Securing WP-admin Directory in WordPress

Posted by Will on April 18, 2013

In an ideal world, it would be easy to change the wp-admin folder name. While that’s not really possible without some hacking of WordPress, there are a variety of things you can do to secure wp-admin a little bit more. I’m not going to get into trying to rename this folder, as until there is a solution officially supported by WordPress, it’s just not worth doing. WordPress isn’t built for it, plugins aren’t built for it, and neither are themes. Here are some additional things you can do though…

Only Allow Certain IPs

This is probably my favorite solution as it really locks things down. What we’re going to do is check the visitor’s IP address, and if it doesn’t match your approved IP addresses, the server returns a forbidden error. This uses the .htaccess file in your wp-admin directory to check for your IP address.

# The two addresses below are placeholders from the RFC 5737 documentation
# range; replace them with your own
order allow,deny
allow from 203.0.113.10
allow from 198.51.100.25
deny from all

You would replace the two IP addresses above with the IP addresses that you want to use to access the WordPress admin. You can allow just one IP address, or as many as you’d like, by adding or removing lines starting with allow from.

Add Another Password Layer

Assuming you are running WordPress through Apache, it is pretty easy to password protect your directory with an htaccess password. Follow the instructions listed on the previous link, and place the code within your wp-admin directory. If you need to generate a .htpasswd file, see the htpasswd generator I created.
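As an added example (not part of the original post), here are the IP restriction and the password layer from the two sections above combined in one wp-admin/.htaccess, written in Apache 2.4 syntax (the order/allow/deny lines above are the 2.2 form). It assumes the directory’s AllowOverride includes AuthConfig; the IP addresses and the .htpasswd path are placeholders to replace with your own.

```apache
# wp-admin/.htaccess -- Apache 2.4 syntax
AuthType Basic
AuthName "WordPress admin"
# Placeholder path: point this at the .htpasswd file you generated
AuthUserFile /path/to/.htpasswd

# A request must carry a valid htpasswd login AND come from an allowed
# address; everything else gets 401/403 before WordPress ever runs
<RequireAll>
    Require valid-user
    <RequireAny>
        # Placeholder addresses from the RFC 5737 documentation range
        Require ip 203.0.113.10
        Require ip 198.51.100.25
    </RequireAny>
</RequireAll>

# Many themes and plugins call wp-admin/admin-ajax.php from visitors'
# browsers on the public site; leave that one file reachable so those
# front-end features keep working for people outside the allow list
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Test from an address outside the list before relying on it: the admin pages should be refused while admin-ajax.php still answers.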

Don’t Use the User Name admin

Please change the user name from the default admin name. If whoever is trying to gain access to your site already has the user name, they are one step closer to forcing their way into your WordPress installation. Especially in light of the recent brute force attack by a botnet that was targeting the user name admin, this is more important than ever.

Password Strength

This should be a given on any site. Don’t use 1234 as your password. Pick something secure: upper case and lower case letters, long strings, symbols, whatever you can do to make guessing your password a little more complicated.
