WordPress Security Tips – Protect Your WP-Admin Directory


WordPress Security

If you own a website, you will know how important website security is to protecting your blog.  You can never be too careful when it comes to securing a site, as you never know who is trying to gain access without permission.

If you run a WordPress site, then you will already be required to log in with a username and password to gain access to your WordPress dashboard.

WordPress Security

Quick note: Always remember to change your default log in details from “admin” to something else and choose a long password that contains both letters (upper & lower case), numbers and symbols (£, &, ?, /, ”, =, %, $, etc.).  It’s also useful to change your password regularly and of course never give it out to anyone!

You may think that your site is pretty secure this way, but you can make doubly sure by adding another layer of authentication.

Setting Up WordPress Security In cPanel

So, in order to do this, we will set it up in your (hosting) cPanel.  Log in and navigate down to the ‘Security’ tab.  You want to click on the ‘Password Protect Directories’ folder.

1. cPanel > Security > Password Protect Directories

WordPress Security

This will open a window asking you to select the folder that you wish to protect.  You want to select the folder that your WordPress files are stored on, which unless you moved it will be in the ‘wp-admin’ folder.

2. Select ‘wp-admin’ folder

WordPress Security

In the next window you can set up your security settings and create a username and password.  Firstly, you want to check the ‘Password protect this directory’ box and name it.  Then simply create a new user with a strong password.  Obviously, make sure this is different to your normal WordPress dashboard login details.

3. Check the ‘Password protect this directory’ box and name it.

4. Create a new user with a strong password.

WordPress Security

That’s all there is to it!  Now whenever you go to log into your WordPress dashboard, you will see a new authentication box where you enter in your newly created username and password.  This will then lead to your normal WordPress Dashboard login screen.

WordPress Security

Simple!  Now, you have a two tiered security set-up that will help prevent anyone from gaining access to your WordPress dashboard.

Have you set up security like this for your site? What other WordPress security measures do you use to protect your site? Please let us know in the comments section below!

Image by ‘Zebble’ [Source]

About Matt Smith

Matt Smith is the founder and editor of OnlineIncomeTeacher. He is a Professional Blogger, SEO Consultant & Web Developer, running a number of sites from the UK. Connect with him on Twitter, Facebook, Google+ and LinkedIn.

  • Andi the Minion

    Great post this, I needed this, WordPress security is a big thing and very often overlooked and left to the last minute by people. This is one thing I am going to implement this week or next… but you might need to remind me 🙂

    • Hi Andi,

      Yes, you can never be too careful with a site, so it’s always good to know that it’s got a good level of security. This is really simple to set up and has certainly made me feel a lot easier.

      I’ll remind you 🙂

  • Ehsan

    A short, but useful tutorial that a lot of WordPress bloggers need to read. Thanks for the effort Matt.

    • Hi Ehsan,

      Glad you found it helpful. Something quite simple to set up that will greatly protect a site.

  • Hi John,

    Who do you host with, if you don’t mind me asking? There should be something similar with your company that will let you set this up. Think there is a way of setting it up manually as well, though I don’t know how to do that.

    I used a similar plugin to “Limit Login Attempts” called “Wordfence Security” [http://wordpress.org/plugins/wordfence/] that would allow you to block IP addresses, as well as other security measures. Unfortunately, it ate up a lot of resources and was one of my slowest plugin, so I removed it. This method will greatly help combat brute force attacks, as they have to crack two separate login details.

    There are other security protection methods you can make to sure up a site, which I’ll hopefully write about soon.

  • Hey Matt this is very useful I didn’t know about the extra security you can add in cpanel, however I want to ask, if you have guest writers logging into your back end will they see this extra authentication box as well?

    • Hi Fabrizio,

      That’s a good question, something I hadn’t really thought about. Yes, anyone who has to log in to the back-end of your site will see this authentication box. In this situation, you have two options;

      1. Give out one authentication username & password to all users.
      2. Create separate usernames & passwords for each user in cPanel.

      Personally, I don’t have anyone logging into my site, but if I did I’d prefer to set up different login details for each, just to be on the safe side.

      Good point though! Should have thought about multi-author blogs when writing this.

  • Walter

    Hi Matt,

    Thanks again for another wonderful post. Let me secure my site just now.


    • Hi Walter,

      Great to hear this has helped you protect your site 🙂

  • Clair Trebes

    Matt this is SO useful!

    100% going to be setting this up on the sites I’m managing!

    Another excellent helpful web tip from OIT 🙂

    • Hi Clair,

      Glad to be of help 🙂 Always best to keep a site protected, just in case. No security set-up is 100% secure, but it certainly makes it a bit harder for anyone trying to break in.