WordPress is a very common target for hacking attempts, and bloggers need to be careful about securing a website that runs on the WordPress platform. There are many tips, tricks and WordPress plugins available, but the most important step is securing your WordPress admin directory against unnecessary login and hack attempts.
Move the Core files to a Non Root Directory
The very first thing you should do is move the core WordPress files to a different directory on your website. Do not leave the files lying in the root directory, as this is the most common location, which anyone can guess and use to try to exploit your site. What I suggest is to make a new directory on your website, e.g. yourwebsite.com/files or yourwebsite.com/dir, and move all the core WordPress files into that directory.
And do not name that directory “WordPress” either, which is another common name that anyone may guess.
Protect the wp-admin folder using .htaccess
Another good move is to protect your wp-admin directory using an .htaccess file. Just put the following code in the .htaccess file of your wp-admin folder:
# Apache 2.2 access-control syntax (on Apache 2.4 this needs mod_access_compat)
# Order deny,allow: a request matching any "allow from" line is let through, everything else is denied
order deny,allow
deny from all
allow from xx.xx.xx.xx
allow from xx.xx.xxx.xx
Replace xx.xx.xx.xx with your computer's IP address.
The above code tells your web server that only a small number of IP addresses can access your WordPress administration area and log in through the wp-login.php page. You can find your computer's IP address from this website
Hence, if you only use your home or office computer to log in to WordPress, it is certainly a good idea to use the .htaccess file and specify the IP addresses of your home and office computers. This ensures that any other IP address trying to access your wp-admin directory gets a 403 Forbidden error.
In the following video, Google Engineer Matt Cutts shares some good tips on how to protect your WordPress blog from unauthorized access:
Note: You will have to change the TCP/IP settings in your network connections and use a static IP address, because if you choose the option “Choose an IP address automatically”, you might not be able to log in to your WordPress admin area. This is because every time you connect to the internet, your computer may be assigned a new IP address that does not match the IP address listed in the .htaccess file kept in the wp-admin folder.
In that case, you will have to delete the code from the .htaccess file, clear your browser's cache and reload the login page to access the WordPress admin area.
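To see exactly which requests the wp-admin .htaccess rules let through, and what the lockout described in the note above looks like, here is an added Python example (not code from the original post). It parses a constructed .htaccess of the same shape as the snippet above, applies Apache 2.2 `Order deny,allow` / `Order allow,deny` semantics to a few constructed access-log lines (RFC 5737 documentation addresses), and prints an Apache 2.4 `Require ip` equivalent. It is an assumption of this example that only full IP addresses, CIDR ranges and `all` are used; Apache's partial-address forms (e.g. `allow from 10.1`) are not handled.

```python
import ipaddress
import re

# Constructed .htaccess content, same shape as the snippet in the post (example only).
HTACCESS = """\
order deny,allow
deny from all
allow from 203.0.113.10
allow from 198.51.100.0/24
"""

# Constructed Apache combined-format log lines. The last one is "your" computer after
# its address changed from 203.0.113.10 to 203.0.113.11: it is now locked out.
ACCESS_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-admin/ HTTP/1.1" 200 4523
198.51.100.77 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1871
192.0.2.55 - - [10/Oct/2023:13:56:40 +0000] "POST /wp-login.php HTTP/1.1" 403 199
203.0.113.11 - - [10/Oct/2023:14:02:12 +0000] "GET /wp-admin/ HTTP/1.1" 403 199
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_htaccess(text):
    """Return (order, deny_hosts, allow_hosts) from Apache 2.2-style access lines."""
    order = ("deny", "allow")  # Apache's default when no Order line is present
    deny, allow = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            order = tuple(p.strip().lower() for p in parts[1].split(","))
        elif key in ("deny", "allow") and len(parts) >= 3 and parts[1].lower() == "from":
            (deny if key == "deny" else allow).extend(parts[2:])
    return order, deny, allow


def matches(ip, hosts):
    """True if ip matches any host entry: 'all', a single address, or a CIDR range."""
    addr = ipaddress.ip_address(ip)
    for host in hosts:
        if host.lower() == "all":
            return True
        if addr in ipaddress.ip_network(host, strict=False):
            return True
    return False


def is_allowed(ip, order, deny, allow):
    """Apache 2.2 Order semantics.
    deny,allow: allowed unless it matches a Deny and no Allow (default state: allow).
    allow,deny: allowed only if it matches an Allow and no Deny (default state: deny)."""
    in_deny, in_allow = matches(ip, deny), matches(ip, allow)
    if order == ("deny", "allow"):
        return in_allow or not in_deny
    if order == ("allow", "deny"):
        return in_allow and not in_deny
    raise ValueError(f"unsupported Order {order}")


def audit(htaccess_text, log_text):
    """Replay admin-area requests from the log against the rules: [(ip, path, allowed), ...]."""
    order, deny, allow = parse_htaccess(htaccess_text)
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, _status = m.groups()
        if not (path.startswith("/wp-admin") or path.startswith("/wp-login.php")):
            continue
        results.append((ip, path, is_allowed(ip, order, deny, allow)))
    return results


def require_ip_block(allow):
    """Apache 2.4 equivalent of 'deny from all' plus the allow list: a single Require ip line.
    Addresses not listed are denied, so no separate deny line is needed."""
    return "Require ip " + " ".join(h for h in allow if h.lower() != "all")


if __name__ == "__main__":
    for ip, path, ok in audit(HTACCESS, ACCESS_LOG):
        print(f"{ip:<16} {path:<16} {'allowed' if ok else '403 Forbidden'}")
    print("\nApache 2.4 form:\n" + require_ip_block(parse_htaccess(HTACCESS)[2]))
```

The address to list is the one the web server sees for your connection, which is the first field of these log lines; checking the wp-admin entries in your server's access log is the quickest way to confirm you have the right one, and to spot a lockout before you start editing the file.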