To safeguard your WordPress site and prevent unauthorized access to your admin panel, you can take the following steps:
Keep WordPress core up-to-date
By default, WordPress only updates minor versions automatically. To enable automatic updates for major versions, add the following line to your wp-config.php file:
define('WP_AUTO_UPDATE_CORE', true);
Keep plugins up-to-date
It’s very weird because you need to modify your template to activate it …
WTF… template not core?
Core developers = asshole! – sycured
Create a child theme
Never, never, never modify the official theme directly, you need to use a child theme.
I'll let you read the official documentation
Activate automatic updates
You need to add two lines to the child theme's functions.php
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
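The two filters above accept a callback, not only __return_true, so the same mechanism can keep "update everything" as the default while skipping a few items you know will break and logging every decision. This is an added example for a child theme's functions.php, not code from the post or from WordPress itself; the excluded slugs are constructed placeholders.

```php
<?php
/**
 * Child theme functions.php (added example).
 * Default: every plugin and theme updates automatically, as recommended above.
 * Exception: slugs listed below are skipped, and each skip is written to the PHP error log
 * so a missed security update does not go unnoticed.
 */

// Constructed placeholder slugs; replace with items that really must be updated by hand.
const CHILD_THEME_SKIP_PLUGINS = array( 'example-legacy-plugin' );
const CHILD_THEME_SKIP_THEMES  = array( 'example-custom-parent-theme' );

/**
 * Decide whether one plugin or theme may auto-update.
 *
 * @param bool   $update Decision made so far by WordPress or earlier filters (unused: we override it).
 * @param object $item   Update item: ->slug for plugins, ->theme for themes, ->new_version for both.
 * @param array  $skip   Slugs that must not update automatically.
 * @return bool  true to let WordPress install the update.
 */
function child_theme_auto_update_decision( $update, $item, array $skip ) {
	$slug = isset( $item->slug ) ? $item->slug : ( isset( $item->theme ) ? $item->theme : '' );
	$ver  = isset( $item->new_version ) ? $item->new_version : 'unknown';

	if ( in_array( $slug, $skip, true ) ) {
		// Log loudly: a skipped update is a conscious risk someone must follow up on.
		error_log( "auto-update SKIPPED for '{$slug}' (new version {$ver}); update it manually" );
		return false;
	}
	return true;
}

// Plugins: same behaviour as add_filter( 'auto_update_plugin', '__return_true' ), minus the skip list.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
	return child_theme_auto_update_decision( $update, $item, CHILD_THEME_SKIP_PLUGINS );
}, 10, 2 );

// Themes: same as add_filter( 'auto_update_theme', '__return_true' ), minus the skip list.
add_filter( 'auto_update_theme', function ( $update, $item ) {
	return child_theme_auto_update_decision( $update, $item, CHILD_THEME_SKIP_THEMES );
}, 10, 2 );
```

With both skip lists empty this behaves exactly like the two one-line filters above.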
U2F and OTP for all users
2FA rules the world, and we use it right now to keep hackers out of wp-admin.
Plugin
It’s an open-source plugin: Two-Factor
Configuration
All configuration is inside each user’s account:
I recommend you use the same settings to have the best security…
After taking this screenshot, I added my 2 other U2F keys.
SSO when you can
SSO can be used to unify the login method but keep in mind that U2F & OTP must be activated at the SSO provider level.
Plugin
It’s another open-source plugin: OpenID Connect Generic Client
Configuration
Error in log
This is an example of a failed authentication attempt against WordPress: access is not authorized.
Caution
In this configuration, you need to create the users in your WordPress with the same email address they use to sign in at the SSO provider: there is no automatic registration or synchronization.
Conclusion
You have a better security level without high computing costs.
I prefer the SSO way because it makes it possible to force OTP/U2F.