Every WordPress website sooner or later becomes the target of malicious login attempts. If you have read the WordPress Codex, you have probably found the Brute Force Attacks article devoted to hacker attacks, along with some key tips on how to protect your website.
Apart from this, there are some other widespread ways to protect your website’s admin area, and they include:
A good strategy for protecting the login page from brute force is to hide the login page from hackers. This strategy is good for you only if logins to your site are limited to admins, authors, editors and contributors. However, if you run a membership website that allows users to log in, hiding the login page is not an option for you.
So how do you hide your login page from hackers? There are a few steps:
You can install a new WordPress in any subfolder of your server. After that you can run your WordPress from a subdirectory, whether you’re dealing with a new WP installation or an existing website.
Of course if you are moving the existing WP installation to the subdirectory, you should create a complete backup of your website in advance. Please read the detailed tutorial on how to create a backup here.
When you’re using a unique directory for WordPress, don’t choose a predictable, easy-to-guess name for your folder. You can use something like http://example.com/mycoolwebsite or http://example.com/hellothere or anything else like http://example.com/ghgjgf, and it will be tough to predict. Just be sure to remember the name of the directory, or note it down somewhere so you don’t forget it.
By default, WordPress loads the login page called wp-login.php, but even if you type http://example.com/wp-admin, you will be automatically redirected to the wp-login.php page.
If your WordPress is already installed in a unique directory (a subdirectory), you’ve added a directory between your domain name and wp-login.php.
However, even if you’ve invented a unique name for your directory, if a hacker tries to go to http://example.com/wp-login.php by typing wp-admin, they will be redirected to the correct login page, which will look like http://example.com/ghgjgf/wp-login.php.
To prevent this redirect, you need to lock down access to wp-login.php and redirect it to any page you want or to a 404 error page, and then replace it with a fully custom login URL which will also be hard to predict.
Of course, you should create something that is easy for you to remember and hard for others to guess. For instance, this can be something like http://example.com/ghgjgf/hitt or anything else.
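To confirm the lock-down works, you can check what the default paths answer and whether any redirect still reveals the hidden directory or custom slug. The following is an added example, not code from this article or from WordPress; the function names are hypothetical, the sample responses are constructed, and `collect` is meant for a site you administer.

```python
import http.client
import re
from urllib.parse import unquote, urlsplit

# Default entry points the article says visitors (and bots) will try.
DEFAULT_PROBES = ("/wp-login.php", "/wp-admin/")

def collect(base_url, probes=DEFAULT_PROBES):
    """Request each probe on a site you administer, without following redirects."""
    url = urlsplit(base_url)
    cls = http.client.HTTPSConnection if url.scheme == "https" else http.client.HTTPConnection
    observations = {}
    for probe in probes:
        conn = cls(url.netloc, timeout=10)
        conn.request("GET", probe)
        resp = conn.getresponse()
        observations[probe] = (resp.status, resp.getheader("Location"))
        conn.close()
    return observations

def leaked_segments(location, hidden_segments):
    """Hidden path segments visible in a Location header, even inside an encoded redirect_to."""
    parts = set(re.split(r"[/?&=#:]+", unquote(location)))
    return sorted(s for s in hidden_segments if s in parts)

def audit_login_hiding(observations, hidden_segments):
    """Map each probe to a finding; an empty dict means nothing was revealed."""
    findings = {}
    for probe, (status, location) in observations.items():
        if 300 <= status < 400 and location:
            leaked = leaked_segments(location, hidden_segments)
            if leaked:
                findings[probe] = "redirect leaks: " + ", ".join(leaked)
            elif "wp-login.php" in location:
                findings[probe] = "redirect still points at wp-login.php"
        elif status == 200:
            findings[probe] = "default path answers 200"
    return findings

# Constructed observations (not captured from a real site), using the article's example names.
HIDDEN = ["ghgjgf", "hitt"]
BEFORE = {
    "/wp-login.php": (302, "http://example.com/ghgjgf/wp-login.php"),
    "/wp-admin/": (302, "http://example.com/ghgjgf/wp-login.php"
                        "?redirect_to=http%3A%2F%2Fexample.com%2Fghgjgf%2Fwp-admin%2F&reauth=1"),
}
AFTER = {"/wp-login.php": (404, None), "/wp-admin/": (404, None)}

if __name__ == "__main__":
    print(audit_login_hiding(BEFORE, HIDDEN))
    print(audit_login_hiding(AFTER, HIDDEN))
```

A redirect to the home page or a 404 produces no finding; any finding means the default paths still point visitors at the real login location.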
We’d also like to present some useful plugins which will help you secure your WordPress login page as well as provide many more great features:
This is a good security plugin which will help to block malicious IPs automatically and manually, prevent keylogging with a virtual keyboard, and hide wp-admin as well as change the wp-login URL.
More features of the plugin include bot protection with captcha in login, register & comment forms, protection from brute-force login attacks, login activity supervision, admin detection and username change, and more.
A WP module including a lot of security functions like the ability to totally hide the fact you are using WordPress, easily change URL paths, change file/plugin/theme names without physical modification, rename any string in the source code without modification in the original files, remove WordPress-related meta tags, organize login redirection based on user roles, and more.
A powerful addition for the Smart Security Tools plugin bringing additional tools for website protection related to the WordPress login form. The addon comes with 3 main modules: Login Limiter to prevent brute force login attacks, Login Honeypot to prevent logins from bots, and Blocked Usernames to prevent logins using listed usernames.
A very simple and powerful PHP script made to protect your login form against online brute force attacks. This can be combined with captcha, limited login attempts, user ban, and other techniques without conflicts.
The add-on protects your authentication code so that computers never reach it, because they are too fast. Only users logging in with their real information will have access to the authentication code, because they are not as fast.
As you see, it’s easy to protect your WordPress login page either on your own or by using any available ready-made solution. Stay with us to read more tutorials and other exciting things that will help you build and run your WordPress website with simplicity and fun.