
How to Secure Your WordPress Login Page?

All site administrators should be concerned about the security of the WordPress login page.

WordPress is the most popular content management system in the world because it is very easy to create a website with it. Although it is a free CMS, there are some steps to increase its security. WordPress is very predictable, which sometimes makes it a target for hackers.

Take, for example, the WordPress login page.

Every WordPress website has a login page (/wp-admin/ or /wp-login.php). Since the login URL is the same for all WordPress sites, hackers make the site’s login page their first target.

Security experts say that the login page is the most vulnerable page on a website. Every day, hackers deploy bots to perform brute-force attacks on that page. By guessing login credentials, they can easily access your CMS. Therefore, you should do everything you can to increase the security of your WordPress login page.

In this article, we will teach you 5 advanced ways to improve WordPress login security and prevent hacking.

How to increase the security of the WordPress login page?

In this article, we will show you methods that are very effective in increasing the security of the WordPress login page:

  • Changing the URL of the login page
  • Enable two-step verification
  • Set the login attempt limit
  • Prevent username discovery
  • Using auto logout

You may have noticed that we have not included using strong passwords and installing an SSL certificate in the list above. Both are a must for everyone, and we assume that you have already done them.

Note: You need to install one or two plugins to perform the steps we mentioned below. And we know that even the best plugins can cause problems on the site. So make a backup of your website before proceeding.

1. Changing the URL of the login page

As we said at the beginning of the article, the default WordPress login page is as follows:

www.website.com/wp-admin/
or
www.website.com/wp-login.php

Everyone knows it, including hackers who design bots that target WordPress login pages. And since most people use weak passwords, it is very easy to hack a website on the login page.

As a result, one of the ways to increase the security of the WordPress login page is to change the login URL.

Creating a new custom login page URL is easy. There are a number of plugins available that allow you to do this with a few clicks.

We will use the WPS Hide Login plugin to do this process. Install and activate the WPS Hide Login plugin. Go to Settings >> WPS Hide Login.

Scroll down to the bottom of the page, enter the new URL in the Login URL field, and click Save Changes.


From now on, you can only enter the admin dashboard of your site with the new URL.

2. Activating two-step verification to increase WordPress login security

You have probably encountered two-step verification when using Facebook or Gmail. These services typically send a unique code to your registered mobile phone number whenever you want to log into your account. This security measure ensures that only the owner of the account can access it: even if hackers get your password, they cannot obtain the unique code sent to your registered mobile number.

Two-factor authentication can also be applied to your WordPress website, where it adds an extra layer of security to the login page. All you have to do is install a two-factor authentication plugin.

Setting up a two-factor authentication plugin is very easy. We use Google Authenticator miniOrange in this tutorial.

Install Google Authenticator miniOrange. As soon as you activate the plugin, the launch widget will appear. Choose the first option, i.e. Google Authenticator.


Next, download the Google Authenticator app on your smartphone. Open the app and scan the QR code.


The program generates a code. Enter it in the installation widget and click Save.

WordPress 2FA login security is now enabled on your login page.
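What the plugin does behind the QR code is check the six-digit code against a shared secret using the TOTP algorithm (RFC 6238 over HMAC-SHA1). The following is an added example written for this article, not the miniOrange plugin's code: the secret, the 30-second step and the ±1-step drift window are the RFC defaults, and the function names are ours. It runs on plain PHP 7.1+ without WordPress.

```php
<?php
/**
 * Added example: server-side verification of an authenticator-app code (RFC 6238 TOTP).
 * Illustration only; not the code of the plugin used in the article.
 */

/** Decode the base32 secret that the QR code carries (RFC 4648 alphabet). */
function totp_example_base32_decode( $b32 ) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32      = strtoupper( rtrim( $b32, '=' ) );
    $bits     = '';
    for ( $i = 0; $i < strlen( $b32 ); $i++ ) {
        $val = strpos( $alphabet, $b32[ $i ] );
        if ( false === $val ) {
            return false; // not a valid secret
        }
        $bits .= str_pad( decbin( $val ), 5, '0', STR_PAD_LEFT );
    }
    $bytes = '';
    for ( $i = 0; $i + 8 <= strlen( $bits ); $i += 8 ) {
        $bytes .= chr( bindec( substr( $bits, $i, 8 ) ) );
    }
    return $bytes;
}

/** The code for one 30-second time step (RFC 4226 dynamic truncation). */
function totp_example_code( $secret, $step, $digits = 6 ) {
    $hmac   = hash_hmac( 'sha1', pack( 'J', $step ), $secret, true ); // 20 raw bytes
    $offset = ord( $hmac[19] ) & 0x0F;
    $binary = ( ( ord( $hmac[ $offset ] ) & 0x7F ) << 24 )
            | ( ord( $hmac[ $offset + 1 ] ) << 16 )
            | ( ord( $hmac[ $offset + 2 ] ) << 8 )
            | ord( $hmac[ $offset + 3 ] );
    return str_pad( (string) ( $binary % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

/**
 * Accept the current step and one step either side to tolerate clock drift,
 * comparing in constant time. A real deployment also stores the last accepted
 * step per user so the same code cannot be replayed inside its window.
 */
function totp_example_verify( $b32_secret, $submitted, $now = null ) {
    $secret = totp_example_base32_decode( $b32_secret );
    if ( false === $secret || ! preg_match( '/^\d{6}$/', $submitted ) ) {
        return false;
    }
    $step = intdiv( $now ?? time(), 30 );
    foreach ( array( -1, 0, 1 ) as $delta ) {
        if ( hash_equals( totp_example_code( $secret, $step + $delta ), $submitted ) ) {
            return true;
        }
    }
    return false;
}

// RFC 6238 Appendix B vector: secret "12345678901234567890" (base32 below) at
// time 59 gives the 6-digit code 287082, so this call should return true.
var_dump( totp_example_verify( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', '287082', 59 ) );
```

The point for an administrator is that the secret, not the code, is what must stay private: anyone who can read it (for example from an unprotected database backup) can generate valid codes, which is why the plugin stores it on the server and the app stores it on the phone and it never travels in a login request.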


3. Setting the login attempt limit

WordPress allows its users unlimited login attempts. This may sound innocuous, but to be honest, it’s a glaring security hole.

Unlimited login attempts enable hackers to perform brute-force attacks. In this type of attack, hackers use bots to try username and password combinations until they find the right one. Bots fail many times before they hit valid credentials, so one of the most effective ways to combat them is to limit login attempts.

A login-limiting plugin will do this for you.

We use the Limit Login Attempts Reloaded plugin to limit the number of login attempts. Install the plugin and then go to Settings >> Limit Login Attempts >> Local App. Here you set how many login attempts are allowed on your website, and how long a client is locked out once that number is exceeded.
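To show what such a plugin actually does, here is an added example written for this article (not the Limit Login Attempts Reloaded plugin's code): a small must-use plugin that counts failures per client IP in a WordPress transient and refuses further logins once the limit is hit. The limit of 5 attempts and the 15-minute window are values we picked for the example; the `lla_example_` names are ours.

```php
<?php
/**
 * Added example: lock a client IP out of login after repeated failures.
 * Save as wp-content/mu-plugins/lla-example.php on a test site to try it.
 * Not the code of the plugin used in the article.
 */

// Policy values chosen for this example; the article's plugin exposes the same two knobs.
define( 'LLA_EXAMPLE_MAX_ATTEMPTS', 5 );
define( 'LLA_EXAMPLE_WINDOW', 15 * MINUTE_IN_SECONDS );

/**
 * Transient name for the calling IP. Behind a reverse proxy REMOTE_ADDR is the
 * proxy's address; you would then take the client address from a header you
 * trust, which this example deliberately leaves out.
 */
function lla_example_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'lla_example_' . md5( $ip );
}

/**
 * Count a failure. WordPress fires wp_login_failed for every rejected
 * username/password pair; the transient's expiry is the sliding window.
 */
function lla_example_record_failure( $username, $error = null ) {
    // Attempts we refused because of an existing lockout must not extend the count.
    if ( $error instanceof WP_Error && 'lla_example_locked' === $error->get_error_code() ) {
        return;
    }
    $key      = lla_example_key();
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, LLA_EXAMPLE_WINDOW );
}
add_action( 'wp_login_failed', 'lla_example_record_failure', 10, 2 );

/**
 * Reject the login once the limit is reached. Priority 30 runs after WordPress's
 * own password check (priority 20), so the lockout overrides even a correct
 * password: a brute-force run cannot "win" on its final guess.
 */
function lla_example_authenticate( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user; // the empty form load, nothing to rate-limit
    }
    if ( (int) get_transient( lla_example_key() ) >= LLA_EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'lla_example_locked',
            sprintf(
                __( 'Too many failed login attempts. Try again in %d minutes.' ),
                LLA_EXAMPLE_WINDOW / MINUTE_IN_SECONDS
            )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'lla_example_authenticate', 30, 3 );

/** A successful login clears the counter for that client. */
function lla_example_clear( $user_login, $user ) {
    delete_transient( lla_example_key() );
}
add_action( 'wp_login', 'lla_example_clear', 10, 2 );
```

Because the check sits on the `authenticate` filter, it also covers logins sent through XML-RPC, which bots use as often as the login form. The usual trade-off applies: a per-IP counter cannot stop a distributed attack that spreads guesses across many addresses, which is why the earlier sections (a non-default login URL and two-factor authentication) are still needed alongside it.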


4. Prevent the discovery of username

A username is usually treated as less important than a password. But the username is half of your credentials, so it should be protected like a password.

On a WordPress website, you’ll see usernames displayed in posts and author archives. Fortunately, there is a way to disable both of them.

This can be done with the help of any SEO plugin. In this section, we use Yoast SEO to demonstrate it.

Go to SEO → Search Appearance → Archives and then disable Author Archives. Click Save changes.


By default, the display name and username (the username you use to log in) are the same. To prevent username discovery, you can change the display name to something else.


Go to Users >> ID >> Nickname. You cannot change the display name directly: you need to set a new nickname first, and then select that nickname from the display-name drop-down menu below it.
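The settings above close the author archive and the display name, but WordPress hands out usernames in two more places that a settings page does not cover: the `/?author=N` redirect and the REST API's user listing. The following added example, written for this article and not part of Yoast SEO or WordPress itself, closes all of them from a must-use plugin; the `nue_example_` names are ours.

```php
<?php
/**
 * Added example: stop WordPress revealing usernames to anonymous visitors.
 * Save as wp-content/mu-plugins/nue-example.php on a test site to try it.
 */

/**
 * 1. Author archives, including /?author=1. Answering 404 before the canonical
 *    redirect runs (priority 1; redirect_canonical runs at 10) matters, because
 *    otherwise /?author=1 is redirected to /author/<username>/ and that redirect
 *    is the leak. set_404() also clears is_author(), so no redirect is built.
 */
function nue_example_block_author_archives() {
    if ( is_author() ) {
        global $wp_query;
        $wp_query->set_404();
        status_header( 404 );
        nocache_headers();
    }
}
add_action( 'template_redirect', 'nue_example_block_author_archives', 1 );

/**
 * 2. /wp-json/wp/v2/users lists every user who has published a post, without a
 *    login. Keep the routes for logged-in users (the block editor needs them)
 *    and remove them for everyone else.
 */
function nue_example_hide_rest_users( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'nue_example_hide_rest_users' );

/**
 * 3. The login form says whether the username or the password was wrong, which
 *    confirms usernames one at a time. One message for every login-form error
 *    (this filter covers all of them) removes that signal.
 */
function nue_example_generic_login_error( $error ) {
    return __( 'Login failed: the username or password is incorrect.' );
}
add_filter( 'login_errors', 'nue_example_generic_login_error' );
```

After activating it, a quick check from a logged-out browser is to request `/?author=1` (expect a 404 rather than a redirect) and `/wp-json/wp/v2/users` (expect a "no route" error rather than a list).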


5. Using auto logout

Automatic logout protects against snoopers. When a user walks away and leaves a session unattended, automatic logout ends the session so that nobody else can pick it up.

By default, WordPress ends a session when its cookie expires, 48 hours after login; if the user has ticked the “Remember Me” box, the session lasts 14 days. Neither timer is tied to activity, so to end a session after a period of idleness you need a separate plugin.

An inactivity-logout plugin ends idle user sessions for you.

Activate the plugin and then go to Settings >> Inactive Logout. Set the idle time after which a session ends. There are also options for role-based timeouts.
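For readers who want to see the mechanism rather than a settings page, here is an added example written for this article (not the Inactive Logout plugin's code). It shortens the cookie lifetime through the `auth_cookie_expiration` filter and adds a server-side idle timeout: the time of each request is stored per user, and the next request after the idle limit ends the session. The 8-hour cap, the 15-minute idle limit and the `al_example_` names are ours.

```php
<?php
/**
 * Added example: a shorter absolute session and a server-side idle timeout.
 * Save as wp-content/mu-plugins/al-example.php on a test site to try it.
 */

// Values chosen for this example.
define( 'AL_EXAMPLE_SESSION_CAP', 8 * HOUR_IN_SECONDS );
define( 'AL_EXAMPLE_IDLE_LIMIT', 15 * MINUTE_IN_SECONDS );

/**
 * WordPress passes 2 days here, or 14 days when "Remember Me" is ticked. Return
 * the same cap in both cases so the checkbox can no longer extend a session.
 */
function al_example_cookie_lifetime( $length, $user_id, $remember ) {
    return AL_EXAMPLE_SESSION_CAP;
}
add_filter( 'auth_cookie_expiration', 'al_example_cookie_lifetime', 10, 3 );

/**
 * Idle timeout. The cookie stays valid on the client, but the first request that
 * arrives after the idle limit is answered by logging the user out, which is
 * what matters when a device is left unattended.
 * Caveat: the timestamp is per user, not per session, so activity on one device
 * keeps all of that user's sessions alive; the admin heartbeat also counts.
 */
function al_example_enforce_idle_timeout() {
    if ( ! is_user_logged_in() || wp_doing_cron() ) {
        return;
    }
    $user_id = get_current_user_id();
    $last    = (int) get_user_meta( $user_id, 'al_example_last_activity', true );
    $now     = time();
    if ( $last && ( $now - $last ) > AL_EXAMPLE_IDLE_LIMIT ) {
        wp_logout();
        wp_safe_redirect( add_query_arg( 'al_example_timeout', '1', wp_login_url() ) );
        exit;
    }
    update_user_meta( $user_id, 'al_example_last_activity', $now );
}
add_action( 'init', 'al_example_enforce_idle_timeout' );

/** Tell the user why they are back at the login form. */
function al_example_timeout_notice( $message ) {
    if ( isset( $_GET['al_example_timeout'] ) ) {
        $message .= '<p class="message">'
            . esc_html__( 'You were logged out after a period of inactivity.' )
            . '</p>';
    }
    return $message;
}
add_filter( 'login_message', 'al_example_timeout_notice' );
```

Note that `update_user_meta` writes to the database on every logged-in request; on a busy multi-author site you would round the timestamp to the nearest minute and skip the write when it has not changed.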


Conclusion about the security of the WordPress login page

As discussed above, hackers’ first attempt to compromise a site is to break into its login page, so it is very important to keep it secure. In this tutorial, we have taught you 5 very practical ways to do this.