WordPress is one of the most popular CMSs, used by millions of websites on the Internet, so it is likely to be a popular target for hackers. If you are reading this article, I assume you are concerned about the security of your WordPress site. In this article, I will share four ways to secure the WordPress login page.
Everyone knows that the default login page is accessible by visiting wp-admin or wp-admin.php. So, your site’s login page is certainly one of the vulnerable pages on your website. An attacker can try a brute-force attack to gain access to your website and do harm.
Here are four steps to secure WordPress login from hackers:
1. Use a strong password and unique username
As mentioned above, anyone who knows your login page URL can try a brute-force attack on your website. Further, if your username and password are easy to guess, your website is at great risk and you can become a victim at any time.
Every year, a list of the most common passwords is released. Check this list of 25 worst passwords of 2017 compiled by Time.
If you are using any one of the passwords mentioned in the above list, go ahead and change it right now before anything goes wrong and someone takes control over your site.
It is recommended that you use a very strong password of more than 8 characters containing letters, numbers and symbols. Use this website to check the strength of your password.
You can also create a stronger password with a random password generator; two free tools are LastPass and Secure Password Generator. A LastPass Chrome extension is also available to store your credentials so that you don’t have to remember every login.
2. Activate SSL Certificate
SSL, or Secure Sockets Layer, adds an extra layer of security to your site by ensuring that all data passed between the web server and browsers remains private and intact. As a result, no one will be able to intercept your site information and read it. Starting from July, Google Chrome marks all HTTP sites as “not secure”. Thus, it is necessary to have an SSL certificate in 2018.
When your site has an SSL certificate, communication between the browser and the server is more secure. Depending on your web hosting plan, you can either get a free SSL certificate or might need to purchase one. Once you have the certificate, you can use the free WordPress plugin Really Simple SSL to set up SSL on your site.
3. Hide Login Page
The default login page of a WordPress site can be accessed via wp-login and wp-login.php. A hacker can launch different attacks on your login page to gain access to your site. It is advisable to change this default login page to protect your site from potential harm.
The free WordPress plugin WPS Hide Login allows you to change the default login URL. You can change the wp-login path to any desired path.
To change the login page URL:
Install the above plugin.
Go to Admin Dashboard > Settings > WPS Hide Login > Type the desired path.
After that, click the Save Changes button.
4. Limit Number of Login Attempts
A hacker often attempts to log in by guessing the password. An easy password will give access to your site in a few attempts. A brute-force attack works by trying multiple username and password combinations over and over.
Usually, attackers attack from a particular IP, and this attack can be tracked. If such unusual behavior is observed from a particular IP, you can block that IP to stop the brute-force attack and keep your site secure.
There are plenty of free security plugins available for your WordPress site. Login LockDown, All in One WP Security & Firewall and Wordfence offer the best security to protect your website login pages and limit the number of login attempts. They also track IP addresses and provide more control over login attempts. A few such plugins are as follows:
Login LockDown is a simple plugin whose only function is to control login attempts. After you have successfully installed this plugin, go to Settings > Login LockDown. You will see the following interface:
As seen in the above screenshot, you can set the Max Login Retries, Retry Time Period and Lockout Length. Make the necessary changes and click on Update Settings to apply the changes.
The Activity tab records the IP address and timestamp of every failed login attempt.
All in One WP Security & Firewall is another free WordPress plugin that offers more features and adds extra layers of security and a firewall to your WordPress site.
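The three settings above (Max Login Retries, Retry Time Period, Lockout Length) and the per-IP record of failed logins can be reproduced over a web server access log. The Python example below is added here and is not code from Login LockDown or any other plugin; the log lines are constructed, the function and parameter names are hypothetical, and it assumes a failed login appears as a POST to /wp-login.php answered with status 200 (a successful login redirects with 302).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = """\
192.0.2.44 - - [12/Mar/2018:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.7 - - [12/Mar/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.7 - - [12/Mar/2018:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2890
203.0.113.7 - - [12/Mar/2018:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.7 - - [12/Mar/2018:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
198.51.100.20 - - [12/Mar/2018:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
198.51.100.20 - - [12/Mar/2018:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.44 - - [12/Mar/2018:10:04:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
192.0.2.44 - - [12/Mar/2018:10:08:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_lockouts(log_text, max_retries=3, retry_minutes=5, lockout_minutes=60):
    """Return {ip: datetime the lockout ends} for IPs that reach max_retries
    failed logins within retry_minutes (hypothetical helper, names assumed)."""
    retry_period = timedelta(minutes=retry_minutes)
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    locked_until = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        # Assumption: failed login = POST to wp-login.php answered with 200.
        if method != "POST" or path.split("?")[0] != "/wp-login.php" or status != "200":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if ip in locked_until and when < locked_until[ip]:
            continue              # still locked out; do not extend the lockout
        window = recent[ip]
        window.append(when)
        while when - window[0] > retry_period:
            window.popleft()      # drop failures older than the retry period
        if len(window) >= max_retries:
            locked_until[ip] = when + timedelta(minutes=lockout_minutes)
            window.clear()
    return locked_until

if __name__ == "__main__":
    for ip, until in find_lockouts(SAMPLE_LOG).items():
        print(f"{ip} locked out until {until:%H:%M:%S}")
```

With the defaults only 203.0.113.7 is locked out; the three failures from 192.0.2.44 are four minutes apart, so they never fall inside one five-minute retry period, which is worth keeping in mind when choosing the Retry Time Period.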
To control the login attempts, go to WP Security > User Login. Make the necessary changes and click on Save Settings.
This plugin also covers other aspects of your website security and gives you a score based on your settings. You can explore the settings yourself to get the maximum score and improve your site security.
Wordfence is another very popular security plugin for securing the WordPress login, and it offers quite a few features even in the free version, such as traffic source information, whois lookup and settings import/export.
To control the login attempts, go to Wordfence > Dashboard > Manage Firewall.
Make the necessary changes and click the Save Changes button located at the top.
So, these are the 4 ways to secure the WordPress login page. By doing so, you ensure that your site is secure from hackers or anyone who tries to gain unauthorized access.
However, this only provides a certain level of security to your site and there are also other things to consider if you want to make your site fully secure from any threats.
I hope this article was helpful.