In a typical WordPress installation, the login page is one of the most vulnerable pages on the entire website. For this reason, it is important that you protect it against potential attacks and exploits. Follow the tips below to protect your WordPress login page against attacks and improve its security.
1. Change WordPress login URL
By default, the WordPress login page is “yourdomain.com/wp-login.php”. By changing this URL, you are preventing bots and unauthorised users from automatically finding your login page.
Rather than editing the name of wp-login.php, we recommend that you use a plugin such as WPS Hide Login to change this URL. Using a plugin is a good idea because:
- You don’t have to alter or rename any WP core files.
- Your custom login page will remain the same following major updates to WordPress.
Once you have installed WPS Hide Login, navigate to Settings > WPS Login to change the login page’s URL.
2. Limit login attempts
By default, WordPress allows for an infinite number of login attempts. Although it may be next to impossible for a person to guess your login credentials, bots can repeatedly attempt to login via a brute force attack. This is when thousands of login and password combinations are tested until one of them eventually works.
Even if a bot is unable to guess the password, the process is repeatedly sending information to your server, which can cause a dramatic loss in website speed.
Limiting login attempts is very simple and keeps your site safe from brute force attacks. You can either use a plugin or add this code to your functions.php file.
3. Use a secure password:
This one may be obvious, but one of the leading causes of WordPress hacks is weak username/password combinations. To maximise WordPress security, avoid using usernames such as:
- admin
- administrator
- user1
- blog
WordPress automatically generates secure passwords when a new user is created. We recommend that you keep this password and save it to your browser. This will keep your site safe while still allowing you to sign in without hassle.
4. Restrict login to certain IP addresses:
A great way of preventing people from seeing your login page is by restricting access to wp-login.php to specific IP addresses. To do this, paste the code below into your .htaccess file, which is found at the root of your WordPress installation:
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
</Files>
Replace xx.xx.xx.xx with your IP address. You can list multiple addresses by creating multiple ‘Allow from’ lines. See the example below:
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 123.123.123.123
Allow from 456.456.456.456.
Allow from 789.789.789.789
</Files>
Click here to learn more about improving security through your site’s .htaccess file.
5. Use a secure host:
No matter how secure your WordPress site is, an insecure host can put you at risk of hacking and other malicious attacks. For this reason, it is important that your website is hosted by a company that prioritises security.
At OPMC, we provide secure WordPress hosting for websites. Our powerful security software blocks attacks and detects issues before they can cause damage to your website. With 99.99% effectiveness, you can be assured that your site is receiving the best protection against hacking.
Learn more about our hosting options here