WordPress Login Security: 13 Ways to Secure Login Page

WordPress Login Security

WordPress powers more than 2.6 million websites. Given this popularity, WordPress is a favorite target of cybercriminals. As a result, it is common to hear about security incidents targeting WordPress websites.

Fortunately, securing WordPress websites is all about observing certain best practices.

In this article, we’ll look at how you can secure your login page. Let’s get started!

Table of Content

Why Should You Secure the WordPress Login Page?

The WordPress login page is the gatekeeper to your website. Very often, it's the only hurdle to accessing the WordPress dashboard.

You can imagine the consequences of the scenario where hackers manage to go through the login page. Depending upon the compromised account's privileges, they can access, modify, or even delete website content.

Given their structure, hackers often use brute force attacks on WordPress login pages. They deploy automated scripts that try hundreds of username and password combinations in an hour. Since WordPress does have login rate limiting capabilities by default, an unprotected login page is an easy target for these scripts.

Top WordPress Login Security Practices

The good news is that securing the WordPress login page is pretty easy. You just need to keep the following best practices in mind, and the page will be protected from most threats.

1. Limit Login Attempts

WordPress places no restrictions on the number of attempts a user has to log into a website.

Unfortunately, this means hackers can brute-force their way into your website.

You can close this loophole by installing a plugin that limits the number of login attempts. These plugins monitor the login page and redirect the user when they fail several times (usually three or five attempts).

With LoginPress you can easily set up Limit Login. You can learn more about our guide on How To Limit Login Attempts in WordPress (Easy Guide).

2. Add CAPTCHA

CAPTCHA is another good option to secure your login page. It is like a shield to your website that protects it against bots and other automated malicious software. The CAPTCHA could easily be solved by a human but is hard for the bots.

You can use LoginPress to add reCAPTCHA to your login page.

For detailed information, see our guide on How To Implement The reCaptcha On Login Page With LoginPress.

3. Enforce Strong Passwords

A strong password is essential to the protection of the WordPress login page. against brute force attacks.

A strong password generally has a combination of 10 to 15 alphabets (both cases), symbols, and numbers. If you need help, we suggest the Strong Password Generator to generate strong passwords with a click.

4. Change the Login Page URL

Everybody knows the URL structure of the WordPress login page. It generally looks like www.website.com/wp-admin/ or www.website.com/wp-login.php/.

As a general rule, it is a good practice to change this URL to make sure that hackers are unable to find it.

LoginPress offers a Hide Login add-on that allows you to change the login page URL to a custom URL.

For detailed information, see our guide on Hide Login.

Hide Login

5. Set Up Two-factor Authentication

Two-factor authentication (TFA) hardens the security of your WordPress website significantly. When TFA is enabled, website log-in requires a code in addition to the credentials. Since an app generates this code on your phone (or another device), any hacker will have difficulty cracking two security layers.

The code required as the additional log-in credential is generated randomly and frequently changes to ensure maximum protection.

TFA is not a default feature of WordPress. However, you can easily add it by installing any of the following plugins:

6. Automatic Session Logout

Auto session logouts protect your website pages (particularly, the login page) from snoopers. Users often forget to log out and close browser tabs. This leaves their sessions vulnerable to hijacking or simple eavesdropping.

By default, WordPress logs out the user 48 hours after the login session cookie expires. But if the user checks the "Remember Me" box, they’ll remain logged in for 14 days. To remedy the situation, use LoginPress to force automatic session logout.

7. Limit Login Access to Selected IP Addresses

If you have a list of trusted IP addresses, you can easily exclude all other IP addresses from accessing the login page. This ensures only the people you trust can log in from trusted network locations.

To enforce the IP address filter, add the following code to the top of .htaccess file.

<Files wp-login.php>
order deny, allow
Deny from all
# whitelist your own IP address
allow from xx.xxx.xx.xx
#whitelist some other user's IP Address
allow from xx.xxx.xx.xx
</Files>

Note: Don’t forget to replace XXs with your IP addresses.

8. Disable Login Hints

WordPress shows error messages on failed login attempts that tell users whether their username or password is incorrect. These hints make the job of hackers easier by verifying that at least one part of the credentials are correct.

You can hide these login hints by adding the following code to your theme’s functions.php file. Note that the code snippet goes to the end of the file.

function no_wordpress_errors()
return 'Something is wrong!';
add_filter( 'login_errors', 'no_wordpress_errors' )

9. Regularly Review User Accounts

User Audit should be a part of your website security audit checklist. Inactive user accounts are often how hackers burrow their way into your website.

As a rule, you should review users' details every month. During the process:

  • You should delete unused/inactive accounts.
  • Check user privileges.
  • Change or update all credentials regularly (remember to email the new credentials to the users).
  • Go through the activity logs.

10. Use SSL

If you haven't already, migrate your website to HTTPS by installing an SSL certificate. This simple step upgrades your login page security and ensures that no third party can listen in to guess the login credentials.

If your web host allows it, we suggest installing SSL certificates from Let's Encrypt. They are free and easy to set up.

11. Use a Website Application Firewall

A website firewall is a filter that screens all incoming traffic. This filter prevents traffic from known and suspected malicious sources so that your website remains safe from common threats.

The firewall also stops brute force attacks and DDoS attacks on your website.

12. Disable XML-RPC

XML-RPC was intended to be a secure way of connecting your WordPress website with external applications. Unfortunately, these days, its cons far outweigh the benefits. For instance, hackers can use XML-RPC to mount DDoS and brute force attacks on your website.

If you aren't using Jetpack, you should plan to disable XML-RPC, either through a plugin or by adding a snippet to the .htaccess file.

13. Keep WordPress Updated

Every new WordPress version comes with a long list of fixes and upgrades to various platform components. That’s why you must upgrade your WordPress website to the latest stable version.

As a rule, you should enable auto-update for core WordPress files, so you won’t miss out on a critical update.

Final Thoughts

It’s important to secure your WordPress login page as it’s the most common target of cybercriminals. Fortunately, securing this page is all about following certain best practices and security precautions.

Let us know how many of these ideas you already have deployed on your website.

Frequently Asked Questions

Is the WordPress login page secure?
Out of the box, the WordPress login page isn’t very secure and can be exploited in several forms of attacks. However, you can harden login page security by following WordPress security-related best practices. 
Is WordPress secure from hackers?
You can make a WordPress website secure by simply using a few security measures and installing a security plugin. 

That's all! You can also check out To Change The Theme for Your WordPress Website and How To Add Google Fonts With LoginPress.

Not using LoginPress yet?What are you waiting for?

Leave a comment

Your email address will not be published.