Looking for ways to secure your WordPress login page?
The login page is one of the most vulnerable pages of your WordPress website. It’s an entry point. Anyone with the right credentials can gain access to your site through that page.
So it’s not surprising that this particular page is often targeted by hackers who design bots to try out different credentials until they find a match. This is called a brute force attack. And almost all WordPress websites experience this type of attack regularly.
Luckily, there are ways to secure your WordPress login page by taking certain steps. In the rest of the article, we will discuss what measures you need to take to implement WordPress login security.
Let’s get started.
WordPress Login Security: Steps You Can Take to Secure Your Site
There are 6 essential steps that you must implement to secure the login page of your WordPress site. Those are:
1. Use strong credentials
2. Change login page URL
3. Implement two-factor authentication
4. Prevent discovery of username
5. Limit failed login attempts, and
6. Use a security plugin
In the next few sections, we are going to discuss how taking these steps will secure your login page. We will also show you what is the right way to implement these steps.
But before you start, we insist that you take a backup of your entire website.
In this article, we will ask you to install new plugins and make modifications to your WordPress files. Both of these activities involve a lot of risks. You can end up damaging your site. Even seasoned WordPress users are careful when they install a new plugin or make modifications to their WordPress files.
A backup is a safety net. In case things go wrong, you can quickly restore your site back to normal and try again. If you don’t have a backup plugin already installed on your website, then choose one from here.
Now let’s dive into WordPress login security measures.
1. Use Strong Credentials
One of the most common reasons why hundreds of thousands of WordPress websites get hacked is because they use weak usernames and passwords.
We get it. You just want to use credentials that are easy to remember. However, with the advent of reliable password managers, there is no longer any reason to keep using weak credentials.
Here are a few tips on how to create strong credentials:
- Use a combination of lowercase and uppercase letters, numbers, and special characters to create a username and password
- Use different usernames and passwords for different websites
- Create a password that’s 12 characters long
- Avoid using real words in your passwords
- Avoid using your name, a family member’s name, or even your pet’s name in the password
- Avoid using keyboard patterns such as 12345678
- Update password every quarter
Pro Tip: Many website owners don’t take usernames as seriously as passwords. But the username is really the first line of defense for your login page. If you use a weak username like “admin,” “username123,” etc, you are making it easy for hackers to guess your credentials. So make sure your usernames are strong and unique.
2. Prevent Discovery of Username
Preventing the discovery of a username is one of the most overlooked WordPress login security measures.
Usernames can be found on WordPress websites, typically, on the top of published posts.
This means hackers can easily scrape the usernames from your site and by combining them with different passwords they can figure out your credentials.
Your username is half of your login credential. So by exposing the usernames on your website, you are making it way too easy for the hackers to invade your site.
To prevent this from happening, you will need to change your display name from the user profile page.
We’ll show you how to do that but first, let’s take a quick look at what is a display name and how is it related to the username.
When you create a user account you are asked to enter a username and a password.
By default, WordPress sets the username as the display name. This is the name that appears on the top of published posts on your website. Luckily, the display name can be modified from the WordPress dashboard. Here’s how:
On your WordPress dashboard, go to Users > Profile and scroll down to the Display name publicly as an option. It has a dropdown option. If you select it, it will show you other display names that you can use.
But if you don’t see any other display name, go to the Nickname option and replace your present nickname with a new name.
Then, return to the Display publicly as an option and again select the dropdown menu. The new nickname should appear in the dropdown menu. Select it and save your settings.
The display names on your published posts will now be changed to the new name.
That said, this is not a foolproof method of hiding your username.
Usernames also appear in the URL of the user profile page so hackers can still find your username by scraping the URLs of your website.
Don’t worry! You can still prevent the discovery of your username.
To prevent hackers from discovering your username from the user profile page URL, you can implement any one of the following steps:
i. You can redirect the profile page to the homepage of your site. Whenever hackers try to access the page to scrape the username from the URL, they will be redirected to the homepage. Here’s a guide that’ll help you learn how to redirect pages on a WordPress site.
ii. Alternatively, you can prevent access to the profile page by removing it from the search engine and your sitemap.
To do this, you need to install the Yoast plugin on your WordPress site and set it up properly with the help of this guide.
Next, open the user profile page by going to Users > All Users and then click on the Edit button below the user whose profile page you want to retire.
On the next page, you find a Do not allow search engines to show this author’s archives in search results option somewhere down the page. Select that.
It will prevent the user profile page from appearing in the search engine and your sitemap. This means hackers can’t access your user profile page and therefore they can’t find your username.
3. Change Login Page URL
Anyone familiar with the WordPress platform knows that the login page of a WordPress website can be accessed by adding “wp-admin/” or “wp-login.php/” to the end of the domain. Easy access to the login page is one of the main reasons why hackers target WordPress websites.
But what if you hid the login page by changing the URL?
For instance, you can retire the default WordPress login URL (i.e. https://yoursite.com/wp-admin/) and create a new URL that looks something like this: https://yoursite.com/secretlogin/.
If hackers try to access your website using the default login they will face a 404 error, or you could redirect them to the homepage.
There are plenty of plugins out there that can help you change the login URL.
We used Protect Your WP Admin plugin on our demo site but you can use any one of the following plugins as well: WPS Hide login, Perfmatters, and iThemes Security.
Step 1: To change the WordPress login page URL, install and activate the Protect Your WP Admin plugin on your website.
Step 2: Then go to Settings > Protect WP-Admin. You should see an option called New Admin Slug. Enter and new login URL (as we have done in the image below)
Step 3: Make sure to select the Enable option. And hit the Save Settings option.
You have now changed the URL of your login page and implemented one of the most effective WordPress login security measures.
Try opening the page using the old URL (i.e. https://yoursite.com/wp-admin/). You will be redirected to the homepage of the website.
4. Implement Two-Factor Authentication
Two-factor authentication adds an extra step to the login process. Anyone who wants to log in to your site will need to enter a time-based one-time password (TOTP) right after entering the username and password. The TOTP is generated via an app or it is sent by SMS or phone call.
Some of the most popular websites like Facebook, Twitter, and Gmail use two-factor authentication to protect user accounts from hackers. Even if hackers manage to figure out your credentials, they can’t get the TOTP that is needed to log into the site.
To add two-factor authentication to your WordPress site, you will need to install and activate any one of the following plugins:
- WP 2FA
- MiniOrange Two-Factor Authentication
- Duo Two-Factor Authentication
- Two Factor Authentication
- Rublon
On our demo site, we used the WP 2FA plugin to implement two-factor authentication. Here’s how you can install and set up the plugin on your own site:
Step 1: Install and activate WP 2FA on your WordPress website. A setup wizard will appear where you will be asked to select a primary two-factor authentication method.
Step 2: Under the primary method select One-time code via 2FA App (TOTP) and move on to the next step.
Step 3: You will be asked if you want to enforce the two-factor authentication on some users or all users. Select All users.
Step 4: Then you will have to specify whether users need to configure two-factor authentication immediately or if they have a grace period of a few hours or days. Select Users have to configure 2FA straight away.
Step 5: Next, select the Configure 2FA now option, and a pop-up will appear with a QR code. You will need to scan the code with a two-factor authentication app.
Step 6: Install any one of the following two-factor authentication applications on your smartphone:
- Authy
- Google Authenticator
- Microsoft Authenticator
- Duo Security
- Lastpass
- FreeOTP
- Okta Verify
We recommend using Google Authenticator because it has a very small learning curve.
After installation, the app will ask you to set up your first account by selecting any one of the following options: Scan a QR code or enter a setup key.
Select the Scan a QR code option and then go to your WordPress dashboard and scan the code.
And that’s it, folks. You now have a two-factor authentication system implemented on your WordPress login page.
Pro Tip: As you can see, the two-factor authentication method relies heavily on your smartphone. So if you lose your smartphone, logging into the site will become impossible. Therefore, have a backup method in place. Set up a backup method with the help of this guide. If something happens to your primary two-factor authentication method, users can still log into your site with the backup method.
5. Limit Failed Login Attempts
WordPress allows users to attempt to log in as many times as they want to. This is dangerous because it allows hackers to try different combinations of usernames and passwords until they find the right credentials.
Even if hackers can’t find the right credentials, continuous login attempts will overwhelm your website server and your site will crash.
To prevent hackers from figuring out your credentials or crashing your site, you can set a limit on failed login attempts.
If you have a security plugin installed on your WordPress website, then it might have features that enable limiting failed login attempts. For instance, the iThemes Security Plugin lets you set the number of times users can attempt to log into the site.
If you don’t have a security plugin installed, you can use any of the following plugins to limit failed login attempts:
The Limit Login Attempts Reloaded plugin is the most popular one. It has 2 million installs so we tried using it on our demo site. Here’s what we did:
Step 1: Install and activate Limit Login Attempts Reloaded on the WordPress website.
Step 2: Then go to Settings > Limit Login Attempts > Settings. In the Lockout allowed retires option, enter the number of times you want users to try to log in before they are blocked from any more attempts.
Save your settings. And that’s it! You have implemented a crucial WordPress login security measure.
6. Use a Security Plugin
WordPress security plugin will use a firewall to help identify suspicious visitors and block them from accessing the website altogether. This means it will prevent hackers who come to your site with the intention of brute-forcing your login page.
That said, security plugins offer a lot more than just a firewall. They can scan your website on a daily basis and help clean your site if it gets hacked. Many of the measures that we have covered in this article (like implementing two-factor authentication and limiting failed login attempts) can be implemented using security plugins.
So if you are not already using a security plugin on your site, install one right away. Here’s a list of the best WordPress security plugins. Take your pick.
That’s it, folks. These are the steps you should implement to ensure WordPress login security.
Conclusion
As you can see, there are a number of ways to secure your WordPress login page. Some of the most essential steps include using strong credentials, changing the login page URL, implementing two-factor authentication, preventing discovery of username, limiting failed login attempts, and setting up a security plugin on your WordPress website.
Apart from these, you may also consider implementing the following steps:
- Enable auto logouts when the website is sitting idle.
- Remove the WordPress version so that hackers can’t exploit known vulnerabilities.
- If you are using WordPress version 4.4 or any version before that, then disable the XML-RPC.
- Set user roles carefully. Make sure only a few trusted users are made administrators.
With that, we have come to the end of this article. Let us know if you have any comments.
