Table of Contents
Are you experiencing issues relating to dropped website speed and traffic, a defaced homepage, unexpected login errors, and suspicious users on your WordPress site?
It’s likely your website has been hacked.
WordPress is the most popular content management system, and it powers 42% of the web. Originally launched as a blogging platform, WordPress has now become a popular choice for developing websites because of being easy to use, SEO-friendly, feature-rich, versatile, and easily customizable.
Kinsta’s latest WordPress stats reveals that more than 500 WordPress sites are built every day. Nevertheless, as WordPress gained popularity, the number of threats and attacks also increased. According to a study by Sucuri, 74% of the 8,000 infected websites were WordPress-based.
The website is the lifeblood of a business, and attacks on it can drain your budget dry and destroy it. Thus, if you have a WordPress website that is experiencing frequent attacks, you should read this article till the end.
In this article, we will run you through some of the vital tips that prove to be useful in keeping your website secure. Using these tips, you’ll be able to protect your website’s login from unauthorized access and attacks.
10 Essential Tips to Prevent Unauthorised Access to Your WordPress Login
Login pages are the most vulnerable parts of a website since they can be accessed by anyone connected to the internet. Hence, it tends to be the most targeted part of the website for hackers to breach a system and leak their database.
Check out these tried-and-tested tips for protecting your WordPress site against hacks, attacks, and other login-related security breaches.
1. Use a Website Application Firewall Plugin
The foremost thing to consider to make your WordPress website/web app secure is the Website Application Firewall(WAF). The WAF monitors the website traffic and blocks suspicious requests accordingly.
WordPress offers two kinds of firewall plugins- DNS Level Website Firewalls and Application Level Firewalls.
DNS-level website firewalls route your website traffic through their cloud proxy servers, where the traffic gets filtered based on authenticity. Application Level Firewall checks the traffic after it reaches the server however before loading most WordPress scripts.
Many WordPress plugins are available that can be used to enable a firewall in your website, such as Sucuri, Cloudflare, MaxCDN, MalCare Security, Wordfence Security, Jetpack, etc.
2. Make Sure Your Admin Username is Unique
The login starts with the username and so does its security. Generally, people do not consider the username when discussing website security. However, it is equally as vital to the login process as a password.
Logging into a website requires both of these credentials, failing at either limits access. Thus, you should avoid using obvious usernames like name@abc; make sure your username is unique. Leave no scopes for the attackers to get into your website.
3. Never Use A Short & Simple Password
Approximately 80% of hacker-related breaches are caused by weak passwords or stolen credentials. Hence make sure you use strong passwords for your accounts. You should avoid using passwords like admin, 1234, or your name for this purpose.
Our recommendations are to use a mixture of letters, numbers, and special characters for your password. Hackers have a harder time guessing your passwords this way. If you find it difficult to remember( which is the biggest reason why people use a simple password) you can leverage a password generator or manager to create and remember the passwords for you.
4. Disable Hints in the Login Process
A hint during the login process gives the attacker an idea of the current status of the login process. Based on this they can take further steps. Do not display any hints during the login process.
For example, if someone enters a wrong password, do not display the hint about the exact problem. This way he will keep on wondering, what went wrong- the password or user name. And until they will figure it out, they might reach the limit on attempted logins.
To hide the login hints, add the following code to your theme’s function.php file or a site-specific plugin.
return ‘Something is wrong!’;
add_filter( ‘login_errors’, ‘no_wordpress_errors’ );
5. Set a Limit on the Number of Login Attempts
It needs several attempts and guesswork to figure out the passwords. Considering this fact, you can set a limit on the number of login attempts. This works great in the case of the brute force attack, in which the attacker tries to break into your website by guessing and trying your password.
WordPress websites are vulnerable to such attacks since they allow unlimited login attempts. You can prevent this by setting the number of login attempts to a specific count, for example, 5.
When a user makes 5 failed login attempts, he will be temporarily locked for some period of time. To do this, you can use the Login Lockdown plugin. Activate the plugin, make the necessary settings according to your need and click the update settings button.
- Source: wpbeginner
6. Enable Two-Step Verification to WordPress Login Screen
To be doubly sure of the secure login, use a two-step authentication process. You can do this by integrating Google authentication into your website. This adds an extra layer of security to the website.
- Source: wpbeginnerThe Google Authenticator app on your phone is used to generate a verification code that is entered whenever a user attempts a login through such an arrangement. The website will not allow you to log in until you enter both the code and password. Even if an attacker is able to guess your WordPress password, they will still need to use the Google Authenticator code to log in.
7. Always Keep WordPress and Plugins Updated
The use of outdated WordPress versions and plugins acts as a backdoor for attackers to enter your website. Due to its open-source nature, WordPress source code can be accessed by anyone. A downside is that hackers can also study it and devise ways to break into websites.
An attacker is likely familiar with outdated websites and plugins, exposing you to easy-to-crack vulnerabilities. Hence, in order to prevent this from happening to your website, make sure you are using the latest version of WordPress and plugins. Updated versions come with bug fixes and new features, making your website secure and efficient.
8. Use Custom Login Page for Your Website
From the WordPress login page, website owners can register, create accounts, log in and access their web pages. While you may manage which resources users can and cannot access by managing the accessibility criteria for your site, limiting their access is impossible since you need the pages in order to do so.
It is therefore recommended to create a custom login page for your website, in order to have better control over your website and users. By configuring a custom login page for your website, you can control who is able to access certain pages of a website, such as a login and registration.
9. Limit Login Access to Your Admin Folder
Another way to protect your WordPress site is to allow only a limited number of IP addresses to access it. It is applicable when you are certain about the number of users who are supposed to access the Admin folder.
To leverage it in your website you can add the following to the .htaccess file of your Admin folder or /wp-admin/ folder.
AuthName “WordPress Admin Access Control”
order deny, allow
deny from all
# whitelist Jhon’s IP address
allow from xx.xx.xx.xxx
# whitelist Larsen’s IP address
allow from xx.xx.xx.xxx
# whitelist Janet’s IP address
allow from xx.xx.xx.xxx
# whitelist Summer’s IP address
allow from xx.xx.xx.xxx
# whitelist Work IP address
allow from xx.xx.xx.xxx
Once you have added the IP addresses, you are good to go. The only drawback is that to access the website from a new IP address, you need to first add it to the list.
Be sure to not change your Root .htaccess file; instead, you need to edit the one in /wp-admin/.htaccess. Should you not be able to locate the file in your Admin folder, then you can create a blank file with the name .htaccess.
10. Limit Dashboard Access
Not every user of your website should be given access to your dashboard; few of them are only there to consume the content available on the website. Therefore, allowing everyone to access the dashboard may pose a threat to your website.
All users of WordPress are allowed access to the admin area of the website by default. So, if you want to restrict user access to the Admin dashboard, you can use the Remove Dashboard Access plugin on your website.
Remove Dashboard Access allows you to choose the user roles, such as administrators, editors, or authors, based on your requirements. In addition to this, you can also restrict access by capability- the actions that the user can carry out on a website.
Want to Keep Your WordPress Website Login Safe?
While WordPress is considered a very secure platform, there are still ways in which hackers can gain access to your website. Several ways exist to protect your WordPress login from unauthorized access, and we hope that this post gave you the ones you need.
By following the above tips, you can protect your website from threats and attacks. In case your website is already hacked, you should let the experts fix it.
You can Hire WordPress Developer if you need assistance with the security of your WordPress website, or if you have any other questions about WordPress security. Besides the security part, our developer can also assist you with developing WordPress websites, designing themes, plugin development, WordPress migration as well as maintenance and support for your website. We appreciate your reading, and hope that you have a wonderful day!
Wanna know more about WordPress Security?
You may find this helpful:
WordPress Security: How do you protect your WordPress site in 10 easy steps?