugins call that file from the public side of the site, and locking it down breaks them for ordinary visitors. Also remember that a home or office connection may change its IP address, in which case you lock yourself out until you edit the file.
If a fixed IP list is too restrictive, you can add HTTP Basic authentication as a second wall instead. Create a .htpasswd file (with the htpasswd tool, stored outside the web root) and change your .htaccess file to the following code, which admits a request if it either comes from a whitelisted IP address or presents valid Basic-auth credentials (that is what "Satisfy Any" does). In case you don't know what .htpasswd and .htaccess files are, see the linked guide on them.
# absolute path to the password file; keep it outside the web root
AuthUserFile "/full/path/to/.htpasswd"
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
Require valid-user
# whitelist Syed's IP address
allow from xx.xx.xx.xxx
# whitelist David's IP address
allow from xx.xx.xx.xxx
# whitelist Amanda's IP address
allow from xx.xx.xx.xxx
# whitelist Muhammad's IP address
allow from xx.xx.xx.xxx
# whitelist Work IP address
allow from xx.xx.xx.xxx
# grant access if EITHER the IP is whitelisted OR valid credentials are given
Satisfy Any
# admin-ajax.php is called by front-end features for every visitor, so keep it public
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
By doing this, you will get a browser login prompt before the WordPress administration login screen when you come from an address that is not whitelisted. Don't reuse your WordPress username and password for it, and only use Basic authentication over HTTPS (see tip 8): the browser sends those credentials with every request, only base64-encoded, so over plain HTTP anyone on the path can read them.
8. Access your WordPress dashboard through a HTTPS connection
We have talked about different ways to prevent a brute-force attack on your website, but what about the attacker who captures your username and password by tapping into one of the devices your traffic is routed through? Accessing your WordPress dashboard over an HTTPS connection is the way to protect yourself from this.
Normally when you log in over the Internet, your data is routed through a number of devices (your wireless router, the coffee shop's access point, your ISP, and so on), and if you are not using HTTPS, your login form is submitted in clear text, so anyone who can see that traffic can read your credentials, and the session cookie WordPress sets afterwards as well.
HTTPS encrypts the connection between your browser and the server, so a passive eavesdropper sees only ciphertext and cannot lift your username, password or cookie from it (provided the site has a valid certificate and you do not click through certificate warnings). You can move your WordPress site onto SSL (HTTPS) with the WordPress HTTPS (SSL) plugin; WordPress also has a built-in switch for the part that matters most here, the FORCE_SSL_ADMIN constant in wp-config.php, which forces the login page and the whole dashboard onto HTTPS. These days the sensible default is to serve the entire site over HTTPS, not just the admin area.
9. Use WordPress security plugins
Last but not least, if you find the steps above too much work, there are plenty of security plugins that bundle several of them. From Wordfence Security and iThemes Security to Exploit Scanner, plugin developers are there to fight the war against hackers with you. Whichever you choose, keep it updated, since a security plugin with a known vulnerability is itself a way in.
So what have you done so far to enhance the security for your admin page? Do you find these tips above handy? Comment below and let us know!