How to protect your WordPress admin area


WordPress is a popular content management system (CMS) used by millions of people worldwide, and it’s no surprise that cyber-criminals are always on the lookout for new vulnerabilities in this platform.

As a WordPress user, you must know how to protect your website against unauthorized access and malicious attacks. In this blog post, we’ll share four simple tips to help you do that. By following these tips, you’ll be able to protect your wp-admin area from unauthorized access, protect yourself from malware attacks, and keep your website running smoothly. Let’s get going!

Securing WordPress admin area

1. Never use the admin username by default

Every fresh WordPress installation, by default, gives the username admin to the initial user account. If you keep the default one, hackers will already be aware of your username and will only need to get or guess your password to gain access. Easy to remember? Yes! Smart move? No!

If you kept the default one and now realize how unguessable admin really is, you will change it ASAP. You can achieve this by selecting Users > All Users in your dashboard sidebar, then opening your profile for editing:

While you’re here, make sure your password is safe by using a mix of uppercase and lowercase letters, numbers, and symbols.

Alternatively, you can use the WordPress platform’s built-in password generator to generate a totally random and strong password. Consider utilizing a password manager to store your credentials if you’re worried about forgetting them.

2. Password protect your wp-admin folder

Important administration files are located in the wp-admin folder. Any third party is able to request your wp-admin folder without requiring any authentication, unless you password-protect this folder. 

Since we’re talking about protecting a folder that lives on your server, you’ll need to do this through your hosting management panel. In cPanel, for example, you’ll have Directory Privacy, as shown in the images below. 

From there, go to public_html / wp-admin and select the Password protect this directory checkbox:

Pick your credentials, fill them out and hit Save when prompted. Now that you’ve done this, each time you go to, you’ll be prompted to fill in these credentials before being asked for your WordPress login details. 

3. Create a custom login URL

You can access the website’s login screen by simply appending /wp-login.php to the URL of any WordPress website. Using WordPress default login URL, your website’s login page is public knowledge. Worse, if you use the standard /wp-login.php URL and the default admin username, a hacker already has two of the three pieces of information needed to gain access to your admin area.

The easiest way to change this is to use a plugin like WPS Hide Login. Once installed, choose Settings > WPS Hide Login from the dashboard menu and fill out a new login URL you’d like to use. Save your changes, and from this point forward, only this new URL will be able to access your WordPress admin area. Even with your username and password, a hacker won’t be able to access your login screen.

4. Limit login attempts

Even when a user enters the wrong password multiple times, WordPress does not prevent them from attempting to log in. Hackers could use an automated script to flood your account with hundreds, if not thousands, of potential passwords. This exposes your website to brute-force attacks.

Using the Sucuri Security plugin, you can restrict password guessing brute force attacks. After the installation, go to Sucuri Security > Settings > Alerts > Password guessing brute force attacks and specify how many failed login attempts WordPress will permit before blocking the offending IP address.


Making your website entirely hacker-proof is expensive and takes time, and hard work, but taking these four simple precautions go a long way in protecting your WordPress website from the most common types of attacks and making it a bit more difficult for hackers to access your login page and take control of your website.