Search for answers or browse our knowledge base.
Wordress login page hardening settings
Melapress Login Security enables you to harden your WordPress login page. Built on industry best practices, the plugin includes several options, each of which works independently, ensuring you can set up the security options that work best for you.
To access the login page hardening options, navigate to Login Security > Login page hardening. Here you will find all login page hardening options, as listed below:
Change the login page URL
Hiding your WordPress login URL is a security tactic known as security-by-obscurity. It is a passive security method that aims to make it more difficult for bad actors to find your login page.
First, find the Change the login page URL section at the very top of the page. Next, enter the following:
- Login page URL: Enter the new login page URL here
- Old login page URL redirect: To redirect users trying to access the old login page, enter the redirect URL he
When choosing a new login page URL, consider using something that does not stand out for maximum effectiveness. Once ready, scroll down to the bottom of the page and click on Save Changes to apply the new settings.
Limit login page access by IP address(es)
You can limit access to the login page to select users by including their IP address in an allowlist (whitelist). Any users whose IP address does not match any of the IPs on the list will be automatically redirected to a page of your choosing.
To limit login page access by IP addresses, first, tick the checkbox next to Restrict login page access by IP address(es).
Next, enter each IP address you would like to grant access to and click the Add IP button to add them to the list.
Once that is done, specify the URL you would like to redirect restricted IPs to by entering the slug in the Redirect restricted IP address to.
Lastly, you can enter a fallback URL which you can use in case of emergencies, such as a sudden change in IP address. Through this fallback URL, you will be able to bypass the IP address restrictions on the login page. To add this optional setting, enter the slug in the text field next to the Bypass IP restriction URL option.
Show a consent message on the login page
To ensure you’re GDPR compliant at all times, Melapress Login Security offers the facility to add a GDPR notice on the login page. Since IP addresses are processed by the plugin to determine access whenever such a policy is active, activating this notice ensures processes remain above board.
To enable the consent message on the login page, first, tick the checkbox next to Enable consent message on login page.
The plugin comes with a default message, which you’ll find in the Consent message section. This message is editable so you can make any changes you might see fit.
Block or allow access to the login page by countries
When limiting access based on geographical location, the plugin uses the user’s IP to determine their location. It will then apply the rules you set in the policy to either grant or deny access to the page.First, you need to get an IPLocate API key. If you have previously set up an IPLocate account to use with CAPTCHA 4WP, you can use the same API key.
Step 1: Configure IPLocate API Key
IPLocate offers a free plan that includes up to 1,000 verifications per day. You can set up your account by visiting IPLocate.io and registering for a new account.
Follow the instructions provided by IPLocate to get your key. Once done, log in to your WordPress dashboard, navigate to Login Security > Settings, and then click on the Integrations tab.
Enter your API Key in the textbox and click on Save Changes.
Step 2: Configure login page geo-blocking
With the API key in place, we can now go ahead and configure geo-blocking for the WordPress login page.
Navigate to Login Security > Login page hardening.
Scroll down until you see the Block or allow access to the login page by countries section and configure the below fields:
- Country Codes: Enter the ISO country codes of the locations that you would like to block or allow
- Action: Choose whether you want to:
- Do nothing: Turns off the feature
- Allow access from the above countries only: Limits login page access to users with an IP from the country or countries configured in ‘Country Codes’ and blocks everyone else.
- Block access from the above countries: Blocks login page access to users with an IP from the country or countries configured in ‘Country Codes’ and allows everyone else.
- Login Blocked Redirect URL: Choose which page you want to redirect blocked users to.
Once ready, click on Save Changes to apply the new settings.