Imagine you have set up your WordPress site, and everything’s running smoothly. But here’s the thing. Just like locking your front door at night, you need to protect the important areas of your website. Hackers often target places like wp-login.php (your login page) and plugins.php (where you manage plugins). Without proper protection, these spots can become easy targets.
Today, we will walk you through some simple yet powerful steps to lock down these important parts of your WordPress site. Don’t worry; you don’t need to be a tech expert to do this! Let’s dive in and keep your website safe.
Protecting wp-login.php
Check these 6 easy ways to protect your wp-login.php. You can choose which is convenient for you.
1. Use Two-Factor Authentication (2FA)
To set up 2FA, install a plugin like Google Authenticator or Wordfence. After installing, go to the plugin settings. You will need to scan a QR code using an authenticator app on your phone. Now, every time you log in, you'll enter your password and a code from the app.
2. Limit Login Attempts
Install a plugin like Limit Login Attempts Reloaded or WP Limit Login Attempts. These plugins allow you to set the number of times someone can try to log in before getting blocked. You can control how long the block lasts and how many retries are allowed.
3. Add CAPTCHA to Login
Use a plugin like reCAPTCHA by BestWebSoft. Once installed, go to its settings. You’ll need to get API keys from Google’s reCAPTCHA site. After setting it up, the CAPTCHA will appear on your login page to stop bots.
4. Change the Login URL
Install WPS Hide Login or iThemes Security plugin. In the plugin settings, you can change the default login URL from wp-login.php to something unique. This prevents attackers from easily finding your login page.
5. Disable Login Hints
In WordPress, error messages reveal whether a username or password is wrong. To hide these hints, add the following line to your functions.php file:
php
add_filter('login_errors', function() { return null; });This disables login error hints, making it harder for attackers to guess credentials.
6. Use a Security Plugin
Install a security plugin like Wordfence or Sucuri. These plugins offer multiple protections like firewalls, malware scans, and login security. You can configure features such as blocking brute-force attempts, hiding the login URL, and more, all within one plugin.
Protecting plugins.php
Here are 4 ways you can protect your plugins.php.
1. Disable Plugin/Theme Editing via wp-config.php
To stop anyone from editing plugins or themes directly in the WordPress dashboard, add this line of code to your wp-config.php file:
php
define('DISALLOW_FILE_EDIT', true);
This disables the built-in WordPress editor, preventing unauthorized changes.2. Use a Security Plugin to Limit Access
Install a security plugin like iThemes Security or All In One WP Security. These plugins can block access to sensitive files like plugins.php and offer other tools like IP blocking, file change detection, and access control.
3. Set Directory Permissions Correctly
Make sure your wp-admin directory has the correct permissions. Typically, set it to 755 (read, write, and execute for the owner, read and execute for everyone else). This ensures files and folders are protected from unauthorized access.
4. Password Protect wp-admin Directory Using .htaccess
Create an .htpasswd file for storing the username and password. Then, add this to the .htaccess file in your wp-admin folder:
apache
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /path/to/.htpasswd
Require valid-user
Replace /path/to/.htpasswd with the correct path. This adds an additional password layer to access anything in the wp-admin directory, including plugins.php.Conclusion
By taking these simple steps to protect wp-login.php and plugins.php, you can greatly reduce the risk of unauthorized access. It's a quick way to keep your WordPress site safe and secure. Stay proactive, and your site will be much harder for hackers to target!
