Create a secure WordPress login page

Replace the ‘admin’ username

In case you’re not aware, ‘аdmin’ is the standard username for WordPress as well as for a bunch of other platforms. Every single hacker on the web knows this. And if you use the ‘admin’ username and someone attacks your login page, for them it’s the job half done. So, the first thing you need to do if you want a secure WordPress login page is to change the pre-defined username.

То replace the ‘admin’ username, do the following:

• Log into WordPress;
• Add a new user by going to: Users > Add New;
• Select ‘Administrator’ as the role for this new user. Try to think of a unique and more difficult to guess username – this will be the new username of the admin user;
• Sign out of the old ‘Admin’ user account;
• Sign in again with the new unique username that you’ve just created;
• Delete the original ‘Admin’ user. You’ll also need to reassign all your previous posts from the old ‘Admin’ user to the new user;

Create a strong password

Changing the default ‘Admin’ username is step one to efficiently upgrading your WordPress protection. Step two towards a more secure WordPress login page is to change your password. Never use your own initials or birthdate, as they are the easiest info one can acquire about you.

Bots can easily guess your favorite sports team, pet names and other similar details. More often than not, brute force attacks are continuous attempts at guessing a given password (trial and error).

So, if you use a short and weak password, you’re prone to attacks. A strong password should contain both letters and numbers – upper case and lower case.

You can also add a symbol like ‘@’ or ‘!’ to further strengthen it. If you find it difficult to think of one yourself, WordPress offers a password generator built-in.

Strong passwords might be more difficult to remember than weak ones, but you can always use password managers like: LastPass, DashLane, KeePass, 1Password, RoboForm, etc.

No need to worry about compromising your security, since your passwords will be stored in an encrypted form. You can also access them from multiple web-connected devices to which you have access (smartphones, tablets, etc). If you are using one of the passwords listed there, it is now the time to change it.

Set a login attempts limit

Bots gain access to your site by trying to log in with many different usernames and passwords multiple times until they finally hit the correct ones. There is a quick counter for this. Simply limit the number of login attempts a single IP can make before it is rejected from your website. Here are some specialized WordPress plugins to do this for you:

• Limit Login Attempts – it limits the rate of login attempts per IP. Still, a commonly used plugin, although its last update was a long time ago.
• Brute Force Login Protection – it can protect your website against all brute force attacks that use .htaccess.
• Jetpack – Part of the Jetpack suite of tools is Jetpack Protect, which can help you mitigate bot net attacks.

Some web hosting providers offer login attempts restriction as part of their standard services.

Use a different login URL

The pre-defined URL for logging into a WordPress website is the site’s name followed by wp-login.php or wp-admin. If your website is called ‘mywebsite.com’, for example, its URL will be mywebsite.com/wp-login.php or mywebsite.com/wp-admin unless you change it.

Needless to say, hackers are well aware of this fact. That’s why if you want a secure WordPress login page, you should change this pre-defined URL. An easy-to-use plugin like Protect WP-Admin will allow you to quickly change your default admin panel URL with a difficult to guess one.

You can change the regular URL to something like mywebsite.com/backend. After that, all queries for the standard mywebsite.com/wp-login.php or mywebsite.com/wp-admin URLs will be automatically redirected to your site’s homepage.

The admin panel will be accessible only from the custom URL that you’ve set. One more time-tested way for WordPress admin page protection is to block the access to the wp-admin and the wp-login.php pages.

This is a good idea if you use a static IP address. Keep in mind that if your IP changes from time to time, you can lock yourself out of your own website. Of course, if you can keep track of multiple IPs, this can still be a great solution. Another way to protect the login URL is to add another level of restricted access, with simple HTTP authentication.

This way, anyone who wants to visit your admin area will have to provide a username and a password just to see WordPress login form. With this, a brute force attack to your admin page will require double effort, as there will be an additional layer of security.

Get an SSL certificate

SSL (Secure Sockets Layer) is a cryptographic protocol for secure exchange of information between a website and a browser. Getting one will not only give you a secure WordPress login page but a secure WordPress website as a whole.

After an SSL certificate is set up correctly for a website, the server will encrypt all of the data including the private details (for instance: credit card details, etc).

Only the specific user’s browser will be capable of deciphering this data. It’s also worth mentioning that Google favors HTTPS. So, your site will have a higher rank if it uses the up-to-date HTTPS protocol instead of the older HTTP.

If you use the Google Chrome browser, getting an SSL is obligatory. This is part of Google’s policy of gradually marking all non-HTTPS sites as ‘non-secure’.

Getting an SSL Certificate today is very easy. Most hosting providers today offer free SSL Certificates from Let’s Encrypt or Comodo.

If your hosting provider does not offer free SSL Certificates, you can easily get a cheap one from reputable providers online.

Enable two-factor authentication

A WordPress two-factor authentication is a great solution if you want a secure WordPress login page. It is used as an addition to the standard username/password protection for logging in to your WordPress admin area and it works independently. You type in your credentials and then a passcode that consists of digits will be generated on one of your devices (usually a smartphone). In order to gain access to your site, you need to enter this code as well.

There are numerous two-factor plugins for WordPress based websites on the market today, both free and paid:

Rublon – this plugin offers two-factor authentication for the admin user for free, both by email or via a phone app.

Authy – available for free, Authy uses security tokens sent to you by SMS or phone call. It also offers a dedicated mobile app.

Two Factor Authentication – it’s available for free and uses barcode scanning from authenticated devices.

5sec Google Authenticator 2-Step Login Protection – a paid plugin that uses a phone app to generate a special code, required for each login. It’s main advantage is the dedicated support you will get with your license.

Google Authenticator – Two Factor Authentication – available for free, it offers support for all popular methods for two-factor authentication.

Use captcha

A captcha will help protect the login page against bot attacks, as it requires a special condition to be met along before the login request is even sent to the server for authentication. There are two ways you can set up a captcha on the login page – manually or with a plugin. The manual way requires coding and dealing with public and private keys and is generally harder to implement. If you choose to go with a plugin, there are multiple plugins that can be used. Here are two of the most popular ones:

All in One WP Security and Firewall – Aside from setting up a captcha, this plugin also allows for granular control over which IPs can access your website, and the creation of IP whitelists and blacklists. Better WordPress reCaptcha – This plugin focuses only on adding captcha to your website and offers on other security options.