While WordPress is a secure and robust CMS, it is also your responsibility to undertake basic security measures to safeguard your website. One such measure is to prevent unauthorized access to your WordPress admin panel. And as you might be already aware, to prevent access to WP admin panel, you need to bulletproof and secure your login page.
There are various ways to ensure the safety of the login page and the WP admin panel. In this article, we will be taking a look at some simple ways and helpful plugins that can be employed to prevent unauthorized access to your WordPress website.
First, let us begin with the most obvious and basic ones.
It goes without saying that you should always use difficult and tough to crack passwords. More importantly, be sure to change your password regularly, and never reuse the same password across different sites.
But it does not stop there. For your administrator account, use a username different from the default “admin”. This makes it tougher to guess for the hackers. Try to limit the number of administrator accounts on your site — it is a good idea to have just one administrator account so that other users of your site get restricted access.
With the basic details out of the way, what else can we do to actually secure our login page?
Change the Login Page’s URL
By default, WordPress uses wp-login as the URL of the login page — for example, mysite.com/wp-login.php
Anyone wanting to gain access to your site probably knows that if you are on WP, your login page must be at wp-login itself. What if you were to change that? What if your login page was elsewhere and not at wp-login?
There are many good plugins that let you do just that. You can simply change mysite.com/wp-login.php URL to mysite.com/safety and login therein. This way, you would know where your login page is, but the malicious hackers will not.
WPS Hide Login lets you do just that and it works on both WordPress and WP Multisite installations. You just need to specify the new login URL for your site, and you’re good.
Rename wp-login.php is another useful plugin for this purpose albeit it has not been updated in over a year and can possibly cause compatibility issues.
That said, renaming your login URL is generally a safe process, but it can cause issues with certain plugins that might have the login URL hard-coded in the code (this is a bad coding practice by the way). In any case, be sure to take a backup before changing the login URL of your site — if you get locked out of your own site, you might have to go through the database to restore the login URL.
Prevent Brute Force Attacks
A brute force attack is one where a malicious hacker tries to guess your password by repeatedly entering a new password. Naturally, having a strong password is helpful as compared to weak dictionary words.
There are several plugins that can prevent brute force attacks on your website. Jetpack has a Protect module that detects brute force attacks and locks out malicious users. Many popular security plugins, such as iThemes Security, have special IP detection features that can lock out users who enter wrong password multiple times.
If you are looking for a dedicated solution, Login Lockdown is a good pick. The plugin works in a simple manner — for every failed login attempt, it logs the IP address. After a given number of failed attempts, it locks down the said IP for a specific time duration.
Alternatively, the Loginizer WordPress plugin can be used to prevent brute force attacks too. It works in a fashion similar to Login LockDown, but comes with added features. You can add reCaptcha, two factor authentication via email or mobile app, etc. Plus, Loginizer also lets you rename the wp-login page and disable pingbacks.
Other Additional Measures
You can also take some extra steps to further safeguard your login page. However, these steps generally require a third party solution to work properly.
- Using a good web application firewall can prevent all bots and malicious IPs from ever reaching to your website or the login page. Every major CDN provider, such as CloudFlare, or a decent WordPress premium security plugin, comes with such firewall options.
- If your website has multiple user accounts, consider making use of user roles and setting them up as Editor, Contributor, Writer, and so on. Administrator privileges should not be offered to everyone.
- While not entirely a login page security measure, you should have email notifications enabled for successful login attempts whenever possible (once again, every good security plugin, including Loginizer mentioned above, comes with such features). This way, for every successful administrator login, you will know if it was you or if your site is in trouble.
Securing your WordPress login page is just one part of a comprehensive security strategy. You need to take further steps to ensure that your WordPress site is fully secure and safe from threats.
Which methods do you employ to safeguard your login page? Share it in the comments below!