How to Secure Your WordPress Login Page

How to Secure Your WordPress Login Page

How to Secure Your WordPress Login Page 1920 1344 Coding Outdoors

Websites are constantly being attacked and with WordPress as one of the best and most utilized content management systems on the internet, it is a prime target for attackers. Your web hosting services provides a certain level of security and protection, however as a site owner the bulk of the security is on you and there are actions you can take to prevent unwanted access and logins to your website.

We’re focusing specifically on login security for this article and updates to the wp-login and wp-admin URLs. There are five simple steps that can help secure and harden this process. You will want to change your login URL, limit login attempts, setup 2FA, hide your username, and employ a strong password. See below for more details.


Change Your Login URL

Changing your login URL is simple and is a part of almost every security plugin out there. The default login address for WordPress sites is With over 455 million websites running on WordPress it is safe to say that everyone knows that login URL. While security by obscurity is not a good practice, this is just a change to prevent your site from being brute forced by bots constantly. Make a simple change your login page URL to shift if from to something like Plugins can easily accomplish this. My preferred choice for this is to use WPS Hide Login.


Limit Login Attempts

Limiting login attempts prevents users from trying an endless number of username and password combinations to gain access to your site. You can a specific number of invalid login attempts in a period of time and lock out that user account for a certain time period. This is employed in a lot of WordPress security plugins such as iThemes Security and Wordfence. It also gives you the option to blacklist user IP addresses that have a specific number of invalid logins.


Setup Two Factor Authentication (2FA)

Two factor authentication, or 2FA is an obnoxious yet necessary login security feature that is utilized. I personally don’t like having to authenticate with my username and password, then also use an authenticator program to provide an additional encrypted key. However, this does make your website that much more secure and is a very good choice to enable for logins. I utilize WordFence Security plugin to accomplish this and I pair it with google authenticator or whatever else a user wants to use to store their keys.


Hide Your Username

Utilize a nickname in your WordPress user settings to prevent your login name from being easily discoverable. This is just another step to make brute force attacks more difficult. If a hacker doesn’t have the login page, username, or password then it becomes much more difficult for them to gain access. Go to Users –> Profile–> Nickname
Plugins can easily accomplish this such as WPS Hide Login, iThemes Security, or WordFence.


Employ a Strong Password

Always create a strong password for your WordPress admin user account that includes uppercase letters, lowercase letters, numbers, special characters, and a length of at least 12 characters. The more the better. Also do not use words or sequences in your password. This will go far in preventing brute force attacks from being successful!

Using all of these tips together will not make your website un-hackable, however it offers a greater degree of security to prevent unauthorized users from gaining access and deters the vast majority of unsophisticated bots and scripts running out there designed to attack a /wp-admin page with a admin username and a weak password. Always keep your site secure and up to date and do regular backups to have available for a restore if needed.

Back to top