WordPress Admin Login – Tips for Securing It

| November 15, 2017 | 2 Comments

We all know hackers love to exploit the WordPress admin login page. I was reminded of how tenacious hackers are when I reviewed the settings on the Limit Login Attempts plugin (which logs the number of unsuccessful attempts). In total I have 54 pages’ worth of unsuccessful login attempts among my various blogs. Each page contains 21 rows of IP addresses. On average each IP address has 5 or 6 lockouts. One industrious hacker, however, got locked out 66 times!

BTW, the most frequently used username hackers use to access your account is “admin.” If you are using admin as your username stop reading this now and change it to something else! After you’ve changed it, come back and finish reading the rest of this post!

So far I’ve been fortunate, but I don’t want to press my luck. As such, I decided to look for reinforcements to protect the login page.

UNLOQ 2 Factor Authentication for WordPress Admin Security

In addition to my username and password I downloaded the UNLOQ app/plugin. It’s free for small-time users like me (free of charge for 100 or fewer users). The beauty of UNLOQ is it offers the option to hide the wp-admin login page. Hackers looking for the usual WordPress admin page will see the following if you opt to hide it:

[Image: Unloq - WordPress Admin]

The other nice feature about UNLOQ is it requires either a one-time passcode, or approval from the app (push notification) or email to authenticate the login. The authentication type is configurable.


I find this all to be great for securing the admin page, but for me it was cumbersome. The push notification meant I needed to have my cell phone accessible every time I logged in. Nine times out of ten I don’t know where my cell phone is. Having to locate it in order to log into my websites became problematic.

I didn’t use the email or time-based password option (maybe I should have). I guess I just didn’t like having to use two programs to access one. The whole UNLOQ process wasn’t seamless enough for my tastes so I decided to try something else.

Securing WordPress Admin Like the Big Dogs

I read somewhere that master blogger Pat Flynn of Smart Passive Income password-protects his wp-admin folder. Doing so protects everything in that folder and adds an additional layer of security. The only problem I have with that is there are certain functions that reside in the wp-admin folder (admin-ajax.php) that are required for the smooth running of a WordPress blog. Allowing access to the admin-ajax file after password-protecting the directory requires modifying the .htaccess file.


Not wanting to create another potential problem, I decided to leave that option to the folks who know what they’re doing. I don’t, so I’ll leave it alone.
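For readers who do want the directory password protection described above, here is an added example (not from the original post or from Pat Flynn's setup) of a wp-admin/.htaccess that prompts for a password but still lets admin-ajax.php through. It assumes Apache 2.4 with .htaccess overrides enabled; the file path and login name are placeholders.

```apache
# wp-admin/.htaccess  (Apache 2.4 syntax; the paths below are placeholders)
#
# Create the password file outside the web root first, for example:
#   htpasswd -c /home/EXAMPLE_USER/.htpasswd-wpadmin EXAMPLE_LOGIN

# Require HTTP Basic authentication for everything in wp-admin/
AuthType Basic
AuthName "Restricted"
AuthUserFile /home/EXAMPLE_USER/.htpasswd-wpadmin
Require valid-user

# Themes and plugins send front-end AJAX requests to admin-ajax.php,
# so visitors who are not logged in must reach it without the prompt.
# This <Files> section is merged after the directives above and
# replaces "Require valid-user" for this one file only.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Basic authentication sends the password with every request in an easily decoded form, so use it only on a site served over HTTPS. The login form itself (wp-login.php) lives in the WordPress root rather than in wp-admin, so this file does not put a prompt in front of it.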

Searching for Another Blog Security Option

I went back to the drawing board in search of a protection option that fits my blogging habits. I was fortunate enough to come across Lisa Irby’s blog post How WordPress Exposes Your Admin Username & How to Fix It! In the post Lisa shares information about how a linkable byline on a blog gives hackers a potential username to try while hacking the WP admin page.

Give it a try. Hover over any linkable byline (try the one of my name on this post for example) and you’ll discover the blogger’s username in the status bar at the bottom of the web browser. Lisa’s blog post gives instruction on how to change the username display. I won’t get into details here or reinvent the wheel. Go to her blog post and follow her user-friendly instructions.


By the way, I followed her instructions so the “webmaster” you see when you hover over my byline is not my admin username.

Blog Security Going Forward

Incorporating Lisa’s advice, in addition to coming up with long passwords of at least 16 characters, is what I’ll continue to do for now. It’s a shame that we have to spend so much time and effort securing our blogs, but that’s a sign of the times in which we are living.

I’m curious to know what measures you’re taking to protect your WordPress admin page.


About the Author

Felicia A. Williams is a freelance writer and blogger. She spends the majority of her time with her family and writing. If she’s not writing or commenting on NJFM, she’s either outside smelling the roses or writing articles for one of her other sites.

Comments (2)


  1. Loretta says:

    I enjoy blogging because it enables me to connect with people, share information, and when reading the comments people leave concerning some of my subjects, I often learn something new. Killjoy hackers take the joy out of blogging.
    I appreciate the useful information that you share. It enables us, blogger-lovers, to remain cognizant of potential threats and to be proactive in preventing intrusion. I just want to thank you, Felicia.

    • Felicia says:

      Us bloggers must stick together. I’ll continue to share what I learn. Plus, now that I’m back writing again, I can’t help but share what I learn. 🙂
      Not only that, I live in a world surrounded by non-bloggers. Who else will listen? 😀
