Some Basic Steps For Securing wp-admin Directory of a WordPress Website

Some Basic Steps For Securing wp-admin Directory of a WordPress Website

Adding server-side password protection (such as BasicAuth) to /wp-admin/ adds a second layer of protection around your blog’s admin area, the login screen, and your files. This forces an attacker or bot to attack this second layer of protection instead of your actual admin files. Many WordPress attacks are carried out autonomously by malicious software bots.

Simply securing the wp-admin/ directory might also break some WordPress functionality, such as the AJAX handler at wp-admin/admin-ajax.php. See the Resources section for more documentation on how to password protect your wp-admin/ directory properly.

The most common attacks against a WordPress blog usually fall into two categories.

Sending specially-crafted HTTP requests to your server with specific exploit payloads for specific vulnerabilities. These include old/outdated plugins and software.

Attempting to gain access to your blog by using “brute-force” password guessing.

The ultimate implementation of this “second layer” password protection is to require an HTTPS SSL encrypted connection for administration, so that all communication and sensitive data is encrypted. See Administration Over SSL.

Simplest Way to Protect  Your WordPress Website from Brute Force Login Attempts

Simplest Way to Protect Your WordPress Website from Brute Force Login Attempts

There is brute force attack on almost every WordPress based website. The frequency can be more or less but it usually happens with most of the sites (unless you are hidden from search engines or your site is published privately without the world knowing it.

The best way to look for such attacks and curb them is to install a plugin to stop brute force attack on WordPress sites. Wordfence do it well and here is screenshot of the monitoring email address which gets a notification every time someone tries to get nasty with your websites.

To protect your site, you need to install Wordfence and configure it with the following parameters which instantly blocks any ip trying to log in with invalid username. You can set the time and parameters according to you but an idea setting could be this.