7 Ways to Secure Your WordPress Login
If you are visiting this page to find the one magical tip that is going to make your WordPress login secure, you are going to be disappointed. Hackers and others looking for unauthorized access to your site will attack your login page using a variety of techniques. So you need to secure your login page from a number of different angles.
Your WordPress login page is like the front door of your home. It is a gateway to access the most vulnerable parts of your website. Let’s take a look at seven steps you can follow to make your WordPress site login page more secure.
Hide the Login Page and WordPress Admin Page
A brute force attack is like someone coming up to your door with an endless number of keys and trying each one until they find the one that opens the lock. However, if you hide the door, this technique is useless.
By making your WordPress login location obscure, you prevent a hacker from identifying a potential entry point. Most WordPress sites have their login page at yourwebsite.com/login.php. However, you can move your login entry to a different URL and thus protect your site. In a 2019 report by Aussie Hosting, hosting researcher Nathan Finch found that changing login URLs for WP login could reduce brute force attempts by over 30 percent.
Use a Unique Username and a Strong Password
If your WordPress login page is like your front door, your username and password are like the locks. A cheap lock is easy to circumvent, and a weak username and password are just as easy to break. Some of the worst passwords that you could use include:
• 123456
• Password
• ASD123
• Any combination of your name and birthdate
If you use passwords like these and your site receives any traffic at all, it is likely to be hacked sooner or later. It’s recommended that you take advantage of password generator tools and password managers to help you create and remember unique passwords and usernames.
Some people use passphrases as opposed to passwords. Passphrases should be unique: they should not be famous lines from movies, literature, or music. What you want is entropy in your password, which means taking randomness from a genuinely random source and turning it into letters and numbers, with the goal of creating a unique and secure password and username.
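The checks and generators below are an added example written for this article, not code from the page or from any WordPress plug-in. They assume a small constructed blocklist seeded with the weak passwords listed above (a real deployment would use a large breached-password list) and a hypothetical 32-word list for passphrases; they reject passwords built from a user's own name or birthdate, estimate how many bits of entropy a password could have at most, and draw new passwords and passphrases from the operating system's random source rather than a predictable one.

```python
import math
import re
import secrets
import string

# Constructed blocklist seeded with the weak passwords named in the article.
# A real deployment checks against a large list of breached passwords instead.
COMMON_PASSWORDS = {"123456", "password", "asd123", "qwerty", "letmein", "admin"}

# Constructed 32-word list (hypothetical). A real diceware-style list has
# thousands of words and therefore gives far more entropy per word.
WORDLIST = [
    "anchor", "basil", "canyon", "delta", "ember", "falcon", "garnet", "harbor",
    "indigo", "jasper", "kettle", "lantern", "marble", "nickel", "orchid", "pebble",
    "quartz", "ripple", "saddle", "timber", "umber", "velvet", "walnut", "yonder",
    "zephyr", "beacon", "cobalt", "drizzle", "ferret", "glacier", "hollow", "juniper",
]


def is_blocklisted(password: str, name: str = "", birthdate: str = "") -> bool:
    """True if the password is a known-bad choice or is built from the user's
    own name or birthdate, the patterns the article warns against."""
    low = password.lower()
    if low in COMMON_PASSWORDS:
        return True
    # Any name part or birthdate digit group of 3+ characters (e.g. the year)
    # appearing inside the password disqualifies it.
    tokens = [p for p in name.lower().split() if len(p) >= 3]
    tokens += [d for d in re.findall(r"\d+", birthdate) if len(d) >= 3]
    return any(tok in low for tok in tokens)


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def estimate_entropy_bits(password: str) -> float:
    """Upper bound on entropy, assuming every character was chosen uniformly at
    random from the detected alphabet. Human-chosen passwords have far less."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def generate_password(length: int = 16) -> str:
    """Random password from the OS entropy source (secrets, never random)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 5, sep: str = "-") -> str:
    """Random passphrase: each word chosen uniformly from WORDLIST."""
    return sep.join(secrets.choice(WORDLIST) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int = len(WORDLIST)) -> float:
    """Entropy of a passphrase of `words` uniformly chosen words."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in ("123456", "Password", "ASD123", "john1990"):
        print(pw, "blocklisted:", is_blocklisted(pw, name="John Smith", birthdate="1990-05-12"))
    pw = generate_password()
    print(pw, f"{estimate_entropy_bits(pw):.1f} bits at most")
    print(generate_passphrase(), f"{passphrase_entropy_bits(5):.1f} bits")
```

The entropy estimate is deliberately an upper bound: it only tells you how strong a password of that shape could be if it were truly random, which is exactly why the generator functions use `secrets` and not a human's memory.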
Two Factor Authentication
If one lock on a door is good, two locks are better. Google Authenticator is a plug-in that you can add to WordPress; it works with an app that you install on your smartphone. The plug-in creates a QR code that you scan with your mobile device. You will then receive a personalized login code on your mobile device that you need to enter every time you log in. Unless a hacker has physical access to your mobile phone, it’s going to be all but impossible for them to break in.
Control the Number of Login Attempts
Another way to prevent brute force attacks on your WordPress site is to limit the number of login attempts. When someone tries a brute force attack, they are trying to get your username and password right by using an endless number of combinations. However, by tracking the IP that is attempting to gain unauthorized access, you can block the IP address after a predetermined number of unsuccessful access attempts.
Hackers are resilient. They try to get around this by using multiple IP addresses with different origins of attack. Their goal is to throw hosting services and your WordPress security off guard. Thankfully, there are a number of plug-ins that you can add to your WordPress site that track IP addresses and limit the number of attempts to access your website.
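The following is an added example, written for this article rather than taken from it or from any WordPress plug-in, of the limiting logic those plug-ins perform. It keeps a sliding-window count of failed logins both per source IP and per account: the per-IP limit stops a single-source brute force, and the per-account limit catches the distributed variant described above, where each IP stays under the IP threshold. The thresholds, the window, the lockout duration and the sample IP addresses are constructed; in WordPress the two methods would be called from the login flow before and after the credential check.

```python
import time
from collections import defaultdict, deque


class LoginLimiter:
    """Tracks failed logins per source IP and per account over a sliding window.

    Per-IP limits stop a single-source brute force; the per-account limit
    catches the distributed variant where each IP stays under the IP threshold.
    """

    def __init__(self, max_per_ip=5, max_per_user=10, window=900, lockout=900):
        self.max_per_ip = max_per_ip
        self.max_per_user = max_per_user
        self.window = window      # seconds over which failures are counted
        self.lockout = lockout    # seconds a lock lasts once triggered
        self.ip_failures = defaultdict(deque)
        self.user_failures = defaultdict(deque)
        self.ip_locked_until = {}
        self.user_locked_until = {}

    def _prune(self, dq, now):
        # Drop failures that have aged out of the window.
        while dq and dq[0] <= now - self.window:
            dq.popleft()

    def is_allowed(self, ip, username, now=None):
        """Call before checking credentials. Returns (allowed, reason)."""
        now = time.time() if now is None else now
        if self.ip_locked_until.get(ip, 0) > now:
            return False, "ip_locked"
        if self.user_locked_until.get(username.lower(), 0) > now:
            return False, "account_locked"
        return True, "ok"

    def record_failure(self, ip, username, now=None):
        """Call after a failed credential check; locks whichever limit is hit."""
        now = time.time() if now is None else now
        user = username.lower()
        for key, store, limit, locks in (
            (ip, self.ip_failures, self.max_per_ip, self.ip_locked_until),
            (user, self.user_failures, self.max_per_user, self.user_locked_until),
        ):
            dq = store[key]
            self._prune(dq, now)
            dq.append(now)
            if len(dq) >= limit:
                locks[key] = now + self.lockout
                dq.clear()

    def record_success(self, ip, username):
        """A correct login clears the account's failure history. The IP's
        history is kept on purpose: one success must not reset a scan that is
        cycling through many accounts from the same address."""
        self.user_failures.pop(username.lower(), None)


if __name__ == "__main__":
    # Constructed sample of failed-login events: (seconds, ip, username).
    # Five from one address, then five more against the same account from
    # five different addresses (the multi-IP pattern the article describes).
    EVENTS = [(i, "203.0.113.7", "admin") for i in range(5)]
    EVENTS += [(10 + i, f"198.51.100.{i}", "admin") for i in range(5)]
    lim = LoginLimiter()
    for t, ip, user in EVENTS:
        ok, why = lim.is_allowed(ip, user, now=t)
        print(f"t={t:>3} {ip:<14} {user}: {'allowed' if ok else why}")
        if ok:
            lim.record_failure(ip, user, now=t)
    print("admin from a fresh IP:", lim.is_allowed("192.0.2.1", "admin", now=20))
```

One caveat when wiring this up behind a reverse proxy or CDN: the address you count must be the real client address, not the proxy's, or the first lockout will block every visitor at once; conversely, a forwarded-for header must only be trusted when it was set by your own proxy.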
SSL (Secure Sockets Layer)
This is an additional security layer that makes the information sent between the server and the browser unreadable to anyone else. This way, if a person intercepts information that’s being sent, it will be unreadable garble. SSL is the standard for financial transactions or any time that sensitive information is being shared.
SSL can be used on your WordPress login page to make the browser/server communication more secure. If you are a relatively small time operation, like a blogger or a small business, using a shared SSL or a free SSL that is provided by the hosting company is usually more than sufficient. However, if you are a larger corporation or if you are looking to keep the financial information of your customers secure, you may want to purchase a dedicated SSL certificate.
Keep Your Device Secure
Avoid logging in to your WordPress account on a public computer or using a public network. If using a public computer or a public network is unavoidable, make sure that you log out and delete the browsing history and any saved session data before you leave. Make sure that your home and business wireless networks are secure to prevent sharing private information with others. Finally, make sure that you have removed and destroyed all of your WordPress login and personal information before you sell or give away your digital device.
Keep Login Information Secure Online and Off-Line
Off-line security involves not storing your password in places that other people can easily see. At times, because people find it difficult to remember their username and password, they will write them on a sticky note and put that sticky note on their monitor, or write them on a whiteboard. This is just asking for someone to find them and eventually break into your WordPress site.
Online security means updating your WordPress username and password regularly. You may want to change your password every month or two. The longer you use the same password, the more information you put at risk. Also, use different passwords for different accounts. Your WordPress password should not be the same password you use for your email, your banking, or for logging into social media.
These are just a few of the tips that we have seen that can help keep your WordPress login secure. Are there any other tips that we have missed? If so, we would love to hear from you. Let us know what you think in the comments section below.