Are you unsure whether or not you should be concerned about WordPress login security?
Because it is so simple to build a website with WordPress, it is the most popular CMS on the planet. It is free, but that popularity has a cost: every WordPress site looks alike, and that predictability makes it an ideal target for attackers.
Take the login page, for example.
The login page of every WordPress website lives at the same address (/wp-login.php, which /wp-admin/ redirects to when you are not signed in). When that predictability is combined with the human tendency to use weak credentials, the page becomes a tempting target.
Security practitioners consistently rank the login page as a site’s most attacked entry point. Bots attempt brute-force logins against it every day, and a correct username and password is all they need to take over your CMS. So you must do everything possible to safeguard it against these uninvited visitors.
In this article we’ll show you five strategies that increase WordPress login security and make you a much harder target.
How to secure a WordPress login page in 2021.
In cyber security there is a lot of bad advice, most of it designed to instil dread and push people into knee-jerk decisions. Instead of adding to the noise, we’ll show you tactics that actually work. These are the ones:
- Change login page URL
- Implement two-factor authentication
- Limit failed login attempts
- Prevent discovery of username
- Use auto logout
You’ve probably noticed that we didn’t mention enforcing strong passwords or serving the site over HTTPS with a valid SSL/TLS certificate. That is because those are a given; we hope you’ve already started using them.
1. Change login page URL
As we said at the beginning of the article, every WordPress site serves its login form at the same default address, /wp-login.php.
It’s common knowledge, including among the people who write bots that target WordPress login pages. Because 59 percent of Americans use weak passwords, brute-forcing a login page that is this easy to find makes hacking a website far too easy.
Changing the URL of your login page is one approach to secure it.
It’s simple to create a new custom login page URL. A lot of plugins are available that allow you to do so with only a few clicks.
We will use the WPS Hide Login plugin to demonstrate the process, but if you prefer any of the other plugins, go right ahead. The steps will be equally easy and swift.
How to change your WordPress login URL
Install and activate WPS Hide Login, then go to Settings → WPS Hide Login.
Scroll to the bottom of the page, enter the new path in the Login URL field, and hit Save Changes. From now on the plugin answers /wp-login.php and /wp-admin/ with a 404 page for anyone who is not signed in.
Try logging in with the new URL, and don’t forget to share it with your teammates. Keep in mind that this is obscurity, not authentication: anyone who learns the new path is back where they started, so pair it with the lockout and two-factor steps below.
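What a plugin like WPS Hide Login does can be reproduced in a few lines, which makes its limits easier to see. The following is an added example, not WPS Hide Login’s code or the article’s: a must-use plugin (dropped into wp-content/mu-plugins/) that serves wp-login.php as a 404 unless the browser first visited a secret path. The slug `staff-entrance`, the cookie name and the time limits are assumptions; it needs PHP 7.3+ for the setcookie options array. It goes one step beyond the article by also refusing logins over xmlrpc.php, which accepts the same username and password whatever the login page is called.

```php
<?php
/*
 * Plugin Name: Login Gate (added example, not WPS Hide Login's code)
 * File: wp-content/mu-plugins/login-gate.php
 */

const LOGIN_GATE_SLUG   = 'staff-entrance'; // assumed secret path: https://example.com/staff-entrance
const LOGIN_GATE_COOKIE = 'wp_login_gate';  // assumed cookie name
const LOGIN_GATE_TTL    = 600;              // the gate stays open for this browser for 10 minutes

// The cookie value is an HMAC over the slug, so it cannot be guessed without AUTH_SALT.
function login_gate_token(): string {
    return hash_hmac('sha256', LOGIN_GATE_SLUG, AUTH_SALT);
}

// 1. A request for the secret path sets the gate cookie and sends the browser to the real form.
add_action('init', function () {
    $request = trim((string) parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH), '/');
    $base    = trim((string) parse_url(home_url('/'), PHP_URL_PATH), '/'); // sub-directory installs
    if ($request !== trim($base . '/' . LOGIN_GATE_SLUG, '/')) {
        return;
    }
    setcookie(LOGIN_GATE_COOKIE, login_gate_token(), [
        'expires'  => time() + LOGIN_GATE_TTL,
        'path'     => '/',
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    wp_safe_redirect(wp_login_url());
    exit;
});

// 2. wp-login.php answers 404 to anyone who did not pass the gate.
add_action('login_init', function () {
    if (is_user_logged_in()) {
        return; // logout links keep working for signed-in users
    }
    // Password-reset links from e-mail and the password-protected-post form land on
    // wp-login.php directly; let those actions through (they carry their own secrets).
    $action = (string) ($_REQUEST['action'] ?? 'login');
    if (in_array($action, ['rp', 'resetpass', 'postpass'], true)) {
        return;
    }
    $given = (string) ($_COOKIE[LOGIN_GATE_COOKIE] ?? '');
    if ($given !== '' && hash_equals(login_gate_token(), $given)) {
        return;
    }
    status_header(404);
    nocache_headers();
    exit('Not Found');
});

// 3. Bots that cannot find the form fall back to xmlrpc.php, which takes the same
//    username and password; refuse authenticated XML-RPC calls as well.
add_filter('xmlrpc_enabled', '__return_false');
```

Note what this does and does not buy you: a visitor who knows `/staff-entrance` is exactly where they were before, and the gate cookie has to outlive the time it takes to type a password (hence 10 minutes). The lost-password form stays behind the gate on purpose, since it is itself a username oracle; only the e-mailed reset link is let through.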
2. Implement two-factor authentication
If you use Facebook or Gmail, you’ve probably come across two-factor authentication: when you sign in, the service asks for a one-time code, sent to your registered mobile number or generated by an authenticator app on your phone. It ensures that only the account’s owner can get in. Even if attackers obtained your password, they would still lack the code. Of the two, an authenticator app is the better choice: SMS codes can be intercepted or redirected by SIM swapping.
Two-factor authentication can also be applied to your WordPress website. It’ll add a layer of security to the login page. All you need to do is to install any of the following plugins:
- miniOrange’s Google Authenticator
- Google Authenticator – Two Factor Authentication (2FA)
- WP 2FA by WP White Security
Setting up a two-factor authentication plugin is very easy. We’ll use miniOrange’s Google Authenticator to show you the setup process.
How to implement two-factor authentication
Install and activate miniOrange’s Google Authenticator on your WordPress site. As soon as you activate the plugin, a setup widget appears. Choose the first option, i.e. Google Authenticator.
Next, download the Google Authenticator app on your smartphone. Open the app and scan the QR code.
The app generates a code. Enter it on the setup widget and hit Save.
2FA WordPress login security is now active on your login page.
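The code the app generates is a TOTP (RFC 6238), and the QR code you scanned is just a URI carrying a shared secret. The following added example, not miniOrange’s code or the article’s, shows the whole mechanism as a must-use plugin: it decodes the secret, computes the code, and rejects a login whose code is wrong or has already been used. The user-meta keys `totp_secret` and `totp_last_counter`, the form field name and the file name are assumptions; enrolling a user (generating the secret and showing the QR code) is left to the admin step the plugins provide.

```php
<?php
/*
 * Plugin Name: TOTP Second Factor (added example, not miniOrange's code)
 * File: wp-content/mu-plugins/totp-login.php
 */

function totp_base32_decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $char) {
        $value = strpos($alphabet, $char);
        if ($value === false) {
            throw new InvalidArgumentException('invalid base32 secret');
        }
        $bits .= str_pad(decbin($value), 5, '0', STR_PAD_LEFT);
    }
    $bytes = '';
    foreach (str_split($bits, 8) as $group) {
        if (strlen($group) === 8) { // the last, partial group is padding
            $bytes .= chr(bindec($group));
        }
    }
    return $bytes;
}

// One HOTP value (RFC 4226). TOTP (RFC 6238) is HOTP over counter = floor(unix time / 30).
// Self-check from the RFC: key "12345678901234567890" (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ),
// counter 1 -> "287082".
function totp_code(string $key, int $counter, int $digits = 6): string {
    $mac    = hash_hmac('sha1', pack('J', $counter), $key, true); // 'J': 64-bit big-endian counter
    $offset = ord($mac[19]) & 0x0f;                                // dynamic truncation
    $value  = ((ord($mac[$offset]) & 0x7f) << 24)
            | (ord($mac[$offset + 1]) << 16)
            | (ord($mac[$offset + 2]) << 8)
            |  ord($mac[$offset + 3]);
    return str_pad((string) ($value % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Returns the counter the code matched, or null. One 30 s step of clock skew is tolerated.
function totp_match(string $b32secret, string $code, int $now): ?int {
    $key    = totp_base32_decode($b32secret);
    $centre = intdiv($now, 30);
    foreach ([0, -1, 1] as $skew) {
        if (hash_equals(totp_code($key, $centre + $skew), $code)) {
            return $centre + $skew;
        }
    }
    return null;
}

// This is what the QR code shown during setup encodes.
function totp_provisioning_uri(string $b32secret, string $account, string $issuer): string {
    return 'otpauth://totp/' . rawurlencode($issuer . ':' . $account)
         . '?secret=' . $b32secret . '&issuer=' . rawurlencode($issuer)
         . '&algorithm=SHA1&digits=6&period=30';
}

// Extra field on the wp-login.php form.
add_action('login_form', function () {
    echo '<p><label for="totp">Authenticator code<br>'
       . '<input type="text" name="totp" id="totp" class="input" size="20" '
       . 'inputmode="numeric" autocomplete="one-time-code"></label></p>';
});

// Runs after WordPress has verified the password (priority 20) and only for the
// interactive form (login_init has fired), so XML-RPC and application-password
// logins are untouched. Assumed user meta keys: totp_secret, totp_last_counter.
add_filter('authenticate', function ($user, $username, $password) {
    if (!($user instanceof WP_User) || !did_action('login_init')) {
        return $user;
    }
    $secret = (string) get_user_meta($user->ID, 'totp_secret', true);
    if ($secret === '') {
        return $user; // not enrolled; enrolment (secret + QR code) is a separate admin step
    }
    $code    = preg_replace('/\D/', '', (string) ($_POST['totp'] ?? ''));
    $counter = totp_match($secret, $code, time());
    $last    = (int) get_user_meta($user->ID, 'totp_last_counter', true);
    if ($counter === null || $counter <= $last) { // wrong code, or one that was already spent
        return new WP_Error('invalid_totp', 'Invalid or already used authenticator code.');
    }
    update_user_meta($user->ID, 'totp_last_counter', $counter); // replay protection
    return $user;
}, 30, 3);
```

Two design points worth copying from any 2FA plugin you choose: the comparison uses `hash_equals` and a fixed skew window rather than a loose match, and the last accepted counter is stored so a code captured in transit cannot be replayed inside its 30-second validity. Because the check is scoped to the interactive form, XML-RPC and application passwords still accept a bare password; if you do not need them, disable XML-RPC and review which users hold application passwords.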
3. Limit failed login attempts
Out of the box, WordPress allows an unlimited number of login attempts. That may look harmless, but it is a serious weakness.
Unlimited attempts are what make brute-force attacks practical. In this type of attack, bots work through username and password combinations until one is accepted, failing thousands of times on the way. Limiting login attempts, so that a run of failures locks the source out for a while, is one of the most effective ways to stop them.
A plugin such as Limit Login Attempts, which we use below, will do just that.
How to limit failed login attempts
Install the plugin and then go to Limit Login Attempts → Settings → Local App. Here you set how many failed attempts are allowed and how long an address stays locked out once it reaches that number. Note that the count applies per IP address: if your site sits behind a reverse proxy or CDN, make sure the plugin sees the real client address, or every visitor will share one counter.
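The lockout that the plugin configures is a small amount of logic around two WordPress hooks. The following added example, not Limit Login Attempts’ code or the article’s, is a must-use plugin that counts failures per client address in transients and refuses logins while an address is locked. The limits, the transient key prefix and the file name are assumptions.

```php
<?php
/*
 * Plugin Name: Login Throttle (added example, not Limit Login Attempts' code)
 * File: wp-content/mu-plugins/login-throttle.php
 */

const LOGIN_THROTTLE_MAX     = 5;                      // assumed: failures allowed...
const LOGIN_THROTTLE_WINDOW  = 15 * MINUTE_IN_SECONDS; // ...within this window...
const LOGIN_THROTTLE_LOCKOUT = 30 * MINUTE_IN_SECONDS; // ...before a lockout of this length

// Key transients by the TCP peer address. X-Forwarded-For is attacker-supplied unless a
// proxy you run overwrites it, so it is deliberately not consulted here. The address is
// hashed so the options table never stores raw IPs.
function login_throttle_key(string $kind): string {
    return 'login_throttle_' . $kind . '_' . hash('sha256', $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
}

function login_throttle_locked_until(): int {
    return (int) get_transient(login_throttle_key('lock'));
}

// WordPress fires wp_login_failed on every failed login: wrong password, unknown user,
// or the lockout error this plugin returns itself.
function login_throttle_record_failure(): void {
    if (login_throttle_locked_until() > time()) {
        return; // attempts during a lockout neither extend nor reset it
    }
    $failures = (int) get_transient(login_throttle_key('fail')) + 1;
    if ($failures < LOGIN_THROTTLE_MAX) {
        set_transient(login_throttle_key('fail'), $failures, LOGIN_THROTTLE_WINDOW);
        return;
    }
    set_transient(login_throttle_key('lock'), time() + LOGIN_THROTTLE_LOCKOUT, LOGIN_THROTTLE_LOCKOUT);
    delete_transient(login_throttle_key('fail'));
}
add_action('wp_login_failed', 'login_throttle_record_failure');

// A successful login clears the failure counter for that address.
add_action('wp_login', function () {
    delete_transient(login_throttle_key('fail'));
});

// Refuse logins from a locked address. Priority 30 is deliberate: WordPress's own
// password check (wp_authenticate_username_password, priority 20) ignores a WP_Error
// handed to it by an earlier filter and returns the WP_User anyway, so a lockout hooked
// at priority 1 would be silently overridden by a correct password.
add_filter('authenticate', function ($user, $username, $password) {
    $until = login_throttle_locked_until();
    if ($until > time()) {
        $minutes = (int) ceil(($until - time()) / MINUTE_IN_SECONDS);
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed logins. Try again in %d minutes.', $minutes)
        );
    }
    return $user;
}, 30, 3);
```

The same lockout message is returned whether or not the password was right, so a locked attacker learns nothing from the response. Transients live in the options table or the object cache, so the counter is shared across every web node behind a load balancer; what it does not survive is a cache flush, which is acceptable for a throttle.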
4. Prevent discovery of username
In most cases, the username is seen as less crucial than the password. We presume it must be of low value because it is a publicly available record. This is not the case.
Half of your credentials are made up of your username. It, like the password, must be secured.
On a WordPress website the username leaks in two places: the display name shown on posts and comments, which defaults to the username, and the author archive (/author/<slug>/, also reachable as /?author=1), whose slug is derived from the login name. Thankfully, both can be closed off.
How to disable author archives
This can be done with the help of any SEO plugin. In the tutorial below, we are using Yoast SEO to show it.
Go to SEO → Search Appearance → Archives and then disable the Author Archives. Hit Save Changes.
How to change display name
The display name appears on published articles and comments. By default it is the same value as the username (the one you use to log in), so change it to something different to keep the username out of sight.
Go to Users → Profile. The display name cannot be typed directly: enter a new Nickname, then pick it from the “Display name publicly as” drop-down below and save. This hides the username on the front end, but it does not change the author slug, which is why the archive has to be disabled as well.
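Changing the display name and switching off author archives cover the two leaks described above, but WordPress exposes the same author slug in a few more places. The following added example, not Yoast’s code or the article’s, is a must-use plugin that closes the author archive without an SEO plugin and also shuts the other enumeration routes; it goes beyond the article in that respect. The file name and the generic error text are assumptions.

```php
<?php
/*
 * Plugin Name: Hide Usernames (added example)
 * File: wp-content/mu-plugins/hide-usernames.php
 */

// 1. Author archives. Both /author/<slug>/ and /?author=N resolve to the user's slug
//    (user_nicename), which WordPress derives from the login name. Answer 404 instead.
//    Priority 0 runs before redirect_canonical(), which would otherwise turn ?author=N
//    into a redirect to /author/<slug>/ and hand the slug over in the Location header.
add_action('template_redirect', function () {
    if (is_author()) {
        global $wp_query;
        $wp_query->set_404();
        status_header(404);
        nocache_headers();
    }
}, 0);

// 2. The REST API lists users, slugs included, to anyone at /wp-json/wp/v2/users
//    (or /?rest_route=/wp/v2/users). Drop those routes for visitors who are not logged in.
add_filter('rest_endpoints', function (array $endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    return $endpoints;
});

// 3. Core sitemaps (WordPress 5.5+) publish wp-sitemap-users-1.xml with one author URL per user.
add_filter('wp_sitemaps_add_provider', function ($provider, $name) {
    return $name === 'users' ? false : $provider;
}, 10, 2);

// 4. The oEmbed endpoint returns author_url, the author archive URL, for every post.
add_filter('oembed_response_data', function (array $data) {
    $data['author_url'] = home_url('/');
    return $data;
});

// 5. The login form itself says whether a username exists ("Unknown username" versus
//    "The password you entered for the username X is incorrect"). Use one message for both.
add_filter('login_errors', function () {
    return 'Incorrect username or password.';
});
```

After activating, check each route as a logged-out visitor: `/?author=1` should return 404 rather than a redirect, `/wp-json/wp/v2/users` should answer `rest_no_route`, and `/wp-sitemap.xml` should no longer list a users sitemap. The `login_errors` filter also rewrites the lost-password form’s errors, which is intended, since that form is otherwise another username oracle.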
5. Auto logout
Automatic logout protects against snoopers: it ends sessions that users leave unattended, so a browser left open on a shared or unlocked machine cannot be used to walk into the site.
By default, WordPress keeps a login session for 48 hours, or 14 days if the user ticked the “Remember Me” box, and an active session is never ended for inactivity. You need a plugin to terminate idle sessions.
A plugin such as Inactive Logout, which we use below, ends idle user sessions for you.
How to enable auto-logout
Activate the plugin and then go to Settings → Inactive Logout → Basic Management. Set the clock for an idle timeout. There are options for role-based timeouts as well. Check it out if you like.
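Both timers the section mentions, the absolute cookie lifetime and the idle timeout, can be set from a must-use plugin. The following is an added example, not the Inactive Logout plugin’s code or the article’s; the timeout values, the per-session key `idle_last_seen` and the file name are assumptions.

```php
<?php
/*
 * Plugin Name: Idle Logout (added example, not the Inactive Logout plugin's code)
 * File: wp-content/mu-plugins/idle-logout.php
 */

// 1. Absolute lifetime of the login cookie. WordPress hands this filter 2 days, or
//    14 days when "Remember Me" was ticked; cap both (values are assumptions).
add_filter('auth_cookie_expiration', function ($seconds, $user_id, $remember) {
    $cap = $remember ? 3 * DAY_IN_SECONDS : 8 * HOUR_IN_SECONDS;
    return min((int) $seconds, $cap);
}, 10, 3);

// 2. Idle limit per role, like the plugin's role-based option (assumed values).
function idle_logout_limit(WP_User $user): int {
    if (in_array('administrator', $user->roles, true)) {
        return 15 * MINUTE_IN_SECONDS;
    }
    return HOUR_IN_SECONDS;
}

// 3. Track the last request per *session token*, not per user, so a second browser
//    does not keep an abandoned one alive. The stamp is stored in the session record
//    WordPress already keeps for each token.
add_action('init', function () {
    if (!is_user_logged_in() || wp_doing_cron()) {
        return;
    }
    $user    = wp_get_current_user();
    $manager = WP_Session_Tokens::get_instance($user->ID);
    $token   = wp_get_session_token();
    $session = $manager->get($token);
    if (!$session) {
        return;
    }
    $now  = time();
    $last = (int) ($session['idle_last_seen'] ?? $session['login']);

    if ($now - $last > idle_logout_limit($user)) {
        wp_logout(); // clears the cookies and destroys this session token
        if (!wp_doing_ajax()) {
            wp_safe_redirect(wp_login_url());
            exit;
        }
        return;
    }

    // The admin Heartbeat pings every minute or so from any open tab; if it counted
    // as activity, an unattended dashboard would never time out.
    $heartbeat = wp_doing_ajax() && ($_REQUEST['action'] ?? '') === 'heartbeat';
    if (!$heartbeat && $now - $last >= MINUTE_IN_SECONDS) { // throttle writes to once a minute
        $session['idle_last_seen'] = $now;
        $manager->update($token, $session);
    }
});
```

Timing out is only half the job: whoever sits down at the abandoned browser after the limit is sent to the login form, and because `wp_logout()` destroys the session token server-side, a copy of the old cookie is useless too. If you use the plugin instead, confirm it does the same rather than only hiding the page with JavaScript.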
Conclusion on WordPress login security
Are you ready to go? Great! One last bit of advice before you leave this page: improving WordPress login security puts you one step closer to safeguarding your entire website, which is the ultimate aim.
Even with every precaution against brute-forcing in place, intruders can still get in by exploiting vulnerable themes and plugins. So keep your website, its themes and its plugins up to date at all times.