Protect your wp-admin – WordPress admin security

Your WordPress admin account is a glowing target for crackers.  One suggested way to improve WordPress admin security is NOT to use admin as your admin username.

If you are currently using admin as username, don’t worry.  You can still change it.

  1. create a new hard-to-guess username
  2. Change it to admin
  3. Demote admin username to user or subscriber. Don’t delete it, use it a decoy.
Other things to consider
  • Never use the admin account to post news or blogs – create an editor account instead
  • Use .htaccess to protect wp-admin directory.
  • Use Profile Builder for user profile editing

Protect wp-admin directory

You may want to use .htaccess to protect wp-admin directory. Let’s assume your staticIP is

Your .htaccess should look like this:

AuthName “protected”
AuthType Basic
<Limit GET POST>
order deny,allow
deny from all
allow from

If your IP is dynamic, You may use 192.168.100.  to cover possible IP changes.  If you find yourself locked out due to IP change, find your new IP, and change the old or add the new IP into .htaccess file.

Profile Builder for user profile editing

Use Profile Builder for your user profile editing, in addition for user login and registration.

wp-admin should be only accessible to admin, not to regular users! Regular users should not have any remote connection with wp-admin.  This is one of serious security  oversights of  WordPress.