The login page is the gate to a WordPress site. Once hackers get a key to it, they can get in and do things you never want to happen. It is therefore a must to enhance login security and eliminate some potential WordPress security issues. Many WordPress users do not bother to change default settings such as the default “admin” username, but leaving them in place actually makes it easy for hackers to get access to their sites.
If you are serious about your website, security can never be emphasized too much. This time we are going to go over several ways to enhance the security of the WordPress login page and make it hard for hackers to break into your site.
Secure wp-login.php with Password
As wp-login.php serves the default login page of most WordPress sites, password protecting this entrance helps prevent unauthorized or malicious access to your website. It also cuts down on a lot of brute force attacks. Generally speaking, you can finish this task in 2 ways: adding a password manually or using a WordPress plugin.
If you prefer the manual method, there are 2 steps. First, create a file named .wpadmin, put the username and the new password in it using the format username:password (for example: susan:5Q8w2oPglY), and then upload the file to your home directory, where visitors cannot access it. Second, update the /home/username/.htaccess file by placing the following code.
Or, if you want an easier way, you can use a plugin to enhance the security of wp-login.php. AskApache Password Protect is a good, powerful choice. With this plugin, you can set up password protection for your login page with a few simple settings. But remember to back up your site in case something goes wrong.
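An added example (not the original article's code) of an .htaccess block for the second step, assuming Apache 2.4 and the /home/username/.wpadmin file from the first step; the realm text and error messages are illustrative.

```apache
# Added example. Assumes Apache 2.4 and the credentials file created in step one.
#
# On Unix-like hosts Apache expects the password field of the AuthUserFile
# to be a hash, not plain text. One way to create the entry (bcrypt):
#   htpasswd -B -c /home/username/.wpadmin susan
#
# Basic authentication sends the credentials base64-encoded with every
# request, so serve the login page over HTTPS.

# Return short plain-text bodies so the 401 challenge is not handed to
# WordPress's rewrite rules, which can otherwise turn it into a 404 or a redirect.
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"

# Ask for HTTP Basic credentials only when wp-login.php is requested;
# the rest of the site stays public.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Authorized Only"
    AuthUserFile /home/username/.wpadmin
    Require valid-user
</Files>
```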
Strengthening WordPress login security by password protecting wp-login.php is quick and effective, but it is not recommended if you run a large website with multiple users.
Limit Login Attempts to Admin Area
Even in recent years, as hacking attempts have become more and more advanced, a large number of attempts still run automated bots that try to break into your site by guessing your password. This problem can be resolved by limiting the number of attempts allowed on your login page.
The easiest way to set a limit is to use a security plugin like Login LockDown. After activating the plugin, you can set the number of failed login attempts allowed within a certain period of time. The plugin records information such as the IP address of every failed login attempt, and disables the login function for IP ranges that are detected sending too many login attempts in a short time.
Make Sure All Users Are Using Strong Passwords
The importance of a strong login password should have been emphasized over and over again since you started your first WordPress site. Set a strong password that is hard for hackers to predict, change the password regularly, and do not use the same password for different sections. It is a good idea to use a password strength detector to make sure that your password is strong enough.
If you are running a site with more than one user, you should also make sure that the passwords of all other users are strong enough to protect the login section. One way to achieve that goal is to use the Force Strong Passwords plugin, which forces all users with any capability to enter a strong password when changing their passwords.
Set Up Google 2-Step Authentication
2-step authentication is widely used nowadays to enhance security, as it generates and sends a verification code to your phone, which cannot be accessed by others. This method can also be applied to WordPress sites. The most common way is to use the authentication offered by Google.
You can set up Google 2-step authentication by installing the Google Authenticator plugin on your WordPress site and using the Google Authenticator app on your smartphone. In this way, when you log in, you have one more step to complete after entering your username and password, because a screen will appear asking you to enter the verification code sent to your phone. The verification can certainly increase the security of your login page.