How to Protect WordPress Login Page?

Jul 19, 2018

How to Protect WordPress Login Page?

Jul 19, 2018

Protect WordPress login page – Here’s a question: How many hack attempts do you think are made of WordPress websites every minute? 100? 1000? 10,000?

That’s not even close. 90,978 hack attempts are made on WordPress sites every single minute of the day. Hackers resort to various methods to break into a site, and WordPress login pages are often targeted. Hackers program bots to attack log in pages of WordPress websites and try to gain access to the dashboard. This type of attack is called brute force attacks where the bot tries various combinations of usernames and passwords again and again in the login page until it breaks in. Enforcing login protection could harden your WordPress site against such attacks. Going ahead, we’ll discuss what exactly we mean by the term login protection.

What is Login Protection?

As the name suggests, login protection means protecting your WordPress site’s login page. The goal is to it make impossible for people to guess your credentials and gain unauthorized access to your website. Here are a handful of things that you can do to protect WordPress login page:  

  • Use a Unique Username
  • Use a Strong Password
  • Enforce Two-Factor Authentication
  • CAPTCHA-based Protection
  • Limit Failed Login Attempts
  • Set Login Page to Expire

Taking each of the steps will help you protect WordPress login page. We’ll discuss what they mean and how to implement these steps in the paragraphs below.

How to Protect WordPress Login Page:

Protect WordPress Login Page

Use a Unique Username

WordPress comes with a default username, ‘admin.’ The site owner can change the username but many site owners choose to leave it as it is. When programmed bot come to the login page of one such website where the username is ‘admin’, it gives the hacker bots one less thing to worry about. All it has to do now figure out the password. With half the job already done, hacker bots are one step closer to breaking into your site. Therefore for better site security, users are urged to use a unique username. Unique by definition means unlike anything else or being one of a kind. You can create a unique username by a combination of things. Say you combine the name of your favourite basketball with that of your grandmother’s. That’ll give you a unique username that’ll be hard for hacker bots to guess.

Use a Strong Password

Generally, a WordPress login in page has two section. One for username and the other one for password. We already talked about why username should be unique as well as how to create them. Having unique or strong password is as important as having a unique username. A strong password will consist of 15 characters that’ll be in a combination of letters, numerals and symbols. The catch here is that strong passwords are difficult to remember. Imagine remembering a password like this ‘K#AOBlSkVFTw.’ Impossible to remember unless you have a photographic memory. This is why recommended storing your credentials in an encrypted sheet so that only you can access it whenever you want.

Enforce Two-Factor Authentication

As the names suggest, two-factor authentication means you will have proof that you are a valid user two times before you are allowed to access the WordPress dashboard. This is how most two-factor authentication works:

Your fill in the WordPress login page with login credentials (username & password). Instead of taking you to the WordPress dashboard, you’ll land in a page where you’ll be asked to insert a code. You’ll receive a code on your mobile phone. Only after you insert the code you just received into the website, will you be allowed to access the site. How does this help in login protection? Suppose a hacker is able to crack your login credentials. To access the site, he would still have to enter the correct code that’ll only appear on your phone. Unless the hacker has stolen your phone, there is no way for him to access the dashboard of your site.

To implement two-factor authentication, you can use plugins like Two-Factor Authentication (by miniOrange), Two-Factor Authentication etc.

Enable CAPTCHA-based Protection

CAPTCHA is used to determine whether the user is a human or not. Therefore captcha-based protection is excellent for preventing brute force attacks. In these kinds of attacks, bots are deployed to guess login credentials and they constantly keep trying out different usernames and passwords. Such attacks have an impact on the website speed and not to mention the disaster that’ll befall if they manage to break into the site. If a captcha is deployed after a few failed attempts it’ll lock out the bots from the login page. How? Say you are installing a captcha-based security plugin in your site. A hackerbot comes to your website login page and tries to login in. After three failed login attempts a captcha is deployed. Only after the captcha is solved, can the bots get access to the login page again. Bots are unable to solve a captcha, therefore, they stop attacking your site and move on to the next target. Really Simple CAPTCHA and Google CAPTCHA are the two most popular captcha plugin available.

Limit Failed Login Attempts

Limiting login attempts are another very efficient method to protect WordPress login page. It basically means that after a couple of failed login in attempts the user (or hacker in this case) will be blocked from entering the login page for 24 hours or more (depends on your configuration). One can limit login attempts by modifying the .htaccess file but unless one is technically adept, we wouldn’t recommend this method. Instead, using a plugin is ideal for websites owners who have no technical knowledge of how WordPress works. One can use standalone plugins like WP Limit Login Attempts or security plugins like MalCare or NinjaFirewall. Such security plugins come with inbuilt firewall features that limit login attempts. The only downside here is that you, the site owner forgets his credentials and enters the wrong ones, he’ll be locked out too. But of course, with some security plugins, there are options to whitelist IP addresses that’ll help prevent your IP address from getting blocked in the first place.

For more detail checkout our guide on WordPress Limit Login Attempts

Set Login Page to Expire

This will make sure that the user has only a limited time to log into the site. After a certain time, the login page will expire. If you are not able to log in by that time, you will be blocked from accessing the WordPress login page. There are two way of setting up an expiry-time for your login page. One, you can use a plugin like Login Security Solution or you can place the following code in your WordPress theme to protect WordPress login page. Here’s the code:


add_filter( ‘auth_cookie_expiration’, ‘keep_me_logged_in_for_30_minutes’ ); 

function keep_me_logged_in_for_30_minutes( $expirein ) { 

return 1800; // 30 minutes in seconds 


It’s worth noting that plugins like NinjaFirewall, WordFence, and iThemes allow site owners to set the expiry-time for login page manually.

It’s evident that there are a number of ways to achieve login protection. The ones we have listed above are some of the legitimate ways of doing it but there are several misleading recommendations to protect WordPress login page out there.

Also read: How to stop WordPress Registration Spam 

How Not to Protect Your WordPress Login Page

There is one particular recommendation for login protection that we’d want to warn you about. It fails to protect WordPress login page as it is claimed to. Let’s have a look.  

Hide Login Page, Move it to Custom URL

Anyone who has used WordPress knows about its default login page. It goes something like this – No matter what website you have, as long as it’s on WordPress, adding ‘/wp-admin’ at the end of the website URL will take you to the login page. Thus if you shift the login page from to, your login page will be protected right? Since hack attempts like brute force attacks are automated, bot’s won’t find your login page and move on to the next target. But this does not guarantee protection. Why? Well, as many website owners use plugins like iThemes to enable a custom URL for their login page. Chances are there are hundreds of other site owners using the same plugin. Therefore, your custom URL is not unique to your site. Hacker may use iThemes to find out what custom URL it generates and then target those URLs. Hiding your login page by moving it to a custom URL only offers you a false sense of security.

Over to You

As you can see, there are several ways for you to protect the WordPress login page. Instead of taking just one measure, we’d urge you to take a few. Layered protection is better in securing a website. If you have any comment on the post, please write to us. We’ll get back to you as as possible.

Hackers program bots to attack log in pages of WordPress websites
Share via
Copy link