WordPress Login Protection
Did you know that 80% of website breaches in 2020 involved brute force attacks? This type of attack typically targets your website’s login page and makes repeated attempts to gain access to your site.
If you run a WordPress site, you cannot afford to ignore WordPress login protection measures. Through your WordPress account, hackers can take complete control of your website, its users and its resources. For example, they can use your site to sell fake or illegal products to your customers or to steal valuable customer data.
This detailed and in-depth guide talks about 12 effective measures you can take to improve your WordPress login security.
How to Protect your WordPress Login?
Now that we know why WordPress login protection is important for your website, let us look at 12 measures that can secure your WordPress login:
1. Use Strong Login Credentials
A brute force attack succeeds by guessing the username and password of an account to force its way in. Hence, every WordPress account must be configured with strong login credentials.
Automated brute-forcing bots can easily guess weak usernames like “user01” or “admin123” and weak passwords like “password” or “123456789.”
Here are some measures to build strong login credentials:
- Replace any default usernames like “admin” or “user” with unique usernames.
- Configure strong passwords for every user. Every password must be at least 12 characters long and combine letters, special characters, and numbers.
- If there are many WordPress users, invest in a password management tool like LastPass that can automatically generate strong passwords and securely store them for use.
2. Hide the WordPress Version Number
This is an easy and effective way of protecting WordPress login pages from hackers. Before launching attacks, hackers first try to determine the WordPress version that you are using. If you are using an older version, they can exploit every vulnerability that has been publicly reported for it.
Typically, hackers can retrieve the WordPress version from the page source, the readme file, or the RSS feeds.
How do you go about hiding the WordPress version number?
Here are a few measures:
- Automatically by installing the WP-Hardening plugin.
- Manually by adding the following code to the functions.php file in your WordPress themes:
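The snippet itself is not reproduced on this page. As an added example that is not the post’s own code, the following functions.php additions remove the version from the page source and the feeds; the wplp_ prefix is an arbitrary choice.

```php
// Added example for the active theme's functions.php (not the original
// post's snippet). Covers the places the post lists that a theme can
// control: the page <head>, the feeds, and enqueued asset URLs.

// 1. Page source: the <meta name="generator" content="WordPress x.y"> tag.
remove_action( 'wp_head', 'wp_generator' );

// 2. RSS/Atom feeds: the <generator> element (and any other caller of
//    the_generator()) now outputs an empty string.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Page source again: enqueued scripts and styles carry ?ver=<core version>
//    whenever the asset registered no version of its own.
function wplp_strip_asset_version( $src ) {
    if ( $src && false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'wplp_strip_asset_version', 9999 );
add_filter( 'script_loader_src', 'wplp_strip_asset_version', 9999 );
```

The readme.html file is static content in the web root that functions.php cannot touch, so delete it or deny it in the web server configuration. Stripping ?ver= also removes WordPress’s cache busting, so assets should register their own version.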
3. Limit Login Attempts
By default, WordPress allows an unlimited number of login attempts on its user accounts. Brute force attacks exploit exactly this by launching repeated attempts against an account until they hit the right login credentials.
With limited login attempts, you can restrict the number of login retries to a maximum of 3-4 attempts. Once users exceed this number of failed attempts, they are temporarily locked out from the account – or asked to change their password.
How do you limit login attempts?
If you have the technical understanding to do so, you can manually add the code to the functions.php file in your WordPress installation. Alternatively, you can install the “WP Limit Login Attempts” plugin for this purpose, or use the equivalent feature offered by security plugins.
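As an added example that is not the post’s own code, here is a minimal functions.php lockout along the lines described above. It assumes that 4 failed attempts within 15 minutes lock that client address for 15 minutes; the wplp_ names and the lockout values are my choice.

```php
// Added example (not from the original post): per-IP login lockout using
// WordPress transients. Assumes REMOTE_ADDR is the real client address.
define( 'WPLP_MAX_ATTEMPTS', 4 );
define( 'WPLP_WINDOW', 15 * MINUTE_IN_SECONDS );

function wplp_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'wplp_fail_' . md5( $ip );
}

// Count each failed login; the transient expires after the window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = wplp_client_key();
    $count = (int) get_transient( $key );
    if ( $count >= WPLP_MAX_ATTEMPTS ) {
        return; // already locked out; do not extend the window on every retry
    }
    set_transient( $key, $count + 1, WPLP_WINDOW );
} );

// Refuse authentication while locked out, even with the right password.
// Priority 30 runs after core's username/password checks (priority 20),
// which would otherwise overwrite an earlier WP_Error.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( wplp_client_key() ) >= WPLP_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( wplp_client_key() );
} );
```

Behind a CDN or reverse proxy every visitor shares one REMOTE_ADDR, so all of them would share one counter until the real client address is recovered from a trusted forwarded header; that is one reason the plugin route is usually the safer choice.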
4. Use Two-factor authentication (2FA)
Two-factor authentication, or 2FA, is an effective way to determine whether genuine users are trying to access their accounts. It works as a two-step process.
The first step is the normal login, in which users enter their username and password. Once they complete this step, the next step is to enter a unique one-time code that can be retrieved only from their phone or email address.
How can you implement 2FA for WordPress sites? By installing a 2FA plugin like “Two Factor Authentication” or Google Authenticator.
5. Limit User Access
To minimize unauthorized access, limit access to your all-important WordPress dashboard to trusted users such as account administrators. Other roles such as subscribers or editors should be granted access only if they need it to perform their work.
How do you restrict user access?
This can be done by installing any plugin like “Content Control” or “Restrict User Access.” Restricted users can be easily redirected to another webpage or site when they try to access your dashboard page.
6. Add a Security Question to the Login Page
Security questions act as an additional password for login pages and can be effective against unauthorized account access. Users can select their own set of security questions along with their answers, which makes it harder for hackers to break into your WordPress accounts.
How can you implement security questions?
You can install the “WP Security Question” plugin for WordPress sites. Once installed, you can select any of the available security questions or add your questions.
7. Change the Default Admin Username
A brute force attack tries to access administrator accounts by trying default usernames like “admin.” With administrator rights, hackers can damage websites in multiple ways, like installing spurious plugins, adding fake users, and corrupting backend files. This makes protecting the admin login a critical component of your overall WordPress login protection.
How can you change the default admin username? Delete the default “admin” user from your WordPress account and replace it with a new administrator user with a unique username.
8. Block malicious IP addresses
A majority of login page attacks originate from a small set of IP addresses that attackers reuse. To implement a secure WordPress login, it is a good idea to block requests from suspicious or malicious IP addresses. This measure is also effective against other attacks such as malware and DDoS attacks.
How can you locate and block malicious IP addresses?
You can try to do this manually if you have up-to-date data on the malicious or suspicious IPs and the technical know-how to block traffic from these IPs. Alternatively, you can use the inbuilt firewall feature of the MalCare security plugin to automatically detect and block requests from malicious IP addresses.
9. Disable XML-RPC in WordPress
XML-RPC is an XML-based remote procedure call mechanism that allows users to post content to WordPress sites from clients like Windows Live Writer or from a mobile app. XML-RPC is enabled by default and can be exploited by hackers. The best guard is to disable this mechanism.
How can you disable XML-RPC in WordPress?
The simplest way is to install the “Disable XML-RPC” plugin on your WordPress site.
10. Change the login URL
Most WordPress websites use the default login page URL (for example, mywebsite.com/wp-login.php or mywebsite.com/wp-admin). This makes it easy for hackers to find your login page and plan their attacks on it. To implement WordPress login protection, you should consider changing the default URL of the login page.
How can you change the login URL? The easiest way is to create a customized WordPress login URL by installing the “WPS Hide Login” plugin on your website.
11. Install an SSL certificate
A secure and encrypted login page is the best guard against brute force attacks. An HTTPS-enabled website secures all your web pages (including the login page) by encrypting all data transmitted between the user’s device and your server.
How do you move your WordPress site from HTTP to HTTPS? By installing an SSL certificate. You can obtain this certificate from your web host easily. Most web hosts provide it for free.
12. Use a Security Plugin
This is easily the most efficient and comprehensive way of implementing a WordPress login security solution. Designed for WordPress websites, security plugins are easy to install, and besides detecting the latest kinds of login page attacks, they also defend against lesser-known attacks.
And in case any malware infection still makes its way onto your site, security plugins like MalCare offer an automated one-click method to clean your site.
The biggest advantage of security plugins such as MalCare is that they integrate most of the WordPress login protection measures we’ve discussed into features on their dashboard.
The security of your WordPress site begins with your ability to keep attackers away from it. That makes login protection the best place to start.
With these 12 measures ticked off your list, you can be sure that you’ve done your best to keep attackers away from your site. If you cannot implement all of them, start with the most important ones.
But then, there’s no such thing as guaranteed protection from hackers. You must also make sure to scan your website for malware regularly and clean it before it has time to wreak further damage. If you have the budget for it, a security plugin is a great investment for the up-to-date security and peace of mind it provides.
More about the Guest Author:
Akshat Choudhary has always prided himself on his ability to teach himself things. Since starting MalCare, Akshat has transformed his side-project into a profitable venture that is scaling new heights in the Indian startup space. Having been a member of the WordPress community for almost a decade, Akshat is keen on understanding the areas where users struggle. Akshat’s core belief behind building any product is to make sure the end-user doesn’t need assistance, and to assist them in the best possible manner if they do.