Top 10 Tips on How to Protect WordPress Login Page

Top 10 Tips on How to Protect WordPress Login Page

There is a common sense of all the WordPress users that the login page is certainly the most vulnerable webpage on their websites. This special page acts as a bridge between your website back-end and front-end, and is a critical gate that prevent strangers from entering your administrative page to do something bad.

Due to this importance, enhancing the login security cannot be ignored. Here, we have listed top 10 tips about how to protect WordPress login page. We have to note that there is no special technique that can avoid the login hacking totally, but the following practices can make the hacking issues far less to be accomplished.

Tip 1 – Pay Attention to the Login Password and Username

Although this aspect has been emphasized by so many professionals and experts on the web, there are still many WordPress users, especial newbies, who forget to convert the original username to something complicated and to enter a strong password.

Strange User Name

It is a general knowledge that the default username of your login is “admin”. If you do not change it, hackers can break your login page easily as they only need to decode your password.

Only changing the username is not enough, you also need to make sure that the username is weird and hard to guess. Personally, we do not recommend you to use the real names or location spellings. Instead, some random combinations of letters, numbers and symbols are great.

Strong Password

This aspect is easy to achieve. WordPress has a special indicator that showcases whether your entered password is strong or not. Besides, there are so many password generators on the web, with which you can get a risk-free password with much ease.

The only thing you should pay attention is that do not use a password for the whole life. Instead, you’d better keep a habit of changing it regularly, leaving less possibility for hackers to guess your password.

Even, if you view the login security as the top priority, you can try the One Time Password plugin, generating the random password that is only valid for one session.

Tip 2 – Limit the Login Attempts

By default, WordPress allows people to login with unlimited tries, so hackers can keep guessing your login information until they find the right answer. In this case, you need to limit the login attempts, so that the malicious hackers will be locked out of your login page if they enter the wrong username and password for more than the determined times.

To achieve this goal, you can modify the .htaccess file or install a useful plugin. This tutorial introduces steps in detail.

Tip 3 – Use Custom Login URL

For hackers who are looking to brute force your login page, the first thing they need to do is to find the URL of your login page. The default link is or, but you can hide such an easy to find URL with a custom one.

To do this, you can utilize the WPS Hide Login plugin, with which you can change the suffix of wp-admin or wp-login.php to anything you want.

WPS Hide Login

Tip 4 – Adopt Two Factor Authentication

Only having a login password is not enough to protect your login page, you also require another authorization code that can double protect your website.

Google Authenticator, for instance, is a great tool that works as an app installed in your smartphone. Each time you login your WordPress admin, it will generate a random QR code which requires you to scan using your phone or enter the secret code manually.

In this case, only knowing your password and username is not enough for hackers to pass your login authentication. This simply leaves less chance for the login hacking issues.

Tip 5 – Hide the Login Errors

WordPress is smart enough to tell hackers whether their entered username is incorrect or the password is wrong, so that they can at least confirm one aspect and continue guessing the rest one. In this case, you’d better hide such an error message that is released automatically.

WordPress Login Errors

To achieve this, you simply need to add a special filter into the function.php file of your current template. Detailed information can be found in this post

Tip 6 – Utilize SSL

SSL is an additional layer of security that safeguards the information transferred between your server and browsers, making it unreadable for hackers. Generally, it is used for some financial websites that have sensitive information to be shared.

As for the website login page, SSL operates by making the transferring process of username and password a lot more secure with an encrypted channel. If someone intercepts the delivery, they can never read your important information.

To use this service, you can purchase a SSL certificate or enable it from the control panel if your web host offers the free shared SSL.

Tip 7 – Ensure Everything is Updated

It seems that keeping WordPress up-to-date has no relation to the protection of login page, but the truth is just contrary.

Every time WordPress releases a new version, both the minor one and the major one, it means that the loopholes and vulnerabilities of the previous versions are public online. Therefore, if you keep using the old version, hackers can easily steal your login information or break your login authentication via the public flaws.

In this case, it is critical to make sure that your current WordPress version is the latest one. In addition to the WordPress core, your installed plugins and themes also need to be updated.

Tip 8 – Enable the CloudFlare CDN

The CDN service offered by CloudFlare is widely used by a large number of webmasters to better protect their login pages. This is because CloudFlare has stated that it has a special filter system which works against the Brute Force Attacks on the wp-admin page and wp-admin.php file.

Note that this feature is already included into the free plan of CloudFlare CDN, so you can enable it without spending even one penny. Besides, if your web host offers this CDN service, you can activate it simply via your control panel. If not, getting it manually from the official site is also not a difficult task. Check this how-to post to know the detailed steps.

Tip 9 – Limit the Admin Access to Some Certain IPs

This method is a double- edged sword. On the one hand, you can have your login page secured simply by allowing certain IP addresses to access. On the other hand, if you need to enter your WordPress admin from any other location, you cannot do so.

To do this, you only need to open your wp-admin folder and edit the .htaccess file with the following coding stuff. Do not forget to replace the IP addresses in the sample codes.

Limit Login for Certain IPs

Tip 10 – Password Protect the Login Page

This practice simply adds an extra level of security for your wp-admin directory and prevents your site from invalid login attempts effectively.

To do this, you can make use of WordPress plugins such as AskApache Password Protection or start a manual process via your control panel.

Enable Password Protection Manually

  • Login into your control panel and click the Password Protection icon under the Security section.
  • Choose Document Root in the next page and click Go button.
  • Next, you need to target the wp-admin directory and check the box before “Password protects this directory”.
  • Now, you need to click the Go Back button to navigate to the Security Setting page for this directory. Here, you can generate a strong password and a weird username to protect your wp-admin directory.
  • After saving all the settings, you now have your wp-admin directory safeguarded strongly. This means if your hackers want to access this critical directory, they have to enter the right username and password.