Protect WordPress login page – Here’s a question: How many hack attempts do you think are made of WordPress websites every minute? Oh. 100? A 1000? A ten thousand?

This isn’t close, even. Each single minute of the day, 90,978 hack attempts are made on WordPress sites. Hackers use different methods to break into a site, and login pages for WordPress are often targeted. Hackers programme bots to attack WordPress website login pages and attempt to gain access to the dashboard. This type of attack is referred to as brute force attacks, where the bot repeatedly attempts different username and password combinations on the login page until it breaks in. Enforcing login protection against such attacks could harden your WordPress site. Going forward, we’ll talk about exactly what we mean by the term login protection.

What is Login Protection?

Login protection, as the name suggests, implies protecting the login page of your WordPress site. The goal is to prevent individuals from guessing your credentials and gaining unauthorised access to your website. Here are a handful of things you can do to protect the login page for WordPress:

  • Use a Unique Username
  • Use a Strong Password
  • Enforce Two-Factor Authentication
  • CAPTCHA-based Protection
  • Limit Failed Login Attempts
  • Set Login Page to Expire

Taking each of the steps will help you secure the login page for WordPress. In the paragraphs below, we’ll discuss what they mean and how to implement these steps.

How to Protect WordPress Login Page:


Use a Unique Username

The site owner can change the username, but many site owners choose to leave it as it is. WordPress comes with a default username,’ admin.’ It gives the hacker bots one less thing to worry about when the programmed bot comes to the login page of one such website where the username is ‘admin’. All you have to do now is figure out your password. Hacker bots are one step closer to breaking into your site with half the job already done. Users are therefore urged to use a unique username for better site security. Unique means unlike anything else, or being one of a kind, by definition. Using a combination of things, you can create a unique username. Say you’re going to combine your favourite basketball name with your grandmother’s. That’ll give you a unique username that’ll be difficult to guess for hacker bots.

Use a Strong Password

Generally, there are two parts to a WordPress login page. One for your username and one for your password. We have already discussed why usernames should be unique and how they should be created. It is as important to have a unique or strong password as to have a distinctive username. There will be 15 characters in a strong password, which will be a combination of letters, numerals and symbols. The catch here is that it is hard to recall strong passwords. Imagine remembering a password like ‘K#AOBlSkVFTw.’ Unless you have a photographic memory, it’s impossible to remember. This is why it is recommended to store your credentials in an encrypted sheet so that whenever you want, only you can access it.

Enforce Two-Factor Authentication

As the names suggest, two-factor authentication means that two times before you are allowed to access the WordPress dashboard, you will have evidence that you are a valid user. Most two-factor authentication works this way:

Fill in the login page with login credentials for WordPress (username & password). You’ll land on a page where you’ll be asked to insert a code, instead of taking you to the WordPress dashboard. On your mobile phone, you will receive a code. You will be allowed to access the site only after inserting the code you have just received into the website. How does login protection help with this? Assume that a hacker is capable of cracking your login credentials. He’d still have to enter the correct code, which will only appear on your phone, to access the site. There is no way for him to access your site’s dashboard unless the hacker has stolen your phone.

You can use plugins like Two-Factor Authentication (by miniOrange), Two-Factor Authentication etc. to implement two-factor authentication.

Enable CAPTCHA-based Protection

To determine if the user is a human or not, CAPTCHA is used. Therefore, captcha-based protection is excellent for avoiding attacks by brute force. Bots are deployed to guess login credentials in these types of attacks and they constantly keep trying out distinct usernames and passwords. Such attacks have an impact on the speed of the website, not to mention the disaster that will happen if they manage to break into the site. It will lock out the bots from the login page if a captcha is deployed after a few failed attempts. What? How? Say that you are installing a security plugin based on Captcha on your site. A hackerbot comes to the login page on your website and tries to log in. A captcha is deployed after 3 failed login attempts. The bots can get access to the login page again only after the captcha is solved. Bots can not fix a captcha, so they stop attacking your site and move on to the next target. The two most popular Captcha plugins available are the really simple CAPTCHA and Google CAPTCHA.

Limit Failed Login Attempts

Another very effective method of protecting the WordPress login page is to limit login attempts. This essentially implies that the user (or hacker in this situation) will be blocked from entering the login page for 24 hours or more after a few failed login attempts (depends on your configuration). By modifying the .htaccess file, one can restrict login attempts, but unless one is technically adept, we would not recommend this technique. Instead, it is ideal to use a plugin for owners of websites who have no technical knowledge of how WordPress works. Standalone plugins can be used, such as WP Limit Login Attempts, or security plugins such as MalCare or NinjaFirewall. These security plugins come with built-in firewall functions that restrict login attempts. The only drawback here is that you, the owner of the site, forgets his credentials and enters the wrong ones, he will also be locked out. But there are, of course, options to whitelist IP addresses with some security plugins that will help prevent your IP address from getting blocked in the first place.

Set Login Page to Expire

This will ensure that there is only a limited time for the user to log into the site. The login page will expire after a certain time. You will be blocked from accessing the WordPress login page if you are unable to log in by that time. For your login page, there are two ways to set up an expiry period. One, to protect the WordPress login page, you can use a plugin such as Login Security Solution or you can place the following code in your WordPress theme. The code is here:


add_filter( ‘auth_cookie_expiration’, ‘keep_me_logged_in_for_30_minutes’ ); 

function keep_me_logged_in_for_30_minutes( $expirein ) { 

return 1800; // 30 minutes in seconds 


It should be noted that plugins such as NinjaFirewall, WordFence, and iThemes allow site owners to set the login page expiry time manually.

It is obvious that there are a number of ways for login protection to be achieved. Some of the legitimate ways of doing it are the ones we have listed above, but there are several misleading recommendations out there to protect the WordPress login page.

How Not to Protect Your WordPress Login Page

There is one clear login security suggestion that we would like to warn you about. As it is claimed, it fails to secure the WordPress login page. Let’s have a peek.

Hide Login Page, Move it to Custom URL

Anyone who has used WordPress learns about their home page by now. Anything like this goes like this: No matter what website you have, inserting ‘/wp-admin’ at the end of the website URL will take you to the login page as long as it’s on WordPress. So if you move the login page from to, it will cover your login page, right? Since hack attempts are automatic, such as brute force attacks, the bot will not find your login page and move on to the next target. But security is not assured by this. About why? Well, since many website owners use plugins like iThemes to allow their login page to have a custom URL. Chances are, the same plugin is used by hundreds of other site owners. Your custom URL is, therefore, not unique to your site. In order to figure out what custom URL it produces and then attack such URLs, hackers will use iThemes. Hiding your login page just offers you a false sense of security by moving it to a custom URL.

Towards You Over

There are several ways for you to protect the WordPress login page, as you can see. We will advise you to take a few instead of taking only one step. In protecting a web server, layered security is easier. Please write to us if you have any comments on the post.