Protecting your login page cannot be accomplished by any one specific technique, but there are certainly steps you can take to make any attacks far less likely to succeed.
Your site’s login page is certainly one of the more vulnerable pages on your website, so let’s get started on making your WordPress site login page a little bit more secure.
#1. Use a Strong Password and A Weird Username
Brute forcing login pages is one of the common form of web attacks that your website is likely to face. If you have an easy to guess password or username, your website will almost certainly be not just a target but eventually a victim.
Splash Data compiled a list of frequently used passwords for 2014.
Password by rank in terms of usage.
If you use one of those passwords and your website receives any traffic at all, your website will almost certainly be taken down sooner or later.
Use strong passwords and unusual usernames. Previously with WordPress, you had to start out with a default admin username, but that is no longer so. Still, most new web admins use the default username and need to change their username. You can use Admin Renamer Extended to change your admin username.
With security plugins, you can easily enforce strong passwords on all your users. You wouldn’t want someone with an editor level access to use weak passwords now, would you? It compromises your security greatly.
Use a randomized password generator tool available online like Secure Password Generator or Norton’s Password Generator or LastPass. All of them are free to use.
If you have difficulty remembering your passwords, you can use KeePass Password Safe or Dashlane’s password manager.
#2. Hide The Login Page and Wp-Admin Page
A hacker needs to find your login page, if he or she intends to brute force the login page to gain access. You can prevent this by employing what some call security through obscurity, the idea that hiding your login page will protect you, seeing as the attacker cannot identify a potential point of entry. Your website would be the equivalent of a bank without a door or any other public access point.
Most WordPress websites have the login entry point at yourwebsite.com/login.php.
Try typing webhostingsecretrevealed.net/login.php into your browser’s address bar. Doesn’t work, does it ? Because it doesn’t exist. The login entry for WHSR is located on a different URL. Similarly, you can change the access point on your website to something else. Essentially we change the login page URL.
Similar to the login.php page, there is the wp-admin directory which also needs to be protected. It is fairly easy to do with either of the two plugins – WPS Hide Login and Protect Your Admin.
SSL or Secure Socket Layer is an extra layer of security which makes any information that you send and receive between your browser and server unreadable. If someone were to intercept the information, they wouldn’t be able to read it and it wouldn’t make any sense.
SSL is always used for financial transaction portals and whenever any sensitive information is shared. Websites store a great deal of information about users and SSL helps keep that information safe.
Similarly, SSL operates on Login Pages by making the browser to server communication process a lot more secure.
You will need an SSL certificate which can be purchased from your web host, or sometimes you also get it free with the most basic of shared hosting plans. Really Simple SSL and WP Force SSL both help you setup SSL on your website, once you’ve purchased the SSL certificate.
#4. Limiting Number Of Login Attempts
This is one incredibly simple technique to stop brute force attacks on your login page right in their tracks. A brute force attack works by attempting to get your username and password right by trying multiple combinations over and over.
If the particular IP which is perpetrating the attack is tracked, then you can block out the repeated brute forcing attempts and keep your site secure. This is also why global DDOS attacks occur with multiple IP addresses with different origins of attack, to throw hosting services and website security off guard.
Login LockDown and Login Security Solution both offer great solutions to protect your website’s login pages. They track IP addresses and limit the number of login attempts to protect your website.
#5. Two Factor Authentication
Google Authenticator is a WordPress plugin that operates via an app installed on your Android/iPhone/Blackberry. The plugin generates a QR code which you can scan with your mobile device or you can enter the secret code manually.
Your login will require an authentication code which is generated on your mobile device for login. The plugin can be used on a user by user basis and isn’t recommended for users will less privileges. Given that it is highly unlikely that the hacker has any physical access to your mobile device, your website’s login page will be very secure indeed (assuming there are no other vulnerabilities).
We’ve discussed hiding/renaming the login page and wp-admin directory, enabling SSL on login pages, using two factor authentication, limiting login attempts and using strong passwords and unusual usernames. You should also be aware that some web hosts mandate some of these security practices on their users.
If you’d like to, you can also use a full fledged security plugin like iThemes Security or Wordfence which offer many login protection features in addition to overall WordPress site security measures.
No WordPress security article is complete without mentioning that security can always be compromised. Plan ahead and back up your website with a free tool like Updraft Plus or a premium solution provider like VaultPress or BackUp Buddy.
I hope the article was helpful and made your website a bit safer.