How to secure your WordPress admin login: 13 best practices

Securing your WordPress login page goes a long way in helping you improve the security of your WordPress site. By following best practices, you’ll ensure you’re covering all your bases for a rock-solid WordPress login security strategy.

In this guide to WordPress admin login page security, we’ll cover everything from how to password-protect the wp-admin page to which plugins can help you improve your security.

Continue reading to learn how to secure your WordPress login.

TLS certificates (previously SSL) encrypt data between WordPress and site visitors’ browsers. Without a certificate, data traverses the internet in plain text, making it very easy for bad actors to intercept and read that data – including your password.

Certificates protect more than your login page – they cover your entire website along with any other forms you may have. Aside from addressing security concerns, TLS certificates also help you with SEO, as search engines penalize websites that do not offer this basic security measure.

In most cases, you should easily be able to get a certificate from your hosting provider, who will also help you install it. Do keep in mind that you might need to set up redirections; however, the trouble is well worth the effort.

Weak passwords are very easy to crack – often taking no more than a few seconds thanks to GPUs (Graphics Processing Units) that go through combinations like a knife goes through butter. A good, strong WordPress password contains a mixture of upper and lower case letters, numbers, and special characters. It should not be based on actual words, since bad actors account for this.

Every character you add to your password substantially decreases the risk of it being cracked – so don’t be shy, go wild.

But how do you ensure all users use strong passwords, thus protecting their user account and your website? Glad you asked.

Melapress Login Security is a WordPress plugin armed to the teeth for protecting your WordPress login process. It includes a password policy manager that enables you to ensure that all your users use equally strong passwords. After all, a chain is only as strong as its weakest link.

The plugin also offers users real-time help by guiding them in creating a password that meets your policy, thus avoiding frustrations while increasing security. Win-win.

Make it a habit to change your password every so often – better yet, use Melapress Login Security to automatically require you to set a new password at an interval of your choosing. While strong passwords go a long way in reducing the risk of getting cracked, they are not immune to it. By having a password expiration policy you can stay one step ahead of anyone who might be trying to take a crack at your password.

And, of course, you shouldn’t recycle passwords. Like bad breakups, old passwords offer nothing but grief. Remember, there are always plenty of new passwords in the sea.

Brute force attacks take the old ‘if at first you don’t succeed, keep trying’ adage very literally. These types of attacks will keep on trying different username and password combinations until they find a pair that works. The best way to stop brute-force attacks is to limit login attempts.

When limiting login attempts, anyone trying to log in will only have a limited number of tries before their account is locked out. Legitimate WordPress users will typically remember their password after a few tries (unless they’re having a really bad day). For brute force attacks, it’s like a crippling kick in the shins.

When using Melapress Login Security to limit login attempts, you can choose between a temporary account lock, where the account automatically unlocks after some time, or a secure lock, which requires an administrator to unlock it from the WordPress dashboard.

Password reset links are convenient, but that convenience comes at a price. If a user’s email account gets compromised, it’s very easy for the ‘new account holder’ to request a password reset and gain access to your WordPress website.

As a WordPress administrator, your users’ email accounts are beyond your sphere of influence. They might have very weak passwords, be shared by multiple people, or have already been breached. By disabling the password reset link, you ensure that a compromised email account does not result in a compromised website.

You can disable password reset links at the click of a button when using Melapress Login Security. You can even enter a custom message to show to users, providing further instructions (such as ‘contact your administrator’) to ensure they still have an avenue to resolve the issue.

A strong WordPress password is like having a very secure lock on your WordPress doors. Adding 2FA is like adding another very secure key. As such, even if the password somehow gets exposed, stolen, or misplaced, without access to the 2FA key, nobody else can gain access but you.

2FA is very secure. In all reported security breaches, bad actors only managed to circumvent 2FA when the owner gave them access. No wonder companies like Google and Microsoft are making it mandatory for all users.

Adding 2FA to WordPress is easy with WP 2FA. The plugin comes with a setup configuration wizard that will help you get up and running with minimal fuss. It takes just minutes to set things up. The plugin also comes with a raft of options to help you make the most out of 2FA.

There are multiple authentication methods to choose from, ensuring all users on your WordPress site will be able to set up 2FA. Additionally, features such as secondary authentication methods, like backup codes, ensure fewer support requests and more productive users.

Another measure you can take to secure your WordPress login page is to hide it. Each WordPress website uses the same login URL, making it very easy to find. By hiding it, you make it more difficult for any bad actors looking to breach your website.

It’s important to note that hiding the login page does not mean it cannot be found – however, it does make it more difficult to find. This is a measure that falls under the security by obscurity doctrine.

Security by obscurity is a strategy that obscures specific elements of a system. When combined with other measures such as the ones mentioned here, it provides for even better security.

You can hide the login page through Melapress Login Security. Simply navigate to Login Security > Hide login page and enter the new URL. You can also set up a redirect for the old URL, avoiding those pesky 404 errors.

HTTP Authentication adds another security layer at the web server level. This measure enables you to password-protect the login page before you even get to it. While it’s not as easy to set up as some of the other methods mentioned, it forces anyone looking to access the wp-admin page to authenticate before they even get to the page.

You can set this up through the .htaccess and .htpasswd files. However, if you have cPanel, you can use the Directory Privacy feature, which will modify the aforementioned files for you, providing a more user-friendly way of password-protecting your WordPress login page.

You can take this a step further by enforcing an IP allowlist, where any connections that are not using IPs on the allowlist are rejected. One very important thing to note here is that most consumer internet plans/connections have dynamic IP addresses. This means that you can get assigned a different IP, which would lock you out of your WordPress login URL.

Using an IP allowlist is more doable if you have a static IP. Of course, if your IP address does change, you can always update the list through cPanel (or equivalent) or SSH – however, it is something to keep in mind.
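As an added example (not from the post, nor Melapress’ or cPanel’s own configuration), the following Apache 2.4 .htaccess fragment password-protects wp-login.php and, as the step above describes, additionally restricts it to an allowlisted address range. The password file path and the 203.0.113.0/24 range are placeholders.

```apache
# Added example: HTTP Basic authentication plus an IP allowlist for wp-login.php.
# Goes in the .htaccess at the WordPress document root (Apache 2.4 "Require" syntax).
# Create the password file OUTSIDE the web root first, for example:
#   htpasswd -c -B /home/example/.htpasswd adminuser
# (-B stores bcrypt hashes; path and username are placeholders.)
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted login"
    # Placeholder path; must match the file created with htpasswd above.
    AuthUserFile "/home/example/.htpasswd"
    <RequireAll>
        # Both conditions must hold: the client must come from the allowlisted
        # range (placeholder documentation range) AND present valid credentials.
        # On a dynamic home IP, update this range when it changes, or remove the
        # line to keep only the password prompt.
        Require ip 203.0.113.0/24
        Require valid-user
    </RequireAll>
</Files>
```

If you extend this to the /wp-admin/ directory (a separate .htaccess there, without the `<Files>` wrapper), exempt admin-ajax.php with its own `<Files "admin-ajax.php">` section containing `Require all granted`, since front-end plugins call that file for logged-out visitors.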

CAPTCHAs are great at telling humans and computers apart. As most attacks are automated, CAPTCHAs can effectively stop an attack bot from even trying to submit passwords. It also has the added benefit of protecting your website from spam. Double win.

CAPTCHA has evolved a lot since its early days. You’ll find versions of CAPTCHA that rely on behavior analytics instead of pictorial puzzles, making the entire process smooth and seamless for you and your users.

Use CAPTCHA 4WP to get access to multiple CAPTCHA providers, including Google reCAPTCHA, hCaptcha, and Cloudflare Turnstile. Seamlessly protect your login, comments, and registration pages with one-click support for several third-party plugins. You’ll also get features like Failover to ensure false positives don’t fall through the cracks. Nice!

Idle sessions occur when a logged-in user abandons the session without logging out.

Idle sessions can increase the risk of a successful XSS (Cross-Site Scripting) attack. In XSS, attackers take advantage of a vulnerable website to inject malicious code, which is then executed on the victim’s machine. This allows the attacker to execute specific actions – such as stealing the victim’s cookies.

Since the WordPress cookie holds the session information, the cookie of an idle session allows the attacker to take over the session – without needing to enter any passwords.

While an XSS vulnerability needs to be present for this attack to work, OWASP’s current Top 10 web application security risks list includes ‘Injection’ as one of the risks. XSS attacks are included in this category.

Inactive accounts are more susceptible to a successful takeover, since nobody will complain that their account is behaving in unpredictable ways. Someone using a compromised account may have no trouble logging in to your WordPress site without raising any suspicion if the legitimate owner hasn’t logged in for some time.

Disabling inactive user accounts ensures the user will need to contact you before they can log in again, giving you the opportunity to verify they are who they claim to be – reducing overall risk.

You can easily disable inactive user accounts by setting up a policy in Melapress Login Security. You can set the number of days of inactivity required for an account to be considered inactive and what happens once it’s disabled.

Most users on your WordPress site will typically log in during the same hours – especially if you are running a larger website with employees on your payroll. In such cases, it makes sense to restrict login hours to users’ regular hours.

In doing so, you’ll reduce the overall risk profile and the attack surface of your website.

You can set one policy for all accounts or different policies for the different user roles, thus ensuring everyone can log in when they need to.

The WP Admin account has full access to the website, and is able to carry out any action. If you’re not doing something that requires administrator privileges, consider logging in with an account that does not have administrator rights.

While this might create some added inconvenience, it helps you reduce the risks of your administrator account getting compromised.

Speaking of accounts, hiding WordPress usernames is another security-by-obscurity tactic that helps you discourage attackers.

Bad actors use a technique called username enumeration to find your WordPress website’s usernames. Tools such as WPScan make this endeavor effortless. Usernames are then used in attacks such as brute force attacks to try and gain access. Hiding usernames upsets the attackers’ little apple cart.

All you need to do is change each user’s ‘Display name publicly as’ setting to something other than their actual username.

Any software can ship with vulnerabilities, which is why updates are a critical process in WordPress administration. Sure, reputable vendors will test software extensively before releasing it to market. However, it’s physically impossible to account for all environments in which it will be installed. Updates rectify such issues (and occasionally add new features to boot).

Whether you choose to install updates as soon as they become available or after you’ve tested them in a staging environment, the important thing is to keep your WordPress install, plugins, and themes up to date at all times.

Nulled WordPress plugins offer the same features and functionality as premium plugins at a fraction of the price. While a lower price might sound intriguing, keep in mind that you will not get the same level of support. You cannot turn to the developer for help, and updates are sporadic at best, potentially leaving you without important security updates.
