Securing WordPress Login Page: Tips and Tricks

Ensuring web security is a continuous and ongoing process for all websites. No matter how many precautions you take, there is always room for improvement. Hackers are always on the lookout for vulnerabilities to exploit, and so website owners must be vigilant at all times. Hosting, weak passwords, older versions of WordPress, or dubious themes/plugins are all possible entry points for bots to gain access to your site. One way to make it harder for hackers is by stepping up the protection of your WordPress Admin or Login Page. This page serves as the gateway to your website, and by hardening its security, you can stop most of the mischief right at the doorstep.

Here are some ways to protect your Admin page:

Change Username

The default username in WordPress is “Admin,” and bots are aware of this. If they can guess your password, then you have essentially invited them into your site. Therefore, it is important to change your username to something unique and difficult to guess. For instance, if you run the New York Soccer Club website, “NY Soccer” would not be a suitable username.

To change your username, follow these simple steps:

1. Log in to WordPress using your existing Admin user account.

2. Add a new user by clicking on Users > Add New.

3. Pick “Administrator” as the role for this new user. Choose a unique username for this new user as they will become the new admin user.

4. Log out of the old “Admin” user account.

5. Log in again using the new unique username you created.

6. Delete the original “Admin” user. You’ll need to reassign all your old posts from the old “Admin” user to the new user.

You can also change the username by accessing phpMyAdmin. SiteGround provides more information on this.

Strong Password

Changing your username is only half the battle. You must also strengthen your password so that bots cannot guess it. Birthdays, pet names, and favorite sportspeople are all easily guessed. Brute force attacks are frequent and repeated attempts at guessing the password by trial and error. If the password is weak, these attacks are bound to succeed. Therefore, strong passwords are essential.

A strong password should ideally use a combination of numbers and letters, both upper and lower case. Throw in a symbol or two like ‘!’ or ‘@’. WordPress provides the option to generate a strong password, or you can use a Password Generator. You can check if your password is strong at How Secure Is My Password. It is also important to change your password regularly.

If you find it hard to remember passwords, consider using password managers like LastPass, DashLane, KeePass, 1Password, and RoboForm. A password manager stores all your passwords in an encrypted form, and you can access them from any device.

Limit User Access

If you are the only one who accesses the Admin, then this step is not necessary. However, if you allow multiple users to access the backend, you should keep tight control over their privileges. Permit access and privileges only to the areas and to the extent that is necessary for them to perform their tasks.

Users on your site should also be required to use strong passwords. To ensure this, you can install the Force Strong Passwords plugin. This plugin allows users to access the site only if they have set up a strong password for themselves. Alternatively, you could look at Login Security Solution, which also examines and enforces password strength without annoying genuine users.

Limit Login Attempts

Bots gain entry into your site by trying out various combinations of username and password. It may take them many attempts before they can break in. If we limit the number of attempts that can be made from a single IP, we can drastically cut down on the chances of bots gaining access.

There are specialized plugins that can carry out this task:

Limit Login Attempts – Limits the rate of login attempts for each IP. It is a commonly used plugin, even though it has not been updated for a long time.

Brute Force Login Protection – Protects your website against brute force attacks using .htaccess.

Jetpack Protect – To protect WordPress websites from bot net attacks.

It’s also worth noting that some web hosts offer this feature built-in. WP Engine, for example, added this to their hosting platform back at the beginning of 2015 to make the websites they host more secure (in addition to their free SSL, two-factor authentication, automated backups, multiple firewalls, malware scanning, and more).

Change Your Login URL

The URL for logging into all WordPress websites is, by default, your site’s main URL followed by wp-login.php or wp-admin – for instance, Hackers know this, and if you can change this URL, you’ll be making it harder for them to get into your website.

You can install Protect WP-Admin to change the URL of your admin panel and block the default links. You can change it to anything you like, such as When a query for or reaches the site, it will be redirected to the homepage. Only the custom URL will be allowed to the admin panel.

A reliable way to protect your admin page is to entirely block access to your wp-admin and wp-login.php page. However, this can only be employed if you use one IP address that doesn’t change. Otherwise, you run the risk of being locked out of your website. If you can keep track of multiple IP addresses, you can still go ahead and adopt this option.

You can also restrict access to your wp-login.php file using HTTP Basic Authentication. This is an external layer of security that a user has to get past to reach the login page. You’ll need to generate a .htpasswd file to list all authorized usernames and their respective encrypted passwords. A brute force attack can be launched against HTTP basic authentication as well, but it’s going to be double the effort for hackers to crack both layers.

Add SSL To Your Website

SSL is standard security technology. HTTP is the Hyper Text Transfer Protocol for transfer of data between a server and a browser. The secure version of HTTP is HTTPS, the “S” standing for Secure. Together they verify the identity of the website to the user, and assure the user about the confidentiality between the website and the user’s browser.

Once you’ve set up SSL/HTTPS, the server encrypts data, and only the user’s browser can decipher it. To any unwelcome third party, the data won’t make any sense and will just appear as a string of characters. As a bonus, you’ll find that Google favors HTTPS while ranking websites.

Getting yourself an SSL certificate may no longer be optional, particularly if you’re using the Chrome browser. That’s because Google is on course to mark all non-HTTPS sites as “non-secure.”

Today, all non-HTTPS sites are simply neutral as to the indication of SSL status, but that will change in January 2017. All websites needing passwords or collecting credit card information must become secure or risk being labeled as non-secure by Google.

Many companies like Comodo, DigiCert, and offer certifying services. Certificates can be acquired without too much cost from SSLMate and for free from Lets Encrypt. Some hosting service providers offer free SSL with their hosting plans. You can read up more on installing SSL in our HTTPS & free SSL guide.

Two-Factor Authentication

Two-Factor Authentication is one of the most secure ways to protect your website from hackers. It works in addition to the standard username/password that you already have. Once you have keyed in these credentials, a code is generated on a device that you have, often your smartphone. Only when this code is entered do you gain access to the site.

Many free and premium plugins are available for installation on your website. This security method has been around for quite a while, but is now being increasingly applied to website access. You can read more about two-factor authentication in our earlier post.

Security Plugins

Many websites install plugins that take care of WordPress security in a comprehensive manner. They pack in firewall protection, malware scanning, blacklisting and whitelisting IPs, monitoring user activity, audit logging, and generally harden all-round security. Both free and premium options are available.

Some plugins that include login protection are:

Wordfence – Enforces strong passwords and prevents brute force attacks.

iThemes – Fights automated attacks and limits the number of login attempts. It also implements tougher user credentials.

All in One Security and Firewall – Prevents brute force attacks and allows IP level blocking, locking out a user after a specified time period. Other login protection features include login lockdown and whitelisting/blacklisting IP addresses.

BulletProof Security – Login and brute force protection.

McAfee Secure – Offers multiple layers of protection including a trusted site mark, malware scanning, and identity protection coverage for e-commerce stores (a huge asset).

Final Thoughts

The methods listed in this post are mostly simple but highly effective ways in which you can curtail bots, malware, and mischief makers from breaking into your website. You can also add captchas or other small tests to verify if the attempted login is by a human and prevent bots. If you need more tips on WordPress security, read what Freddy has to say in this post.

Stay in Touch


Related Articles