Securing Your WordPress Login: The Proper Way to Get It Done

WordPress login screen with lock.

Your WordPress login is the first target for hackers, usually because it’s not locked down as well as it should be. Securing your WordPress login removes this common weak spot and protects you against brute-force attacks, automated bots, credential stuffing, and more.

Change Your Login URL

If someone wanted to break into your home, they’d head straight for the door. It’s the obvious entry point. Hackers do the same thing, except your site’s front door just happens to be the WordPress login page.

By default, the WordPress login page is your site’s address with /wp-login.php or /wp-admin appended. Hackers and their bots automatically check whether this page is reachable before they start brute-forcing the login form.

Admittedly, changing your WordPress login URL doesn’t make your site hack-proof. It’s just an added layer of security. After all, if you hide the door, it’s much harder to find a way in. Only you and your authorized users know the new WordPress login URL.

There are two ways to do this. You could edit the core WordPress files, but that requires technical know-how, and core updates may overwrite your changes.

The easiest method is by using a WordPress plugin. Admin Optimizer lets you quickly create a custom login URL in minutes. Open Admin Optimizer in your WordPress dashboard and select Security. Enable the Custom Login URL module. Click Save Changes.

Enable Custom Login URL module in Admin Optimizer.

When prompted, change the default to whatever you want your new URL to be. You might change it to custom-login or secret-login-page. As long as it’s not similar to the defaults, you’re good to go. Click Save Changes when you’re done.

Editing the default login to secure your WordPress login.

If your site is ever compromised, change this URL to be safe.

Disable User Account

Users come and go and it’s easy to forget about their accounts. The problem is, every user account that’s no longer being used is a vulnerability for your site. Part of securing your WordPress login is auditing your site regularly to lock unused user accounts.

Take time to go through all your user accounts to see which ones are still active. Also consider users’ permissions. If a user doesn’t need administrator access, remove it. If a hacker did gain access to that account, the reduced permissions limit what they can do.

Whether the risk is a hacker or a former user who might cause trouble, disable accounts you no longer need. Remember, you can always reassign content to another user if you decide to delete the unused account later on.

Admin Optimizer has a handy module that lets you quickly disable WordPress user accounts one by one or in bulk.

Open Admin Optimizer in your dashboard and select Users Management. Enable Disable User Account. Click Save Changes.

Enabling the Disable User Account module in Admin Optimizer.

Now, go to Admin Menu -> Users -> All Users from the dashboard. Click Disable account under the user’s name. Re-enable the account by clicking Enable account.

Disable a WordPress user account.

If you want to disable WordPress user accounts in bulk, go to Admin Menu -> Users -> All Users. Check the checkbox beside each user account you want to disable. Then, open the Bulk actions drop-down box and select Disable User Accounts. Click Apply.

Disabling user accounts in bulk.

To re-enable disabled accounts in bulk, repeat the process and select Enable User Accounts instead.

As an added security measure, make sure any disabled user accounts don’t have their login email or username listed in their bios or other areas of the site. If you ever re-enable the account, hackers may try to use that exposed information to get into your site.

Set Up and Enforce 2FA

The strongest passwords are still vulnerable, especially if a user’s device gets hacked. The solution is requiring users to use two-factor authentication (2FA). This second step requires a short-term code either from an authenticator app, such as Google Authenticator or Microsoft Authenticator, or via a text message or email.

These codes expire anywhere from 30 seconds to over an hour, depending on the method you choose. The most secure method is an authenticator app, since it changes the code every 30 seconds and the codes are tied to the user’s device.
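To show what those 30-second authenticator codes actually are, here is a small TOTP (RFC 6238) generator and verifier. This is an added example for this article, not Admin Optimizer’s code; the shared secret is the RFC’s published test key, and the drift window of one step is an assumption.

```python
"""TOTP as used by authenticator apps: HMAC-SHA1 over a 30-second time step,
truncated to 6 digits. Added example; RFC_SECRET is the RFC 6238 test key."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30          # the code rolls over every 30 seconds
DIGITS = 6

def totp(secret: bytes, unix_time: int) -> str:
    """Return the 6-digit code valid at unix_time for this shared secret."""
    counter = unix_time // STEP_SECONDS
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

def verify(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or its +/-window neighbours, which
    tolerates a little clock drift between the phone and the server."""
    base = unix_time // STEP_SECONDS
    for step in range(base - window, base + window + 1):
        expected = totp(secret, step * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return True
    return False

# Constructed demonstration using the RFC 6238 SHA-1 test secret.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(RFC_SECRET, 59)
    print(code)                              # 287082 (RFC 6238 test vector)
    print(verify(RFC_SECRET, code, 89))      # True: one step later, still in window
    print(verify(RFC_SECRET, code, 120))     # False: two steps later, code expired
```

A code copied from a device is only good for about a minute, which is why an authenticator app beats long-lived email codes.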

WordPress plugins make enabling 2FA to secure your WordPress login easy. Admin Optimizer handles this security feature as well.

Open Admin Optimizer from your dashboard and select Security. Turn on the Enable Two Factor Authentication (2FA) module. Click Save Changes.

Enabling 2FA in the security section of Admin Optimizer.

Once enabled, go to Admin Menu -> Admin Optimizer -> Two Factor Authentication. Check the Enable backup recovery code box to allow users to generate backup codes in case they can’t access their 2FA code for any reason. Also, check the User 2FA Column to quickly see which users have and haven’t completed the 2FA sign-up.

Changing 2FA settings in Admin Optimizer.

You can also choose which types of accounts are required to use 2FA and which ones can set up trusted devices to avoid having to use 2FA on those devices.

In the Manage Users 2FA tab, you can unblock users who’ve been locked out or deactivate 2FA for specific accounts.

Click Save Changes after making any changes.

Limit Login Attempts

Failed login attempts don’t necessarily mean someone’s trying to hack into your WordPress site. But it’s better to be cautious and block further login attempts after multiple failures.

If it’s a legitimate user who simply mistyped their credentials, they can contact you to have the block lifted and try again.

Once again, a WordPress plugin is the easiest way to manage this login security measure.

Admin Optimizer offers a module called Block Failed Login to make this easy. Open the Admin Optimizer menu from your dashboard and select Security. Enable Block Failed Login and click Save Changes.

Turning on the Block Failed Login module in Admin Optimizer.

Then, navigate to the Admin Menu -> Admin Optimizer -> Block Failed Login. From here, adjust how many failed attempts you’ll allow, how long a block lasts, and how many cycles are allowed before the user is locked for a full 24 hours.
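The three settings above describe a tiered lockout: a few failures earn a short block, and repeating that cycle too many times earns a 24-hour lock. Here is that policy as an added example written for this article (not Admin Optimizer’s code); the limits, the IP addresses and the login events are constructed, and in a real plugin this logic would hang off WordPress’s wp_login_failed action and authenticate filter.

```python
# Tiered failed-login lockout with the three settings described above. Added
# example, not Admin Optimizer's code; numbers and login events are constructed.
from dataclasses import dataclass, field

DAY = 24 * 3600

@dataclass
class LockoutPolicy:
    max_attempts: int = 5          # failed attempts allowed per cycle
    block_seconds: int = 15 * 60   # length of a short block
    max_cycles: int = 3            # short blocks before the 24-hour lock
    _ips: dict = field(default_factory=dict)   # per-IP counters

    def _entry(self, ip):
        return self._ips.setdefault(ip, {"fails": 0, "cycles": 0, "until": 0})

    def is_blocked(self, ip, now):
        return self._entry(ip)["until"] > now

    def record_failure(self, ip, now):
        """Count one failed login; return True if the IP is blocked afterwards."""
        e = self._entry(ip)
        if e["until"] > now:
            return True                        # already blocked: not counted
        e["fails"] += 1
        if e["fails"] < self.max_attempts:
            return False
        e["fails"], e["cycles"] = 0, e["cycles"] + 1       # one cycle complete
        if e["cycles"] >= self.max_cycles:
            e["cycles"], e["until"] = 0, now + DAY         # escalate to 24 hours
        else:
            e["until"] = now + self.block_seconds
        return True

    def reset(self, ip):
        self._ips.pop(ip, None)   # good login, or the admin's Release Lock action

def decide(policy, now, ip, password_ok):
    """Handle one login event: "rejected" | "login" | "blocked" | "failed"."""
    if policy.is_blocked(ip, now):
        return "rejected"                      # never reaches password checking
    if password_ok:
        policy.reset(ip)
        return "login"
    return "blocked" if policy.record_failure(ip, now) else "failed"

# Constructed events: five quick failures, a retry while blocked, then a good
# login from a different address (documentation-range IPs).
EVENTS = [(t, "203.0.113.7", False) for t in range(0, 50, 10)]
EVENTS += [(100, "203.0.113.7", False), (1000, "198.51.100.4", True)]
```

Replaying EVENTS through decide() with a fresh LockoutPolicy yields four "failed" decisions, one "blocked", one "rejected" for the retry during the block, and a "login" for the other address.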

Block Login module settings to secure WordPress login.

If a legitimate user gets locked out, you can unblock their IP address from this same area. Under IP Address Lockout Log, click Release Lock to let the user try again.

For best results, enable all of these features to secure your WordPress login. Consider it your first line of defense against hackers.

Crystal Crowder
