How You Can Protect the Login Page in WordPress
Web security should be an abiding and ongoing concern for every website. No matter what precautions you’ve taken, there is always room for improvement, because there is no such thing as foolproof security. Add to that, hackers are on the prowl 24×7, so you’ve got to be on guard constantly. Your hosting, weak passwords, outdated versions of WordPress, and dubious themes or plugins are all possible entry points for bots to make their way into your site.
One way that you can make it harder for hackers is by stepping up the protection of your WordPress Admin or Login Page. It is the gateway to your website, and you can stop most of the mischief right at the doorstep, by hardening the security on this page.
Here are some ways you can go about protecting your Admin page:
The default username in WordPress is “Admin” and bots know this. Now, if they can guess your password, you’ve literally handed them an invitation to enter. So change your username to something unique and unguessable. For instance, for the New York Soccer Club, ‘NY Soccer’ is not a fitting username.
You can change the username by following these simple steps:
- Log in to WordPress using your existing Admin user account.
- Add a new user by clicking on Users > Add New.
- Pick “Administrator” as the role for this new user. Go for a unique username here, as this newly added user will become the new admin user.
- Log out of the old “Admin” user account.
- Log in again using the new unique username you created.
- Delete the original “Admin” user. You’ll need to reassign all your old posts from the old “Admin” user to the new user.
You can also change the username by accessing phpMyAdmin; read up on this at SiteGround.
Changing the username is only halfway there. Strengthen your password so that bots can’t guess it. Birthdays, a pet’s name or a favorite sportsperson can all be guessed. Brute force attacks are simply frequent, repeated attempts at guessing the password by trial and error, and they are bound to succeed if the password is weak. Therefore, strong passwords are important.
A strong password should ideally use a combination of numbers and letters, both upper and lower case. Throw in a symbol or two, like ‘!’ or ‘@’. WordPress provides an option to generate a strong password, and you can use that too, or take the help of a password generator. Check whether your password is strong at How Secure Is My Password, and change the password on a regular basis.
Finding it hard to remember the password? Check out password managers like LastPass, DashLane, KeePass, 1Password and RoboForm. A password manager stores all your passwords in an encrypted form and you can access it from any device.
If I haven’t made my case for a strong password, this report from SplashData listing the worst passwords of 2015 can perhaps persuade you.
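As an added example (not code from the original post), here is a small Python checker that applies the rules above: minimum length, mixed case, digits and symbols, plus a rejection of passwords that appear in a short constructed list of common passwords or that echo the account or site name (the ‘NY Soccer’ point from earlier). The common-password list and the threshold of 12 characters are assumptions chosen for the demonstration, not values from the post.

```python
import re
import string

# Constructed sample of widely used weak passwords (illustrative only, not the
# SplashData list the post refers to); a real deployment would load a much
# larger list of breached or common passwords.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "football", "letmein"}

MIN_LENGTH = 12  # assumed policy value for this example


def _squash(text):
    """Keep letters and digits only, lower-cased, so 'NY Soccer' matches 'nysoccer2016'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def password_problems(password, username="", site_name=""):
    """Return the reasons a password is weak; an empty list means it passes.

    Covers the properties the post asks for (length, upper and lower case
    letters, digits, symbols) plus two things bots exploit: the password being
    a common one (even with digits/symbols bolted on) and the password echoing
    the account name or the site name.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol such as ! or @")

    lowered = password.lower()
    core = re.sub(r"[^a-z]", "", lowered)  # 'Password123!' -> 'password'
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")

    for label, term in (("username", username), ("site name", site_name)):
        squashed = _squash(term)
        if len(squashed) >= 3 and squashed in _squash(password):
            problems.append(f"contains the {label}")
    return problems


def is_strong(password, username="", site_name=""):
    """True when no problem was found."""
    return not password_problems(password, username, site_name)
```

The checker reports every failing rule rather than stopping at the first one, which is what you want when showing a user why a password was rejected.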
Limit User Access
If you’re the only one who accesses the Admin, this one is not for you. But if you’re allowing multiple users to access the backend, you should keep a tight control over their privileges. Permit access and privileges only to the areas and to the extent that is necessary for them to perform their tasks.
Not only that, the users on your site should also be required to use strong passwords. To ensure this, you can install the Force Strong Passwords plugin. This plugin allows users to access the site only if they have set up a strong password for themselves. Or you could look at Login Security Solution, which also examines and enforces password strength, without annoying genuine users.
Limit Login Attempts
Bots gain entry into your site by trying out various combinations of username and password. It may take them many attempts before they can break in. If we limit the number of attempts that can be made from a single IP, we can drastically cut down on the chances of bots gaining access.
There are specialized plugins that can carry out this task:
- Limit Login Attempts – Limits the rate of login attempts for each IP. It is a commonly used plugin, even though it has not been updated for a long time.
- Brute Force Login Protection – Protects your website against brute force attacks using .htaccess.
- Jetpack Protect – To protect WordPress websites from bot net attacks.
It’s also worth noting that some web hosts offer this feature built in. WP Engine, for example, added it to their hosting platform at the beginning of 2015 to make the websites they host more secure (in addition to their free SSL, two factor authentication, automated backups, multiple firewalls, malware scanning and more).
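To make the mechanism concrete, the following Python model of a per-IP login limiter is an added example, not code from any of the plugins listed (their exact rules and storage differ). It counts failed attempts per address inside a time window, locks the address out once the count is reached, clears the record on a successful login, and is replayed over a few constructed login events. The thresholds of 4 failures, a 10-minute window and a 20-minute lockout are illustrative assumptions.

```python
from collections import defaultdict, deque


class LoginLimiter:
    """Per-IP limit on failed logins.

    After `max_failures` failures inside `window` seconds the IP is locked out
    for `lockout` seconds; while locked, attempts are refused before the
    password is even checked. A successful login clears the failure record.
    """

    def __init__(self, max_failures=4, window=600, lockout=1200):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lockout expires

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record(self, ip, success, now):
        """Record one login attempt and return its outcome label."""
        if self.is_locked(ip, now):
            return "blocked"
        if success:
            self.failures.pop(ip, None)
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] < now - self.window:  # forget old failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return "locked"
        return "failed"


# Constructed login events (epoch seconds, client IP, username, result).
# These are made-up lines, not real server logs; the addresses are from the
# documentation ranges.
SAMPLE_LOG = """\
1000 203.0.113.7 admin fail
1005 203.0.113.7 admin fail
1010 203.0.113.7 test fail
1015 203.0.113.7 administrator fail
1020 203.0.113.7 editor fail
1030 198.51.100.2 editor ok
2300 203.0.113.7 editor ok
"""


def replay(log_text, limiter=None):
    """Feed each event to the limiter; return (ip, user, outcome) triples."""
    limiter = limiter or LoginLimiter()
    outcomes = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        outcomes.append((ip, user, limiter.record(ip, result == "ok", int(ts))))
    return outcomes


if __name__ == "__main__":
    for ip, user, outcome in replay(SAMPLE_LOG):
        print(f"{ip:14} {user:14} {outcome}")
```

In the sample, the fourth failure from 203.0.113.7 triggers the lockout, the fifth attempt is refused outright, and the same address can log in again only after the lockout has expired. One caveat a practitioner should keep in mind: the limiter keys on the client address, so behind a CDN or reverse proxy every request would appear to come from the proxy. In that setup the real address has to be taken from the forwarded header, and only when the proxy is trusted, because clients can set that header themselves.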
Change Your Login URL
The URL for logging into all WordPress websites is, by default, your site’s main URL followed by wp-login.php or wp-admin – for instance, mywebsite.com/wp-login.php. Hackers know this, and if you can change this URL, you’ll be making it harder for them to get into your website.
You can install Protect WP-Admin to change the URL of your admin panel and block the default links. You can change it to anything you like, such as mywebsite.com/allow_admin_access. When a request for mywebsite.com/wp-login.php or mywebsite.com/wp-admin reaches the site, it will be redirected to the homepage, and only the custom URL will lead to the admin panel.
A totally reliable way to protect your admin page is to block access to your wp-admin and wp-login.php pages entirely, except from your own IP address. But this can be employed only if you use one IP address that doesn’t change; otherwise, you run the risk of being locked out of your website. If you can keep track of multiple IP addresses, you can still go ahead and adopt this option.
You can also restrict access to your wp-login.php file using HTTP Basic Authentication. This is an external layer of security that a user has to get past before reaching the login page. You’ll need to generate a .htpasswd file listing all authorized usernames and their respective password hashes. A brute force attack can be launched against HTTP Basic Authentication as well, but it’s going to be double the effort for hackers to crack both layers.
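The two layers described above, an IP allow-list in front of HTTP Basic Authentication, can be modelled in a few lines. The following Python is an added example rather than an .htaccess from the post: the allowed networks, the user ‘sitekeeper’ and its password are constructed placeholders, and the .htpasswd entries use Apache’s {SHA} format (what `htpasswd -s` writes) because it can be produced with the standard library alone; in practice, bcrypt entries from `htpasswd -B` are the better choice.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed allow-list: the fixed addresses the administrator works from
# (documentation ranges used as placeholders).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "198.51.100.0/24")]

PROTECTED_PATHS = ("/wp-login.php", "/wp-admin")


def htpasswd_sha_entry(user, password):
    """One .htpasswd line in Apache's {SHA} format: user:{SHA}base64(sha1(pw))."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


# Constructed .htpasswd contents (placeholder account, not a real credential).
HTPASSWD = htpasswd_sha_entry("sitekeeper", "correct horse battery staple") + "\n"


def basic_header(user, password):
    """The header a browser sends after answering the Basic Authentication prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth_ok(header, htpasswd_text):
    """Verify an 'Authorization: Basic ...' header against {SHA} htpasswd entries."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = htpasswd_sha_entry(user, password).encode()
    for line in htpasswd_text.splitlines():
        # Whole-line constant-time comparison; no early exit on the hash bytes.
        if line.startswith(user + ":") and hmac.compare_digest(line.encode(), expected):
            return True
    return False


def gate(path, client_ip, auth_header=None):
    """Return the HTTP status the two layers would produce for a request."""
    if not any(path == p or path.startswith(p + "/") for p in PROTECTED_PATHS):
        return 200  # the rest of the site stays public
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in ALLOWED_NETWORKS):
        return 403  # layer 1: not from an allowed address
    if not basic_auth_ok(auth_header, HTPASSWD):
        return 401  # layer 2: valid .htpasswd credentials still required
    return 200  # request reaches WordPress' own login form
```

The gate returns the status each layer would give: 403 when the address is not allowed, 401 when the browser has not yet supplied valid Basic Authentication credentials, and 200 when the request is allowed through to WordPress' own login form. Note that a rule covering all of wp-admin also covers wp-admin/admin-ajax.php, which many themes and plugins call from public pages, so a real rule usually exempts that file.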
Add SSL To Your Website
SSL is a standard security technology. HTTP, the Hypertext Transfer Protocol, transfers data between a server and a browser; its secure version is HTTPS, the “S” standing for Secure. Together, they verify the identity of the website to the user and assure the user of the confidentiality of the traffic between the website and the user’s browser.
Once you’ve set up SSL / HTTPS, the server encrypts data and only the user’s browser can decipher it. To any unwelcome third party, the data won’t make any sense and will just appear as a string of characters. As a bonus, you’ll find that Google favors HTTPS while ranking websites.
Getting yourself an SSL certificate may no longer be optional, particularly if your visitors use the Chrome browser. That’s because Google is on course to mark all non-HTTPS sites as “non secure”.
Today, non-HTTPS sites simply get a neutral indicator of their SSL status, but that will change in January 2017. All websites that need passwords or collect credit card information must become secure or risk being labelled as non secure by Google.
There are many companies, like Comodo, DigiCert and SSL.com, offering certificate services. Certificates can be acquired without too much cost from SSLMate and for free from Let’s Encrypt. Some hosting providers offer free SSL with their hosting plans. You can read more about installing SSL in our HTTPS & free SSL guide.
Two Factor Authentication is one of the most secure ways to protect your website from hackers. It works in addition to the standard username / password that you already have. Once you have keyed in these credentials, a code is generated on a device that you have, often your smartphone. Only when this code is entered do you gain access to the site.
Many free and premium plugins are available for installation on your website. This security method has been around for quite a while, but is now being increasingly applied to website access. You can read more about two factor authentication in our earlier post.
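The code that “is generated on a device that you have” is, for most authenticator apps, a time-based one-time password (TOTP, RFC 6238). The Python below is an added example, not code from the plugins mentioned: it generates the six-digit code from a shared secret and the current 30-second step, and the verifier class shows the server-side checks a plugin has to make, namely tolerating one step of clock drift and refusing to accept the same code twice. The secret used is the published RFC 6238 test seed, not a real enrolment key.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per code, as authenticator apps use
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    at_time = time.time() if at_time is None else at_time
    return hotp(secret, int(at_time) // STEP)


class TotpVerifier:
    """Server side: accept a code from the current or an adjacent step, never twice."""

    def __init__(self, base32_secret, drift_steps=1):
        # Secrets are shown to the user base32-encoded (the QR code content).
        self.secret = base64.b32decode(base32_secret, casefold=True)
        self.drift = drift_steps
        self.last_counter = -1  # highest counter already accepted (replay guard)

    def verify(self, code, at_time=None):
        at_time = time.time() if at_time is None else at_time
        now_step = int(at_time) // STEP
        for counter in range(now_step - self.drift, now_step + self.drift + 1):
            if counter <= self.last_counter:  # already used, or earlier than one used
                continue
            if hmac.compare_digest(hotp(self.secret, counter).encode(), str(code).encode()):
                self.last_counter = counter
                return True
        return False


# The RFC 6238 test seed, base32-encoded as an enrolment QR code would carry it
# (a published test value, not a real secret).
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print("current code:", totp(base64.b32decode(TEST_SECRET_B32)))
```

Two details matter for a plugin that implements this: the shared secret must be stored server-side with the same care as a password hash store, and the replay guard means a code intercepted by a keylogger is worthless once the legitimate user has used it.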
Many websites install plugins that take care of WordPress security in a comprehensive manner. They pack in firewall protection, malware scanning, blacklisting and whitelisting IPs, monitoring user activity, audit logging and generally harden all round security. Both free and premium options are available.
Some plugins that include login protection:
- Wordfence – Enforces strong passwords and prevents brute force attacks.
- iThemes – Fights automated attacks and limits number of login attempts. It also implements tougher user credentials.
- All in One Security and Firewall – Prevents brute force attacks and allows IP level blocking, locking out a user after a specified time period. Other login protection features include login lockdown and whitelisting & blacklisting IP addresses.
- BulletProof Security – Login and brute force protection.
- McAfee Secure – Offers multiple layers of protection including a trusted site mark, malware scanning, and identity protection coverage for e-commerce stores (a huge asset).
The methods listed in this post are mostly simple, but highly effective ways in which you can curtail bots, malware and mischief makers from breaking into your website. You can also add captchas or other small tests to verify if the attempted login is by a human and prevent bots. If you need more tips on WordPress security, read what Freddy has to say in this post.
Wow! That was an amazing list; I’m just buzzing after reading that. Very informative, rich in detail and an easy read. I will try out your awesome techniques and let you know how it goes. Thanks!
I am using the Limit Login Attempts plugin and I also changed the login page URL, but I am still getting emails from Limit Login Attempts showing too many failed login attempts. It also shows the last user attempted as admin, test, site name, etc., but the problem is that sometimes it also shows the correct username.