Last updated - February 24, 2020
Website security is one of the common concerns of a WordPress site owner. Even though WordPress is a secure platform, sites are often subject to a lot of hacking attempts. Generally, WordPress experts advise to use a security solution to be careful. Thankfully, there are several security solutions available in the WordPress ecosystem to help you protect your website. And, there are several strategies that you can adopt to keep your site secure from malware and attackers. It is best to follow these practices to ensure that your site is not vulnerable to attacks. In this article, we will discuss a few strategies to secure your WordPress login page.
Use secure username and password
You need to have a secure username and password for your WordPress site. This will help you secure your site from brute force attacks. Brute force attacks are cases where hackers try to breach your site login by relentlessly trying different combinations of username and passwords. Having a different username other than the default “admin” one is especially important in this case. If you are keeping admin as your username, hackers are saved from having the trouble to guess your username. One of the first steps you can take to secure your WordPress login page will be to change the username from admin to something else.
Now, it will be common knowledge that you have to use a secure password. WordPress, by default, generates strong passwords even though you can opt for a weaker one. Experts strongly advise against choosing a weak password. For this, you can use one of the popular security plugins that will enforce the use of a strong password. If you have a lot of external users, this might be a good approach to make your site more secure.
Limit the number of users you add
If you allow other users to login to your site’s backend, you have to exercise some caution. The site becomes more vulnerable when multiple users are allowed admin access on your site. So the sensible thing to do will be to avoid this unless extremely necessary. If your site allows user generated content, you can create user roles and limit the capabilities of each user role according to your specific requirements.
Learn more about WordPress user roles and how you can customize user capabilities.
Limit login attempts
One of the major strategies adopted by hackers is brute force login attempts. For this to be successful, they will have to attempt to login to your site multiple times. By limiting the number of login attempts, you can prevent this option. There are tools available in the WordPress ecosystem that will help you limit the login attempts on your site. We will be discussing a few of the popular security options you can use later in the article.
Disable login hints
Another aspect that you can focus on to make your WordPress login page more secure would be to disable login hints that WordPress offers. Basically, when you enter an incorrect password or username, WordPress provides a clear indicator on which credential is wrong. For example, it will clearly display a warning showing which one is correct and what is incorrect. This will help attackers to know that they have guessed the username or password correctly.
You can use the below code snippet to disable these login hints. Simply paste the code into the functions.php file of your theme.
return 'You have entered the wrong credentials!';
add_filter( 'login_errors', 'no_wordpress_errors' );
This will show a generic error message rather than a specific message helping the attackers.
Customize login url
In another article, we have discussed how to access the login page on your browser. Now, this is the default method to access the login page, which is probably how hackers also see it. You can hide the login page, and make it less obvious to find it to avoid hackers even attempting to breach your security wall.
There are ways to protect the login page as well as wp-admin directory to make your site more secure. You can use WPS Hide Login plugin to change the url page safely. Basically it just interrupts the page requests and help you display a customized url for login. Only your site users to whom you provide this url will be able to access the page. You can simply deactivate the plugin to revert the site to the default login page.
Protect WordPress admin directory
Your WordPress site is basically protected by the password that you use. According to experts, you can add an additional protective option by password protecting WordPress admin directory. You can do this manually by logging into the cPanel of your hosting service. Here, you will be able to find the wp-admin directory, which you can password protect and create users who can access. You can also do this manually by creating a .htpasswds file as well.
Get an SSL certificate
SSL or Secure Socket Layer creates an additional security option for websites. It encrypts the communication between the server and the browser. This will prevent hackers from accessing information, particularly online financial transactions. Having an SSL certificate for your website will make the WordPress login page also more secure. You can either purchase the SSL from a third party provider such as Comodo. Or, you can even get a free SSL certificate from Let’s Encrypt. A lot of hosting services provide shared SSL free when you opt for one of their hosting plans.
You can understand more about the benefits of getting an SSL certificate here.
Two factor authentication adds an other login step when users try to login to your site. Basically, when a user tries to login, along with the username and password, they will have to enter an additional verification code. This verification code will be sent to another device, which is mostly a mobile phone. Only once the user enters this verification code, they willk be let in to access your website.
Google Authenticator creates 2-step verification codes on the phone. Similarly reCAPTCHA will help to reduce spam logins on your site.
Update WordPress regularly
As a WordPress site owner, you might have already seen regular updates of the WordPress software. This is how WordPress introduces new features and makes security updates and bug fixes. It is really important to update your website to the latest version of WordPress. If you don’t update, your site will be still vulnerable to a lot of threats that are already taken care of. Moreover, with the latest updates, you will get new features as well.
If you are using multiple plugins and customized settings on your site, ensure that the new update is not breaking anything. You can have an update schedule to ensure that everything is in order. Read our article to understand how to manage WordPress updates without problems.
Use a security plugin
You can take a lot of specific precautions to secure your WordPress login page. However, there are also options that will help you take care of your website security comprehensively. In the WordPress ecosystem, you will find numerous solutions that take care of multiple aspects of site security. They will help you with continuous site monitoring, malware protection, offer firewalls and a lot more that strengthen your website’s defenses.
Let us take a look at some of the important WordPress security plugins that can help you secure your WordPress website:
Jetpack will ensure protection of your site by continuous monitoring, regular backup and solid protection against any unwelcome intruders. Here are some of the relevant features of Jetpack:
- Helps prevent brute force attacks
- Secure authentication for your WordPress login page.
- Malware scanning
- Notify any site downtime promptly.
- Back ups are saved in a different location and easy restore options.
- Report all site activity with accurate timeline.
- Comment filter.
Wordfence is another popular solution that offers all round protection for your WordPress site. You will find a lot of useful features as given below:
- Web Application Firewall to block malicious traffic to your site.
- Security scanner to check for any attempts to breach.
- Identifying breached passwords and prevent those users from logging in.
- Monitor live traffic and block perceived threats.
- Two-factor authentication
- File repair.
This is one of the reliable options that offers complete WordPress security without affecting your site performance. You will find an option for instant malware removal with this plugin. Some of the other features to look out for are:
- Malware scan and removal
- WordPress Firewall
- WordPress login page protection.
- Security hardening
Hope this article has given you a basic understanding on how to protect your WordPress login page. Leave us a comment if you have a query or an insight to share.
You can also watch the below video tutorial for a better understanding.