WordPress powers a significant portion of websites on the internet. With this popularity comes the need for strict security measures, especially for the login page. These entry points are prime targets for hackers and malicious actors. By implementing proper security practices outlined in this guide, you can maintain a secure WordPress login and protect your site from unauthorized access and potential data breaches.

How secure is the WordPress login page?

WordPress comes with basic security features out of the box. However, these standard protections may not be enough to ward off determined attackers. The default login page can be vulnerable to various threats, including:

• Brute force attacks
• Credential stuffing
• Phishing attempts
• Man-in-the-middle attacks

To truly safeguard your WordPress site, you need to go beyond the default security settings and implement additional protective measures.

Best practices for a secure WordPress login page

Let’s explore the most effective ways to boost your WordPress login security:

1. Install a security plugin

Security plugins offer comprehensive protection for your WordPress site. They often include features like:

• Firewall protection
• Malware scanning
• Login attempt monitoring
• IP blocking

One standout option is Sucuri Security. Our plugin provides:

• Web application firewall (WAF)
• Malware removal
• Security hardening
• Post-hack security actions

By using Sucuri or a similar security plugin, you add an extra layer of defense to your login page and entire WordPress site.

2. Modify the default login URL

The standard WordPress login URL is a well-known target for attackers. By changing this address, you can significantly reduce the amount of attacks your site faces.

Steps to change your WordPress login URL:

1. Go to Plugins > Add New.
2. Download, install and activate the WPS Hide Login plugin.
3. You will be redirected to the plugin settings page.
4. Update your login path to a new URL and save.

Remember to inform your legitimate users about the new login address. This simple change can greatly improve your site’s security by making it harder for potential intruders to find the entry point.

3. Enforce strong password policies

Weak passwords are a major security risk. Encourage all users to create strong, unique passwords for their accounts. Here are some password creation tips:

• Use a mix of uppercase and lowercase letters
• Include numbers and special characters
• Make passwords at least 12 characters long
• Avoid common words or phrases
• Don’t reuse passwords across multiple sites

Consider implementing a password policy that enforces these rules for all user accounts.

4. Secure the wp-admin directory

Another layer of protection you can add to your wp-admin folder is to password protect your wp-admin directory, requiring users to supply an additional set of credentials before they can access the WordPress login page.

For the following steps we’ll go through how this process works in cPanel:

1. Log in to your cPanel.
2. Go to the Directory Privacy section.
3. Locate the public_html/wp-admin folder and select Edit.
4. Enable password protection for this directory.
5. Enter a name for the protected directory and select Save.
6. Use the Create User field to add a new username and password.
7. Select Save.

After setting this up, users will need to enter the username and password assigned to the directory in order to view the WordPress login page. This still applies even if you’ve moved your login page to a different location.

5. Add multi-factor authentication

Two-factor authentication (2FA) adds an extra security layer to the login process. After entering their username and password, users must provide a second form of verification, such as:

• A code sent via SMS
• An authenticator app code
• A physical security key

miniOrange’s Google Authenticator is a popular plugin for implementing two-factor authentication on WordPress sites. It offers multiple 2FA methods and is easy to set up for both administrators and users.

6. Conduct regular user account audits

Maintaining clean user lists is crucial for WordPress security. Follow these best practices for user management:

• Remove inactive user accounts.
• Regularly audit user roles and permissions.
• Use temporary accounts for short-term contributors.
• Implement a formal process for creating and deleting user accounts.

By keeping your user list tidy, you reduce potential entry points for attackers.

7. Disable XML-RPC

XML-RPC is a protocol that allows remote access to WordPress sites. While useful for some applications, it can also be exploited by attackers to perform brute force attacks.

If you’re not using XML-RPC, it’s best to disable it. You can do this through a security plugin or by adding the following code to the top of your site’s .htaccess file:

# Block xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from ALLOWED.IP.GOES.HERE
</Files>

Replace the ALLOWED.IP.GOES.HERE with the IP address you want to allow. If you want to disable XML-RPC requests entirely, you can remove this line.

However, keep XML-RPC enabled if you use:

• The WordPress mobile app
• Jetpack
• Some third-party plugins that require it

When keeping XML-RPC active, monitor it closely for any suspicious activity.

8. Limit login attempts

Limiting the number of login attempts can prevent brute force attacks. After a set number of failed attempts, the system should temporarily lock the account or IP address. This approach effectively thwarts automated login attempts and password guessing.

Sucuri clients benefit from automatic protection against brute force attacks through our website firewall. We offer the ability to restrict access to authorized IP addresses and feature a detection system that blocks IPs after multiple failed logins.

If you’re not a Sucuri client, similar functionality can be achieved with a WordPress plugin. Many security plugins offer this feature, or you can use a dedicated plugin like Login LockDown.

9. Enable an automatic logouts

By default, WordPress sessions expire after 48 hours, or 14 days if you select the “Remember Me” option. However, this still leaves you vulnerable to things like cookie hijacking. Automatic logouts help prevent unauthorized access through open sessions and is especially important for sites accessed on shared or public computers.

Set up an auto-logout plugin to terminate user sessions after a period of inactivity. This will help reduce the risk of session hijacking and unauthorized access to admin accounts.

10. Apply the principle of least privilege

Follow the principle of least privilege when assigning user roles. Only give users the minimum access rights necessary to perform their tasks. This approach limits the potential damage if an account is compromised.

WordPress offers several default user roles:

• Administrator: Full access to all WordPress features. Can manage site settings, install plugins and themes, edit code, and control user access.
• Editor: Can publish and manage posts, including those of other users. Has access to pages, comments, categories, and tags, but can’t modify site settings.
• Author: Can publish and manage their own posts. Can upload files and images but can’t edit pages or other users’ posts.
• Contributor: Can write and manage their own posts but can’t publish them. Can’t upload media files. Posts require approval from an Editor or Administrator.
• Subscriber: Can read content and manage their own profile. Typically used for sites with restricted content or membership features.

Assign roles carefully, and consider creating custom roles with specific permissions if needed.

11. Install an SSL certificate

Secure Sockets Layer (SSL) certificates encrypt data transmitted between users’ browsers and your website. This encryption is vital for protecting sensitive information like login credentials.

Benefits of using SSL include:

• Encrypted data transmission
• Improved search engine rankings
• Increased user trust

Sucuri clients benefit from our partnership with Let’s Encrypt which provides HTTPS support across all our plans.

You can also easily obtain a free SSL yourself certificate through Let’s Encrypt. Alternatively, you can purchase an SSL certificate from a trusted provider.

12. Hide the WordPress version

Hiding your WordPress version can make it more challenging for attackers to exploit version-specific vulnerabilities. Add this line to your functions.php file:

<?php
remove_action(‘wp_head’, ‘wp_generator’);
?>

This will remove the WordPress version number from your site’s code and should help deter automated attacks.

Final steps to a secure WordPress login page

Implementing these security measures will significantly help reduce the risk of unauthorized access and potential data breaches, protecting both your data and your users.

For comprehensive protection, consider using Sucuri. We offer a range of features to safeguard your WordPress site against threats, including our web application firewall with the ability to restrict wp-admin access to only the IP addresses you authorize.

Remember, WordPress security is an ongoing process. Always update your plugins, themes, and core WordPress files, and keep yourself informed on the latest security threats and how to address them.