How to Prevent Unauthorized Administrator Login Attempts in WordPress?

WordPress is arguably the most widely used Content Management System out there. Reportedly, it is used by over 400 million websites and blogs. To manage the backend, WordPress provides an admin dashboard by default, which saves you from editing code by hand. To reach this admin dashboard you must provide the correct credentials, but the dashboard also invites fraudulent or unauthorized login attempts. In this article, we’ll explain the ways you can prevent unauthorized admin logins in WordPress.

Protect Your Admin Area with a Strong Password

If you’ve built a website in WordPress, anyone can open its admin page by visiting the “/wp-admin” path (or a similar path such as “/get-in”). To log in, you need a username and a password. The password is the first layer of security: if it is weak or guessable, your website is vulnerable to unauthorized access. Against minor attacks, a strong password is usually more than enough.

The following steps password-protect your wp-admin directory with a strong password.
  1. Navigate to the Security section of your hosting account (cPanel).
  2. Click “Password Protect Directories”, select “Document Root for” your domain and then the admin path. Click Go to confirm.
  3. Click the wp-admin directory and tick the box that reads “Password protect this directory”.
  4. Select “Password Generator” and click “Generate Password” two or three times. When a password looks strong enough, click “Use Password”. This generated password is the one you will assign to the user(s).
  5. Select “Create User” and enter the username and the generated password.
  6. Save everything and log out.
This should password-protect the “/wp-admin” directory path. To confirm that the protection is in place, try opening your WordPress website’s admin dashboard. The browser should ask for a username and password; provide the assigned username and the recently created password.

You should then be taken to the WordPress login page. If that is the case, the path to the admin dashboard is password-protected.

You can use the same method discussed above to protect your wp-login.php script.

Redirect Loop Error

At this point, you may run into a redirect loop: Apache tries to serve its error page through WordPress, which hits the protected directory again. To solve this, add the following directives to your .htaccess file so that the 401 and 403 responses are plain text:
Code:
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
To access the .htaccess file, go to cPanel >> File Manager, then follow these steps:
  • Click Settings.
  • Select the Document Root for your domain.
  • Tick the “Show Hidden Files” option and click Save.
  • Open the wp-admin folder, where you will find the .htaccess file that the password protection created. Copy the directives from this file.
  • Go back to File Manager, select the Document Root folder and open its .htaccess file (yes, there are multiple .htaccess files). This one applies to every directory of your WordPress website.
  • Paste the directives copied from the wp-admin .htaccess file into this file. They should look like:
Code:
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/root-directory/wp-admin/passwd"
Require valid-user
Also add the following at the top of the document root .htaccess file. The FilesMatch block applies the same Basic auth directives to wp-login.php, which is the method mentioned earlier for protecting that script:

Code:
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/root-directory/wp-admin/passwd"
Require valid-user
</FilesMatch>

Allow Plugin Access

Finally, you need to allow plugins to reach the admin-ajax.php file without credentials. Otherwise, every plugin that calls admin-ajax.php on your WordPress website will prompt for the username and password. You can do this by adding a few more directives to the document root .htaccess file.

Paste the following code:

Code:
# allow plugin access to admin-ajax.php around the password protection

<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
With that, the wp-admin .htaccess protects your /wp-admin directory and the FilesMatch block protects wp-login.php against unauthorized access, while plugins can still reach admin-ajax.php. Note that Order, Allow and Satisfy are Apache 2.2 directives; on Apache 2.4 they only work when mod_access_compat is loaded, so if the exception does not take effect, check that module first.
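The article suggests confirming the protection by logging in through the browser. The script below, an added example that is not part of the original post, does the same check from the command line: it probes the three paths discussed above and reports whether each answers the way a correct setup should. It assumes the site is served over HTTPS, that the paths are the defaults named on the page, and that admin-ajax.php answers an empty GET with HTTP 400 (200 on older WordPress releases); the fetch function is injectable so the logic can be exercised without a live site.

```python
"""Probe a WordPress site to confirm the Basic-auth protection is in place.
Added example, not from the original post; uses only the standard library."""
import base64
import urllib.error
import urllib.request

# (path, send Basic-auth credentials?, HTTP statuses that mean the setup is correct)
PROBES = [
    # No credentials: Apache must answer 401 before WordPress ever runs.
    ("/wp-admin/", False, {401}),
    ("/wp-login.php", False, {401}),
    # admin-ajax.php is exempted with "Satisfy any": WordPress itself answers an
    # empty GET with "0" (HTTP 400 on current versions, 200 on older ones), never 401.
    ("/wp-admin/admin-ajax.php", False, {200, 400}),
    # Valid credentials: past Apache, WordPress redirects an anonymous visitor
    # to wp-login.php (302) or renders a page (200).
    ("/wp-admin/", True, {200, 302}),
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 3xx as the status instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url, auth=None, timeout=10):
    """GET url and return the HTTP status code; auth is a (user, password) tuple or None."""
    req = urllib.request.Request(url, method="GET")
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_admin_protection(base_url, credentials, fetch=http_status):
    """Run every probe; return [(path, with_credentials, status, passed), ...].

    fetch(url, auth) is injectable so the decision logic can be tested offline.
    """
    base = base_url.rstrip("/")
    results = []
    for path, with_creds, expected in PROBES:
        status = fetch(base + path, credentials if with_creds else None)
        results.append((path, with_creds, status, status in expected))
    return results


if __name__ == "__main__":
    import sys

    # Usage: python check_wp_admin.py https://example.com <htpasswd-user> <password>
    site, user, password = sys.argv[1:4]
    for path, with_creds, status, passed in check_admin_protection(site, (user, password)):
        tag = "with credentials" if with_creds else "anonymous"
        print(f"{'PASS' if passed else 'FAIL'} {path} ({tag}) -> HTTP {status}")
```

A FAIL on the anonymous wp-login.php probe means the FilesMatch block is missing or not being read; a 401 on admin-ajax.php means the Files exception is not taking effect (see the mod_access_compat note above).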

Limit Login Attempts

If someone is trying to break into your website, they will try again and again to guess your password. This activity is known as a brute-force attack. By default, WordPress places no restriction on how many times you can attempt to log in to the dashboard. But you can -- and should -- limit this to a fixed number.

To set a login limit, navigate to Settings > Login LockDown. You’ll see the following options:
  • Max Login Retries
  • Retry Time Period Restrictions (minutes)
  • Lockout Length (minutes)
  • Lockout Invalid Usernames?
Set them according to your requirements.
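To make the four options concrete, here is an added example (not the Login LockDown plugin’s code) that models the lockout decision they control. The semantics are assumptions: failures are counted per client IP inside the retry window, reaching the retry limit locks the IP for the lockout length, and with “Lockout Invalid Usernames?” off, guesses against usernames that do not exist are rejected but not counted. The property worth copying is that a locked client is refused before the password is ever checked, so it learns nothing from further guesses.

```python
"""Per-IP login lockout modelled on the four Login LockDown settings listed above.
Added example, not the plugin's code; the semantics are assumptions."""
from collections import deque


class LoginLockdown:
    def __init__(self, max_retries=3, retry_period=5 * 60, lockout_length=60 * 60,
                 lockout_invalid_usernames=False, known_users=()):
        self.max_retries = max_retries                   # "Max Login Retries"
        self.retry_period = retry_period                 # "Retry Time Period Restrictions", in seconds
        self.lockout_length = lockout_length             # "Lockout Length", in seconds
        self.lockout_invalid_usernames = lockout_invalid_usernames  # "Lockout Invalid Usernames?"
        self.known_users = set(known_users)
        self._failures = {}       # ip -> deque of failure timestamps inside the retry window
        self._locked_until = {}   # ip -> time at which the lockout expires

    def is_locked(self, ip, now):
        """True while ip is inside its lockout period; expired locks are cleared."""
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[ip]
        self._failures.pop(ip, None)
        return False

    def attempt(self, ip, username, now, verify):
        """Process one login attempt and return "locked", "ok" or "failed".

        verify() is the password check; it is only called when ip is not locked,
        so a locked client cannot tell whether its guess was right.
        """
        if self.is_locked(ip, now):
            return "locked"
        if verify():
            self._failures.pop(ip, None)       # a successful login resets the counter
            return "ok"
        # Assumption: with "Lockout Invalid Usernames?" off, failures against
        # non-existent usernames are rejected but do not count toward a lockout.
        if username not in self.known_users and not self.lockout_invalid_usernames:
            return "failed"
        window = self._failures.setdefault(ip, deque())
        window.append(now)
        while now - window[0] > self.retry_period:   # drop failures older than the window
            window.popleft()
        if len(window) >= self.max_retries:
            self._locked_until[ip] = now + self.lockout_length
            self._failures.pop(ip, None)
            return "locked"
        return "failed"
```

With the defaults above (3 retries within 5 minutes, 60-minute lockout), three wrong passwords for a real username from one address lock that address for an hour, while three failures spread more than 5 minutes apart never accumulate. Keying on the client IP is what the plugin options imply; behind a reverse proxy the real client address must be taken from the proxy header, or every visitor shares one counter.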
Author: bhawanisingh