How to Make Sure You Have a Secure WordPress Admin

Last Updated January 21st, 2022 · WordPress

To protect your WordPress website from security threats, you need to secure the admin dashboard. Research conducted by WP WhiteSecurity found that over two-thirds of all WordPress websites are vulnerable to breaches. Having a secure WordPress admin, however, will eliminate many common vulnerabilities that could otherwise lead to a breach.

Link Software provides custom WordPress development services and, over the years, we’ve learned a thing or two about WordPress security. Here’s a list of six simple steps you can take to keep a secure WordPress admin. These steps will help prevent hackers and other threats from taking advantage of your website.

Change the Default Admin Username

First and foremost, you should change the default admin username. All WordPress websites must have at least one admin user. When you initially install WordPress, it will automatically create an admin user with the username “admin.” Hackers realize that many WordPress websites use this default admin username, so they target their admin dashboards with brute-force attacks.

For a hacker to breach the admin dashboard, he or she needs two things: the username of an admin user and the password. Using the default admin username means hackers will only need to identify your password. Fortunately, you can change the default admin username by adding a new admin user with the administrator role, followed by deleting the default admin user. Creating a new admin user will allow you to choose any username.

Display a Nickname for the Admin User

In addition to changing the default admin username, consider displaying a nickname for the admin user. WordPress often displays usernames in multiple places. Depending on what theme your website uses, as well as its settings, WordPress may display them at the top of posts and pages, the comments section, category pages, author archives, and elsewhere. Therefore, even if you change the default admin username, hackers may be able to find your new username by scouring your website.

Fortunately, WordPress supports nicknames for all users, including admin users. After pulling up the admin user in the dashboard, find the field labeled “Nickname” and enter your preferred nickname. You can then select this new nickname from the “Display name publicly as” drop-down menu directly below. You’ll still have to log in to the admin dashboard with the actual username, but WordPress will only display the nickname.

Use an Auto-Generated Password

Using an auto-generated password will improve the security of your WordPress website’s admin dashboard. According to WP Manage Ninja, roughly 8 percent of all WordPress breaches are attributed to a weak password. With an auto-generated password, you can rest assured knowing that it’s strong and complex.

For many years, WordPress required users to create passwords manually. It wasn’t until the release of version 3.8 that WordPress introduced a password generator. When you create a new user, WordPress will give you the option of creating a password manually or using an auto-generated password. Auto-generated passwords contain numbers, upper-case letters, lower-case letters, and special characters. They are almost always more secure than their manually created counterparts.

If you’ve already created an admin user with a weak password, you can change it to an auto-generated password from the admin dashboard. Just pull up the user and click the “Generate Password” button at the bottom. When finished, click the “Update User” button.

Use a Login-Limiting Plugin

Another way to secure the admin dashboard is to use a login-limiting plugin. Login-limiting plugins live up to their name by limiting the number of login attempts to the admin dashboard. Login limiters are designed to protect websites from brute-force attacks by hackers. Some of the most popular login-limiting plugins include Limit Login Attempts Reloaded and WP Limit Login Attempts.

A brute-force attack occurs when a hacker uses software to try to guess the username and password to the admin dashboard. Brute-force attack software will spam thousands of usernames and passwords until it finds the right combination. With a login-limiting plugin, hackers will be limited to trying only a few username and password combinations. If they don’t guess the right combination within the limited number of attempts, they’ll be locked out from the admin dashboard.
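
How a login limiter enforces the lockout described above, shown as an added sketch that is not code from this article or from either plugin it names: a must-use plugin built on WordPress's `wp_login_failed`, `authenticate` and `wp_login` hooks. The file name, the `ll_` prefix and the thresholds are assumptions chosen for illustration.

```php
<?php
// Added example: wp-content/mu-plugins/login-limit.php (hypothetical file name).
// Thresholds and the ll_ prefix are assumptions chosen for illustration.
const LL_MAX_FAILURES = 5;    // failed attempts allowed before a lockout
const LL_WINDOW       = 900;  // seconds a failure count is remembered
const LL_LOCKOUT      = 1800; // seconds a lockout lasts

// One counter per client address. Behind a reverse proxy REMOTE_ADDR is the
// proxy's address, so every visitor would share one counter; in that setup the
// client address has to come from a header set by a proxy you control.
function ll_key( string $prefix ): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return $prefix . md5( $ip ); // md5 only gives a fixed-length transient name
}

// Count every failed login. The counter expires LL_WINDOW seconds after the
// most recent failure; reaching the limit starts (or extends) a lockout.
add_action( 'wp_login_failed', function () {
    $failures = (int) get_transient( ll_key( 'll_fail_' ) ) + 1;
    set_transient( ll_key( 'll_fail_' ), $failures, LL_WINDOW );
    if ( $failures >= LL_MAX_FAILURES ) {
        set_transient( ll_key( 'll_lock_' ), 1, LL_LOCKOUT );
    }
} );

// Reject the login while the address is locked out. Priority 30 runs after
// the core username/password check (priority 20), so the WP_Error returned
// here replaces the result even when the guessed password was correct.
add_filter( 'authenticate', function ( $user ) {
    if ( get_transient( ll_key( 'll_lock_' ) ) ) {
        return new WP_Error(
            'll_locked',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30 );

// A successful login clears the failure counter for that address.
add_action( 'wp_login', function () {
    delete_transient( ll_key( 'll_fail_' ) );
} );
```

Because a rejected attempt also fires `wp_login_failed`, a client that keeps guessing during a lockout keeps extending it.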

Change the Admin Dashboard URL

Changing the URL to your WordPress website’s admin dashboard will result in a higher level of security. The admin dashboard URL is the address that contains the login field to your website. WordPress uses the “wp-admin” slug for this URL by default, meaning your website’s admin dashboard URL is probably formatted like

Like with the default admin username, using the default admin dashboard URL will place your website at risk for cyber threats. Hackers can easily access the login field by visiting this default URL. By changing the admin dashboard URL, you can keep them out of the login field.

You can change the admin dashboard URL manually by renaming the wp-admin.php file, but this method isn’t recommended. If you simply rename the wp-admin.php file, the new admin dashboard URL will only remain in place until the next time you update WordPress. Updating WordPress to a new version will revert the file to its original name.

Rather than renaming the wp-admin.php file, use a plugin to change the admin dashboard URL. The iThemes Security plugin offers this feature. After installing the iThemes Security plugin, you can enter a new URL for the admin dashboard.

Access Over HTTPS

Always access your WordPress website’s admin dashboard over Hypertext Transfer Protocol Secure (HTTPS). Most WordPress websites use HTTPS. In fact, according to W3 Techs, HTTPS powers over 70 percent of the entire internet.

Even if your WordPress website uses HTTPS, though, you may be able to log in to the admin dashboard over Hypertext Transfer Protocol (HTTP). HTTPS websites typically support both types of connections. The problem with logging in to the admin dashboard over an HTTP connection is that it may expose your username and password. HTTP connections aren’t secure, so they can be intercepted by a third party, who will then be able to see your username and password.
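
One way to close the HTTP login path described above is WordPress's `FORCE_SSL_ADMIN` constant in wp-config.php. This fragment is an added example, not from the original article, and its proxy branch assumes a TLS-terminating proxy or load balancer that sets `X-Forwarded-Proto` itself.

```php
<?php
// wp-config.php fragment (added example). Place it above the
// "That's all, stop editing!" line so it is defined before WordPress loads.

// Weak: with the constant absent or false, the login form and the dashboard
// can still be reached over plain HTTP on a site that serves both schemes.
// define( 'FORCE_SSL_ADMIN', false );

// Hardened: logins and all dashboard requests are redirected to HTTPS.
define( 'FORCE_SSL_ADMIN', true );

// Assumption: the site sits behind a proxy that terminates TLS and forwards
// plain HTTP to PHP. Without this branch WordPress sees every request as HTTP
// and the forced redirect loops. Only honour the header when your own proxy
// sets or overwrites it; a client-supplied value must never reach PHP.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
    && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}
```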


The WordPress admin is the digital gate to your website’s back end. A compromised admin will lead to your website becoming susceptible to security threats. You can secure the admin dashboard by changing the default admin username, displaying a nickname for the admin user, using an auto-generated password, installing a login-limiting plugin, changing the dashboard URL, and accessing over HTTPS.

Link Software has been providing WordPress services to our clients for years. If you have a question about WordPress or security concerns, contact us today.
