![\"7](\"https:\/\/reseller-hosting-themes.com\/wordpress\/wp-content\/uploads\/2017\/04\/protect-the-login-page-in-wordpress-300x225.png\")
WordPress is one of the most popular CMS systems, single-handedly powering more than 20% of all sites online.<\/p>\nWordPress is one of the most popular CMS systems, single-handedly powering more than 20% of all sites online.<\/p>\n
However, being so popular has its downsides – WordPress sites are often the target of hacker attacks.<\/p>\n
This is why one of the first things you should do if you have a WordPress-driven website is to make sure you have a secure WordPress login page.<\/p>\n
Since it is the gateway to your WordPress based website, it often happens to be the gate for most of the hacker attacks.<\/p>\n
Therefore, if you minimize its security vulnerabilities, you’ll decrease\u00a0the chances for any harmful\u00a0behavior towards\u00a0your site.<\/p>\n
Today, we will show you 7 different ways to\u00a0create a\u00a0secure WordPress login page.<\/p>\n
Table of Contents<\/p>
In case you’re not aware, ‘\u0430dmin’ is the standard username for WordPress as well as for a bunch of other platforms.<\/p>\n
Every single hacker on the web knows this. And if you use the ‘admin’ username and someone attacks your login page, for them it’s the job half done.<\/p>\n
So, the first thing you need to do if you want a\u00a0secure WordPress login page is to change the pre-defined username.<\/p>\n
\u0422\u043e replace the ‘admin’ username, do the following:<\/p>\n
\u2022 Log\u00a0into WordPress;
\n\u2022 Add a new user by going to: Users > Add New;
\n\u2022 Select ‘Administrator’ as the role for this new user. Try to think of a unique and more difficult to guess username \u2013 this will be the new username of the admin user;
\n\u2022 Sign out of the old ‘Admin’ user account;
\n\u2022 Sign in again with the new unique username that you’ve just created;
\n\u2022 Delete the original ‘Admin’ user. You’ll also need to reassign all your previous posts from the old ‘Admin’ user to the new user;<\/p>\n
Changing the default ‘Admin’ username is step one to efficiently upgrading your WordPress protection.<\/p>\n
Step two towards a more\u00a0secure WordPress login page is to change your password. Never use your own initials or birthdate, as they are the easiest info one can acquire about you.<\/p>\n
Bots can easily guess your favorite sports team, pet names and other similar details.<\/p>\n
More often than not, brute force attacks are continuous\u00a0attempts at guessing a given password (trial and error).<\/p>\n
So, if you use a short and weak password, you’re prone to attacks.<\/p>\n
A strong password should contain both letters and numbers \u2013 upper case and lower case.<\/p>\n
You can also add a symbol like ‘@’ or ‘!’ to further strengthen it.<\/p>\n
If you find it difficult to think of one yourself, WordPress offers a password generator\u00a0built-in.<\/p>\n
Strong passwords might be more difficult to remember than weak ones, but you can always use password managers like: LastPass<\/a>, DashLane<\/a>, KeePass<\/a>, 1Password, RoboForm<\/a>, etc.<\/p>\n No need to worry about compromising your security, since your passwords will be stored in an encrypted form.<\/p>\n You can also access them\u00a0from multiple web-connected devices to which you have access (smartphones, tablets, etc).<\/p>\n You can also take a look at this report from SplashData, which shows the weakest passwords of 2016<\/a>.<\/p>\n If you are using one of the passwords listed there, it is now the\u00a0time to change it.<\/p>\n Bots gain access to your site by trying to log in with many different usernames and passwords multiple times until they finally hit the correct ones.<\/p>\n There is a quick counter for this.<\/p>\n Simply\u00a0limit the number of login attempts a single IP can make before it is\u00a0rejected from your website.<\/p>\n Here are some specialized WordPress plugins to do this for you:<\/p>\n \u2022 Limit Login Attempts<\/a> \u2013 it limits the rate of login attempts per IP. Still, a commonly used plugin, although its last update was a long time ago. Some web hosting providers offer login attempts restriction as part of their standard services.<\/p>\n The pre-defined URL for logging into a WordPress website is the site’s name followed by wp-login.php or wp-admin.<\/p>\n If your website is called ‘mywebsite.com’, for example, its URL will be mywebsite.com\/wp-login.php or mywebsite.com\/wp-admin unless you change it.<\/p>\n Needless to say, hackers are well aware of this fact. That\u2019s why if you want a secure WordPress login page, you should change this pre-defined URL<\/p>\n An easy-to-use plugin like Protect WP-Admin<\/a> will allow you to quickly change your default admin panel URL with a difficult to guess one.<\/p>\n You can change the regular URL\u00a0to something like mywebsite.com\/backend.<\/p>\n After that, all\u00a0queries for the standard mywebsite.com\/wp-login.php or mywebsite.com\/wp-admin URLs will be automatically redirected to your site’s homepage.<\/p>\n The admin panel will be accessible only from the custom URL that you’ve set.<\/p>\n One more time-tested way for WordPress admin page protection is to block the access to the wp-admin and the wp-login.php pages.<\/p>\n This is a good idea if you use a static IP address.<\/p>\n Keep in mind that if your IP changes from time to time, you can lock yourself\u00a0out of your own website.<\/p>\n Of course, if you can keep track of multiple IPs, this can still be a great solution.<\/p>\n Another way to protect the login URL is to add another level of restricted access, with simple HTTP authentication.<\/p>\n This way, anyone who wants to visit your admin area will have to provide a username and a password just to see WordPressres login form.<\/p>\n With this, a brute force attack to your admin page will require double effort, as there will be an additional layer of security.<\/p>\n SSL (Secure Sockets Layer) is a cryptographic protocol for secure exchange of information between a website and a browser. Getting one will not only give you a\u00a0secure WordPress login page but a secure WordPress website as a whole.<\/p>\n After an SSL certificate is set up correctly for a website, the server will encrypt all of the data including the private details (for instance: credit card details, etc).<\/p>\n Only\u00a0the specific user’s browser will be capable of deciphering this data.<\/p>\n It’s also worth mentioning that Google favors HTTPS. So, your site will have a higher rank if it uses the up-to-date HTTPS protocol instead of the older HTTP.<\/p>\n If you use the Google Chrome browser, getting an SSL is obligatory. This is part of Google’s policy of gradually marking all non-HTTPS sites as ‘non-secure’.<\/p>\n Getting an SSL Certificate today is very easy. Most hosting providers today offer free SSL Certificates from Let’s Encrypt<\/a> or\u00a0Comodo.<\/p>\n If your hosting provider does not offer free SSL Certificates, you can easily get a cheap one from reputable providers like NameCheap or Comodo.<\/p>\n A WordPress two-factor authentication is a great solution if you want a secure WordPress login page. It is used as an addition to the standard username\/password protection for logging in to your WordPress admin area and it works independently.<\/p>\n You type in your credentials and then a passcode that consists of digits will be generated on one of your devices (usually a smartphone). In order to gain access to your site, you need to enter this code as well.<\/p>\n There are numerous two-factor plugins for WordPress based websites on the market today, both free and paid:<\/p>\n Rublon<\/a> – this plugin offers two-factor authentication for the admin user for free, both by email or via a phone app.<\/p>\n Authy<\/a> – available for free, Authy uses security tokens sent to you by SMS\u00a0or\u00a0phone call. It also offers a dedicated mobile app.<\/p>\n Two Factor Authentication<\/a> – it’s available for free and\u00a0uses barcode scanning from authenticated devices.<\/p>\n 5sec Google Authenticator 2-Step Login Protection<\/a> – a paid plugin that uses a phone app to generate a special code, required for each login. It’s main advantage is the dedicated support you will get with your license.<\/p>\n Google Authenticator \u2013 Two Factor Authentication<\/a> – available for free, it offers support for all popular methods for two-factor authentication.<\/p>\n A captcha will help protect the login page against bot attacks, as it requires a special condition to be met along before the login request is even sent to the server for authentication.<\/p>\n There are two ways you can set up a captcha on the login page – manually or with a plugin. The manual way requires coding and dealing with public and private keys and is generally harder to implement. If you choose to go with a plugin, there are multiple plugins that can be used. Here are two\u00a0of the most popular ones:<\/p>\nSet a login attempts limit<\/span><\/h2>\n
\n\u2022 Brute Force Login Protection<\/a> \u2013 it can protect your website against all brute force attacks that use .htaccess.
\n\u2022 Jetpack<\/a>\u00a0\u2013 Part of the Jetpack suite of tools is Jetpack Protect, which can help you mitigate\u00a0bot net attacks.<\/p>\nUse a different login URL<\/span><\/h2>\n
Get an SSL certificate<\/span><\/h2>\n
Enable two-factor authentication<\/span><\/h2>\n
Use\u00a0captcha<\/span><\/h2>\n