You may be surprised to know that your WordPress website’s admin panel is being attacked 24/7 by automated bots hoping to gain access to it. According to WordPress.org it is used by 43% of all websites online, ranking it among the most popular web publishing platforms. That popularity makes the platform a frequent target for malicious activity. Regardless of what type of WordPress site you’re running, there should only be a few people logging into the admin dashboard. But no matter how many admin users there are, increasing your site’s security is always worthwhile.
In this post I will cover how to implement 5 easy ways to improve the security of your site’s WordPress admin area:
- Enable WordPress firewall
- Rename WordPress admin user
- Lockout invalid WordPress admin login attempts
- Configure WordPress admin login captcha
- Rename WordPress admin panel
Best of all, these security measures can all be implemented with All In One WP Security & Firewall, which is the best WordPress security plugin, and as an additional bonus it is completely free.
Installing All In One WP Security & Firewall
There are a few security plugins but the best WordPress security plugin is All In One WP Security & Firewall. In addition to being free to install, it is an all-inclusive WordPress security plugin. This means that every feature is unlocked and does not require additional payment for upgrades. It is easily installed from the Plugins page of the WordPress admin dashboard. Just click Install Now and then open the plugin settings to configure it.
Enable WordPress firewall
After installing the All In One WP Security & Firewall (AIOWP) plugin, open the plugin settings and click on Firewall. Click the checkbox to enable the firewall feature and then save the setting. There are additional security settings you can enable from this screen so be sure to check those out too.
Every security feature in the plugin is given a score. The more features you enable, the higher your score and in turn the better protected your WordPress site will be. Your site’s current score is easy to see from the plugin dashboard.
Rename WordPress admin user
The next security upgrade is to rename the default WordPress admin user. From the AIOWP dashboard click on User Account. The tool makes it very easy to change the admin user account, which by default in every WordPress installation is called admin. Enter a new name that is not easy to guess and be sure to make a note of it so you won’t forget it later.
Also be advised that as soon as you click the Change Username button you will be logged out of the WordPress admin panel and forced to log in again with the new account name. One additional helpful feature on this page is that it displays the current WordPress users configured as Admins. Be sure to audit the users and remove anyone who doesn’t need access.
Lockout invalid WordPress login attempts
Now that you have changed the default WordPress admin account, the next security enhancement you should implement is to lock out any login attempts that use the old account name or any other common name, and to set lockout timeouts for users. These properties can be easily enabled on the User Login settings page.
Configure WordPress admin login captcha
In a previous article I covered how to add CAPTCHA to the WordPress admin login form, but here is a quick summary. First register for a free Google reCAPTCHA account, then after adding your site in the admin console copy the Site Key and Secret Key to Notepad.
From the AIOWP settings menu click on Brute Force and then Login Captcha. Enter the Site Key and Secret Key you copied from the Google reCAPTCHA admin console and then save the settings.
Once this property has been configured, every admin login request will be prompted to solve the reCAPTCHA puzzle, which in turn will block malicious automated admin login attempts.
It’s also worth noting that you can enable the reCAPTCHA prompt for regular user logins too. This can be set on the AIOWP User Registration screen.
Rename WordPress admin panel
The last WordPress admin security enhancement I am going to cover is renaming the admin login form. The default admin URL for every WordPress site is …/wp-admin/login.php, and because of this automated bots know exactly where to start their attack on your site. Fortunately AIOWP makes it easy to rename the admin login form, thereby making it just a little bit harder for bots to attack your site.
Some people say this is just security through obscurity, but if it helps, why not use it. As the warning on the page clearly indicates, this feature has the potential to lock you out of your own site. However, that would only happen if you forget to make a note of the new value you set.
If you do happen to get locked out of the WordPress admin panel, you can manually reset this feature by going to cPanel and opening phpMyAdmin. Edit the aio_wp_security_configs record in the wp_options table. All of the security settings for the plugin are stored in this record. Look for the text aiowps_login_page_slug, delete the value associated with it, and then save the record. This will allow you to access the default WordPress admin login form again.
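The manual reset above is easy to get wrong in phpMyAdmin, because WordPress stores array options such as aio_wp_security_configs as a PHP-serialized string in which every string carries a byte-length prefix (s:15:"my-secret-login";). Deleting the slug characters by hand while leaving the prefix at 15 leaves a cell WordPress can no longer unserialize, which takes every plugin setting with it. The following added example (my code, not the post's or the plugin's) parses the option_value cell, clears aiowps_login_page_slug, and re-serializes it with consistent lengths; it also shows that the naive text edit produces an invalid value. The sample cell is constructed for illustration, the two neighbouring keys are only there to show the slug sits inside a larger array, and the wp_ table prefix is assumed.

```python
"""Reset the renamed AIOWP login slug by editing the serialized plugin config.

Added example, not code from the post or from the AIOWP plugin. It assumes the
plugin keeps its settings as a PHP-serialized array in the wp_options row named
aio_wp_security_configs (as the post describes) and that the custom slug is the
value under the key aiowps_login_page_slug. Neighbouring keys are illustrative.
"""

# Constructed sample of an option_value cell (not copied from a real site).
SAMPLE_OPTION_VALUE = (
    b'a:3:{'
    b's:28:"aiowps_enable_login_lockdown";s:1:"1";'
    b's:22:"aiowps_login_page_slug";s:15:"my-secret-login";'
    b's:43:"aiowps_enable_brute_force_attack_prevention";s:1:"1";'
    b'}'
)

SLUG_KEY = "aiowps_login_page_slug"


def _parse(data: bytes, pos: int):
    """Parse one PHP-serialized value starting at pos; return (value, next_pos)."""
    tag = data[pos:pos + 1]
    if tag == b"N":                          # N;
        return None, pos + 2
    if tag in (b"i", b"b", b"d"):            # i:123;  b:1;  d:1.5;
        end = data.index(b";", pos)
        raw = data[pos + 2:end].decode()
        value = {b"i": int, b"b": lambda r: bool(int(r)), b"d": float}[tag](raw)
        return value, end + 1
    if tag == b"s":                          # s:LEN:"bytes";  LEN counts bytes, not chars
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                    # skip the :" that precedes the payload
        end = start + length
        if data[end:end + 2] != b'";':       # length prefix and payload disagree
            raise ValueError(f"string length prefix does not match at offset {pos}")
        return data[start:end].decode("utf-8"), end + 2
    if tag == b"a":                          # a:COUNT:{key;value;...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                      # skip :{
        items = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            items[key], pos = _parse(data, pos)
        if data[pos:pos + 1] != b"}":
            raise ValueError(f"array not terminated at offset {pos}")
        return items, pos + 1
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")


def php_unserialize(data: bytes):
    """Unserialize a whole cell; reject trailing garbage."""
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after serialized value")
    return value


def php_serialize(value) -> bytes:
    """Serialize the subset of PHP types used by WordPress option arrays."""
    if value is None:
        return b"N;"
    if isinstance(value, bool):              # must precede int: bool is an int subclass
        return b"b:%d;" % value
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, float):
        return b"d:%s;" % repr(value).encode()
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, dict):              # insertion order is preserved, as PHP does
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    raise TypeError(f"cannot serialize {type(value).__name__}")


def is_valid_serialized(data: bytes) -> bool:
    """True if the cell can be unserialized at all (what WordPress needs on load)."""
    try:
        php_unserialize(data)
        return True
    except (ValueError, IndexError):
        return False


def reset_login_slug(option_value: bytes) -> bytes:
    """Return the cell with the custom login slug cleared and all length prefixes consistent."""
    config = php_unserialize(option_value)
    if not isinstance(config, dict) or SLUG_KEY not in config:
        return option_value
    config[SLUG_KEY] = ""                    # empty slug: the default login form is back
    return php_serialize(config)


def update_statement(new_value: bytes, prefix: str = "wp_"):
    """Parameterized UPDATE for the plugin's row (assumed wp_ prefix); run via a DB driver."""
    sql = f"UPDATE {prefix}options SET option_value = %s WHERE option_name = %s"
    return sql, (new_value.decode("utf-8"), "aio_wp_security_configs")


if __name__ == "__main__":
    fixed = reset_login_slug(SAMPLE_OPTION_VALUE)
    # What a by-hand edit in phpMyAdmin produces: payload removed, prefix still says 15.
    naive = SAMPLE_OPTION_VALUE.replace(b'"my-secret-login"', b'""')
    print("current slug :", php_unserialize(SAMPLE_OPTION_VALUE)[SLUG_KEY])
    print("fixed valid  :", is_valid_serialized(fixed), fixed)
    print("naive valid  :", is_valid_serialized(naive))
    print(update_statement(fixed))
```

If you prefer to stay in phpMyAdmin, the practical takeaway is the same: after clearing the slug, change its prefix to s:0:"" so the lengths still match, then confirm the plugin's settings page loads with all other options intact before relying on the site.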
In Summary
The best WordPress security plugin, All In One WP Security & Firewall, is a powerful tool to protect your WordPress site and block malicious requests. One of the best features of this plugin is that it’s completely free, so there’s no reason not to start protecting your WordPress site today. Thanks for reading!