How to Secure Your WordPress Login Page (Complete Guide)

A critical factor in running a successful WordPress website is implementing monitoring and security measures. After all, a hacked site can cause a lot of headaches — regardless of whether your site is used for business or personal purposes. It can impact your revenue, risk your visitors’ information, and wreck your reputation. 

A typical entry point for hackers is the WordPress login page, which will be our focus today. What follows is a rundown of 14 ways to harden WordPress login security so malicious actors won’t breach your site. 

Why secure your WordPress login page?

Before we get to the list of security tips, let’s first briefly discuss why you might want to secure your WordPress login page — from brute force attacks or otherwise — in the first place. 

  • WordPress is very popular, so cybercriminals are often looking for new vulnerabilities that they can exploit over a wide number of sites.
  • Because hackers are familiar with WordPress, they know when a website is outdated and which security flaws are present in each version. 
  • To gain access through a login page, hackers don’t always need advanced development knowledge or special skills.

Keeping a secure WordPress login page is essential for your website’s long-term success and overall performance. 

How to harden your WordPress login security

So you know why you need to create a secure WordPress login, but how can you accomplish it? We’ve gathered 14 ways to secure your WordPress login page properly so you don’t have to leave the safety of your data or customer info to chance. 

1. Install a WordPress security plugin

You can get a handle on most security concerns in just a few minutes by installing a high-quality WordPress security plugin. While many plugins specialize in protecting specific aspects of a site or against certain kinds of attacks, a more comprehensive approach is best for the average site.  An all-in-one security plugin will include features like audit logs, malware scans, firewalls, and login security tools in a single solution.

And at the top of the list of our recommendations is Jetpack Security.

Jetpack Security homepage

Jetpack Security works by taking care of numerous security tasks automatically. And with both free and paid features, a level of protection is available to everyone with a WordPress website. It has a strong range of features that can work to prevent security breaches, but also help you diagnose and recover from any incidents you experience. These include:

  • Brute force attack protection
  • Spam prevention
  • Malware scanning 
  • Downtime monitoring 
  • Backups 
  • Activity logs 
  • Two-factor authentication

While you can move through the rest of the steps outlined here on your own, using a plugin like Jetpack Security will streamline the login hardening process. 

2. Change and hide your WordPress login URL

Another way to make your login page more secure is to hide it from prying eyes. By default, the login address for all WordPress sites is http://www.yourwebsitename.com/wp-admin, which is basically like giving a burglar your home address. So anything you can do to obscure this is a good idea. 

Changing the WordPress login URL is a great way to put barriers in place to make the hacker’s job more difficult. You can find a plugin that does this for you, but you can also do it yourself. 

For this, you’ll need FTP access to your website. Once you’ve got that, just follow the instructions in our tutorial: WordPress Login URL: How to Find, Change, and Hide It

3. Use a strong password to log in to WordPress

You can also bolster your site security by upgrading to a stronger password. Implementing strong password measures makes it much less likely that a hacker or bot will be able to “guess” it. Though “fluffy21” might be easy to remember, it’s much too easy to guess — especially if “Fluffy” is the name of a beloved pet. 

Instead of picking passwords based on names, ages, or pets, creating one that combines letters and numbers, uppercase and lowercase letters, and a couple of symbols are much better. You can build a strong password in a couple of ways: 

  • A built-in strong password tool. WordPress has a strong password tool that encourages you to create a stronger password than what you may be naturally inclined to choose.  
  • A password generator. Many password generators make it easy to develop a strong password that’s not intuitively guessable. 
  • A password keeper/manager. The only trouble with strong passwords is that they’re hard to remember. Using a password keeper or management tool eliminates this issue. Popular options include LastPass, DashLane, and 1Password.
LastPass homepage

4. Password protect your login page

By default, anyone can access the login page for your WordPress site. And while you can hide or change your login URL, as we previously discussed, hackers may be able to find it if the wp-admin folder is still accessible. 

That’s why adding another layer of protection before accessing the login page is a good idea. And you can accomplish this by password protecting the wp-admin folder. If your web host uses cPanel, this process is relatively easy. 

Log in to your hosting provider account, access the cPanel, then go to the Directory Privacy folder. 

While viewing your site’s files, navigate to public_html/wp-admin. There should be a visible checkbox that reads password protect this directory. Check the box. Then create a new username and password for accessing the wp-admin folder. Save your changes.

Try to log in to your site as usual. You should now have to input another set of credentials before being granted permission to log in to WordPress. 

Note: this process would be identical, even if you moved the location of your login page. Password-protect the folder in which your login page resides, even if it’s not wp-admin. 

5. Limit the number of login attempts

Another thing you need to do to secure the WordPress login page is to limit login attempts. Hackers can use bots to make repeated login attempts until they crack the code — i.e., figure out your password and gain access to your website. Unfortunately, WordPress allows unlimited logins by default.

To prevent this potential access point, you can limit login attempts. A plugin is the best way to accomplish this. In fact, Jetpack Security offers Brute Force Attack Protection as a part of its all-in-one security solution. 

number of brute force attacks blocked by Jetpack

Brute force attacks can be incredibly disruptive to how your website functions, even before hackers gain access. For instance, they can slow your site down considerably — or cause it to stop responding altogether. Repeated login attempts may eventually succeed and the hacker can then go on to inject malware, insert links, or otherwise cause mayhem. These attacks can also put your personal information at risk. 

The Brute Force Attack Protection feature included in Jetpack Security provides the tools necessary to block attacks and prevent malicious hackers from gaining access to your data. It works by blocking malicious IPs before they ever get to your site. It also provides a count of total attacks and enables you to whitelist known IP addresses.

6. Add a security question to your WordPress login form

You can also extend the security of your login form by adding a security question (or two) to the login process. So, instead of just inputting a username and password, users must also answer a security question to gain access. 

This single step makes your website much more difficult to hack. And it’s relatively easy to implement. 

The No-Bot Registration plugin is a great way to accomplish this. Download it by going to Plugins → Add New, then type in the plugin’s name. Once it appears, download and activate it. 

No-Bot Registration plugin

Once activated, go to Settings from the WordPress dashboard. Here you can set up the plugin and configure the rules for when security questions are used (on registration, login, or forgotten password pages). 

This is much more user-friendly than a CAPTCHA, as it only requires answering a simple and logical question.

7. Add two-factor authentication to WordPress

Next, you can enable two-factor authentication. Many websites and apps use this popular security option, including Gmail. It works by sending an SMS code to your phone that you’ll need to input before you can complete the sign-in process. 

This is used to verify your identity and ensure access is only granted to authorized users. Every layer of authentication that you add to the process makes it significantly more difficult for someone to hack your site. Even if a bad actor gets access to your login information, it’s unlikely that they’ll be able to thwart the 2FA process.  

The easiest way to add two-factor authentication to WordPress is using a 2FA plugin. Several security plugins include this feature, but again, Jetpack Security comes through strong with Secure Authentication

Secure Authentication allows you to log in using your standard WordPress.com credentials and also disable or bypass the default login form entirely. Plus, you can opt to make two-factor authentication a requirement for all users to give your site further protection. 

8. Install an SSL certificate on your WordPress site

Another avenue of protection is to install an SSL certificate. Getting an SSL certificate for free is easy, so it’s a security measure no one should skip over. 

SSL is how most websites secure their data. And you can tell when a site is secure as the “HTTP” in the URL field will have an “S” added, so it reads “HTTPS.” Browsers will often use other visual indications, like a green lock icon, to let visitors know your site has an active SSL certificate in place. 

Beyond the security implications, visitors may not continue to navigate your site if they see that it’s unsecured. Plus, sites with SSL certificates tend to rank better in search engines and some browsers will even display a warning to visitors if you don’t have one. 

Don’t skip this step. Learn how to get a free SSL certificate.

9. Disable WordPress login hints after failed login attempts

Login hints can be genuinely helpful for real WordPress users, but they can sometimes give away too much information about your username and password to hackers. When you attempt to log in to a WordPress site and get the username wrong, you’re met with an error that reads, “The username is not registered on this site. If you are unsure of your username, try your email address instead.” 

error message about a username that's not registered

Something similar happens if you type in the right username or email address, but the wrong password. 

incorrect password error

To remove login hints, you need to add a few lines of code to your site’s functions.php file. 

function no_wordpress_errors(){
return 'There is an error.';
}
add_filter( 'login_errors', 'no_wordpress_errors' );

When someone — real or bot — inputs an incorrect username or password, they’re greeted with the message, “There is an error,” rather than the default. 

10. Keep your WordPress install & plugins up-to-date

Hackers also find entry points into WordPress sites via outdated installations. Every time WordPress is updated, all the bug fixes and security holes that were repaired are posted online. If your installation is outdated, hackers have an instruction manual for breaching your site. 

When new WordPress core updates roll out, you must back up your site and install the update as quickly as possible. 

But that’s not all you need to be mindful of. Third-party software — i.e., plugins and themes — are potential weak points, too. They’re even more essential to keep updated as plugins and themes are made by various development companies with different standards and approaches. 

This is also why you must be selective about the plugins and themes you install. If your go-to social sharing plugin hasn’t been updated in two years, it may be time to find one that updates regularly.

11. Hide your WordPress version number

A quick way to improve the login page’s security is to hide the WordPress version number. At the very least, this will make hackers look more thoroughly to determine which security holes to exploit. And you can remove it rather easily. 

Locate the functions.php file and (after you’ve backed up your site) add the following line of code to the file: 

remove_action('wp_head', 'wp_generator');

12. Hide your WordPress login username

Another step you can take is to hide your WordPress login username. A lot of the time, the emphasis is on creating a super-secure password — which is excellent — but you need to think of your username, too. Often, it’s available to the public — an opportunity hackers can exploit.

The quickest way to hide your username from the view of prying eyes is to remove it from appearing on blog posts and within author archives. 

To remove your username from blog posts, you simply need to go to Users → Profile → Nickname while logged into WordPress. From here, you can change the nickname so that your username is no longer visible to site visitors. So instead of seeing “blogperson02,” they’ll see your first name, first and last name, or another nickname you configure. 

To remove your username from appearing in the author archives, you’ll need an SEO plugin like Yoast SEO

Install Yoast like any other plugin, then go to the SEO → Search Appearance → Archives menu in the WordPress dashboard. There’s an option here to disable author archives. Do this, then click Save Changes

disabling author archives with Yoast

13. Shorten your WordPress auto-logout timer

It’s common to stay logged in to your accounts when you use them often. But this can create potential breaches, especially if several people have accounts on your site. Implementing an auto-logout timer is a great way to close those security holes. 

When a session is left unattended, it will be logged out automatically. By default, WordPress will log out users after 48 hours. Checking the “Remember Me” box keeps users logged in for 14 days. You can change these time frames a bit by using a third-party plugin. One that’s dedicated to this feature is Inactive Logout

Once installed, navigate to Settings → Inactive Logout → Basic Management. Then select the duration of idle time you want to trigger a logout.

14. Delete old and unused WordPress user accounts

Lastly, deleting accounts no longer in use can also help improve your WordPress security. Having several open accounts on your site means each is an access point to private data. And if you’re not regularly updating passwords for these accounts, they could present significant weaknesses. 

To avoid this, delete old and unused accounts. Make doing so a part of your regular site maintenance plan. 

You should also only provide privileges to users who need them. Not every user needs Editor or Admin privileges.

Likewise, keep an eye on the accounts listed. Sometimes, hackers will create a fake account. If one appears, delete it right away and bolster the rest of your security measures. Learn what to do if your WordPress website has been hacked

Secure your WordPress login page

Owning a website means bearing a level of responsibility for its content and users. Of course, this is doubly the case if you collect customer information. But no matter how you use your WordPress site, bolstering security around the login page is a great way to keep your data safe for the long haul. 

And the tips presented here should help you become efficient at WordPress security maintenance in no time. 

Ready to take the first step? Get started with Jetpack Security.

This entry was posted in Security. Bookmark the permalink.

Simon Keating profile
Simon Keating

Simon has worked in marketing and product development for over 10 years, previously at HubSpot, Workday, and now Automattic (Jetpack). He has a varied education, with a degree in chemical engineering and a masters in computer science to his name. His passion is helping people and their businesses grow.

Explore the benefits of Jetpack

Learn how Jetpack can help you protect, speed up, and grow your WordPress site.

Get up to 59% off your first year.

Compare plans

Have a question?

Comments are closed for this article, but we're still here to help! Visit the support forum and we'll be happy to answer any questions.

View support forum
  • Enter your email address to follow this blog and receive news and updates from Jetpack!

    Join 110,904 other followers
  • Browse by Topic

  • %d bloggers like this: