This post may contain affiliate links, I receive a small commission if you make a purchase with this link.

WordPress security login

As a WordPress website owner, it is important to add security to your login page to prevent unauthorized access to your website. Hackers and malicious third parties are always looking for the easiest backdoors into your website, and the login page is one of the most vulnerable areas.

WordPress is the most popular CMS on the internet, which makes it an easy and attractive target for hackers. The platform is vulnerable to attacks and exploits due to outdated core software, themes, and plugins, malware, credit card skimming, unauthorized access, and more.

Adding security to your WordPress login page can help prevent these attacks and exploits. Here are some techniques that you can implement to improve your WordPress login security.

Some of the following recommendations may seem technical and difficult to do – don’t worry – I will recommend a free plugin that can do most of these tasks for you.

Let’s dive in!

Table of Contents

Use a Custom Login URL

Hackers know the default login url, it’s wp-login.php. Hacking scripts will target this location on your website and spam it with thousands and thousands of login attempts using a dictionary of common passwords.

Even if they don’t succeed in guessing your password it can slow down your websites or even break it.

The solution is for your login page to be at a different location – a custom login URL that you decide.

You will need a plugin to achieve this – I’ll recommend one that can create a custom login page for you later in the article.

Limit login access by IP address or range

If you always log into your WordPress website from the same machine you may want to limit your login page to the IP address or range of your machine.

This will block all login attempts from other IP addresses.

The problem is you will not be able to login from another address. For instance, if you take your laptop to a coffee shop and use the Wi-Fi to login it won’t work because the IP address will be different.

Use Two Factor Authentication (2FA)


This option will greatly increase your security because even if a hacker successfully guesses your password they will then need to authenticate a second time using Google Authenticator or some other method.

This makes the login process a little more complicated and time consuming but it is highly recommended.

Disable Common Usernames

Using common usernames makes it easier for your site to be hacked. Don’t use usernames such as:

  • admin
  • test
  • guest

Instead, choose unique and difficult-to-guess usernames. You can also block these common names on the signup pages using security plugins or by manual configuration.

Limit Login Attempts

An obvious sign you are being hacked is repeated failed attempts to log in using different passwords and usernames.

A plugin can limit the number of failed login attempts. After the final failed login attempt that IP address will be blocked for an hour. Repeated failed login attempts will trigger longer timeouts of 24 hours and then 7 days.

This depends on the plugin and your configuration.

Use SSL on your website


This cannot be set up using a plugin. You will need to access your hosting account to generate and assign an SSL certificate for your website.

SSL Manager

This will encrypt all traffic, including login attempts, to and from your website. For instance, when you log in from a coffee shop using free Wi-Fi, other users on that network won’t be able to see your username and password.

SSL also ensures the safety of visitors who want to use your contact form. Without SSL, their communication with you could be viewed by third parties, but SSL prevents this.

Payment processors usually require SSL on a website before allowing transactions to occur.

Lastly, SSL is considered a ranking factor by Google, so using it on your website can give you a small boost in rankings.

Use a strong password for your WordPress admin account

thinking of a strong password

Strong passwords are more difficult to guess. Instead of just using letters and numbers, incorporate punctuation as well to enhance the complexity of your password and make it harder to guess.

It is crucial to use different passwords for each website. Sometimes websites experience security breaches, resulting in the collection of passwords. Hackers then include these stolen passwords in their lists for subsequent hacking attempts.

Hide your WordPress version number

By default, WordPress includes the version number in its HTML output. Although this number is not visible on the web page, hackers examining the HTML can easily identify it.

If the version number doesn’t match the latest WordPress version, hackers can search for security vulnerabilities and exploit them to gain unauthorized access to your website.

To prevent WordPress from displaying this version number in its output, you can use a security plugin. Such a plugin will effectively eliminate this vulnerability.

Disable the Themes and Plugin editor

Unless you plan to modify code using the theme and plugin editors on your WordPress website I recommend disabling these editors.

By disabling the editor, website owners can improve their website’s security and prevent potential security vulnerabilities and cyber attacks.

ransomware gang
ransomware gang

Disable XML-RPC, RSS and Atom feeds

XML-RPC has been known to contain security vulnerabilities in the past. XML-RPC is most useful for software developers, most website owners do not need XML-RPC and should disable it for improved security.

RSS and Atom feeds provide a feature where published articles can be accessed via a structured feed suitable for reading by other applications. It reduces the load on a website as no images, CSS or javascript files are needed.

It does, however, provide security issues as the code needed for this feature could be vulnerable to attacks by hackers.

The downside to disabling RSS and Atom feeds are that visitors who use these feeds to be alerted to new content on your site will not be notified.

Delete the default Readme.html

The Readme.html file is not needed for the website’s functionality and reveals sensitive information about your website, such as the WordPress version number.

This file is often used by hackers to compile lists of potentially vulnerable sites which can be hacked or attacked.

Install a WordPress plugin to harden your security

Manually making all these changes suggested to your website can be daunting. Luckily there are security plugins that can do these tasks for you. Setting them up can be done in a matter of minutes.

There are several plugins on the market, I recommend this free plugin from SiteGround that works on any WordPress website – regardless of your hosting provider.

Get SiteGround Security Plugin

Nearly all the tasks I have mentioned previously can be done with this plugin. The exception is installing an SSL certificate for your website which can be done from your hosting account.

Backup your website

This is an essential task to perform, for all websites, not just WordPress websites. Given how common WordPress websites are hackers do regularly attack them so you should have an automated backup schedule setup for your account, at least weekly and preferably daily backups.

Automate daily backups of your website

Add a Captcha to your Website Forms

Your “Contact Us” and other website forms, including your comments section, will be spammed with all kinds of scams and solicitations.

Adding a Captcha to your forms makes it much more difficult for a bot or script to send unsolicited content.

I’ve written about how to do this previously. Here is the article: Say Goodbye to Email Spam with CAPTCHA & WPForms

Updated 3+ Million Sites

Use a hosting provider with good security

There is only so much you can do as the owner of a WordPress website. Some security issues can only be addressed and mitigated by network and server technicians employed by your hosting provider.

Security threats continue to evolve, with hackers, spammers, malware, and ransomware gangs on the rise. That’s why it’s crucial to choose a hosting provider with a proven security track record.

Personally, I use and recommend SiteGround for hosting WordPress websites. With data centers worldwide and user-friendly setup screens, you can easily install and configure your WordPress site. Plus, you can even purchase and register your domain through them.

Ad - Web Hosting from SiteGround - Crafted for easy site management. Click to learn more.

Final Thoughts

I hoped you found this article informative and useful.

Implementing these security precautions and preventive measures can’t guarantee you won’t be hacked but it will greatly reduce the chance.

It’s important to remember that regardless of security features offered by your hosting service on the back end, the website owner is responsible for securing their website.

If you found this article helpful, please consider sharing it with your network by using the social media sharing buttons below. Thank you for your support!

Leave a Comment