How To Secure Your WordPress Website Login Page


Your WordPress login page is the gateway to your website. From time to time, hackers may try to break into your site by attempting to log in from this page.

One way that you can make it harder for hackers is by stepping up the protection of your WordPress Admin or Login Page. You can stop most of the mischief right at the doorstep, by hardening the security on this page.

In this article, I will show you simple steps on how to secure your WordPress admin login page.

5 Simple Techniques for Securing Your WordPress Website Login Page

Here are five simple techniques you can implement to secure the WordPress login page.

1. Change WordPress Login URL

By default, the login URL of every WordPress website is the main URL with either wp-login.php or wp-admin appended.

For instance, if your website lives at mywebsite.com, hackers know this and will try to log in to your site from these URLs:

  • mywebsite.com/wp-login.php
  • mywebsite.com/wp-admin

In reality, many website owners don’t pay attention to this at all. That’s why more and more WordPress websites are getting hacked each day.

Changing the default login URL keeps automated attacks aimed at wp-login.php and wp-admin away from your login form, which makes your site a much harder target.

You can install WPS Hide Login to hide your WordPress login page and block the default links.

Once activated, you can change the URL to anything you’d like, such as mywebsite.com/real_admin_only_access from the plugin’s Settings section. You can do so by going to Settings » WPS Hide Login.


Now, when someone tries to log in through the default links, they will be redirected to a 404 page or any page you’ve specified.

A word of caution, though: since the default links become inaccessible, you must bookmark your new admin login page.

2. Change Default Username

Most WordPress installs come with a default username, admin, which hackers are aware of. This makes it easier for them to find your password using a brute-force attack.

There are a couple of ways to change the default WordPress username. The one I recommend is to create a new admin username and then delete the default one.

To do this, go to Users » Add New. This will take you to the Add New User page.

Username and email are required, so you must fill in these fields; the rest are optional. Generate a strong password by clicking the big blue Show Password button. Then change the role to Administrator in the dropdown.

That’s it. You now have a new admin username and you may now delete the default one.

3. Use Strong Password

Another recommended way to secure WordPress is to use a strong password. Together with a unique username, it makes it harder for hackers to guess your credentials and infect your site.

WordPress now comes with a built-in strong password generator, which is very handy. If you want to try this feature, just follow the steps above and click the generate password button.

As always, use uppercase, lowercase, numbers, and special characters for the password. Passphrases are excellent as well.

You may also try generating a secure password using the online tool here. I’ve been using this service for quite a while now and it works perfectly fine for my needs. And the best part is, it’s free.

4. Remove the WP Version Number

Your current WordPress version number can be found very easily. It’s basically sitting right there in your site’s source view.

The more outdated the version of WordPress your site runs, the more prone it is to getting hacked, and a visible version number tells attackers exactly how outdated it is.

There are a lot of ways to remove the version number, and the one I prefer is a hook. You just need to add the following code to your child theme’s functions.php file.

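function wpms_remove_wp_version() {
    // Return an empty string so no generator tag (and no version number) is printed.
    return '';
}
// the_generator filters the generator output for both the page head and the feeds.
add_filter('the_generator', 'wpms_remove_wp_version');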

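The above code removes the WordPress version number from the generator tag in the page head and in RSS feeds. The version can still show up elsewhere, such as the ?ver= query string on core scripts and stylesheets, so hiding it is no substitute for keeping WordPress up to date.

To learn more about using filter hooks, visit the official Filter Reference in the WordPress Codex here.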

5. Limit Login Attempts

By default, WordPress allows users to enter passwords as many times as they want. Hackers may try to exploit this by using scripts that enter different combinations until your website cracks.

To prevent this, you can limit the number of failed login attempts per user.

For instance, you can say that after 3 failed attempts, the user is locked out temporarily.

If a user has more than 3 failed attempts, your site blocks their IP for a temporary period of time based on your settings. You can make it 30 minutes, 24 hours, or even longer.
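The lockout rule described above, written against WordPress’s own login hooks as a small plugin file. This is an added example, not code from the original article or from any plugin; the ex_ names, the 3-attempt limit and the 30-minute lockout are assumptions, and it assumes REMOTE_ADDR is the real client address (no reverse proxy in front of the site).

```php
<?php
/* Plugin Name: Example Login Lockout (added example, hypothetical names) */

const EX_MAX_FAILURES    = 3;    // failed attempts allowed per IP (assumed value)
const EX_LOCKOUT_SECONDS = 1800; // 30 minutes (assumed value)

// Transient key for the client IP. md5 only keeps the key short and uniform;
// it is not used for security here.
function ex_lockout_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'ex_fail_' . md5( $ip );
}

// Count each failed login against the client IP.
function ex_record_failure( $username ) {
    $key      = ex_lockout_key();
    $failures = (int) get_transient( $key ); // false (no entry yet) casts to 0
    if ( $failures >= EX_MAX_FAILURES ) {
        return; // already locked out: retries must not extend the lockout
    }
    // The expiry restarts on every counted failure, so the lockout lasts
    // EX_LOCKOUT_SECONDS from the failure that reached the limit.
    set_transient( $key, $failures + 1, EX_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'ex_record_failure' );

// Refuse the login while the IP is at the limit, even with a correct password.
// Priority 30 runs after core's password check (priority 20), so the error
// returned here is not overwritten.
function ex_enforce_lockout( $user, $username, $password ) {
    if ( (int) get_transient( ex_lockout_key() ) >= EX_MAX_FAILURES ) {
        return new WP_Error(
            'ex_locked_out',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'ex_enforce_lockout', 30, 3 );

// A successful login clears the counter for that IP.
function ex_clear_failures() {
    delete_transient( ex_lockout_key() );
}
add_action( 'wp_login', 'ex_clear_failures' );
```

Behind a load balancer or CDN every visitor shares the proxy’s REMOTE_ADDR, so one lockout would block everyone; in that setup the client address has to come from a header set by a proxy you control.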

A plugin like Limit Login Attempts Reloaded can save you a lot of time and effort.

Upon activation, you need to visit the Settings » Limit Login Attempts page to configure the plugin settings.

You can also add your email in the Notify on lockout section so that you’ll get notified when someone gets locked out.

Final Thoughts

The methods listed in this post are simple, yet highly effective ways to restrict bots, malware and malicious hackers from breaking into your website.

Additionally, you may add captchas or other small tests to verify that a login attempt comes from a human and not from a bot.

Securing the login page in WordPress keeps those doors closed and ensures that the only person who has access to your site is you, and that every login attempt is legitimate.

If you need more tips on WordPress security, you can read more ways to secure WordPress website from hackers here.

If you liked this article, then please subscribe to my YouTube Channel for WordPress video tutorials. You can also find me on LinkedIn, Facebook and Twitter.

If you have any questions, please let me know in the comments below.
