As a WordPress website owner, it is important to add security to your login page to prevent unauthorized access to your website. Hackers and malicious third parties are always looking for the easiest backdoors into your website, and the login page is one of the most vulnerable areas.
WordPress is the most popular CMS on the internet, which makes it an easy and attractive target for hackers. The platform is vulnerable to attacks and exploits due to outdated core software, themes, and plugins, malware, credit card skimming, unauthorized access, and more.
Adding security to your WordPress login page can help prevent these attacks and exploits. Here are some techniques that you can implement to improve your WordPress login security.
Some of the following recommendations may seem technical and difficult to do – don’t worry – I will recommend a free plugin that can do most of these tasks for you.
Let’s dive in!
Table of Contents
- Use a Custom Login URL
- Limit login access by IP address or range
- Use Two Factor Authentication (2FA)
- Disable Common Usernames
- Limit Login Attempts
- Use SSL on your website
- Use a strong password for your WordPress admin account
- Hide your WordPress version number
- Disable the Themes and Plugin editor
- Disable XML-RPC, RSS and Atom feeds
- Delete the default Readme.html
- Install a WordPress plugin to harden your security
- Backup your website
- Add a Captcha to your Website Forms
- Use a hosting provider with good security
- Final Thoughts
Use a Custom Login URL
Hackers know the default login url, it’s wp-login.php. Hacking scripts will target this location on your website and spam it with thousands and thousands of login attempts using a dictionary of common passwords.
Even if they don’t succeed in guessing your password it can slow down your websites or even break it.
The solution is for your login page to be at a different location – a custom login URL that you decide.
You will need a plugin to achieve this – I’ll recommend one that can create a custom login page for you later in the article.
Limit login access by IP address or range
If you always log into your WordPress website from the same machine you may want to limit your login page to the IP address or range of your machine.
This will block all login attempts from other IP addresses.
The problem is you will not be able to login from another address. For instance, if you take your laptop to a coffee shop and use the Wi-Fi to login it won’t work because the IP address will be different.
Use Two Factor Authentication (2FA)
This option will greatly increase your security because even if a hacker successfully guesses your password they will then need to authenticate a second time using Google Authenticator or some other method.
This makes the login process a little more complicated and time consuming but it is highly recommended.
Disable Common Usernames
Using common usernames makes it easier for your site to be hacked. Don’t use usernames such as:
- admin
- test
- guest
Instead, choose unique and difficult-to-guess usernames. You can also block these common names on the signup pages using security plugins or by manual configuration.
Limit Login Attempts
An obvious sign you are being hacked is repeated failed attempts to log in using different passwords and usernames.
A plugin can limit the number of failed login attempts. After the final failed login attempt that IP address will be blocked for an hour. Repeated failed login attempts will trigger longer timeouts of 24 hours and then 7 days.
This depends on the plugin and your configuration.
Use SSL on your website
This cannot be set up using a plugin. You will need to access your hosting account to generate and assign an SSL certificate for your website.
This will encrypt all traffic, including login attempts, to and from your website. For instance, when you log in from a coffee shop using free Wi-Fi, other users on that network won’t be able to see your username and password.
SSL also ensures the safety of visitors who want to use your contact form. Without SSL, their communication with you could be viewed by third parties, but SSL prevents this.
Payment processors usually require SSL on a website before allowing transactions to occur.
Lastly, SSL is considered a ranking factor by Google, so using it on your website can give you a small boost in rankings.
Use a strong password for your WordPress admin account
Strong passwords are more difficult to guess. Instead of just using letters and numbers, incorporate punctuation as well to enhance the complexity of your password and make it harder to guess.
It is crucial to use different passwords for each website. Sometimes websites experience security breaches, resulting in the collection of passwords. Hackers then include these stolen passwords in their lists for subsequent hacking attempts.
Hide your WordPress version number
By default, WordPress includes the version number in its HTML output. Although this number is not visible on the web page, hackers examining the HTML can easily identify it.
If the version number doesn’t match the latest WordPress version, hackers can search for security vulnerabilities and exploit them to gain unauthorized access to your website.
To prevent WordPress from displaying this version number in its output, you can use a security plugin. Such a plugin will effectively eliminate this vulnerability.
Disable the Themes and Plugin editor
Unless you plan to modify code using the theme and plugin editors on your WordPress website I recommend disabling these editors.
By disabling the editor, website owners can improve their website’s security and prevent potential security vulnerabilities and cyber attacks.
Disable XML-RPC, RSS and Atom feeds
XML-RPC has been known to contain security vulnerabilities in the past. XML-RPC is most useful for software developers, most website owners do not need XML-RPC and should disable it for improved security.
RSS and Atom feeds provide a feature where published articles can be accessed via a structured feed suitable for reading by other applications. It reduces the load on a website as no images, CSS or javascript files are needed.
It does, however, provide security issues as the code needed for this feature could be vulnerable to attacks by hackers.
The downside to disabling RSS and Atom feeds are that visitors who use these feeds to be alerted to new content on your site will not be notified.
Delete the default Readme.html
The Readme.html file is not needed for the website’s functionality and reveals sensitive information about your website, such as the WordPress version number.
This file is often used by hackers to compile lists of potentially vulnerable sites which can be hacked or attacked.
Install a WordPress plugin to harden your security
Manually making all these changes suggested to your website can be daunting. Luckily there are security plugins that can do these tasks for you. Setting them up can be done in a matter of minutes.
There are several plugins on the market, I recommend this free plugin from SiteGround that works on any WordPress website – regardless of your hosting provider.
Nearly all the tasks I have mentioned previously can be done with this plugin. The exception is installing an SSL certificate for your website which can be done from your hosting account.
Backup your website
This is an essential task to perform, for all websites, not just WordPress websites. Given how common WordPress websites are hackers do regularly attack them so you should have an automated backup schedule setup for your account, at least weekly and preferably daily backups.
Automate daily backups of your website
Add a Captcha to your Website Forms
Your “Contact Us” and other website forms, including your comments section, will be spammed with all kinds of scams and solicitations.
Adding a Captcha to your forms makes it much more difficult for a bot or script to send unsolicited content.
I’ve written about how to do this previously. Here is the article: Say Goodbye to Email Spam with CAPTCHA & WPForms
Use a hosting provider with good security
There is only so much you can do as the owner of a WordPress website. Some security issues can only be addressed and mitigated by network and server technicians employed by your hosting provider.
Security threats continue to evolve, with hackers, spammers, malware, and ransomware gangs on the rise. That’s why it’s crucial to choose a hosting provider with a proven security track record.
Personally, I use and recommend SiteGround for hosting WordPress websites. With data centers worldwide and user-friendly setup screens, you can easily install and configure your WordPress site. Plus, you can even purchase and register your domain through them.
Final Thoughts
I hoped you found this article informative and useful.
Implementing these security precautions and preventive measures can’t guarantee you won’t be hacked but it will greatly reduce the chance.
It’s important to remember that regardless of security features offered by your hosting service on the back end, the website owner is responsible for securing their website.
If you found this article helpful, please consider sharing it with your network by using the social media sharing buttons below. Thank you for your support!