Decided to block access to WordPress Admin for everyone except authorized users? That’s a smart thing to do! After all, the Admin section or dashboard provides back-end access to a website and administrator permissions on it. Moreover, a single dashboard may control other websites in a multisite environment, making unapproved access drastically more dangerous. Users often mistakenly think their website is too small to be targeted, and that’s how hackers or brute-force botnets infiltrate it. Even if that’s true, why take the chance? You don’t need to be an expert to learn how to prevent users from accessing WordPress Admin, and we’ll prove it.
Why should I protect WordPress Admin Section access?
We gave you a hint, but you should protect access to your WordPress Admin section because an unauthorized user with the correct username (or e-mail address) and password combination can log in and wreak havoc. They can wipe your website clean and ruin your reputation for good. They may also add a backdoor to your code and monitor you for months, if not years. That lets them infect other websites with malware and steal confidential information. Any sort of information, including private data about anyone who created an account, is in their hands.
Even worse, if you accept payments or pay others, that financial information becomes available to them. We shouldn’t have to mention their ability to impersonate you and perhaps commit crimes. They may even lock you out of WordPress Admin to prevent you from stopping them in time. Even if you bounced back and regained control, your content, and users’ trust in your website, you would still have to invest in cybersecurity measures. Therefore, it’s best to act preemptively and configure the protection of WordPress Admin access right away.
1. Change the WordPress administrator username to protect the WordPress Admin area
The WordPress Admin account has the “admin” username by default after you install the CMS (Content Management System). While that’s beginner-friendly because it provides a uniform experience, it’s also a massive advantage to hackers. They already have one piece of the puzzle and only need to figure out your password to get in. Users who keep the default username often haven’t set a strong password either, meaning brute-force software can crack it in a few seconds, if not under a second. To prevent that, besides choosing a complex password, you should protect the WordPress Admin section by changing your WordPress admin account username like this:
- Log in to the WordPress Admin dashboard.
- Go to Users → All Users.
- Edit the existing account with the “admin” username. Add an e-mail address you can access, and make sure the password is complex.
- Note: you should also consider changing generic usernames such as “Editor”, “Administrator”, or “Editorial Staff”.
- Save changes.
2. Prevent users from accessing WordPress Admin by adding a password to the wp-admin folder
Adding intricate credentials will stop basic brute-force or manual attempts to log in. However, it doesn’t stop users who know they can reach the “wp-admin” folder in your website root without being authenticated. We understand that a beginner-heavy user base is why WordPress and web hosting providers don’t do this by default, but you should be wiser. Follow these steps to password-protect the wp-admin folder in your WordPress:
- Access the cPanel on your web hosting provider’s website.
- After logging in, head to the Files section and look for the “Directory Privacy” option. Your provider may change its name or use a custom tool, so look around.
- Go to root or public_html, then wp-admin.
- If there’s an option for “Enter a name for the protected directory”, enter wp-admin and put a checkmark in front of Password protect this directory.
- Enter the password for the folder and select the Save button. If anyone, including you, requests access to the folder with administrative information, they must enter a password.
3. Prevent all non-Administrator users from accessing WordPress Admin
A lot of themes have this option by default, but it doesn’t hurt to double down on your security. You can permit only Administrator users to access the WordPress Admin section like this:
- Go to your child theme’s folder via FTP (root/wp-content/themes/child-theme-name).
- Add the following code to the child theme’s functions.php:
function block_wp_admin() {
    // is_admin() is also true for admin-ajax.php, so AJAX requests that
    // logged-in non-administrators make from the front end are left alone.
    if ( is_admin() && ! current_user_can( 'administrator' ) && ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        // Everyone else is sent to the home page.
        wp_safe_redirect( home_url() );
        exit;
    }
}
add_action( 'admin_init', 'block_wp_admin' );
This redirects anyone who isn’t logged in, or who is signed in with a non-Administrator role, to another page, in this case the home page. You can check a different role slug here, let multiple roles in, or redirect them to a custom page instead.
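The variations just described, as an added example that is not code from the original article: several roles are allowed in and everyone else lands on a dedicated page. It assumes placement in the child theme’s functions.php; the role slugs and the page slug “no-dashboard-access” are assumptions.

```php
<?php
// Added example (not from the article): admit several roles to wp-admin and
// send everyone else to a custom page. Role slugs and page slug are assumed.

function example_wp_admin_allowed_roles() {
    // Role slugs permitted to open the dashboard (assumed list; edit to taste).
    return array( 'administrator', 'editor', 'shop_manager' );
}

function example_block_wp_admin_by_role() {
    // admin-ajax.php also reports is_admin() === true, so front-end AJAX
    // requests from logged-in subscribers must not be redirected.
    if ( ! is_admin() || ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        return;
    }
    $user = wp_get_current_user();
    // Any overlap between the user's roles and the permitted list lets them in.
    if ( array_intersect( (array) $user->roles, example_wp_admin_allowed_roles() ) ) {
        return;
    }
    // Redirect to the "no access" page (slug is an assumption); fall back to
    // the home page if that page has not been created.
    $page   = get_page_by_path( 'no-dashboard-access' );
    $target = $page ? get_permalink( $page ) : home_url();
    wp_safe_redirect( $target );
    exit;
}
add_action( 'admin_init', 'example_block_wp_admin_by_role' );
```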
4. Add a custom URL to the WordPress Admin Section
As you know, using a web browser to sign in to your WordPress admin requires you to enter your domain name followed by wp-admin or wp-login.php at the end, like this:
- example.com/wp-admin
- example.com/wp-login.php
But if you know the default means of access via URL, so do hackers and botnets. Thus, a good way to stop them or at least make them rethink their attack is to change the WordPress login URL. After installing the plugin from our guide:
- Head to General in the left sidebar of WordPress Admin.
- Replace “login” with something unconnected with administrators, logging in, or your website name.
- Save changes.
5. Prevent WordPress users with unrecognized IP addresses from accessing Admin dashboard
Is your website irrelevant to users in a specific country, yet malicious login attempts keep coming from there? Do you notice a person with a specific IP address or range of IP addresses repeatedly attempting to sign in? In both cases, you can block an IP address using .htaccess, adding this for specific IP addresses:
order allow,deny
deny from 192.168.22.205
deny from 225.36.165.14
allow from all
You can also forbid an IP address range from accessing your site this way:
order allow,deny
deny from 192.168.
deny from 225.36.
allow from all
The method in our guide blocks users from accessing your entire website, not only wp-admin. It also delves much deeper into security measures to eliminate bots, bandwidth leeches, ISPs (Internet Service Providers), and so on. Moreover, you may have an IP Blocker option in the “Security” section of cPanel. That is a newbie-friendly way to perform the IP ban.
6. Only allow users with a specific IP address to load WordPress Admin
We understand that staying on top of nefarious users can be exhausting. What’s worse, it may not work long-term. Luckily, you can flip the situation and block all IP addresses except yours. If you’re not using a static IP address from one device or have multiple administrators, you can allow several IP addresses or an IP address range. We explained that in our “how to create WordPress Admin IP restriction” guide. Here’s the basic version for the .htaccess file:
# Place this in wp-admin/.htaccess. These are Apache 2.2-style directives;
# Apache 2.4 needs mod_access_compat enabled or the equivalent "Require ip" form.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
# Deliberately not wrapped in <Limit GET>: that would restrict GET only and
# leave POST (the method the login form uses) open to everyone.
order deny,allow
deny from all
# whitelist (permit someone's address)
allow from xx.xx.xx.xxx
# whitelist a second IP address
allow from xx.xx.xx.xxx
If it isn’t clear, xx and xxx are placeholders for numbers such as 65 and 251. You can use the trick from above and enter 251.65. to allow that entire IP range. Alternatively, you can install a WordPress plugin and use more complex whitelists and advanced features.
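The same allow-list enforced from inside WordPress, as an added example that is not code from the article or from any plugin it mentions, for hosts where .htaccess is unavailable. It assumes placement in a must-use plugin, and the two addresses are constructed sample values (one host plus one /24 range, the equivalent of the “251.65.” prefix trick).

```php
<?php
// Added example (not from the article): enforce an IP allow-list for
// wp-login.php and wp-admin from a must-use plugin. Sample addresses are
// constructed documentation-range values.

function example_wp_admin_allowed_ips() {
    // One single host plus one /24 range (assumed list; edit to taste).
    return array( '203.0.113.10', '198.51.100.0/24' );
}

// True if an IPv4 address falls inside a CIDR block (a bare address means /32).
function example_ip_in_cidr( $ip, $cidr ) {
    if ( strpos( $cidr, '/' ) === false ) {
        $cidr .= '/32';
    }
    list( $subnet, $bits ) = explode( '/', $cidr, 2 );
    $bits     = (int) $bits;
    $ip_long  = ip2long( $ip );
    $net_long = ip2long( $subnet );
    if ( false === $ip_long || false === $net_long || $bits < 0 || $bits > 32 ) {
        return false;
    }
    $mask = ( 0 === $bits ) ? 0 : ( -1 << ( 32 - $bits ) );
    return ( $ip_long & $mask ) === ( $net_long & $mask );
}

function example_enforce_wp_admin_ip_allowlist() {
    // admin-ajax.php serves front-end features for ordinary visitors; leave it alone.
    if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
        return;
    }
    // Use REMOTE_ADDR only: headers such as X-Forwarded-For are client-controlled
    // unless a trusted reverse proxy in front of the site overwrites them.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach ( example_wp_admin_allowed_ips() as $cidr ) {
        if ( example_ip_in_cidr( $ip, $cidr ) ) {
            return;
        }
    }
    // Answer 403 like Apache's "deny from all" rather than redirecting.
    wp_die( 'Access to the WordPress Admin area is restricted.', 'Forbidden', array( 'response' => 403 ) );
}
add_action( 'login_init', 'example_enforce_wp_admin_ip_allowlist' );
add_action( 'admin_init', 'example_enforce_wp_admin_ip_allowlist' );
```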
7. Limit the number of login attempts to access WordPress Admin
Top-rated WordPress security plugins let you do most of the things we mentioned from inside their settings. On top of that, they can block repeated login attempts, which WordPress doesn’t do by default. For example, in Wordfence Security, which we have no ties to, you can restrict WordPress Admin login attempts like this:
- Go to Wordfence in the left sidebar, then pick All Options.
- Toggle Brute Force Protection under Firewall Options.
- Put a number under “Lock out after how many login failures” and “Lock out after how many forgot password attempts” to prevent login abuse.
- Click Save Changes.
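If you would rather not rely on a plugin, the lockout behaviour described above can be built with WordPress transients; this is an added example, not code from the article or from Wordfence. It assumes a must-use plugin, a threshold of 5 failures and a 15-minute window, and keys the counter on REMOTE_ADDR.

```php
<?php
// Added example (not from the article or Wordfence): lock out a client address
// after repeated failed logins. Threshold and window below are assumptions.

function example_lockout_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

function example_failed_login_count() {
    return (int) get_transient( example_lockout_key() );
}

// Step 1: count each failure. The transient expires on its own after 15 minutes;
// further failures while locked out renew it, extending the lockout.
function example_record_failed_login( $username ) {
    set_transient( example_lockout_key(), example_failed_login_count() + 1, 900 );
}
add_action( 'wp_login_failed', 'example_record_failed_login' );

// Step 2: refuse authentication once the threshold is reached. Priority 30 runs
// after WordPress's own username/password check (priority 20); a lower priority
// would be overridden when that check later returns a WP_User.
function example_block_locked_out( $user ) {
    if ( example_failed_login_count() >= 5 ) {
        return new WP_Error( 'example_locked_out', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'example_block_locked_out', 30 );

// Step 3: a successful login clears the counter for that address.
function example_clear_failed_logins( $user_login, $user ) {
    delete_transient( example_lockout_key() );
}
add_action( 'wp_login', 'example_clear_failed_logins', 10, 2 );
```

Because the authenticate filter also runs for XML-RPC and application-password logins, those paths are covered too.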