WordPress is a secure-ish system by default, but there are still several things that can be changed to make it a more secure environment. There is a lot of very valuable information stored in the admin areas of our WordPress sites, information we don’t want to fall into the wrong hands.
One thing we can do to make the system safer is to hide the WordPress admin (wp-admin) folder from prying eyes. The PHP files in that folder don’t need to be indexed by search engines, and they don’t have to be made available to the public. We can beef up security by locking down the files in that folder, and possibly renaming the login page while we are at it.
Introducing the Free Lockdown WP Admin Plugin for WordPress
Lockdown WP Admin makes it simple to hide the WordPress admin files. Let’s go through the steps for changing the path to the wp-admin folder now.
1. First, let’s get the plugin installed. You can download it from the link above, then upload it and activate it in your WordPress site.
2. To gain access to the Lockdown WordPress Admin, go to Lockdown WP >> Lockdown WP.
3. Simply check the box at the top of the page that says “Yes, please hide WP Admin from the user when they aren’t logged in.” With this enabled, any request to the /wp-admin/ folder made while not logged in to WordPress gets a 404 Page Not Found error.
4. Optionally, you can change the WordPress login URL in the next box. Just type in a new name, and it will be used in place of the standard wp-login.php.
For example, if you type in “jump-on-in”, the new path to the login screen becomes wp-website-example.com/jump-on-in/ rather than wp-website-example.com/wp-login.php.
If you use this feature together with a caching plugin, you will need to add the new URL to the caching plugin’s whitelist, or the new login URL won’t work.
5. HTTP authentication can also be turned on with this plugin; it is disabled by default. You can have it use your WordPress credentials for authentication, or you can set up separate accounts under Lockdown WP >> Private Users. A new account created in the “Private Users” area is more secure than reusing the WordPress credentials.
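To make the effect of steps 3 to 5 concrete, here is a small Python model of the request gate those settings create. This is an added example written for this article, not the plugin’s own code: the option names in CONFIG, the “jump-on-in” slug, the sample private user and the rule that the old wp-login.php path returns 404 once a new login slug is set are all assumptions. The HTTP-authentication check only models the “Private Users” mode (passwords stored as salted PBKDF2 hashes and compared in constant time); the WordPress-credentials mode is not modelled.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed settings mirroring the three options above
# (assumed key names; these are not the plugin's real option names).
CONFIG = {
    "hide_wp_admin": True,       # step 3: 404 for /wp-admin/ when not logged in
    "login_slug": "jump-on-in",  # step 4: renamed login path, replaces wp-login.php
    "http_auth": "private",      # step 5: "off" or "private" (WordPress-credentials mode not modelled)
}

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# "Private Users" store: username -> (salt, PBKDF2 hash). Constructed sample entry;
# a real store would draw a fresh random salt per user with secrets.token_bytes().
_SALT = b"constructed-sample-salt"
PRIVATE_USERS = {"gatekeeper": (_SALT, _hash("correct horse battery staple", _SALT))}

def basic_header(user, password):
    """Build the Authorization header a browser sends for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_basic_auth(header):
    """True only if the Basic header names a private user and the password matches."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except ValueError:            # bad base64 or bad UTF-8
        return False
    entry = PRIVATE_USERS.get(user)
    if entry is None:
        _hash(password, _SALT)    # same cost for unknown users: no timing hint about usernames
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash(password, salt), expected)

def route(path, logged_in=False, auth_header=None, config=CONFIG):
    """Decide what a request gets: (HTTP status, what is served)."""
    parts = urlsplit(path).path.strip("/").split("/")   # drops query string and trailing slash
    slug = config["login_slug"]
    if slug and parts == [slug]:
        target = "wp-login.php"           # renamed URL serves the real login page
    elif parts == ["wp-login.php"]:
        if slug:
            return 404, "not-found"       # assumed: default login URL no longer exists
        target = "wp-login.php"
    elif parts[0] == "wp-admin":
        if config["hide_wp_admin"] and not logged_in:
            return 404, "not-found"       # hidden from anyone without a session
        target = "wp-admin"
    else:
        return 200, "public"              # ordinary front-end page, untouched
    if config["http_auth"] != "off" and not check_basic_auth(auth_header):
        return 401, "http-auth-required"  # login page and admin both sit behind Basic auth
    return 200, target

def cache_exempt_paths(config=CONFIG):
    """Paths a caching plugin must be told to skip, or the renamed login URL breaks."""
    exempt = {"/wp-admin/", "/wp-login.php"}
    if config["login_slug"]:
        exempt.add(f"/{config['login_slug']}/")
    return exempt

if __name__ == "__main__":
    hdr = basic_header("gatekeeper", "correct horse battery staple")
    print(route("/wp-admin/"))                               # anonymous visitor: 404
    print(route("/jump-on-in/", auth_header=hdr))            # renamed login, right Basic creds: 200
    print(route("/wp-admin/edit.php", logged_in=True))       # session but no Basic creds: 401
    print(cache_exempt_paths())
```

The ordering matters: the 404 for anonymous /wp-admin/ requests is evaluated before HTTP authentication, so an unauthenticated visitor learns nothing about whether a protected area exists, while anyone who does reach the login page or the admin still has to pass the Basic-auth check first.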
Video: Installing and Configuring Lockdown WP Admin
All of these steps (plus not using the default ‘admin’ username for WordPress) can essentially eliminate brute force attacks.
In general, during an attack, a script will attempt to navigate to the default location of the login page and try to log in. With this plugin, that page is hidden AND password protected, and even if the attacker got past that, they would still have to guess both the username AND the password for WordPress authentication. For that reason it’s best to use the “Private Users” option to really keep things secure.
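The behaviour described above, a script hammering the default login location, is also easy to spot in the web server’s access log, and once the plugin is active the 404s it returns for the old paths become a clean signal of their own. The following Python is an added example for this article, not part of the plugin: it parses a few constructed combined-format log lines (not real traffic) and flags hosts that burst POSTs at a login path, plus hosts that keep hitting the hidden admin paths. The renamed “/jump-on-in/” slug, the threshold and the window are assumptions to adjust for your site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not real traffic): one host hammers the default login
# page, one is a normal user of the renamed login URL, one probes the hidden paths.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:08 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:11 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:14 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2023:13:40:10 +0000] "POST /jump-on-in/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:52:42 +0000] "POST /jump-on-in/?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:02:00 +0000] "GET /wp-admin/ HTTP/1.1" 404 512 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:14:02:02 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "curl/8.0"
this line is deliberately malformed and must be skipped
"""

def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # ignore the query string
    return rec

def login_bruteforce(lines, login_paths=("/wp-login.php", "/jump-on-in/"),
                     threshold=5, window=timedelta(minutes=1)):
    """Map IP -> largest number of login POSTs it made inside any `window`-long span,
    for IPs that reached `threshold`. Status codes are ignored on purpose: a script
    posting to a 404 page is still a script posting to the login page."""
    wanted = {p.rstrip("/") for p in login_paths}
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].rstrip("/") in wanted:
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):          # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            burst = end - start + 1
            if burst >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), burst)
    return flagged

def admin_probes(lines, hidden_paths=("/wp-admin", "/wp-login.php")):
    """Count per-IP 404s on the paths the plugin hides; real users never see these."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404 and any(
            rec["path"] == h or rec["path"].startswith(h + "/") for h in hidden_paths
        ):
            counts[rec["ip"]] += 1
    return dict(counts)

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("login bursts:", login_bruteforce(lines))
    print("hidden-path 404s:", admin_probes(lines))
```

On the sample, 203.0.113.7 is flagged with a burst of six POSTs in thirteen seconds, the legitimate user of the renamed URL (two POSTs twelve minutes apart) is not, and both scanning hosts show up in the 404 count, which is a natural feed for a firewall or fail2ban-style block list.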
Lastly, a strong password will certainly bump the security of the WordPress site up another notch. A strong password can be a sentence with spaces and punctuation. Or, I like to use RoboForm and generate a random 15+ character password that is a combination of letters (upper and lowercase), digits, and special characters.