WordPress admin security guidelines

WordPress is a really popular content management system and being so prone to attacks. sapnasecurity team has accordingly released a guideline to help secure your WordPress admin environment.


  1. Implementing Two Factor Authentication to prevent unauthorised access
  2. Implementing Password Policy Manager/enforcement plugins and ensuring usage of strong password for backend and changing it every six months.
  3. Handling Username enumeration and password brute forcing by implementing wordfence plugin
  4. Restricting Users can submit unlimited login requests with no apparent request throttling or account lockout policy using wordfence plugins
  5. Disabling Username autocomplete disabled
  6. Never use the default admin username
  7. Password protect wp-admin folder.
  8. Create a custom login URL to avoid exposing default login URL(/wp-login.php). One plugin which does something similar is WPS Hide Login.
  9. Restrict login access to specific IP addresses if possible.
  10. Use a Website Application Firewall
  11. Ensuring Login session timeout of 24-30 minutes
  12. Ensuring that the “Remember Me” option of the browser is not used while login.