4 Top Tips for WordPress Login Security

Tiny Blue Rocket
5 min readMar 17, 2021


Sadly, an inevitability of owning a website is that people or bots will try to hack into your website. As much as it’s an utter frustration, it’s important we all take reasonable steps to prevent these attacks from being successful.

Around 41% of all successful hacking attempts are due to vulnerabilities with the website hosting. Proof that choosing a great hosting platform, not just the cheapest, is the best way to go.

Also, around 52% of all successful hacks are due to plugin vulnerabilities. This is why it’s important to keep plugins, themes and WordPress itself up-to-date.

While website owners cannot always be responsible for issues around the hosting or the plugins on their website, they can focus on their login security. Making the login page tricky for hackers to breach is a crucial step all business owners and website owners must take.

Let’s explore the top 4 steps everyone can take to secure their WordPress login page.

1. Use strong usernames and passwords

Starting with the most fundamentally easy and obvious step, you must be savvy with usernames and passwords.

Over the years I’ve worked with WordPress I’ve always kept an eye on the failed hacking attempts on my and my clients’ websites. With Wordfence, the perfect security plugin for WordPress websites, it gives you a list of recent failed attempts. What I have noticed is the common usernames used to attempt a hack.

Using ‘admin’, ‘user’ or the name of your business is a bad idea as a username. Obvious usernames might make it easier for you to remember them, but it also presents an open goal for hackers.

The same goes for passwords. Don’t make it obvious or predictable. Hackers are either humans or bots. A bot might try the sophisticated range of details, a human would simply pop in ‘admin’ or something blatant and see if it worked.

Choose complex usernames and passwords that are at least 16 characters long. They should include a range of uppercase, lowercase, numbers and symbols. Sound complicated? Use a tool like Dashlane or LastPass to help you generate strong usernames and passwords and then store them so you don’t have to remember them!

The first and most important step is to make hacking at least semi-sophisticated by using complex login details.

2. Limit login attempts with Wordfence

When it comes to the ‘art’ of hacking, the most common method is just brute force. Much like the police breaking down the door of a criminal, hackers will try to bash at your login form until they get in.

Expect hackers to try hundreds of times to get access before admitting defeat, if only temporarily. Having hackers trying hundreds of times can increase the probability of them getting it right, it can also cause a slow-down of your website whilst it’s being pounded.

The next key step in login security is to limit the login attempts someone can make at any one time. With Wordfence you can limit how many times an IP address can fail to log in before they are blocked from accessing your website.

You can also limit how many times someone can try to reset a password. Also, you can set how long a person is blocked. Increasing the blocking to two months prevents someone from coming back an hour later and trying again.

While these methods don’t stop humans or bots from switching IP addresses and trying again, it does slow down the rate at which they can bang on your back door. This will then prevent hackers from slowing down your website.

With Wordfence you can also see a list of IP addresses that have been prevented and block them permanently. Little steps like this can slow down the ability of hackers to try and gain access to your website.

3. Two-factor authentification

A third step you can take is to use two-factor authentification (2FA). You may well have come across 2FA already, if not it’s a system to ask for a second type of login details. Some companies like PayPal will text you a code or ring you with a code, others rely on 2FA apps.

With Wordfence you can easily set up 2FA for any user account. With a smartphone app like Authy or Google Authenticator, it will provide you with a code to put in after you’ve entered your login details.

The purpose of this is if somehow someone guesses your login details or finds a way to bypass the login details page, they will then need to tackle the 2FA. Without access to your phone, it makes cracking a 2FA screen quite a bit harder.

While using 2FA means logging into your website will be slower and you will need your smartphone on you to do so, it means you are adding an extra layer of complexity. Even if a hacker or bot cracks your username and password, they will need to an even higher level of skill to crack a 2FA!

4. Hide your login page

The final crucial step you can take is simply to hide your login page.

Would you walk around your nearest town high street handing out your home address to strangers? Of course not! You don’t want everyone to know where to find your house.

By default, the WordPress login page is at the same address. So a hacker doesn’t need any skill to find the location of your login page. Everyone, hacker or not, can guess where your login page is with or without any nefarious intentions.

A simple step you can take is to use the free WPS Hide Login plugin to create a new address for your website’s login page.

It’s a method I used over a year ago with clients’ websites and overnight I saw a big reduction in login hacking attempts. While hackers, especially bot-based ones, will still find the login page, it cuts out a fair few of the unsophisticated attacks and slows down the ease at which hackers can try to compromise your website.

In summary

Inevitably your WordPress website will face a hacking attempt maybe daily. All the steps you take sometimes cannot prevent the worst from happening. However, taking the four simple steps above ensure you can be confident you’ve done your best to protect your website.

By using robust login details, limiting failed attempts and blocking hackers, using 2FA and finally hiding your login page, you can be confident you have taken the necessary steps to prevent hackers and care for your site.



Tiny Blue Rocket

Pixel-perfect WordPress web design. All websites are built with the Elementor page builder and are designed to be really easy to edit & maintain.