wp-admin

As bloggers we know that most websites and blogs run on one CMS: WordPress. In this post we discuss how to protect our own and our customers' WordPress sites from online threats. Security has to be implemented for a website or blog just like every other technique we apply to it.
Let's discuss the best ways to secure a WordPress website or blog.
Contents of Post
- Keep WordPress Up to Date
- Limit Login Attempts
- Change the Database Prefix
- Secure wp-config.php
- Use Two-Factor Authentication
- Protect Your .htaccess File
- Hide the WordPress Version Number
- Install WordPress Security Scan Plugin
- Use email as login
- Limit The Number of Failed Login Attempts
- Use SSL to encrypt data
- Wordfence Security
- Securing /wp-content Directory
- Securing wp-includes
- Remove Error Message on the Login Page
- Turn Off PHP Error Reporting
- Disable WordPress XML-RPC
- Hide Author Usernames
- Hide wp-config.php and .htaccess
- Disable directory Listing and Browsing with .htaccess
- Disable PHP Execution in WordPress Directories
- Disable Image Hotlinking in WordPress Using .htaccess
- Protect .htaccess From Unauthorized Access
- Protect Your WordPress Admin Area
- Ban Suspicious IP Addresses
Keep WordPress Up to Date
The latest version of WordPress is almost always more secure than the previous one and has fewer known vulnerabilities, so keep it up to date; it is a one-click operation. Back up your site (files and database) first.
WordPress updates rarely cause problems, but if you want to be careful, apply them on a test server first. Since WordPress 3.7 minor and security releases install themselves automatically; if you also want major releases to install without a click, add the following line to your wp-config.php file:
# Enable all core updates, including minor and major:
define('WP_AUTO_UPDATE_CORE', true);
Plugins and themes are not covered by this constant and are the more common entry point for attackers; update them just as promptly.
Limit Login Attempts
By default WordPress allows unlimited login attempts. This is dangerous when an attacker tries to guess your password by hand or with a script. To protect your site from these brute-force attacks, limit the number of login attempts per client in addition to using a strong username and password.
The Limit Login Attempts plugin makes brute-force guessing impractical by locking out a client after a configurable number of failures.
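The lockout such a plugin performs can also be written in a few dozen lines against WordPress' own hooks. The mu-plugin below is an added example, not code from the original post or from the Limit Login Attempts plugin: it counts failures per client address in transients and refuses authentication while a lockout is active. The thresholds, the mu-plugins location, the function names prefixed slt_ and the assumption that REMOTE_ADDR is the real client address (true only when no reverse proxy sits in front of PHP) are all choices made here.

```php
<?php
/**
 * Plugin Name: Simple Login Throttle (added example, not from the original post)
 * Save as wp-content/mu-plugins/login-throttle.php; files in mu-plugins load
 * automatically and cannot be deactivated from the dashboard.
 */
if (!defined('ABSPATH')) { exit; } // never execute when requested directly

define('SLT_MAX_ATTEMPTS', 5);                         // failures before lockout (assumed value)
define('SLT_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS);  // failures are counted within this window
define('SLT_LOCKOUT_SECONDS', 20 * MINUTE_IN_SECONDS); // how long a locked client waits

/** Client address. ASSUMPTION: PHP sees the real client, i.e. no reverse proxy in front. */
function slt_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

/** Transient name for this client; hashed so the address cannot break the option key. */
function slt_key($suffix) {
    return 'slt_' . md5(slt_client_ip()) . '_' . $suffix;
}

/** Count a failed attempt; once the threshold is reached, start the lockout and e-mail the admin. */
function slt_on_login_failed($username) {
    if ((int) get_transient(slt_key('lock')) > time()) {
        return; // already locked out; do not restart the counter on every rejected try
    }
    $count = (int) get_transient(slt_key('count')) + 1;
    set_transient(slt_key('count'), $count, SLT_WINDOW_SECONDS);
    if ($count >= SLT_MAX_ATTEMPTS) {
        set_transient(slt_key('lock'), time() + SLT_LOCKOUT_SECONDS, SLT_LOCKOUT_SECONDS);
        delete_transient(slt_key('count'));
        wp_mail(
            get_option('admin_email'),
            'Login lockout on ' . home_url(),
            sprintf('Client %s locked out after %d failed logins (last username tried: %s).',
                slt_client_ip(), $count, sanitize_user($username, true))
        );
    }
}
add_action('wp_login_failed', 'slt_on_login_failed');

/**
 * Refuse authentication while a lockout is active. Priority 100 puts this after the
 * built-in password checks (priority 20); hooking earlier would let a correct password
 * overwrite the WP_Error and bypass the lockout. XML-RPC logins go through the same
 * 'authenticate' filter and wp_authenticate(), so that entry point is throttled too.
 */
function slt_check_lockout($user, $username, $password) {
    $until = (int) get_transient(slt_key('lock'));
    if ($until > time()) {
        return new WP_Error('slt_locked_out',
            sprintf('Too many failed logins. Try again in %d minutes.', (int) ceil(($until - time()) / 60)));
    }
    return $user;
}
add_filter('authenticate', 'slt_check_lockout', 100, 3);

/** Forget the failure counter once a login succeeds. */
function slt_on_login($user_login, $user) {
    delete_transient(slt_key('count'));
}
add_action('wp_login', 'slt_on_login', 10, 2);
```

Lockouts keyed on the client address do nothing against an attacker spread over many addresses and will lock out everyone behind a shared NAT, so treat this as one layer next to strong passwords and two-factor authentication rather than a complete defence.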
Change the Database Prefix
A lot of the basic setup for WordPress is the same across many sites, especially when a one-step install wizard at your web host is used. This is convenient, but it means common setup values such as the database table prefix (wp_ by default) are known to attackers. The prefix is set by $table_prefix in wp-config.php; pick a non-default value when installing. Be realistic about what this buys you: an attacker who already has SQL injection can read the real table names from information_schema, so a custom prefix only defeats automated attacks that hard-code wp_. Changing the prefix on an existing site means renaming every table and also updating the prefixed keys in the options table (user_roles) and the usermeta table (capabilities, user_level), so back up the database first.

Secure wp-config.php
Lock down wp-config.php. It is the one file that contains your database name, username and password plus the authentication salts, and nothing but the web server process should be able to read it. Only you should have access.
To deny web access to this file, add the code below at the top of the .htaccess file in the WordPress root:
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
This is the Apache 2.2 access syntax, which Apache 2.4 still accepts when mod_access_compat is loaded (the default on most hosting packages); on a 2.4 server without it, replace the Order and Deny lines with Require all denied. The same applies to every other .htaccess snippet in this post. Also set the file permissions so that only the web server user can read it (600 or 640).
Adding this to wp-config.php disables the theme and plugin file editor in the dashboard, so an attacker who gets into an admin account cannot drop PHP onto the server through it:
define('DISALLOW_FILE_EDIT', true);
The stricter DISALLOW_FILE_MODS constant additionally blocks installing and updating plugins and themes from the dashboard, which is appropriate when deployments come from version control.
Use Two-Factor Authentication
Two-factor authentication is one of the strongest ways to protect the login: a guessed or stolen password is useless on its own, so brute-force and credential-stuffing attacks against the login form stop working. Enforce it at least for every administrator account. Note that XML-RPC and application passwords authenticate outside the login form, so disable XML-RPC (see below) unless the plugin you choose covers it as well.
A number of plugins provide this service; we recommend this free plugin: https://wordpress.org/plugins/two-factor-authentication/
Protect Your .htaccess File
We protected wp-config.php above, but what about the .htaccess file itself? The same .htaccess file can be used to protect itself from being read. Place the code below in it:
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
Apache's default configuration already refuses every file whose name starts with .ht, so on most servers this is a belt-and-braces measure; it matters on hosts whose main configuration has been changed.
Hide the WordPress Version Number
Some versions of WordPress have known vulnerabilities. Someone familiar with those vulnerabilities can discover which version you run because it is printed as a generator meta tag in the HTML head of every page.
That tag tells an attacker exactly which version you run and therefore which published vulnerabilities apply. If you absolutely cannot update your WordPress version (tip 1), hiding it is a failsafe that at least avoids advertising that you are behind.
Remove the tag by adding the following line to your theme's functions.php file:
remove_action('wp_head', 'wp_generator');
Be aware that the version also appears in RSS feeds and in the ?ver= query string on core scripts and styles, and that readme.html in the web root states it too, so this single line is only a partial fix.
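The remove_action line above leaves the version in feeds and asset URLs. The block below is an added example, not code from the original post, that closes those leaks as well; it goes in functions.php or a mu-plugin. Apart from the WordPress hooks and functions it calls, the function name is chosen here.

```php
<?php
// Added example (not from the original post). Put in the theme's functions.php or a mu-plugin.

// 1. The generator tag in the <head> and the <generator> element in RSS/Atom feeds both
//    come from get_the_generator(), whose output the 'the_generator' filter controls.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 2. Core scripts and styles are enqueued without a version of their own, so WordPress
//    appends ?ver=<core version> to their URLs. Strip the query string only when it equals
//    the core version, so plugin and theme assets keep their own cache-busting parameter.
function hide_core_ver_in_asset_url($src) {
    $core = get_bloginfo('version');
    if ($core !== '' && strpos($src, 'ver=' . $core) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'hide_core_ver_in_asset_url', 9999);
add_filter('style_loader_src', 'hide_core_ver_in_asset_url', 9999);
```

readme.html in the web root and the hashes of public core files still identify the version to a determined scanner, so treat hiding it as a nuisance for automated tools, not as protection; patching remains the fix.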
Limit Login Attempts
As noted in tip 2, give attackers fewer chances to guess your password and protect your site from brute-force attacks by limiting the number of login attempts. A login limiter blocks the client after a configurable number of tries and can notify the administrator by e-mail.
The Limit Login Attempts plugin named in tip 2 is one option.
Install WordPress Security Scan Plugin
A security scan plugin inspects your WordPress installation and suggests fixes. A typical scanner checks:
- Passwords
- File permissions
- Database security
- WordPress admin protection
Install it from the WordPress plugin directory, run it after hardening and again after every major change. Every active plugin is additional attack surface, so deactivate it if you do not need it running permanently.
Use email as login
By default the login form asks for a username. Logging in with the e-mail address is often recommended because usernames are easy to predict while e-mail addresses are less so, and every WordPress account is created with a unique e-mail address, which makes it a valid identifier.
The WP Email Login plugin does this out of the box: it starts working right after activation and requires no configuration.
To test it, log out of your site and log back in, this time with the e-mail address the account was created with.
Two caveats: since WordPress 4.5 the standard login form accepts either the username or the e-mail address, so a plugin adds little unless it also disables username login; and usernames leak through author archives and the REST API anyway (see Hide Author Usernames below). Treat this as a convenience, not as a replacement for strong passwords, login limiting and two-factor authentication.
Limit The Number of Failed Login Attempts
A login-limiting plugin caps the number of failed attempts, which is useful whether someone is guessing your password by hand or with a bot.
The Limit Login Attempts plugin from tip 2 is available in the WordPress plugin directory.
Use SSL to encrypt data
Enable SSL, or more precisely its successor TLS, to secure your WordPress site. TLS encrypts all information sent to and from your site, keeping it private and preventing man-in-the-middle attacks in which a third party listens in on or modifies the traffic between browser and server. Google also treats HTTPS as a (small) ranking signal.
A certificate is one smart move to secure the admin panel in particular: without it, the admin password and the authentication cookie cross the network in clear text on every login and dashboard request. With TLS in place, set FORCE_SSL_ADMIN in wp-config.php so that the login form and the dashboard refuse plain HTTP.
The address of a site with TLS starts with https://, while a site without it starts with http://. It is best to enable HTTPS before installing WordPress, but if you add it later you can update the site and home URLs under Settings > General and redirect http to https with a RewriteRule in .htaccess.
Getting a certificate is not an issue. Let's Encrypt issues them for free, many hosting packages include one, or you can purchase one from a commercial certificate authority.
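The wp-config.php settings that go with a certificate, as an added example and not code from the original post. It assumes the site already has a valid certificate and that a reverse proxy or load balancer may terminate TLS in front of PHP; the proxy addresses and the example.com hostname are placeholders.

```php
<?php
// Added example for wp-config.php (not from the original post). Everything here must sit
// above the line that requires wp-settings.php. Addresses and hostnames are placeholders.

// If a load balancer or CDN terminates TLS and talks plain HTTP to PHP, is_ssl() is false:
// WordPress would then emit http:// asset URLs (mixed content) or loop on the
// FORCE_SSL_ADMIN redirect. Trust X-Forwarded-Proto, but only from the proxy's own
// addresses, because any direct client can send that header too.
$trusted_proxies = array('10.0.0.5', '10.0.0.6'); // ASSUMED proxy addresses; use your own
if (isset($_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_X_FORWARDED_PROTO'])
    && in_array($_SERVER['REMOTE_ADDR'], $trusted_proxies, true)
    && 'https' === strtolower($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
    $_SERVER['HTTPS'] = 'on';
}

// Redirect the login form and every wp-admin request to HTTPS. Because the login then
// happens over TLS, WordPress sets the authentication cookie with the Secure flag.
define('FORCE_SSL_ADMIN', true);

// Pin the public URLs to https:// here instead of in the database, so a stale "siteurl"
// option cannot drag the front end back to http://.
define('WP_HOME', 'https://example.com');
define('WP_SITEURL', 'https://example.com');
```

Still add a web-server redirect from http:// to https:// for the front end (a RewriteCond %{HTTPS} off rule in .htaccess) and, once everything works over TLS, a Strict-Transport-Security header.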
Wordfence Security
Wordfence describes itself as the most downloaded WordPress security plugin. Its own description reads:
"WordPress security is all we do. Secure your WordPress website with Wordfence. Powered by the constantly updated Threat Defense Feed, our Web Application Firewall stops you from getting hacked. Wordfence Scan leverages the same proprietary feed, alerting you quickly in the event your site is compromised."
In practice it gives you a web application firewall in front of WordPress, a file-integrity scan against the official core, plugin and theme files, and login limiting, so it covers several of the tips in this post from one place.
Securing /wp-content Directory
The wp-content directory holds themes, plugins and uploads. Put the following in wp-content/.htaccess so that only static asset files are served directly from it, while direct requests to any PHP file inside it are refused:
Order deny,allow
Deny from all
<FilesMatch "\.(xml|css|jpe?g|png|gif|webp|svg|ico|js|woff2?|ttf)$">
Allow from all
</FilesMatch>
Test the front end afterwards: a few plugins and themes call their own PHP files directly (for image resizing, for example) and stop working under this rule.
Securing wp-includes
The scripts in wp-includes are meant to be loaded by WordPress, never requested directly by a browser. Block direct requests to them with mod_rewrite in the .htaccess file in the WordPress root:
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
NOTE: WordPress rewrites everything between the # BEGIN WordPress and # END WordPress markers in .htaccess whenever permalinks are saved, so place this block outside those markers or it will be overwritten. The second rule skips the following three rules for requests outside wp-includes. On a multisite install the third rule also blocks ms-files.php, which older multisite setups use to serve uploaded files, so test before enabling it there.
Remove Error Message on the Login Page
By default the login form reveals whether the username or the password was wrong, which lets an attacker confirm which usernames exist. Replace the message with a neutral one by adding this to functions.php:
function no_wordpress_errors()
{
    return 'Something is wrong!';
}
add_filter('login_errors', 'no_wordpress_errors');
The filter replaces all login error text, including the messages for an empty form and for the password-reset flow, so keep the wording generic.
Turn Off PHP Error Reporting
PHP error output can include file paths, SQL fragments and plugin internals, which is useful reconnaissance for an attacker. Add the following lines to wp-config.php above the line that requires wp-settings.php:
error_reporting(0);
@ini_set('display_errors', 0);
Also make sure WP_DEBUG is not defined as true in wp-config.php (or that WP_DEBUG_DISPLAY is false), since WP_DEBUG turns error display back on. Errors should still be written to a log file outside the web root for troubleshooting; hiding them from visitors is not the same as ignoring them.
Disable WordPress XML-RPC
xmlrpc.php is the legacy remote-publishing interface. It accepts username and password logins without two-factor authentication, and its system.multicall method lets an attacker test hundreds of passwords in one request, so unless a client such as the mobile app or Jetpack needs it, block it in .htaccess:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
Order deny,allow
Deny from all
# optional: allow a single trusted client address (placeholder)
Allow from 123.123.123.123
</Files>
Remove the Allow line if nothing legitimate needs the endpoint.
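The same can be done from PHP, which also works on nginx and IIS where .htaccess is ignored. This is an added example and not code from the original post; the KEEP_XMLRPC_LOGINS switch is invented for the example and is not a WordPress constant.

```php
<?php
// Added example (not from the original post): disable XML-RPC from PHP. Put in a
// mu-plugin or in functions.php.

// Set to true only if a client you trust (for example Jetpack) needs XML-RPC logins.
define('KEEP_XMLRPC_LOGINS', false); // assumed switch, not a WordPress constant

if (!KEEP_XMLRPC_LOGINS) {
    // Refuses every method that requires authentication, so password guessing over
    // XML-RPC (including hundreds of tries per request via system.multicall) stops.
    add_filter('xmlrpc_enabled', '__return_false');
}

// 'xmlrpc_enabled' does NOT affect methods that work without a login. pingback.ping is
// one of those and is abused to turn sites into DDoS reflectors, so remove it regardless,
// together with system.multicall, which batches many calls into one request.
add_filter('xmlrpc_methods', function ($methods) {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'], $methods['system.multicall']);
    return $methods;
});

// Stop advertising the endpoint in the X-Pingback response header.
add_filter('wp_headers', function ($headers) {
    unset($headers['X-Pingback']);
    return $headers;
});
```

When KEEP_XMLRPC_LOGINS is true, pair it with the .htaccess allow-list above so that only the trusted client's addresses can reach xmlrpc.php at all.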
Hide Author Usernames
Author archive URLs expose login names: /?author=1 is answered with a redirect to /author/<username>/, and attackers walk the IDs to collect accounts for password guessing. Redirect all author archives to the home page by adding this to functions.php:
// Priority 1: run before redirect_canonical(), which is hooked on the same action and
// would otherwise already have sent the 301 to /author/<username>/.
add_action('template_redirect', 'bwp_template_redirect', 1);
function bwp_template_redirect()
{
    if (is_author())
    {
        wp_redirect(home_url()); exit;
    }
}
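The redirect covers the archive pages only; the REST API lists users as well, at /wp-json/wp/v2/users, and that list is public. The block below is an added example, not code from the original post, that removes those routes for visitors who are not logged in and reports which accounts still expose their login through the display name. The function names are chosen here.

```php
<?php
// Added example (not from the original post). Put in a mu-plugin or functions.php.

/**
 * Drop every /wp/v2/users route for anyone who is not logged in. The dashboard's author
 * selector and the block editor are unaffected because their users are logged in.
 */
function hide_rest_user_routes($endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
}
add_filter('rest_endpoints', 'hide_rest_user_routes');

/**
 * Usernames also leak in bylines when the public display name is the login itself.
 * Returns the IDs of accounts where that is the case, so their display name can be
 * changed on the profile page.
 */
function accounts_exposing_login() {
    $exposed = array();
    $users = get_users(array('fields' => array('ID', 'user_login', 'display_name')));
    foreach ($users as $u) {
        if ($u->user_login === $u->display_name) {
            $exposed[] = (int) $u->ID;
        }
    }
    return $exposed;
}
```

Run accounts_exposing_login() once from a mu-plugin or WP-CLI shell after installing; a fresh WordPress install usually has at least the first administrator in that list.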
Hide wp-config.php and .htaccess
The <Files> blocks that deny web access to wp-config.php and to .htaccess itself are shown under Secure wp-config.php and Protect Your .htaccess File above; both belong in the .htaccess file in the WordPress root.
Disable directory Listing and Browsing with .htaccess
Without an index file Apache lists a directory's contents, which hands an attacker the names of every plugin, theme and upload. Add the following line to .htaccess:
Options -Indexes
If your host does not permit Options in .htaccess (AllowOverride without Options), this line causes a 500 error; in that case ask the host to disable indexes, or drop an empty index.php into the directories that lack one (WordPress already ships one in wp-content, plugins and themes, but not in uploads).
Disable PHP Execution in WordPress Directories
The uploads directory must hold only media, yet it is writable by the web server and is where a compromised plugin or a file-upload bug drops a web shell. Create wp-content/uploads/.htaccess with:
<FilesMatch "\.(php|php[3-7]|phtml|phar)$">
Order allow,deny
Deny from all
</FilesMatch>
Matching only *.php would miss alternative extensions such as .phtml that many PHP handlers also execute. On nginx or PHP-FPM setups that ignore .htaccess, the equivalent rule must go into the server configuration.
Disable Image Hotlinking in WordPress Using .htaccess
Hotlinking is other sites embedding your images by URL and consuming your bandwidth. These rules refuse image requests whose Referer is neither empty nor from your own site or the listed allowed domains; replace yoursite.com and yoursitename with your own:
#disable hotlinking of images with forbidden or custom image option
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yoursite\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?feeds2\.feedburner\.com/yoursitename [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
Protect .htaccess From Unauthorized Access
This variant of the rule from Protect Your .htaccess File covers every file whose name contains .hta, so .htaccess and .htpasswd, case-insensitively:
<FilesMatch "^.*\.([Hh][Tt][Aa])">
Order allow,deny
Deny from all
Satisfy all
</FilesMatch>
Protect Your WordPress Admin Area
Restrict the whole wp-admin directory to known IP addresses by creating wp-admin/.htaccess with the rules below (replace the placeholders). The rules deliberately apply to every request method: wrapping them in <Limit GET> would restrict only GET and leave POST, which the login form and most admin actions use, unprotected. admin-ajax.php is exempted because themes and plugins call it for anonymous visitors; without that exemption front-end features break for everyone outside the whitelist.
# wp-admin/.htaccess
# Apache 2.2 syntax (also used by 2.4 with mod_access_compat)
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
# whitelist Syed's IP address
Allow from xx.xx.xx.xxx
# whitelist David's IP address
Allow from xx.xx.xx.xxx
# whitelist Amanda's IP address
Allow from xx.xx.xx.xxx
# whitelist Muhammad's IP address
Allow from xx.xx.xx.xxx
# whitelist Work IP address
Allow from xx.xx.xx.xxx
</IfModule>
# Apache 2.4 syntax
<IfModule mod_authz_core.c>
Require ip xx.xx.xx.xxx xx.xx.xx.xxx xx.xx.xx.xxx xx.xx.xx.xxx xx.xx.xx.xxx
</IfModule>
# admin-ajax.php serves logged-out visitors too; keep it reachable from everywhere
<Files admin-ajax.php>
<IfModule !mod_authz_core.c>
Order allow,deny
Allow from all
Satisfy any
</IfModule>
<IfModule mod_authz_core.c>
Require all granted
</IfModule>
</Files>
This only works for teams with fixed addresses; people on mobile or home connections with changing addresses will lock themselves out, and two-factor authentication is the better control for them.
Ban Suspicious IP Addresses
To block a specific IP address from accessing your website, for example one that your logs or your login limiter keep reporting, add this to the .htaccess in the WordPress root (replace the placeholder):
Order allow,deny
Deny from xxx.xxx.xx.x
Allow from all
This applies to every request method; wrapping it in <Limit GET POST> would leave HEAD, OPTIONS and other methods unblocked. On Apache 2.4 without mod_access_compat the equivalent is Require not ip inside a <RequireAll> block together with Require all granted. Attackers rotate addresses cheaply, so keep the list short and maintained from your logs rather than treating a ban as permanent protection.