The WordPress admin area is a goldmine for attackers. Anyone able to reach your dashboard holds the keys to your entire operation: pages, plugins, themes, uploaded files, and user roles are just a few of the things controlled from there. For eCommerce companies, unauthorised access also exposes sensitive customer data, damaging your reputation and the trust your customers place in you.
Keeping the admin area secure should be a primary concern for every site owner. Thankfully, there are practical ways to keep threats at bay.
Shield Security PRO comes with a lock down WordPress admin feature, giving you advanced controls over backend access. Furthermore, the platform offers a range of premium security features to protect your site from malware, hacking, and login attacks.
With the plugin installed, webmasters can manage their website with ease, and no technical knowledge is necessary. Knowing your site is safe provides peace of mind, and allows you to concentrate on growing your business.
In this article, we’ll explain how to lock down your admin area using a manual WordPress method, and through the unique features found in Shield Security PRO. We’ll also cover common lock down troubleshooting, and the best practices to follow when implementing security measures across your site.
Locking down your WordPress admin area: two ways
Shield Security PRO is a premium website security solution. Including a malware scanner, AntiBot detection, and spam prevention, the platform has the highest consumer rating per download of all security plugins. It also boasts some nifty Security Admin Access Restriction features!
Let’s take a look at Shield Security PRO in action:
1. Lock down the admin area using Shield Security PRO admin access features
Anyone with access to your admin panel naturally has access to your security platform. Shield Security PRO adds an extra layer of authentication, allowing you to secure the plugin responsible for your overall security.
By restricting access to the plugin itself, even other administrators cannot change its settings without the Admin Access Pin you set. Once the pin is enabled, you can also restrict changes to key WordPress settings to anyone who does not hold it.
Shield Security PRO also comes with an ultra-secure two-factor authentication process for logins, alongside powerful bad-bot protection. This can tell bots and humans apart and distinguish fake web crawlers from legitimate ones. Such fortifications prevent unauthorised access across your whole site.
Most importantly, Shield Security PRO has been designed for anyone to use. Non-techies can install and set up the plugin straightaway. Take a look at some of our customer testimonials and see the difference we’ve made to over 11 million WordPress websites!
2. Lock down the WordPress admin area manually
If you prefer, you can secure your WordPress admin area manually, using the concept of ‘security through obscurity’.
Your default login page – typically set to yoursitename.com/wp-login.php – is an obvious target for hackers. Changing your login URL makes it harder to find, and therefore, harder to attack.
Follow our guide to modifying your WordPress login URL to shore up this particular area of your website. But be aware that manual security has limitations.
Obscuring a login URL won’t prevent access attempts, should a hacker or bot discover it through other means. Ensure you make backups before making any changes. And remain vigilant regarding password policies, two-factor authentication, and managing user permissions.
Quick guide to modifying your .htaccess files
If you’re comfortable directly editing code files, you can also modify your .htaccess files to add further layers of security.
Access your site’s .htaccess file with an SFTP client or through your hosting control panel. In cPanel, open Files > File Manager and look in the site’s document root (usually public_html).
Locate the .htaccess file in the list, right-click it, and choose Edit or Code Edit from the context menu. Because its name begins with a dot, the file may be hidden by default: if you cannot see it, open Settings in the top-right corner of File Manager, tick Show Hidden Files (dotfiles), and save.
Scroll to the bottom of the .htaccess file and add the following lines:
<Files "wp-login.php">
    Require all denied
    # Whitelist your IP address
    Require ip 123.123.123.123
</Files>
Replace 123.123.123.123 with your own public IP address; add a further Require ip line for each other address you want to allow, or give a range in CIDR notation (for example 203.0.113.0/24) if your provider assigns you addresses from a known block. Note that each comment must sit on its own line, as shown, because Apache does not allow comments after a directive. The syntax is Apache 2.4 (mod_authz_core); LiteSpeed honours .htaccess rules as well, but nginx ignores the file entirely, so check which web server your host runs. The rule returns 403 Forbidden for wp-login.php to every address not listed, so nobody else can reach the login form. It does not by itself block /wp-admin/ for a browser that already holds a valid session cookie, and it does not stop logins attempted through xmlrpc.php, so pair it with the XML-RPC lockdown mentioned below.
Take care when enabling this restriction, as your current IP address may change (common with most household internet providers). If it does, you will lock yourself out of the login page until you reconnect via SFTP or File Manager and update the address in the file. The same applies if your site sits behind a CDN or reverse proxy such as Cloudflare: Apache then sees the proxy’s address rather than yours, and Require ip will match the wrong address unless the real client IP is restored at server level with mod_remoteip (a server-configuration setting you cannot make from .htaccess).
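As an added example, not part of this article or of the Shield Security PRO plugin, the POSIX shell function below writes the same kind of Apache 2.4 allow-list but goes a step further than the snippet above: it also protects the wp-admin/ directory (which the wp-login.php rule alone does not cover for a browser that already holds a session cookie) while leaving admin-ajax.php reachable, and it backs up any existing .htaccess first, as the article advises. The function names, the WordPress path and the addresses (RFC 5737 documentation ranges) are placeholders; it assumes Apache 2.4 with AllowOverride permitting Require and <Files> in .htaccess, and that Apache sees the real client address.

```shell
#!/bin/sh
# Added example (not from the article or the Shield Security plugin):
# write Apache 2.4 IP allow-list rules for wp-login.php and the wp-admin/
# directory, backing up any existing .htaccess first.
# Assumptions: Apache 2.4+ (mod_authz_core), AllowOverride permits <Files> and
# Require in .htaccess, and Apache sees the real client IP (no CDN/proxy in
# front, or mod_remoteip configured at server level).

# Emit one "Require ip" line per argument (single address or CIDR range).
require_block() {
  for ip in "$@"; do
    printf '    Require ip %s\n' "$ip"
  done
}

# lock_wp_admin <wordpress-root> <ip-or-cidr> [<ip-or-cidr> ...]
lock_wp_admin() {
  root="$1"; shift
  [ -f "$root/wp-config.php" ] || { echo "not a WordPress root: $root" >&2; return 1; }
  [ $# -gt 0 ] || { echo "need at least one IP address or CIDR range" >&2; return 1; }
  if grep -q '^# BEGIN admin lockdown' "$root/.htaccess" 2>/dev/null; then
    echo "lockdown block already present in $root/.htaccess" >&2
    return 1
  fi

  # Back up before editing (the article's advice), then write both files.
  stamp=$(date +%Y%m%d%H%M%S)
  [ -f "$root/.htaccess" ] && cp "$root/.htaccess" "$root/.htaccess.bak.$stamp"
  mkdir -p "$root/wp-admin"
  [ -f "$root/wp-admin/.htaccess" ] && cp "$root/wp-admin/.htaccess" "$root/wp-admin/.htaccess.bak.$stamp"

  # 1. Root .htaccess: guard the login page. Apache treats several Require
  #    lines in one section as RequireAny, so a client matching any listed
  #    address passes and everyone else receives 403; an extra
  #    "Require all denied" line is not needed.
  cat >> "$root/.htaccess" <<EOF
# BEGIN admin lockdown
<Files "wp-login.php">
$(require_block "$@")
</Files>
# END admin lockdown
EOF

  # 2. wp-admin/.htaccess: the same allow-list for the whole dashboard
  #    directory, which the wp-login.php rule alone does not cover for a
  #    browser that already holds a valid session cookie. admin-ajax.php is
  #    left open because themes and plugins call it from the public front end,
  #    and a <Files> section's Require lines override the directory's.
  cat > "$root/wp-admin/.htaccess" <<EOF
# BEGIN admin lockdown
$(require_block "$@")
<Files "admin-ajax.php">
    Require all granted
</Files>
# END admin lockdown
EOF
}

# Usage (placeholder path and RFC 5737 documentation addresses):
#   lock_wp_admin /var/www/html 203.0.113.10 198.51.100.0/24
```

After running it, confirm the result from an address that is not on the list: a request for /wp-login.php or /wp-admin/ should return 403, while /wp-admin/admin-ajax.php still answers. If you do lock yourself out, restore the timestamped .htaccess.bak copy over SFTP or File Manager; and remember that on nginx this file has no effect, and behind a CDN or proxy the address Apache sees is the proxy's unless mod_remoteip is configured on the server.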
You can find further security info through our articles on WordPress system lockdown options, including how to disable the XML-RPC function.
How to manage a locked-down admin area
Managing a locked-down WordPress admin area means taking a different approach towards user access.
Here’s a guide to tightening control over admin privileges without interrupting your daily workflow. We’ll also take a look at what to do in the event of an accidental lockout.
Who should have access
For access to the admin area, follow the principle of least privilege: nobody gets an administrator account unless their work absolutely requires it. Assign roles and their capabilities in WordPress first, then add further limits through Shield Security PRO’s Security Admin access restrictions if you want to keep particular settings out of reach even for administrators.
Having a level of control beyond that offered by WordPress lets you tailor access to your precise requirements. You could allow a user to upload new content but not allow them to alter your site title or web address, for example.
What to do if you get locked out by mistake
Everyone can forget their login credentials or set their own access incorrectly. Should you find yourself locked out of your admin panel, don’t panic!
Shield Security PRO has a built-in recovery process to allow for safe and secure re-entry. Provided you can reach the site’s files (through your hosting control panel or SFTP), you can regain access using the following steps:
- Open File Manager in your hosting control panel, or connect with an SFTP client.
- Locate the plugin folder: /wp-content/plugins/wp-simple-firewall/
- Inside this folder, right-click and select Create new file.
- Name the file ‘forceoff’ and click OK. This file will switch off all plugin features.
- Reload your site.
With the plugin disabled, you can log in to your WordPress site as normal and undo whichever security setting locked you out (for example, removing your IP address from the blocklist). Only then delete the ‘forceoff’ file, which switches the plugin’s protections back on.
Drawbacks of locking down the admin area
Some users are naturally concerned about the inconvenience that locking down an admin area may cause. It can be time-consuming to regain access following an accidental lockout. Additionally, restricting admin access may affect overall workflows if managed incorrectly. However, leaving an admin area open may unnecessarily compromise the security of your entire site.
With minimal setup, Shield Security PRO offers the perfect balance between user convenience, and keeping your site safe as you tailor security to match the specific needs of your business.
More ways to secure your site’s admin access
Beyond admin access lockdown, it’s recommended to use the following strategies as a means of keeping the area secure:
Improving login security
Implementing multi-factor authentication (MFA) significantly reduces unauthorised access. Even if a password is compromised, a second factor is still required before the login is accepted.
All websites should also adopt a password policy that requires strong, unique passwords. Forced periodic expiry is often added as well, though current NIST guidance (SP 800-63B) recommends changing passwords when compromise is suspected rather than on a fixed schedule. For the second factor, authenticator apps such as Authy generate a time-limited one-time code (TOTP).
Shield Security PRO comes with both Advanced Password Policies and two-factor authentication. It also sets strict limits on login attempts as a means of deterring brute force attacks. Furthermore, you can set up login alerts through the platform, notifying you of any unauthorised access attempts.
Implementing security measures at other levels
Check your hosting provider’s security measures: Is your site on a shared or dedicated server? Do they provide a firewall, malware scanning, and up-to-date PHP versions?
Training your team on best practices: Conduct regular security training sessions for all of your team and update them on new issues. Reiterate best practices, such as securing personal devices and recognising phishing attempts.
Using Shield Security PRO to block bad bots: The AntiBot Detection Engine blocks malicious bots on your site, guarding against unauthorised access. It also reduces the server load caused by abusive bot traffic, though a plugin running in PHP cannot by itself absorb a volumetric Distributed Denial of Service (DDoS) attack; that protection has to come from your host or CDN.
Adopt the principle of least privilege: Setting privileges on an ‘as required’ basis reduces the number of users able to make major changes to your site. Shield Security PRO’s Security Admin controls can also help enforce the principle of least privilege for administrators, as discussed above.
Take the next step in WordPress security with Shield Security PRO
An unprotected WordPress admin area can allow unauthorised access through the likes of brute force attacks. Once inside, a hacker may unleash malware, change user access, uncover consumer data, or delete whole swathes of content.
Shield Security PRO’s Security Admin feature provides the perfect solution to protecting this gateway into your site. You’ll gain a further layer of security over admin access, allowing you to lock down important WordPress options, and limiting damage should a successful hack occur.
Furthermore, features like bad-bot detection, malware scanning, and login protection help to stop any unauthorised access attempts at the gate. Find the ultimate solution to securing your admin area by downloading Shield Security PRO today!