WordPress Login Security: Easy Steps To Secure Your Login Page

Did you know that there are over 90,000 hack attacks on WordPress websites per minute? That’s an extremely high statistic and one that we simply can’t ignore.

To hack WordPress sites, hackers target the login page the most. This is because by accessing your site through this page, a hacker can gain complete control of your site.

The havoc that ensues will have a severe impact on your site. Hackers can sell illegal products under your name or send your visitors to malicious websites. They could also trick visitors into buying duplicate products or downloading malware. This can do severe damage to your business and your reputation.

Luckily, you can prevent hackers from abusing your website by protecting the most targeted page – the login page. At MalCare, we deal with these hacks on a daily basis and want to address the issue to all WordPress users. Here, we’ll show you the best security measures you can take to make your login page secure from hackers. Also you can check our guide on how to protect your website from hackers.

TL;DR – If you need a WordPress security solution that is easy to implement and will automatically protect your login page, install our MalCare Security Plugin. It will enable limit login attempts instantly and also give you options to harden your WordPress website.

5 Steps To Secure Your WordPress Login Page

There are several measures you can take to secure your WordPress Login Page. However, not every step you take is effective. Sometimes you are just adding noise while your login page remains vulnerable.

In this article, we’ll focus on 5 important steps you can take that have been proven to be effective and will definitely keep your site secure.

We assume that you already have SSL installed on your site. If you don’t have SSL protection, you need to need to add it immediately from your hosting provider or an SSL provider. Every website should have SSL installed as the first basic site security measure. It encrypts that data transferred between your website and server. This means hackers can’t steal your data when it’s passing between your site and hosting server. Hence hackers trying to steal user credentials from the login page will be prevented from doing so.

1. Using Strong Usernames And Passwords To Secure a Login Page

When creating user accounts on WordPress sites, people tend to use something that’s easy to remember or that they’ve used for every other account. The problem with this is that it makes the job of a hacker so much easier.

Firstly, hackers use a technique called brute forcing wherein they attempt different usernames and passwords to try to guess their way into your account. They do it by using automated bots and algorithms that are capable of making thousands of attempts in a few seconds. If you’re using simple passwords like “password123’, a bot will be able to guess it in the first few tries.

Secondly, if you’re using the same credentials for all your accounts, this spells trouble. There have been so many data breaches of top companies and in 2019 alone, 4.1 billion records were exposed. If your username and password were stolen on say a shopping website, hackers can use it to try to hack other accounts of yours such as your email, internet banking or your WordPress site.

Your admin login credentials are like the keys to your home or office. This is why the first step in login security is using rock-solid usernames and passwords.

  • We recommend that you never use the default username ‘admin’. If your website’s name is thefirstexample.com, don’t make your admin username ‘thefirstexample’. These are the first few usernames hackers will attempt on the login screen. Instead, use unusual and unique ones that are hard for anyone to guess.
  • Coming to passwords, you need to use one that is difficult for anyone to guess. We recommend using a passphrase in combination with symbols and numerals. This makes your password really strong.

While creating your password, WordPress will indicate how weak or strong your password is. To give you an example, we created the following in our WordPress admin account:

wordpress weak password

WordPress indicated that the password is very weak. So we upped our game with this:

strong password wordpress

Lastly, since your WordPress website is a valuable asset, we think it deserves a unique password. Come up with one that you don’t use on any other site.

Now you know your login credentials are secure. If you have multiple users on your WordPress site, it’s important that all of them follow these recommendations because it is very important step in protecting your WordPress login page.

2. Limit The Number Of Login Attempts for Better Security

By default, WordPress allows an unlimited number of login attempts. Hackers take advantage of this feature through brute force attacks. You can get brute force protection by simply limiting the number of failed login attempts a user is granted.

You might’ve seen this prompt when you’ve entered a wrong password on a website, especially an online banking one:

failed login attempts

This is because the website has implemented limited login attempts. A user has three chances to enter the correct credentials to enter their account. After three wrong attempts, they would be locked out of their account and would have to use the ‘Forgot password’ option.

You can implement this feature in two ways:

  • Using a plugin – We recommend the MalCare security plugin. Once installed, limited WordPress login protection is automatically implemented. The plugin also gives you Captcha-based protection that will prevent bad bots from accessing your site.
  • Manually – To manually limit the number of login attempts, you need to access your functions.php file. You need to add a WordPress action and hook filter with a corresponding callback function. This method is technical and risky. If you aren’t savvy with coding, it’s best not to attempt this.

With these two measures in place, your WordPress website has the basic security measures for your login page taken care of. Now, we can move on to more advanced measures.

3. Using 2-Factor Authentication for Stronger Login Security

You must have noticed that when you are trying to log into your Gmail account, you have to follow two steps.

Step one involves entering your credentials. In step two, Gmail sends you a verification code to your registered phone number or email address. After that, you’ll need to enter this number on your Gmail account to access your emails. This is Two-step verification or Two-factor authentication.

two factor verification for login security

To ensure that the user accessing the account is authentic, the process uses regular credentials plus a one-time password (OTP) that is generated in real-time.

So even if a hacker guesses your credentials, they would still need to enter the one-time code sent to you and you can secure your WordPress login page easily.

You can implement 2-Factor Authentication using a plugin. Two plugins we recommend are Google Authenticator 2FA and Two Factor Authentication.

Note: If you’re using the MalCare plugin, 2-Factor Authentication will soon be available.

4. Geo-blocking – Prevent a Hacker to Reach Your WordPress website

When you set up a WordPress site, you automatically welcome traffic from all over the world, unless you configure it to a particular region.

To see where your traffic originates, you need to sign up for Google Analytics. On the dashboard, you’ll see the option ‘Where are your users?’ By clicking on ‘Location Overview’, you can see exactly where your visitors come from.

primary traffic of blog

Alternatively, a plugin like MalCare also shows you where your traffic originates.

Many times, we’ve come across website owners who have found that they are getting unwanted traffic from particular countries.

To show you what we mean, let’s take an example. Say, you have a website that caters only to the United Kingdom – example.co.uk. But when you check Analytics, you see that a lot of your website’s traffic from other countries like Russia, Singapore and the United States. You should consider it a red flag.

This is only indicative of hackers, you can use the MalCare plugin to see if the traffic is actually malicious or not.

After installing the MalCare plugin, access the dashboard. Under ‘Security’, you’ll see the number of login attempts made on your website and how many the plugin blocked.

MalCare login requests

By clicking on ‘show more’, the audit logs will show you exactly where the traffic is originating from and what username was attempted.

malcare limiting login attempts for better WordPress security

If you feel such traffic is an unwanted risk, you can simply block out entire countries. To do this, MalCare has an option called ‘geoblocking’ that will add a layer of security by blocking any IP address from the country you select. Here’s how:

  • On the dashboard, select your site and then click on ‘Geoblocking’.
malcare geoblocking
  • Next, from the drop-down menu, select the countries you want to block. Once you click on ‘Block Country”, it will display a prompt “Selected Countries IPs have been successfully blocked.
malcare geo blocking

Geo-blocking or country blocking helps mitigate the risk of being hacked. It’s not advisable to block out entire countries as some of the traffic could be legitimate. However, if you’re 100% sure you don’t need any traffic coming from that country, it’s best to just block it so that you can secure your WordPress login page by not letting a hacker get to it.

Also Read: How to fix WordPress Login Not Secure issues

5. Auto Logout

It’s not uncommon to have the habit of logging into an account and leaving it open. You might find yourself closing the browser without logging out of accounts. If you leave your system unattended, a hacker could reopen your browser and will be automatically logged into your accounts.

Such habits magnify the risk of attacks. To mitigate such risks, many websites implement ‘auto logout’. This is common practice with online banking. If you’re inactive for a period of time, the website automatically logs you out. You might see a prompt like the one below:

error causing log out

This is an essential measure you can implement on your WordPress website. It ensures that there is no chance anyone can exploit an account that’s logged in while the user is away from their system.

This measure is especially recommended for people who work remotely or on their own personal devices. As a website owner, you can never ensure that they’ll remember to log out when they are inactive. If they’re using a public computer or unsecured public wifi, it puts your website at greater risk.

Unlike e-banking services, WordPress does not auto-logout users when they are inactive. But you can implement this security measure by using plugins like Bulletproof Security.

The plugin has a security feature called ‘Idle Session Logout’ that you can enable. You can select the time period of inactivity after which a user will be logged out automatically.

auto logout

This measure will keep your site safe from falling into the wrong hands.

In Conclusion: It’s Not Just Your Login Page

Protecting a security of your WordPress login page takes you one step closer to a secure WordPress website. Hackers like to prey on websites that are easy to hack. So by protecting your website with basic measures, hackers will probably give it a few tries and then move on to an easier target.

But this doesn’t guarantee that hackers can not hack your site. Hackers identify and exploit any vulnerability they find on your website. It could be in a new plugin you installed that has a security flaw. May be a theme you installed long ago and forgot to update developed a vulnerability over time. There are many such opportunities hackers take advantage of.

What you really need is a comprehensive protection plan. We strongly recommend taking a few more security measures like IP blockingsecuring site with wp-config.php, following this complete guide on WordPress security, and using one of the best WordPress security plugins – MalCare that will protect your site round the clock. It gives you access to regular scan reports and you can also implement recommended WordPress hardening measures. This way your WordPress site will be extremely hard to break into!

Keep your site protected with our
MalCare Security Plugin!


Melinda is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Melinda distils the wisdom gained from building plugins to solve security issues that admins face.

Copy link
Powered by Social Snap