The WordPress admin dashboard is the control centre of your entire website. Anyone who gains access to it can modify your content, install malicious code, steal user data, or take your site down entirely. The good news is that securing it does not require technical expertise - just a handful of deliberate steps.
Here are 10 practical measures every WordPress site owner should take.
1. Change the Default Admin Username
When WordPress is installed, many setups create an account with the username "admin." This is the first thing automated brute-force bots try when targeting WordPress sites - they already know the username and just need to guess the password.
Go to Users in your WordPress dashboard. If you have a user named "admin," create a new administrator account with a different username, log in with the new account, and delete the old "admin" user (assigning its content to the new account).
2. Use a Strong, Unique Password
Your admin password should be at least 16 characters long and include a mix of uppercase, lowercase, numbers, and symbols. WordPress can generate a strong password for you under Users > Your Profile.
Critically, this password must be unique to your WordPress account - never reuse a password from another site. Use a password manager like 1Password or Bitwarden to generate and store it.
3. Enable Two-Factor Authentication (2FA)
Even a strong password can be compromised through phishing or data breaches. Two-factor authentication adds a second verification step - typically a time-based code from an authenticator app - that an attacker cannot bypass even if they have your password.
Install a plugin like WP 2FA or Two Factor Authentication from the WordPress plugin directory. Set up 2FA for your administrator account and any other privileged users.
4. Change the Default Login URL
By default, WordPress login pages are accessible at /wp-admin or /wp-login.php. Automated bots constantly probe these URLs looking for sites to attack.
Moving your login URL to something non-standard (like /site-access or /manage-2024) eliminates the vast majority of automated login attempts before they even begin.
The WPS Hide Login plugin handles this with a single setting and no code changes required.
5. Limit Login Attempts
WordPress allows unlimited login attempts by default, making it vulnerable to brute-force attacks where bots try thousands of password combinations.
Install Limit Login Attempts Reloaded to block IP addresses after a configurable number of failed attempts. Three to five attempts before a lockout is a reasonable threshold that stops automated attacks without inconveniencing legitimate users.
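A log-side check to pair with the lockout plugin, added here as an example (not code from the article or from the Limit Login Attempts Reloaded plugin): it counts POST requests to wp-login.php that received a 200 response, per client IP, from a combined-format access log. The 200 is the assumption it rests on: WordPress re-renders the login form with an error on a failed attempt and redirects with a 302 on success. The sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the article): flag client IPs whose failed wp-login.php
# attempts reach a threshold, from a combined-format web server access log.
# Assumption: a POST to /wp-login.php answered with HTTP 200 is a failed login
# (WordPress re-renders the form with an error); a successful login redirects (302).

# Usage: flag_login_bruteforce THRESHOLD < access.log
# Prints "count ip" for every IP with count >= THRESHOLD, highest count first.
flag_login_bruteforce() {
    limit="${1:-5}"
    awk -v limit="$limit" '
        # Field layout: ip - - [time zone] "METHOD path proto" status bytes ...
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
    ' | sort -rn
}

# Constructed sample traffic (documentation IP ranges, not real visitors).
log_line() {  # log_line IP METHOD STATUS
    printf '%s - - [10/Jan/2024:10:00:00 +0000] "%s /wp-login.php HTTP/1.1" %s 4321 "-" "Mozilla/5.0"\n' \
        "$1" "$2" "$3"
}
sample_log() {
    i=0; while [ "$i" -lt 6 ]; do log_line 203.0.113.7 POST 200; i=$((i + 1)); done
    log_line 198.51.100.23 POST 200   # two typos ...
    log_line 198.51.100.23 POST 200
    log_line 198.51.100.23 POST 302   # ... then a successful login
    log_line 192.0.2.44 GET 200       # only loading the form
    log_line 192.0.2.44 POST 200
    log_line 192.0.2.44 POST 200
    log_line 192.0.2.44 POST 200
    log_line 192.0.2.44 POST 200      # four failures: under the default threshold
}

# With the article's suggested threshold of five, only 203.0.113.7 is reported.
sample_log | flag_login_bruteforce 5
```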
6. Keep WordPress, Plugins, and Themes Updated
The majority of WordPress compromises exploit known vulnerabilities in outdated software. Plugin and theme developers regularly release security patches, but they only protect you if you install them.
Enable automatic updates for minor WordPress versions under Dashboard > Updates. For plugins and themes, review and apply updates at least weekly. Delete any plugins or themes you are not actively using - they are attack surfaces even when deactivated.
7. Use HTTPS with a Valid SSL Certificate
Always access your WordPress admin dashboard over HTTPS. If your site is properly configured with an SSL certificate (which dotCanada hosting provides via AutoSSL), add this line to your wp-config.php to force HTTPS for the admin:
define('FORCE_SSL_ADMIN', true);
This ensures your login credentials are never transmitted over an unencrypted connection.
8. Set File Permissions Correctly
Incorrect file permissions can allow unauthorized users to read or modify your files. Standard WordPress file permissions are:
- Files: 644
- Directories: 755
- wp-config.php: 600 (only the owner can read or write it)
You can review and set permissions in cPanel File Manager by right-clicking files and selecting Change Permissions.
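For hosts where you have shell access rather than cPanel, here is an added example (not from the article) that audits a WordPress tree against the modes above and repairs any drift. It assumes a find(1) that supports -perm with an exact mode, -exec ... + and -maxdepth, and it builds a scratch tree with deliberate mistakes so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the article): audit and repair WordPress file permissions
# from a shell, using the article's targets: directories 755, files 644, wp-config.php 600.
# Assumes find(1) with -perm MODE (exact match), -exec ... + and -maxdepth.

# Usage: audit_wp_perms /path/to/wordpress
# Prints "expected:path" for each mismatch; prints nothing when the tree is clean.
audit_wp_perms() {
    root="$1"
    find "$root" -type d ! -perm 755 -exec printf '755:%s\n' {} +
    find "$root" -type f ! -name wp-config.php ! -perm 644 -exec printf '644:%s\n' {} +
    find "$root" -maxdepth 1 -name wp-config.php ! -perm 600 -exec printf '600:%s\n' {} +
}

# Usage: fix_wp_perms /path/to/wordpress
fix_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then chmod 600 "$root/wp-config.php"; fi
}

# Returns 0 (true) when the tree matches the targets; handy as a cron check.
wp_perms_clean() {
    [ -z "$(audit_wp_perms "$1")" ]
}

# Constructed scratch tree with three deliberate mistakes (safe to run anywhere).
demo_tree() {
    d="$(mktemp -d)"
    mkdir -p "$d/wp-content/uploads"
    : > "$d/index.php"; : > "$d/wp-config.php"; : > "$d/wp-content/uploads/a.jpg"
    chmod 755 "$d" "$d/wp-content"; chmod 644 "$d/index.php"        # correct baseline
    chmod 777 "$d/wp-content/uploads" "$d/wp-content/uploads/a.jpg"  # world-writable
    chmod 644 "$d/wp-config.php"                                     # secrets readable by all
    printf '%s\n' "$d"
}

# Walk-through: three findings before the fix, none after.
T="$(demo_tree)"
audit_wp_perms "$T"
fix_wp_perms "$T"
audit_wp_perms "$T"
rm -rf "$T"
```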
9. Disable File Editing in wp-config.php
WordPress includes a built-in file editor that lets administrators edit theme and plugin PHP files directly from the dashboard. If an attacker gains admin access, this editor gives them the ability to inject malicious code instantly.
Disable it by adding this line to your wp-config.php:
define('DISALLOW_FILE_EDIT', true);
This is a single line that eliminates a significant attack vector.
10. Maintain Regular Backups
No security setup is perfect, and even a well-hardened site can be compromised. Regular backups are your last line of defence - they let you restore a clean version of your site quickly if something goes wrong.
dotCanada hosting includes daily automated backups. Supplement these with a dedicated backup plugin like UpdraftPlus that can store copies offsite (Google Drive, Dropbox, Amazon S3) for additional redundancy.
Schedule weekly offsite backups at minimum, and test a restore at least once every few months to confirm your backups actually work.
Implementing these 10 steps takes less than an afternoon, and the protection they provide is well worth the investment. Start with the highest-impact items - 2FA, login URL change, and limiting login attempts - and work through the rest at your own pace.