WordPress Login URL

How to Find and Protect Your WordPress Login URL

The login area is like the front door of your website. It allows users to enter and exit, so it needs to be protected. You need to make sure your WordPress login URL is secure from hackers to keep your data and your customers’ data safe.

As technology has improved over the years, several ways have emerged to protect your login area in WordPress from a variety of threats. For example, blocking a spam bot from registering is quite different from stopping a hacker who is using a brute force attack.

As such, you need to understand how your login area is under attack and how you can protect it. Luckily, WordPress has a variety of popular plugins that you can use to increase the security of your login area.

Today, I will demonstrate how to find and protect your WordPress login URL.

Why Protect the Login URL in WordPress?

When was the last time you left your house and left the door unlocked or wide open?

Probably never, and the same should be said for your login area in WordPress.

When you first install your WordPress site, the login area is largely unguarded and easy to find. This is to ensure that it is easy for beginners to locate, as without having access to the backend of WordPress, you really can’t do anything.

Due to the popularity of the WordPress platform, hackers and other bad actors actively target it. As such, the default login area is a prime target for automated attacks, but just to be clear, this does not mean WordPress itself is insecure.

This can be said for any popular platform. The login area is always a target to crack and exploit as it is the easiest way to compromise an account. As such, it is actually one of the first things you should update about your site.

However, first, we need to actually locate the login URL.

How to Find the Login URL in WordPress

Without access to the admin section of WordPress, you can’t really do anything to your WordPress install. To keep it easy to reach, the default WordPress login URL follows the same pattern on every site, with the domain name being the only unique part.

For example, in the majority of cases, your WordPress login URL will look something like:


Typing this into your web browser with your real domain name should bring you to the login screen where you can enter your login credentials. While this is true for 99% of websites, it is possible to have a different WordPress environment that could alter the URL.

One such case is if you let your web host install WordPress for you. It is very normal for them to change the default URL to improve security. That said, since it is so common, it’s not exactly a secret and should still be changed.

In this case, the login URL might be:


Your web host should have provided you with the URL, so check any emails associated with your account. If not, contact your web host for the login URL.

Another way it may change is if you have installed WordPress on a subdirectory. In this case, the URL could look like this:


And that is really all there is to finding your login area URL. The first step in protecting your login area is to change this, so let’s begin.

How to Change the Login URL in WordPress

There are two main ways to change the login URL in WordPress. The first would be to do it by editing the .htaccess file, but this can be a bit much for beginners. Instead, the recommended way would be to use a plugin.

In this case, I will demonstrate how to use the WPS Hide Login plugin.

It is a lightweight plugin that allows you to change your login URL. That said, it actually doesn’t change any code in your files, but makes the default login page inaccessible and provides a new URL for you.

Due to how easy it is, it has become quite a popular tool with over 1 million active installs. Overall, the process only takes a few minutes, so let’s get right into it.

Step 1: Install WPS Hide Login

Begin by clicking on Plugins and selecting the Add New option on the left-hand admin panel.

Search for WPS Hide Login in the available search box. This will pull up additional plugins that you may find helpful.

Find the WPS Hide Login plugin and click on the “Install Now” button and activate the plugin for use.

Step 2: Change the WordPress Login URL

The plugin is quite easy to use and all you really need to do is enter the new URL. This plugin does not have a dedicated settings section and instead adds a section to the WordPress settings.

To find it, click on Settings and select the General option.

Scroll down to the bottom to find a new section that the plugin adds. There are two options in this section. The first allows you to enter a new URL slug. This will be the URL that you will use to log in to your website.

You can enter anything you want, but it is best to not make it obvious. Otherwise, someone could easily stumble into it.

The second option allows you to redirect users away from the original login URL. In this case, I recommend sending them to your 404 page, but you can choose whatever you want.

The only thing you should not do is enter the new login URL as that completely defeats the purpose of using this plugin.

After that, all you need to do is save the changes. With that, the login URL has been successfully changed.

Note: If you were to delete this plugin, the default login area would be restored. Again, the plugin does not actually change any code on the backend of your website, so there is no issue when it is deleted.

How to Protect Your Login Area in WordPress

Changing the WordPress login URL is only the first step. While this will help protect your URL, eventually, hackers and bad actors will find the address. As such, you need to have security measures in place for this eventuality.

Below, I will do my best to cover all of the ways you can protect your login area and highlight the best tools you can use for it.

1. Install A Security Plugin

Perhaps one of the most obvious, but effective strategies to protect your website is to install a security plugin for WordPress. These are tools that add security capabilities to your website and WordPress has a ton of them.

In most cases, you can install one for free and have it actively keep your website safe with a host of powerful features. For instance, they may include things like firewalls, brute force protection, malware scanning, and much more.

When it comes to picking the best security plugins, it’s not easy, but my personal recommendation is Wordfence.

It provides all of the core features your website needs for free and even has other features designed to protect your login area like enabling 2FA on your WordPress accounts. A security plugin should be the first plugin you install in WordPress.

2. Install an SSL Certificate

A Secure Sockets Layer (SSL) certificate is a file installed on your web server that ties the server to your website’s domain name, so browsers can confirm the domain name in the certificate matches the site they are visiting. This allows users to make a secure, encrypted connection to the website.

Naturally, this means that you have less of a chance of your login details, or other pieces of important information like your home address, phone number, social security number, or credit card being stolen.

You can tell when a website has an SSL certificate installed if it has “HTTPS” in the URL. Most web browsers will now tell you that a website is not secure if it lacks an SSL certificate, which can actually scare away visitors.

Thus, an SSL certificate doesn’t just keep your website safe, it also helps boost traffic.

3. Add Two-Factor Authentication (2FA)

When it comes to securing a login area, one of the best methods to do so is to require users to use two-factor authentication or 2FA. This simply requires the user to input a code after they enter their login credentials.

There are several types of 2FA. The most common methods include receiving the authentication code via text message, email, or through an authenticator app. Websites will typically allow the user to choose the method.

What this means is even if someone was able to steal your login credentials, they would also need access to one of these to get the authentication code. The code itself is randomly generated every time it is requested when logging in.

It can dramatically strengthen the security of your accounts, but keep in mind that many users may find 2FA to be annoying.

4. Limit the Number of Login Attempts

Believe it or not, most of the time when hackers are able to log into an account, it is not because they actually stole the login information or penetrated a website’s security. Instead, they just kept trying until they guessed the correct password.

This is known as a brute force attack. In simple terms, a hacker just sets up a script to continuously try different passwords until it finds the correct one. This is the simplest and most effective way to break into an account.

Luckily, there is a very simple and effective way to prevent this.

Limit the number of login attempts. Typically, scripts will need thousands of login attempts to successfully crack a password. By limiting each user to a handful of attempts, you make these kinds of attacks impractical.

For instance, you can set failed login attempts to three. On the third failure, you could have the username or IP address blocked completely. And the Wordfence plugin I mentioned earlier has such a feature.

5. Password Protect Your Login Area

You may already think that your account is password protected and you are correct, but the login page itself is a different story. Password-protecting the login area means requiring a separate password just to reach the WordPress login page.

To do this, you need to password-protect the wp-admin folder on your web server. This will ask you to create a new password that users must enter to access the folder’s contents. In this case, those contents are the WordPress login area.

As such, if you password-protect this folder, you will be required to enter this password first whenever you try to access the login area. This essentially adds an extra layer of defense in front of the login section.

This should only be done when the admin login area is separated from the user login area. Otherwise, you would need to provide this password to every user, which would make it more of a hindrance than a safety feature.

6. Use Strong Passwords

Perhaps the simplest way to protect your login area is to ensure that all users use strong passwords. Even in this day and age, passwords like “123456” and “Password” are still used, and they continue to lead to compromised accounts.

Many websites require users to create a strong password that includes upper- and lower-case letters, numbers, and even symbols. By using a combination like this, your account is less likely to be compromised.

There are several ways to force users to use strong passwords in WordPress, but the easiest method is to just use a plugin like No Weak Passwords. It ensures that passwords submitted are not common passwords that hackers can crack easily.

You should also inform staff to use unique passwords. The truth is many users want to use the same password on multiple accounts to remember them more easily, but this creates a domino effect if one account is compromised.

Another alternative is to require staff to use a password manager to help improve their own account security.

7. Disable WordPress Login Hints

If you have ever entered the wrong login information in WordPress, you may have noticed that it provides feedback based on what you have entered. These are login tips and are designed to tell the user what they did wrong.

For example, you may get a message that the username you entered does not exist, or you may get a message that the password entered was changed. As mentioned before, if that password was used on other sites, those accounts may have been compromised.

While they can help users quickly identify what they entered wrong, they also give hackers helpful information they can use to crack an account. As such, many websites replace these tips with more generic messages.

For example, let’s take a message like “The login credentials you have entered are incorrect.” This does not tell the user what is wrong, only that something is wrong. It can significantly increase account security.
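
Limiting login attempts (section 4) and generic login messages (section 7) can both be handled in one small plugin file. The following is an added example, not code from Wordfence or any other plugin named in this article; the lh_ names, the 15-minute window and the lockout message are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Login hardening sketch
 * Added example: the lh_* names, window length and messages are assumptions.
 */

const LH_MAX_FAILURES = 3;   // "three" failed attempts, as in the text
const LH_WINDOW_SECS  = 900; // assumed counting/lockout window (15 minutes)

// Counter key per client address (md5 only shortens the key, it is not a
// security control). Behind a reverse proxy REMOTE_ADDR is the proxy's
// address, so the real client IP must come from trusted proxy configuration.
function lh_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lh_fail_' . md5( $ip );
}

// Count every failed login. Each failure restarts the window, so a client
// that keeps guessing while locked out stays locked out.
add_action( 'wp_login_failed', function () {
    $failures = (int) get_transient( lh_key() );
    set_transient( lh_key(), $failures + 1, LH_WINDOW_SECS );
} );

// Priority 100 runs after core's own credential checks (priority 20),
// so whatever is returned here is the final result of the login attempt.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( lh_key() ) >= LH_MAX_FAILURES ) {
        return new WP_Error( 'lh_locked_out', 'Too many failed login attempts. Please try again later.' );
    }

    // Collapse "unknown username" and "wrong password" into one generic
    // message so the form no longer confirms which usernames exist.
    $revealing = array( 'invalid_username', 'invalid_email', 'incorrect_password' );
    if ( is_wp_error( $user ) && in_array( $user->get_error_code(), $revealing, true ) ) {
        return new WP_Error( 'lh_bad_credentials', 'The login credentials you have entered are incorrect.' );
    }

    return $user;
}, 100 );
```

Saved as a file under wp-content/mu-plugins/, it loads on every request. Because the counter is keyed by IP address, guesses spread across many addresses are not caught by it, which is where the other measures in this list come in.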

8. Add CAPTCHA to the Login Area

The truth is that hackers are not manually going to a website’s login area to try and log in. Instead, they are using bots to do it for them, and when it comes to fighting bots, CAPTCHA is one of the best ways to do it.

CAPTCHA is a challenge-response system that asks users to complete a challenge to prove they are human. They come in all forms like identifying what text is on the screen, doing simple math problems, identifying items in a photo, and much more.

These systems keep bots from accessing your website because they cannot pass these challenges. Thus, they naturally protect your login area when they are active on it. In most cases, you can also add them to any form or any kind of user submission.

They are one of the best lines of defense against bots of any variety.

Keep the User Experience in Mind

We just covered a variety of ways that you can protect your login area in WordPress, but it is worth pointing out that some of these methods can actively harm the user experience.

For example, 2FA is highly effective, but it can get very frustrating to reach for your phone every time you want to log into your account. The same could be said for having to complete a CAPTCHA puzzle when trying to log in.

As such, your website needs to find a good balance between account security and the user experience.

And ultimately, this is different for every website. Always listen to feedback from your users, and watch for a lot of messages or support tickets after implementing a security upgrade. This could be a sign that you have made it too difficult.

Most users won’t mind if it means their accounts are more secure, but if you make it more difficult to access an account, you could also risk losing customers to other sites they find easier to use.

It’s a big balancing act that is different for every site.

Protect Your WordPress Login Area Today

The login area of WordPress gives you access to the admin panel. As such, it is imperative that your website has security measures in place to keep this area safe. As this tutorial has demonstrated, there are several ways to do this.

While this might sound complicated, keeping your WordPress site safe is actually not that hard. It really comes down to installing the right plugins for the jobs. And when it comes to plugins, WordPress has them in spades.

Most all-in-one security plugins will have everything you need and most of them have robust free versions that are easy to use.

Did you change your login URL in WordPress? Have you considered password-protecting your login area?
