Assessing your website’s level of security needs to start at the most obvious entry point: your login page. Having a secure WordPress login page is essential to prevent security breaches.
Poor login security can have a huge impact on how protected your data is and what level of safety you offer your website visitors. Even though WordPress is a very secure CMS platform, it is generally prone to attacks because of its huge popularity. An unprotected login page can be one of the most convenient entry points for malicious entities and can lead to huge security problems for you as a website owner or administrator.
Table of Contents
- Is the WordPress Login Page Secure?
- How to Secure the WordPress Login Page?
- Why Secure Your WordPress Login Page?
Is the WordPress Login Page Secure?
Taking WordPress login security seriously means looking at every single exploitable aspect of your login page. While the WordPress login page is secure, it is not impenetrable. Creating a 100% bulletproof website that is impossible to hack and has zero exploitable features is not something that you can do. What you can do is make it as difficult as possible for a hacker to be able to gain access to your data.
For example, one thing that gets you exposed right off the bat to a certain extent is the fact that the login page is, unless changed, in a well-known location (www.sitename.com/wp-admin/). This is the default location for your WordPress login page as soon as you create your WordPress site. That means that hackers know exactly where to hit.
Another vulnerability we need to take into account is allowing unlimited login attempts. That means that bots can, unless you implement additional security measures, force a login through brute force attacks.
WordPress is a secure CMS and it offers a series of protective measures by default. For example, SSL encryption is a default for all WordPress sites. Firewalls are in place. Security testing is performed regularly. WordPress offers data backup and recovery options in case all else fails. A dedicated security team works tirelessly and is committed to protecting all data shared through WordPress sites.
Despite all these security measures, there are still vulnerabilities you should be aware of. Limiting login attempts and changing the login URL can have a positive effect on how secure your WordPress login is.
How to Secure the WordPress Login Page?
The good news is that there are several ways you can influence the level of security of your WordPress login process. There are many tips and tricks you can benefit from, and we luckily know most of them. Here are some of the most important:
1. Implement a Strong Password Policy
The deeper we get into understanding what a secure website means, the further we tend to drift from the basics. Sometimes the easiest way to a secure WordPress website is simply to pay attention to how we set up our passwords.
To better understand the power of a strong password, let’s see how long it would take a dedicated algorithm to crack a password through brute force based on the number of characters the password has.
- 8 characters – can be cracked instantly if it contains only numbers; can be cracked in 5 minutes if it contains numbers, upper and lowercase letters, and special characters.
- 10 characters – can be cracked instantly if it contains only numbers; can be cracked in 2 weeks if it contains numbers, upper and lowercase letters, and special characters.
- 12 characters – can be cracked in 1 second if it contains only numbers; can be cracked in 226 years if it contains numbers, upper and lowercase letters, and special characters.
- 16 characters – can be cracked in 1 hour if it contains only numbers; can be cracked in 5 billion years if it contains numbers, upper and lowercase letters, and special characters.
As you can see, a strong password can make a huge difference. Just by using a strong password, you can turn a 5-minute brute force attack into a 5 billion years-long brute force attack. Granted, having a strong password, remembering it, and using it every time you log in can be difficult.
That is why certain services like Bitwarden and other password manager platforms can be great tools to help you overcome the difficulties of having to use strong passwords.
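A password manager helps users pick strong passwords, but the site can also refuse weak ones outright. The following is an added example, not code from the original article or from WordPress itself; the 12-character, four-class policy is an assumed threshold chosen to match the table above, and the `pass1` form field it reads is assumed to be the one WordPress submits on the profile and password-reset screens.

```php
<?php
// Added example: reject weak passwords when a user sets or resets one.
// Install it as a site-specific plugin or in a child theme's functions.php.
// Assumed policy: at least 12 characters and all four character classes.

function strong_password_problem( $password ) {
    if ( strlen( $password ) < 12 ) {
        return 'Passwords must be at least 12 characters long.';
    }
    $classes = array(
        '/[a-z]/'        => 'a lowercase letter',
        '/[A-Z]/'        => 'an uppercase letter',
        '/[0-9]/'        => 'a digit',
        '/[^a-zA-Z0-9]/' => 'a special character',
    );
    foreach ( $classes as $pattern => $label ) {
        if ( ! preg_match( $pattern, $password ) ) {
            return "Passwords must contain {$label}.";
        }
    }
    return ''; // an empty string means the password passed the policy
}

// Runs on profile edits and new-user creation in wp-admin. The submitted
// password is assumed to arrive in the pass1 field; it is blank when the
// password is left unchanged, so only check it when something was entered.
function enforce_strong_password( $errors, $update = false, $user = null ) {
    if ( empty( $_POST['pass1'] ) ) {
        return;
    }
    $problem = strong_password_problem( wp_unslash( $_POST['pass1'] ) );
    if ( $problem ) {
        $errors->add( 'weak_password', $problem );
    }
}
add_action( 'user_profile_update_errors', 'enforce_strong_password', 10, 3 );
// Same check on the "set a new password" screen reached from a reset link.
add_action( 'validate_password_reset', 'enforce_strong_password', 10, 2 );
```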
2. Activate Two-Factor Authentication (2FA)
Two-factor authentication can be another great way to improve your WordPress login security. 2FA, as the name suggests, adds a second layer of protection to each login you perform. It is based on the principle of using something you know and something you have for each login and it can reduce security breaches tremendously.
2FA is a service through which every time you want to log in to your website, you will need to use your previously set password and a unique code that is generated and sent to you. You can choose to get the codes sent to you via email, SMS, phone calls, or special authenticator apps.
You can integrate two-factor authentication on your WordPress login page by using a specially dedicated plugin. Some of the best 2FA WordPress plugins are:
3. Install a Comprehensive WordPress Security Plugin
WordPress login security and overall safety can be significantly improved by using a security plugin. There are several options out there, and some will protect your website against a huge variety of potential threats.
Overall WordPress security is generally as good as the least safe component of your website. That means that even though the core of WordPress is safe, you will probably face several other vulnerabilities because of the plugins you use.
Dedicating some funds and website resources to a good WordPress security plugin can protect your WordPress site against much more than just login vulnerabilities. Some of the best WordPress security plugins have a lot of applications for protecting websites and can seriously decrease the chances of your website getting hacked. Here are some of the best:
4. Limit the Number of Login Attempts
One of the most common types of attacks that affect WordPress websites is the brute force attack. This consists of an algorithm trying to guess your password one attempt at a time. One of the simplest ways to prevent this is to just limit login attempts.
Unfortunately, WordPress doesn’t have a built-in feature to limit login attempts. This means that to be able to limit login attempts in WordPress, you will need a security plugin that includes this option or a dedicated plugin. Here are some of the top dedicated plugins:
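If you would rather not rely on a plugin, the same lockout can be built from WordPress hooks. The following is an added example, not code from the original article or from any of the plugins it mentions; the threshold of 5 attempts and the 15-minute window are assumed values, and keying on `REMOTE_ADDR` assumes the site is not behind a reverse proxy.

```php
<?php
// Added example: lock a client out of the login form after repeated failures,
// using WordPress transients as the counter. Install it as a site-specific
// plugin or in a child theme's functions.php.
// Assumed policy: 5 failed attempts, then a 15-minute lockout.

define( 'LOGIN_LOCK_MAX_ATTEMPTS', 5 );
define( 'LOGIN_LOCK_WINDOW', 15 * MINUTE_IN_SECONDS );

function login_lock_client_key() {
    // REMOTE_ADDR is only the real client address when no proxy sits in
    // front of the site; behind one, read the proxy's trusted header instead.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'login_lock_' . md5( $ip );
}

// Count each failure. The transient expires on its own once the window ends,
// so the counter resets without any cleanup code.
function login_lock_record_failure( $username ) {
    $key      = login_lock_client_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, LOGIN_LOCK_WINDOW );
}
add_action( 'wp_login_failed', 'login_lock_record_failure' );

// Once the threshold is reached, refuse the login before credentials are
// checked. Priority 30 runs after WordPress's own username/password check.
// The message deliberately does not say which part of the login was wrong.
function login_lock_check( $user, $username, $password ) {
    $attempts = (int) get_transient( login_lock_client_key() );
    if ( $attempts >= LOGIN_LOCK_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'login_lock_check', 30, 3 );

// A successful login clears the counter so legitimate users are not penalised
// for a couple of typos.
function login_lock_clear( $user_login ) {
    delete_transient( login_lock_client_key() );
}
add_action( 'wp_login', 'login_lock_clear' );
```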
5. Change the Default WordPress Login URL
Another way to protect your website from brute force attacks is to simply change the URL you use to log in. As mentioned before, every WordPress site uses the same login destination by default, something like www.sitename.com/wp-admin/.
Hackers know that and are able to automate attacks with bots that simply try finding the login page URL for each website and then start the process of “guessing” the password.
If you change the login page URL, you will significantly reduce the chances of bots finding your login page, thus making them unable to even start brute-force attacks. You can easily do this by using security plugins that have this option or with a dedicated plugin like WPS Hide Login.
6. Password-Protect the Login Page at the Hosting Level
One extra step in the process of logging in to your WordPress dashboard can have a huge impact on how secure your WordPress website is. On top of the security measures mentioned above (and below, for that matter), you can add another layer of protection by password-protecting your login page at the hosting level.
Depending on who your hosting provider is, this process can be different. The main idea is to access your cPanel or equivalent control panel, navigate to your website’s folders, and locate the /public_html/wp-admin/ folder.
If you password-protect this folder, every time you try to access the login page URL www.sitename.com/wp-admin/, you will be required to enter a username and password even before entering the WordPress user login information.
Password-protecting WordPress is a great way to seriously decrease your chances of ever getting hacked.
7. Disable WordPress Login Hints
Another important step in improving WordPress login security is simply disabling the login hints WordPress natively offers after failed login attempts. For example, if you try to log in with an incorrect username, WordPress will display a message saying that your username was wrong.
Naturally, this information can be helpful to hackers or bots trying to find a way in. Any piece of information that leaks through the cracks is going to be of great help in the malicious process.
To avoid giving attackers any clues, you will need to disable these login hints. That way, you remove a bit of information that other websites give out unwillingly. To get this done, you just need to add a couple of lines of code to your functions.php file:
```php
// Replace every login error message with a single generic one, so a failed
// attempt no longer reveals whether the username or the password was wrong.
function no_wordpress_errors() {
    return 'An error message of your choice.';
}
add_filter( 'login_errors', 'no_wordpress_errors' );
```
Now, whenever failed login attempts occur, WordPress will display “An error message of your choice” instead of the default messages that include details about which part of the login information was wrong.
One thing to keep in mind is that the functions.php file will be overwritten every time WordPress updates, which means that the extra code you just added will simply disappear.
An easy-to-implement solution to this is to use a dedicated plugin or a child theme.
8. Hide Your WordPress Login Username
One thing we tend to focus on far less than having a strong password is the fact that our username generally represents half of the login information a malicious entity needs to access our data.
That being said, keeping our usernames private is just as important as protecting our passwords and making them as secure as possible. A relevant piece of information many WordPress website owners tend to forget is that usernames are public by default, because each post's author name is actually the login username. Whether this happens depends on your settings and on which form the author name is set to appear in: Nickname / Username / Full Name / First Name / Last Name.
To make this vital piece of information private, you just need to make some adjustments to your WordPress user profile, under Users -> Profile -> Nickname if you are looking to change things up for your own user. Here, you can change your nickname to something different than your login username.
If you want to make this change for a different user, you will need to navigate to the Users menu and then click Edit on the desired user, where you can edit the Nickname field.
One important thing to mention is that as a WordPress user, you will have a username (which is what you will use to log in) and a nickname (which will appear on all the posts you author).
On this same page, you can also set up how your public name will look. You should see the option Display name publicly as, and you will be able to select from different options in a dropdown menu.
One last thing to mention is that the default username for any WordPress admin user is admin. Changing this username to anything else will give you an extra layer of website security, since it will deter hackers using automated systems based on known vulnerabilities.
To change it, you just need to click on Change username on the right side of the Username field on this same page.
9. Enable and Configure Auto Logout
Especially important for websites with multiple users, configuring different auto-logout rules will seriously decrease your chances of security breaches caused by human error. Since you have little to no control over the way your users access the dashboard of your WordPress website, it’s important to reduce the risks another way.
If one of your users logs in from a public computer, for example, and forgets to log out, WordPress only logs them out automatically after 48 hours. This period extends to 2 weeks for users who check the “remember me” box on the login screen.
To shorten these time frames that can cause you serious security concerns, you will need to use a third-party plugin like Inactive Logout, WPForce Logout, or other security plugins that include this feature.
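The 48-hour and 2-week lifetimes are the defaults of the WordPress login cookie, and they can be shortened with a filter. The following is an added example, not code from the original article or from the plugins it mentions; the 8-hour, 24-hour and 1-hour limits are assumed values, and the stricter administrator rule is one way of applying different rules to different users as the section suggests.

```php
<?php
// Added example: cap how long a WordPress login cookie stays valid.
// WordPress passes its default (2 days, or 14 days with "Remember Me") into
// the auth_cookie_expiration filter; returning a smaller number shortens the
// session. Install as a site-specific plugin or in a child theme's functions.php.
// Assumed policy: 8 hours for regular users, 24 hours with "Remember Me",
// and never more than 1 hour for administrators regardless of the checkbox.

function short_session_expiration( $length, $user_id, $remember ) {
    // Administrators can change everything on the site, so their sessions
    // get the shortest lifetime and "Remember Me" is not honoured for them.
    if ( user_can( $user_id, 'manage_options' ) ) {
        $limit = HOUR_IN_SECONDS;
    } else {
        $limit = $remember ? DAY_IN_SECONDS : 8 * HOUR_IN_SECONDS;
    }
    // Never extend the default, only shorten it.
    return min( (int) $length, $limit );
}
add_filter( 'auth_cookie_expiration', 'short_session_expiration', 10, 3 );
```

Because the lifetime is stored in the cookie when it is issued, the new limits apply to logins made after the code is in place, not to sessions that already exist.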
10. Integrate CAPTCHA and Security Questions
WordPress login security can be improved considerably if you understand one simple fact: most of the malicious traffic on the web is non-human. That means that, in most cases, keeping your website from getting hacked is a simple matter of keeping bot traffic away from it.
That is where CAPTCHA comes in as a way to differentiate human traffic from bot traffic. These are specially designed Turing tests you can use on your website to keep bots away. To implement them, you will need to use third-party plugins like:
11. Regularly Review User Accounts
WordPress login security can also be influenced by how careful you are with the users who have access to your dashboard.
If you have a website with an above-average number of contributors, it is imperative for you to constantly check the list of users and their permissions. You should always keep an eye on the active accounts and ensure that you don’t leave any users active when they no longer need access.
Also, by having a clear idea of who the users are and what their permissions are, you will be able to notice if suspicious users with high access privileges appear out of nowhere.
Why Secure Your WordPress Login Page?
While the true number of WordPress sites that are getting hacked every day is not known, experts estimate that at least 13,000 websites go through some form of malicious attack every single day. The fact that roughly 9 sites get hacked every minute should put things in some sort of perspective.
By the time you’ve finished reading this article, around 100 websites have been hacked.
If you want to avoid being part of this statistic, you should take WordPress login security seriously and that needs to start at the most obvious entry point: the login page. If you cut corners, there is quite a lot you are putting at risk.
You can unwillingly grant malicious actors access to your data, risk having your website completely shut down or defaced, or you can put your other users’ personal information at risk.
That can cost you dearly. Whether that translates into money loss, user trust, or simply the online reputation of your blog or business, the repercussions of a malicious attack can be quite serious.
The good news is that with relatively little effort, all this can be avoided. Putting some focus on WordPress login security can go a long way in preventing all kinds of security threats, so you shouldn’t hesitate to make these tweaks sooner rather than later.
Conclusion
Even a little effort put into improving WordPress login security can go a long way toward securing your website. Whether it’s through two-factor authentication, limiting login attempts, changing the URL of the page you use for logging in, or all of these, the important thing is to stay on top of the game at all times.
You should also make it a priority to stay informed and up to date with the recommendations WordPress makes in terms of security and always stay in line with their list of best practices.