How to Protect /wp-admin

/wp-admin is the WordPress administration area, and as such it’s a large target for attacks. Here’s how to protect it:

1. Delete the Default Administrator

When you install WordPress, the default administrator is given the predictable username admin. This appears harmless but is a huge security flaw. Why?

Well, one way to gain unauthorized access to a system is through brute force cracking. This works by using a program to automatically guess possibly millions of different username and password combinations over and over.

Using the admin username basically speeds up the process for brute forcers because it’s one less thing they have to figure out. In reality you should think of your WordPress username as a second password, and therefore follow rules similar to those for strong passwords:

  • Don’t tell people your username.
  • Don’t choose an obvious username (like your real name).
  • Use a mixture of numbers and letters.

How to delete the default administrator.

2. Encrypt Your Cookies

Open up your wp-config.php file, and scroll down to this code:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');

Now, go over to http://api.wordpress.org/secret-key/1.1/ and copy the randomly generated output. Replace the original 4 lines of code with this newly copied set.

3. Secure the Folder with .htaccess

Log in to your server via FTP (or SFTP if you want to be extra awesome) and navigate to the /wp-admin folder. If you haven’t done so already, create a .htaccess file and place this code in there:

# Apache 2.2 syntax: the Order keywords are separated by a comma with no space
Order Deny,Allow
Allow from xxx.xxx.xx
Deny from all

But wait! You’re not done yet…

Head over to whatismyip.com and find out what your IP address is. Replace xxx.xxx.xx with your IP address and save the file.

The problem with this method is that not all bloggers work from the same computer or IP address all the time. For those folks, you’ll want to read the section about the AskApache Password Protect plugin.
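As an added example (not from the original post), here is the same allow-list written for both Apache 2.4 and 2.2, with a second address and a CIDR range for people who work from more than one place, plus an exception for admin-ajax.php, which many themes and plugins call from the public site and which a blanket deny would break. The addresses are placeholders.

```apache
# Added example: allow-list /wp-admin to known addresses.
# Lives in /wp-admin/.htaccess. All IPs below are placeholders; replace with your own.

# Apache 2.4 and later (mod_authz_core)
<IfModule mod_authz_core.c>
    <RequireAny>
        Require ip 203.0.113.10
        Require ip 203.0.113.20
        Require ip 198.51.100.0/24
    </RequireAny>
    # admin-ajax.php is requested by visitors' browsers on the public site, so keep it reachable.
    <Files admin-ajax.php>
        Require all granted
    </Files>
</IfModule>

# Apache 2.2 (legacy syntax; Order keywords are comma-separated with no space)
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 203.0.113.20
    Allow from 198.51.100.0/24
    <Files admin-ajax.php>
        Order Allow,Deny
        Allow from all
    </Files>
</IfModule>
```

After saving, test from an address that is not on the list: /wp-admin/ should return 403 while a request to /wp-admin/admin-ajax.php still goes through.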

4. Hide Login Errors

By default, if you type your username or password incorrectly when trying to log in, WordPress tells you which mistake you’ve made. This can give an attacker confirmation that they already know one half of the login equation.

Edit the functions.php file of your active theme (under /wp-content/themes) and add this code to prevent these errors from showing up:

<?php // Return nothing for the login_errors filter so wp-login.php prints no hint about which field was wrong
add_filter('login_errors', function ($error) { return null; }); ?>

5. Install Login Lockdown

Login Lockdown is an ingenious plugin that helps ward off brute force attacks. It works by temporarily blocking users by their IP address if they fail to log in X times.

Out of the box the default settings are pretty good but I still recommend you set the Lockout Length to as high as you feel comfortable with. The longer malicious users are blocked from the login page, the better.

6. Install Stealth Login

Stealth Login makes it easy to change the login address for the WordPress administration area and to prevent users from logging in via wp-login.php (just activate Stealth Mode). Even if someone cracks your username and password, they’ll be stuck because there won’t be anywhere to log in.

While it may not stop seasoned hackers from getting into your system, it takes just a few seconds to set up and is a worthy precaution to take.
