How to secure your WordPress wp-admin folder

published on April 19, 2010 in Blogging

Simple step to secure the wp-admin directory

Security should be high on everybody’s mind when running WordPress as blog software. Although vulnerabilities are usually fixed quickly, the open-source nature of the code makes it easier for would-be attackers to find flaws, and to target sites that have not yet applied the fix.

The prospect of having to rebuild a breached installation should encourage anyone to take the following simple steps to make their wp-admin folder far harder to reach.

IP based restriction

If you run a small WordPress blog, you are probably the only person who needs access to the administration folder. You can therefore tighten wp-admin security considerably with one very simple step: allow access from a single IP address only.

An IP address is the set of numbers your internet provider assigns to your connection; it is the address a web server sees when you visit it. Finding out your current public IP address is easy: visit a site such as What’s my IP.

With that address you can deny access to the wp-admin folder to everyone else. Put the following in a .htaccess file:

# wp-admin/.htaccess (Apache 2.2 mod_authz_host syntax)
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx

Replace xxx.xxx.xxx.xxx with the address the What’s my IP site gave you and upload the file into your wp-admin folder (NOT your root folder, where it would lock every visitor out of the whole site). Then confirm it works: requesting /wp-admin/ from any other address, for example through a proxy or a mobile connection, must return 403 Forbidden.
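The same rule as a small generator and checker, written for this page as an added example; it is not code from the original post. It assumes an allow-list of addresses and CIDR blocks (constructed here from the RFC 5737 documentation ranges), emits the directory rule in both the Apache 2.2 Order/Deny/Allow form shown above and the Apache 2.4 Require ip form, each inside an IfModule guard so one file suits either server version, exempts admin-ajax.php so the public site keeps working, and lets you check which client addresses the rule would admit before you upload it. It goes beyond the single address in the text by accepting CIDR blocks, which is how you cover a provider’s dynamic pool.

```python
import ipaddress

# Constructed allow-list for this example (RFC 5737 documentation ranges):
# one home address plus an office /24. Replace with what "What's my IP" shows.
ALLOWED = ["203.0.113.7", "198.51.100.0/24"]


def parse_allow_list(entries):
    """Turn '203.0.113.7' / '198.51.100.0/24' strings into ip_network objects.

    A malformed entry raises ValueError here instead of producing a broken
    .htaccess that Apache answers with 500 for everyone, including you.
    """
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def is_allowed(client_ip, networks):
    """Mirror Apache's decision for the generated file: the client is
    admitted iff its address falls inside at least one listed block."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)


def wide_blocks(networks, v4_prefix=24, v6_prefix=48):
    """Return the blocks broader than the given prefix lengths.

    A /16 (65,536 addresses) admits every other customer of the provider
    who lands in that range, so it deserves a second look before uploading.
    """
    return [
        n for n in networks
        if (n.version == 4 and n.prefixlen < v4_prefix)
        or (n.version == 6 and n.prefixlen < v6_prefix)
    ]


def render_htaccess(networks, keep_admin_ajax=True):
    """Render wp-admin/.htaccess for both Apache 2.2 and 2.4.

    2.4 (mod_authz_core) uses Require; 2.2 (mod_authz_host) uses
    Order/Deny/Allow. Each form sits in an <IfModule> guard so the same
    file works on either version.
    """
    def fmt(n):
        # Single addresses are written without a /32 or /128 suffix, as on the page.
        return str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)

    targets = [fmt(n) for n in networks]
    lines = [
        "# Restrict wp-admin to the listed addresses and blocks",
        "<IfModule mod_authz_core.c>",
        "    Require ip " + " ".join(targets),
        "</IfModule>",
        "<IfModule !mod_authz_core.c>",
        "    Order deny,allow",
        "    Deny from all",
    ]
    lines += ["    Allow from " + t for t in targets]
    lines.append("</IfModule>")

    if keep_admin_ajax:
        # admin-ajax.php lives in wp-admin but is requested by logged-out
        # visitors (themes and plugins use it). Leaving it reachable avoids
        # breaking the public site; everything else stays restricted.
        lines += [
            "",
            "# Keep admin-ajax.php reachable for the front end",
            "<Files admin-ajax.php>",
            "    <IfModule mod_authz_core.c>",
            "        Require all granted",
            "    </IfModule>",
            "    <IfModule !mod_authz_core.c>",
            "        Order allow,deny",
            "        Allow from all",
            "    </IfModule>",
            "</Files>",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    nets = parse_allow_list(ALLOWED)
    for wide in wide_blocks(nets):
        print(f"warning: {wide} is a wide block ({wide.num_addresses} addresses)")
    print(render_htaccess(nets))
    # Sanity-check the list before uploading: the office is in, a stranger is out.
    assert is_allowed("198.51.100.42", nets)
    assert not is_allowed("192.0.2.1", nets)
```

Run it, paste the printed text into wp-admin/.htaccess, and regenerate whenever your address changes. The wide_blocks check flags any IPv4 block broader than a /24 (and any IPv6 block broader than a /48); the single-address rule from the text never triggers it. The offline check with is_allowed only tells you the list says what you meant; the real test is still a request for /wp-admin/ from an address that is not on it.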

Additional security

This single step protects wp-admin more than almost any other you could take; even so, each extra layer makes it less likely that a mistake in one of them is fatal. Plugins such as the popular Login Lockdown throttle repeated failed logins, and enabling HTTP authentication on the wp-admin folder puts a second credential in front of the WordPress login.

IP-based restriction has some limitations you need to be aware of:

  • you need to keep the .htaccess file up to date: most internet providers don’t assign a static IP address, so you may have to update the address in .htaccess now and again;
  • you need the IP address of everyone who needs access to the administration folder: simply add another allow from xxx.xxx.xxx.xxx line to the .htaccess file. This includes yourself if you want to reach wp-admin from both home and the office;
  • IP restriction doesn’t protect you against host vulnerabilities: if another account on your shared platform is compromised, the attacker is already behind the .htaccess file;
  • nor does it protect you against someone on the same IP address (behind the same NAT or proxy), or someone who finds out and spoofs it;
  • admin-ajax.php lives inside wp-admin and is requested by many themes and plugins on behalf of logged-out visitors, so front-end features that rely on it will break unless that one file is exempted from the restriction.

Despite those limitations, the protection IP-based restriction provides makes it a worthwhile measure for every WordPress blog owner whose administrators come from a known set of addresses.


25 comments

Scott from fort myers web design April 29, 2010 at 6:09 pm

Good post. What about file/folder permissions? Can we lock those down any further than default? I’ve noticed a few files being accessed directly by potential hackers. Their IP is always different.

Reply

netaccountant May 27, 2010 at 1:24 pm

If you restrict access to your wp-admin folder using IP-based filters they shouldn’t be able to access them.

Reply

Kimi from Wordpress Video Tuts May 27, 2010 at 8:32 am

Useful tip, however what about if I have many dynamic IPs, which change every day?

Reply

netaccountant May 27, 2010 at 12:55 pm

Hi Kimi, I guess it would depend how much they change. You can use – or should be able to use – an IP range to cater for a whole pool of IPs from your provider (using the CIDR information). I tend to use domaintools.com to find out about CIDR. You could also add multiple CIDRs if the dynamic IPs “rotate”.

Reply

Kimi from Wordpress Video Tuts May 27, 2010 at 5:38 pm

Thank you netaccountant!! I will try domaintools.com, didn’t think about it :D

Reply

Chris October 18, 2010 at 8:42 am

I just had to say thank you! I used this on my wp-admin folder after learning of the admin-ajax.php hack and it works like a charm. If you need to test that this is working, use a proxy server to try to access the wp-admin folder…

Reply

netaccountant October 21, 2010 at 9:58 am

Hi Chris,

thanks for the proxy tip. I usually use a server header checker as it uses the IP of the site that checks the URL.

Reply

Tim from Accountants Surrey November 29, 2010 at 12:37 pm

I have a few wordpress blogs and hadn’t heard about these hacks. I have used domain tools and whilst there is a subscription based version it is worth it if you do have a few blogs. Thanks for sharing this (and other gems on this blog)

Regards

Tim

Reply

netaccountant January 28, 2011 at 4:49 pm

Hi Tim,

You can find CIDR info for IP addresses without the need to pay for domaintools (although if you have some spare cash, it is always good to reward great free tools).

Reply

Keith Davis from public speaking December 10, 2010 at 9:40 pm

Hi Leo

Good to get some sound advice on WordPress security.

Thanks for using the KeywordLuv – much appreciated.

Reply

netaccountant January 28, 2011 at 4:51 pm

Hi Keith, you’re more than welcome… love your blog theme BTW

Reply

Matthew from chicago shredding service January 17, 2011 at 8:04 pm

One thing to take into account. If you use this strategy and your blog grows and you hire new writers, you will have to lift this IP restriction if you want them to have administrative access. I could see a novice WP user implementing this security limitation only to forget about it a few months later.

Reply

netaccountant January 28, 2011 at 12:03 pm

Very true Matthew, the .htaccess file needs to be kept up to date with IP information from the other writers (I would even use CIDR information to allow for a greater spectrum of IPs)

Reply

Tulkošanas Birojs January 27, 2011 at 6:23 pm

One more security tip. When login is unsuccessful, WP tells you exactly which of the two was wrong: login or password. To hide those login errors add the following lines to your theme’s functions.php:

// Hide the "invalid username" / "incorrect password" detail on the login form
add_filter('login_errors', function ($error) { return null; });

Reply

netaccountant January 28, 2011 at 4:54 pm

Hi there Tulkošanas, if you implement the IP restriction, people won’t be able to see the login page. Also, with your solution (which I used to use) if you look at the source code, even without the message displayed, you can still figure out what error you got (either username or password wrong)

Reply

Huck from seo services london March 1, 2011 at 10:55 am

This article is very informative, but I have a little question. My internet provider keeps changing my IP address once a week for security purposes (the last two parts of the IP keep changing). In view of this, is there a code where I can set my IP address for the first two parts in the address?
For example: my IP is xxx.xxx.432.123 and after a week it gets changed to xxx.xxx.41.234 whereas the x parts remain the same. I’d be grateful if you can help me with that code.

Reply

netaccountant March 4, 2011 at 9:38 pm

Hi Huck, I guess you could allow a block of IPs in your .htaccess file. Something like xxx.xxx.0.0/16 which would allow for the 65,536 addresses you are referring to (from xxx.xxx.0.0 to xxx.xxx.255.255). Check out the CIDR table on Wikipedia or the article on IP v4.

Reply

Huck from seo services london March 9, 2011 at 7:08 am

Thanks a lot for your reply. That was really helpful indeed..

Reply

Adam Barratt March 6, 2011 at 5:59 pm

This is a great security measure that I was never aware of. I will definitely have to implement this on some of my other wordpress blogs :)
Adam Barratt also wrote Yesterday I Became a Father

Reply

netaccountant March 6, 2011 at 6:49 pm

Hi Adam, thanks for stopping by, and yes it’s so easy to implement that there shouldn’t be any reason not to (apart from the ones mentioned :))
ps. BTW congrats on you becoming a father… even if it was last November!

Reply

John from Lone Worker Security March 8, 2011 at 2:36 pm

Thanks for this tip. It’s certainly a simple way to really tighten up on WordPress security. Like Huck (above) I think that allowing access for a block of IP addresses would be a good move as I think I’m right in saying that this should make it possible for those with dynamic IP addresses to not have to fiddle about updating the IP address in the .htaccess file at all whilst still making the blog much more secure. I guess this would be especially true if your own range of IP addresses related to a specific UK based ISP and you wanted to remove the risk of being hacked by those outside the UK, for example.

Reply

netaccountant March 9, 2011 at 8:24 am

Hi John, thanks for your input. I have used a country based IP restriction on a couple of sites and used IP address location to get the list of UK IPs. If you look down the page – central column – the first box after your own information titled “Get and find IP address ranges corresponding for each country” will give you a fairly complete list of UK IP addresses. 2 things to note: 1. United Kingdom is just after Gabon in their list (probably because they wanted Great Britain); 2. I added half a dozen IPs manually because the list is only fairly complete.

Reply

Adrian April 12, 2011 at 5:09 am

This is very useful. What about protecting against SQL injections in WordPress? I am scared more of that than someone hacking into my account. I understand, there is little we can do about the WP code, unless we are programmers, but what can be done to minimize SQL injection threat (aside from updating WP regularly)?

Reply

netaccountant April 14, 2011 at 12:37 pm

Hi Adrian, the problem with open source is that it is relatively easy for people with bad intentions to find holes – because they have access to the full code running the software. Against SQL injections I guess you need to update as soon as a new version comes out – if you don’t want to go down the route of sanitising all user input. Doing simple things like renaming tables and/or the db can help against injections using table names that begin with wp_. Finally, removing unused plugins and limiting the number of the ones you use can also help against creating vulnerabilities.

Reply

Nelly from Kayako Solutions August 2, 2011 at 10:01 am

Thanks for the post, but I think that your advice can be used only on a personal blog, because it may become a problem when you have a few authors. OK, I’ll add their IPs, but then they may have dynamic ones, or they may travel the world without a laptop, or… you know, problems may appear from nowhere. So to protect my wp-admin folder I use the AskApache Password Protect / Login Lockdown plugin.

Reply


©2014 NetAccountant.net - All rights reserved