WordPress login security

Wondering if you should be worrying about WordPress login security?

WordPress is the world’s most popular CMS because it’s very easy to build a website with it. Although it’s a free CMS, there is a price to be paid. WordPress is extremely predictable, which sometimes makes it an easy target.

Take, for instance, the login page.

Every WordPress website has the same login page (/wp-admin/ or /wp-login.php). Combine that predictability with the human penchant for weak credentials, and the page becomes an alluring target for hackers.

Security experts say that the login page is the most vulnerable page on a website. Every day, hackers deploy bots to perform brute force attacks on that page. By figuring out your login credentials, they can easily gain access to your CMS. So, you must do everything in your power to protect it against these uninvited guests.

In this article, we will show you five advanced methods to improve WordPress login security and prevent getting hacked.

How to secure a WordPress login page in 2023

There is plenty of poor advice in the realm of cyber security. Most of it is aimed at scaring people into compulsive choices. Instead of adding to the noise, in this article we'll show you methods that actually work. Those are:

  • Change the login page URL
  • Implement two-factor authentication
  • Limit failed login attempts
  • Prevent discovery of the username
  • Auto logout

You must have noticed that we haven't included enforcing strong passwords or installing an SSL certificate. That's because those are a given; we hope you are already doing both. See our other guides on how to get that done.

Note: To carry out the measures below, you will need to install a plugin or two, and even the best plugins can break a site. So back up your website before you proceed any further.

Now, let’s begin:

1. Change login page URL

As we said at the beginning of the article, the default WordPress login page looks like this:

  • www.website.com/wp-admin/
  • www.website.com/wp-login.php

Everybody knows it, including hackers who design bots that target WordPress login pages. And since 59% of Americans [1] use weak passwords, it’s way too easy to hack a website by brute-forcing the login page.

One way to protect your login page is by changing the URL.

Creating a custom login page URL is easy. There are a number of plugins that let you do it in a couple of clicks.

We will use the WPS Hide Login plugin to demonstrate the process, but if you prefer any of the other plugins, go right ahead. The steps will be equally easy and swift.

How to change your WordPress login URL

Install and activate WPS Hide Login. Go to Settings → WPS Hide Login.

Scroll to the bottom of the page, enter the new URL in the Login URL field, and hit Save Changes.

[Screenshot: WPS Hide Login settings]

Try logging in with the new URL. Don’t forget to share it with your teammates.

👉 If you need assistance, here’s our dedicated guide: how to change your WordPress login page URL.

2. Implement two-factor authentication

You must have come across two-factor authentication while using Facebook or Gmail. The service sends a unique code to your registered mobile number whenever you try to log into your account, so that only the owner of the account can access it. Even if hackers get their hands on your credentials, they have no way to obtain the unique code sent to your registered mobile number.

Two-factor authentication can also be applied to your WordPress website, adding a layer of security to the login page. All you need to do is install one of the following plugins:

Setting up a two-factor authentication plugin is very easy. We’ll use miniOrange’s Google Authenticator to show you the setup process.

How to implement two-factor authentication

Install miniOrange's Google Authenticator on your WordPress site. As soon as you activate the plugin, a setup widget appears. Choose the first option, Google Authenticator.

[Screenshot: miniOrange setup widget]

Next, download the Google Authenticator app on your smartphone. Open the app and scan the QR code.

[Screenshot: scanning the QR code with the Google Authenticator app]

The app generates a code. Enter it on the setup widget and hit Save.

Two-factor authentication is now active on your login page.

[Screenshot: two-factor authentication prompt on the login page]
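To show what the authenticator app is actually doing behind the six-digit code, here is an added example (not code from the article or from the miniOrange plugin) that verifies a time-based one-time password in PHP the way RFC 6238 specifies it: the shared secret the QR code carried, decoded from base32; a 30-second time step; an HMAC-SHA1 truncated to six digits; and a one-step window for clock drift. The function names and the demo secret string are constructed for this example.

```php
<?php
// Added example, not from the article or the miniOrange plugin: verify a
// six-digit authenticator code (TOTP, RFC 6238, built on HOTP, RFC 4226).
// Function names and the sample secret below are constructed for this example.

// The QR code the app scans carries the shared secret in base32. Decode it to raw bytes.
function example_base32_decode(string $b32): string
{
    $b32 = strtoupper(rtrim($b32, '='));
    if ($b32 === '') {
        throw new InvalidArgumentException('empty base32 secret');
    }
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split($b32) as $ch) {
        $val = strpos($alphabet, $ch);
        if ($val === false) {
            throw new InvalidArgumentException('invalid base32 secret');
        }
        $bits .= str_pad(decbin($val), 5, '0', STR_PAD_LEFT);
    }
    $raw = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // the trailing partial group is padding
            $raw .= chr(bindec($byte));
        }
    }
    return $raw;
}

// HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated to N digits.
function example_hotp(string $key, int $counter, int $digits = 6): string
{
    $hmac   = hash_hmac('sha1', pack('J', $counter), $key, true);
    $offset = ord($hmac[19]) & 0x0f;
    $binary = ((ord($hmac[$offset]) & 0x7f) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            | ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// TOTP: the counter is simply the number of 30-second steps since the Unix epoch.
function example_totp(string $key, int $unixTime, int $step = 30): string
{
    return example_hotp($key, intdiv($unixTime, $step));
}

// Accept the current step and one step either side so a slightly skewed phone clock still works.
// hash_equals() keeps the comparison constant-time, and the loop never breaks early for the same reason.
function example_verify_totp(string $b32Secret, string $submitted, int $now, int $window = 1): bool
{
    $key = example_base32_decode($b32Secret);
    $ok  = false;
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(example_totp($key, $now + $i * 30), $submitted)) {
            $ok = true;
        }
    }
    return $ok;
}

// Usage on the login form: $secret is the per-user secret the QR code held (stored server-side),
// $_POST['code'] is what the user typed into the second-factor prompt.
// $secret = 'JBSWY3DPEHPK3PXP';                       // constructed demo secret, not a real one
// $ok = example_verify_totp($secret, $_POST['code'] ?? '', time());
```

This is why a stolen password alone is not enough: the code depends on a secret that never leaves the phone and the server, plus the current time. Two things a real deployment adds on top of the verification itself: store the last accepted time step per user and reject a code for that step a second time (one-time really means once), and keep the secrets encrypted at rest, because anyone who can read them can generate valid codes.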

3. Limit failed login attempts

By default, WordPress allows unlimited login attempts. This may sound harmless, but it is a glaring security loophole.

Unlimited login attempts let hackers carry out brute force attacks: they deploy bots that try username and password combinations until one works, failing many times before chancing upon the right credentials. One of the most effective ways to counter these bots is to limit login attempts.

The plugins below will help you do just that:

How to limit failed login attempts

Install the plugin, then go to Limit Login Attempts → Settings → Local App. Here you can set how many login attempts are allowed on your website, and how long someone stays locked out after reaching that number.

[Screenshot: Limit Login Attempts plugin settings]
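The plugin's two settings (how many attempts, how long the lockout) map onto two WordPress hooks. The following added example (not the article's code and not the Limit Login Attempts plugin's) shows the mechanism as a small must-use plugin: it counts failures per client address in a transient and refuses to check the password at all once the limit is reached. The plugin name, constant names, limits and the `example_` function names are constructed; it assumes `$_SERVER['REMOTE_ADDR']` is the real client address, which is not the case behind a reverse proxy or CDN.

```php
<?php
/**
 * Plugin Name: Example Login Lockout
 * Description: Added example, not the article's or the Limit Login Attempts plugin's
 * code. Locks a client IP out after a number of failed logins within a time window,
 * using WordPress transients. Drop it into wp-content/mu-plugins/ to try it.
 * Assumes $_SERVER['REMOTE_ADDR'] is the real client address; behind a reverse proxy
 * or CDN you would read the forwarded address instead, after validating the source.
 */

define('EXAMPLE_LOCKOUT_MAX_ATTEMPTS', 5);                       // constructed limits
define('EXAMPLE_LOCKOUT_SECONDS', 20 * MINUTE_IN_SECONDS);

// One transient per client IP; hashing keeps the option name short and safe.
function example_lockout_key(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'example_lockout_' . md5($ip);
}

function example_lockout_attempts(): int
{
    return (int) get_transient(example_lockout_key());
}

// Count every failed attempt. Re-setting the transient restarts its expiry, so the
// window slides: a client that keeps hammering stays locked out.
add_action('wp_login_failed', function ($username): void {
    set_transient(example_lockout_key(), example_lockout_attempts() + 1, EXAMPLE_LOCKOUT_SECONDS);
});

// Once the limit is reached, refuse to check the password at all. Priority 30 runs after
// WordPress's own username/password check (priority 20), so the WP_Error returned here
// wins even when the credentials were right, and the bot learns nothing from the response.
add_filter('authenticate', function ($user, $username, $password) {
    if ($username === '' && $password === '') {
        return $user;                        // a plain GET of the login form, not a submission
    }
    if (example_lockout_attempts() >= EXAMPLE_LOCKOUT_MAX_ATTEMPTS) {
        return new WP_Error(
            'example_too_many_attempts',
            sprintf('Too many failed login attempts. Try again in %d minutes.',
                    EXAMPLE_LOCKOUT_SECONDS / MINUTE_IN_SECONDS)
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, $user): void {
    delete_transient(example_lockout_key());
}, 10, 2);
```

Two things to keep in mind when tuning this: locking by IP address also locks out everyone behind the same office NAT, and a distributed bot spreads its attempts across many addresses, so real plugins usually count per username as well and log each lockout so you can see the attack happening.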

4. Prevent discovery of username

Typically, the username is considered less important than the password. It is often publicly visible, so we assume it must be of low value. Not true.

The username is half of your credentials. It must be protected, just like the password.

On a WordPress website, you will find usernames displayed on posts and author archives. Thankfully, there is a way to disable them both.

How to disable author archives

This can be done with any SEO plugin. In the tutorial below, we use Yoast SEO to show it.

Go to SEO → Search Appearance → Archives and then disable the Author Archives. Hit Save Changes.

[Screenshot: Yoast SEO author archives setting]

How to change display name

The display name shows up on published articles and comments. By default, the display name and the username (the one you use to log in) are the same. To prevent the discovery of the username, you can change the display name to something else.

[Screenshot: username and display name fields in the user profile]

Go to Users → Profile. You can't change the display name directly; instead, change the Nickname, then select the new nickname from the display name drop-down menu below it.

[Screenshot: display name drop-down]
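For sites without an SEO plugin, the author-archive switch can be done in a few lines of code. The following added example (not the article's code and not Yoast's) sends author archive requests to the homepage, and goes one step beyond the two places the article names by also hiding the user list from anonymous REST API requests, which otherwise exposes author slugs at `/wp-json/wp/v2/users`. The plugin name is constructed; the hook and route names are WordPress's own.

```php
<?php
/**
 * Plugin Name: Example Author Hiding
 * Description: Added example, not the article's or Yoast's code. Does in code what the
 * "disable author archives" toggle does, and additionally hides the user list from
 * anonymous REST API clients. Drop it into wp-content/mu-plugins/ to try it.
 */

// Author archives (/author/<slug>/, and the ?author=N form) go to the homepage instead of
// listing posts under the username. Priority 1 so this runs before WordPress's canonical
// redirect (hooked at priority 10), which would otherwise rewrite ?author=1 to
// /author/<slug>/ and reveal the slug in the Location header.
add_action('template_redirect', function (): void {
    if (is_author()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}, 1);

// Hide the public user list from anonymous REST clients. Logged-in users keep access
// (the block editor uses these routes), and /wp/v2/users/me is left untouched.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    return $endpoints;
});
```

After activating it, check the effect from a logged-out browser: `/?author=1` should land on the homepage rather than on `/author/<username>/`, and `/wp-json/wp/v2/users` should return a "no route" error instead of a list. Changing the display name, as described above, still matters: this code hides the archive and the API list, but not what the theme prints under each post.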

5. Auto logout

Auto-logout protects websites from snoopers: when a user leaves a session unattended, it ends the session.

By default, a WordPress login session expires 48 hours after logging in, and if the user checked the "Remember Me" box, they remain logged in for 14 days. To terminate a session after a period of inactivity instead, you need to install a separate plugin.

The plugins below let you auto-logout idle user sessions:

How to enable auto-logout

Activate the plugin, then go to Settings → Inactive Logout → Basic Management and set the idle timeout. There are options for role-based timeouts as well; check them out if you like.

[Screenshot: Inactive Logout settings]
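Both numbers from the section above (the 48-hour session and the 14-day "Remember Me" session) come from one filter, and an idle timeout can be added with one action. The following added example (not the article's code and not the Inactive Logout plugin's) shortens both cookie lifetimes and logs out a user whose last request is older than the idle limit. It is server-side only, so the logout takes effect on the user's next request rather than in the browser the moment the clock runs out; the plugin name, constant names and the durations are constructed.

```php
<?php
/**
 * Plugin Name: Example Session Limits
 * Description: Added example, not the article's or the Inactive Logout plugin's code.
 * Shortens the login cookie lifetime and ends sessions that have been idle too long.
 * Server-side only: the logout happens on the next request after the idle limit.
 * Drop it into wp-content/mu-plugins/ to try it. Durations are constructed.
 */

define('EXAMPLE_SESSION_SECONDS',          2 * HOUR_IN_SECONDS);   // instead of the 48-hour default
define('EXAMPLE_REMEMBER_SESSION_SECONDS', 1 * DAY_IN_SECONDS);    // instead of 14 days with "Remember Me"
define('EXAMPLE_IDLE_SECONDS',             30 * MINUTE_IN_SECONDS);

// 1. Cap how long a login cookie stays valid, with and without "Remember Me".
add_filter('auth_cookie_expiration', function ($length, $user_id, $remember): int {
    return $remember ? EXAMPLE_REMEMBER_SESSION_SECONDS : EXAMPLE_SESSION_SECONDS;
}, 10, 3);

// 2. Idle timeout: remember the time of each user's last page request and log them out
//    when the gap since then exceeds the limit. Background requests (AJAX, including the
//    admin Heartbeat, and cron) are skipped so an open but untouched editor tab does not
//    count as activity.
add_action('init', function (): void {
    if (wp_doing_ajax() || wp_doing_cron() || !is_user_logged_in()) {
        return;
    }
    $user_id = get_current_user_id();
    $now     = time();
    $last    = (int) get_user_meta($user_id, 'example_last_activity', true);

    if ($last > 0 && $now - $last > EXAMPLE_IDLE_SECONDS) {
        wp_logout();                                   // clears the auth cookies and the session token
        delete_user_meta($user_id, 'example_last_activity');
        wp_safe_redirect(add_query_arg('idle', '1', wp_login_url()));
        exit;
    }
    // Write the timestamp at most once a minute to avoid a database write on every request.
    if ($now - $last > MINUTE_IN_SECONDS) {
        update_user_meta($user_id, 'example_last_activity', $now);
    }
});
```

The last-activity value is stored per user, not per session, so a user logged in on two devices keeps both alive by using either one; a per-session version would key the timestamp on the session token instead. The cookie-lifetime filter is the part worth keeping even if you rely on a plugin for idle detection: it bounds how long a stolen cookie stays useful.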

Conclusion on WordPress login security

All set? Great! Before you leave this page, one last piece of advice: Improving WordPress login security takes you a step closer to securing your entire website, which is the end goal!

Even with measures in place to stop hackers from brute-forcing their way into your website, intruders can still gain access through vulnerable themes and plugins. Therefore, keep your site up to date at all times.

To further secure your website, we highly recommend that you take all the security measures covered in this guide: 10 key WordPress security tips.

If you have any questions on how to handle your WordPress login security, let us know in the comments below.
