The key to a WordPress account is the WordPress login tab. Anyone with access to the administrator of WordPress gets power over the whole platform.

Hundreds of thousands of websites are hacked every single day. In hopes of taking control of the site, hackers attempt to break the login keys of the WordPress admin. No website is too tiny for hacks. At MalCare, we reported more than 10,000 blocked login attempts in a single week on a tiny website.

So if you feel your website is too small to catch the interest of a hacker, think again.

Since many small websites do not have the right security mechanisms in place, they are becoming an easy target. The need for website protection, big or small, is urgent and necessary.

In order to target millions of WordPress websites on the Internet, hackers use automated software. And one of the most often targeted sections of a WordPress site is the login tab. Cracking a login password would grant them direct access to the administrator of WordPress. Therefore on your WordPress username, it is necessary to enforce the correct security. We are going to look at the various strategies in this post that will help you to do that.

What Are the Different WordPress Login Protection Techniques?

There are several ways to connect to WordPress safely. It is possible to split login protection techniques into three sections: basic, advanced and miscellaneous login protection techniques. Although critical techniques are of the highest importance and absolutely required, further security is offered by specialised and miscellaneous techniques. They help to make it harder for the web to break.

Not only the basics, but also the intermediate and miscellaneous login security methods will be addressed in this article so that your WordPress login page will be as safe as possible.

The following are the strategies for login security that we are going to explore.

a) Essentials Login Protection Techniques:

  1. Enforce Strong Passwords
  2. Use Unique Username
  3. Change Your Display Name
  4. Prevent Discovery of Username

b) Advanced Login Protection Techniques:

  1. CAPTCHA-based Protection
  2. Blocking Suspicious IP Addresses
  3. Protect Yourself Against Global Bot Network
  4. Use HTTP Authentication
  5. Install SSL Certificate
  6. Implement Two-Factor Authentication

c) Miscellaneous Login Protection Techniques:

  1. Set Passwords to Expire
  2. Change WordPress Login Page Slug
  3. Auto-Logout When No Activity
  4. Restrict Dashboard Access for a Specific Time
  5. Change WordPress Security Keys
  6. Country Blocking

a. Essentials Login Protection Techniques:

There are 5 important strategies for login security and in the following paragraphs we will address them one by one. The very first approach is to—

1. Enforce Strong Passwords

Password cracking techniques have greatly matured over the last few years. Within a few minutes, a quick to guess password can be broken. You can protect against such advanced password cracking strategies by providing good passwords.

To allow people to use secure passwords, WordPress goes to a certain extent. It auto-generates strong passwords, but with a weak password, you can still create an account. And its shortcoming rests therein. WordPress supports the use of, but does not execute, secure passwords.


Educate the managers of your site on the value of having a good password. From time to time, check up on them. If they are already generating new user accounts with a poor password, keeping them responsible. Adjust their positions if they are unable to adequately conduct their administrative work.

It minimises the chances of a data violation by using a secure password. But it’s hard to recall good passwords unless you’ve got a few tricks up your sleeves. How to handle WordPress passwords is discussed in this article.

2. Use Unique Username

Securing passwords is a vital step in securing your login credentials, but any credentials have a second component: the username. If it is easy to guess the code, so the hacker just has to work on the password. Although if the username is not identified, that will make the hacker’s task a lot harder.

WordPress allowed individuals before a few years ago to use “admin” as a username. Hundreds of thousands of websites have used “admin” as a username to make it easier to target themselves.

Although WordPress has stopped auto-suggesting “admin” as a username, it is still used by many individuals. We also need to take action to ensure that accounts are not generated using common usernames like “admin.”

You need to make sure that no one uses any of the targeted usernames that include “admin,” “test,” “administrator,” and “root,” not just “admin.” This is a detailed list of widely used usernames you need to stop.

Share all the admin users with this list. Any time they build a new user account, they can consult this list. In addition, go through the site’s current users, and if you find a username that fits the list of popular usernames, then change them.


3. Change Your Display Name

We have not stopped the hackers entirely by using special usernames. They’re going to try to identify the usernames associated with your site. One of the ways they can get the user name for your account is to show the name.

For instance, my show name is “Lawrence” on our web.

login-protection-displayname“My nickname is “Lawrence” too.

Using the same username and view name is not unusual.

Changing the name of the show would make discovering my username more difficult for a hacker.

Thankfully, WordPress lets users change the name of their show. And then, I changed the name of my show from ‘Lawrence’ to ‘Phoebe.’

Changed-display-name-login-protectionHackers will pick up the word “Phoebe” when my website is attacked and seek to log into my site with it. Inevitably, they would fail.

Login modifications do not really hide the username. In my author slug, my username is already available in (i.e. URL). It would be identified by hackers if they know where to look.


4. Prevent Discovery of Username

Another way hackers can discover username, apart from the author slug, is by using the WordPress Rest API. It’s a 2016 released core WordPress function. And it helps us to explore a WordPress site’s user knowledge. A basic URL is everything they have to do:

We ran the URL on our WordPress fansite to see if it actually showed a site’s usernames: http:/ And it shows all of the details about only one but all of our website subscribers.


We didn’t want to deliberately leave a door open for hackers, of course. Place the following code snippet in the function.php file to avoid username detection.

add_filter( 'rest_endpoints', function( $endpoints ){

    if ( isset( $endpoints['/wp/v2/users'] ) ) {

        unset( $endpoints['/wp/v2/users'] );


    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {

        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );


    return $endpoints;


When anyone wants to enter this URL, it masks the user list and provides an error of 500-http:/


b. Advanced Login Protection Techniques:

1. CAPTCHA-based Protection

Automated bots are designed by hackers to initiate attacks at the same time on several websites. These bots attempt different username and password combinations several times within the span of a few seconds. And they do not pause until the correct ones are identified. This form of attack is known as a brute force attack, and is one of the most popular WordPress website attacks.

We use CAPTCHA-based security to safeguard our platform from brute force attacks.

MalCare immediately creates a CAPTCHA anytime someone attempts to log into our website and fails three consecutive times. An picture grid appears as you solve the “I’m not a robot” CAPTCHA, where you have to select equivalent images of a “bus” or a “crosswalk” or whatever you are told to select. Do you have to worry about how this helps to secure your login page?

Image grids can only be overcome by a human being. Bots are unable to read images and can not enter the login page until they correct the grid. Bots are discouraged from making any further effort to break the login credentials in this manner.

login-protection-CAPTCHA-basedCAPTCHA defence is designed to save your credentials from being cracked by bots. But what if we could block hacker bots from permanently accessing our site?

2. Blocking Suspicious IP Addresses

Each computer (computer, laptop, tablet) is linked to an IP address. Also there is an IP address for the computer on which you are reading this post. Hack attempts from a certain IP are being made on your website. Your site should be secure if you can find the IP address and block it.

login-protection-failed-IP-1024x512We have installed the MalCare Security Program on our platform already. One of the many things MalCare does is that it gives us the IP addresses of users who have been unsuccessfully attempting to login.

We found how some of the IP addresses refused to log in on a regular basis while passing through this log. We have found how some of these IP addresses used generic usernames such as “adm2016” to try to login. Our conviction that these IP addresses are malicious and need to be blocked is reinforced by this.

We attempted to block any suspicious IPs we saw in our logs over the span of a week. In our .htaccess file, we put the following code:

order allow,deny 

deny from 

allow from all

“” is one of the IP’s we banned. You can replace it with the IP address that you want to ban.

While executing IP blocking,  we learnt 3 things quickly:

1> We removed a real user from the site unintentionally and had to unblock them.

2> Hackers will only change their IP and try targeting our username again.

3> While there are times where administrators mistakenly blocked their own IP addresses, it did not happen with us, showing that manually blocking IP addresses is a dangerous task.

In this light, it is helpful to enter a network level defence as it stops bad IP address (or traffic) from entering our site automatically.

3. Protect yourself from the Global Bot Network

Rarely can hackers attack a single location. Instead, they simultaneously attack several sites. They use the same IP address that gets registered by protection plugins such as MalCare in the process of these attacks. The plugin extracts data from malicious login attempts made in their network on all websites and blacklists the IP that executes such malicious login attempts.

It is tested against the blacklisted IP addresses each time an IP makes a request on your site.

If the message is fraudulent, if it is not allowed to proceed, then it is blocked from accessing your site. The great thing is that the whole process is automatic, meaning you don’t have to think about any of your users getting inadvertently disabled.

4. Use HTTP Authentication

HTTP authentication gives the login page an external layer of security. When you open the website with a special HTTP authentication credential, it prohibits you from using your passwords.


The module, HTTP Auth, helps you to quickly encrypt your site’s admin password. We set up a special HTTP authentication certificate using HTTP Auth and spread it among users. One person overlooked what the passwords for authentication were within a couple of weeks. He found that there was no chance of retrieving the forgotten passwords in order to get in contact with another person.

We will remind you when someone forgets their HTTP authentication credentials, because we have more than one person. For single-user websites, forgetting the credentials would mean that you don’t have someone to ask you to help out. By deleting the plugin from the File Manager, the only solution is to enter your site.

In addition, credentials for HTTP authentication may be stolen, especially if no SSL certificate is installed on your site. Hence, you must mount an SSL certificate to use HTTP authentication.

5. Install SSL Certificate

Some of you will see a green lock at the beginning of the URL of your site when you build a WordPress site, and some will not see the lock. The lock ensures no one is snooping around, reading the login credentials you use to enter the web. A website without this lock is in danger of revealing such confidential data inadvertently.


Therefore you need to turn to HTTPS if your domain doesn’t have the green lock. By buying an SSL licence, you can do this. Back in the old days, the SSL certificate was used on either payment sites or website login areas. But with the push by Google to make the web secure, more websites are converting completely to HTTPS. Earlier, until the introduction of free resources such as Let’s Encrypt, it was hard to buy an SSL certificate, anybody may add SSL certificates on their web.

6. Implement Two-Factor Authentication

Have you ever seen how Gmail authenticates users by sending a code to your mobile after signing in? In order to enter your account, you use the code. A related functionality also comes with Facebook as it helps better secure your Facebook account. It is definitely the wave of the future, with more and more providers adopting two-factor authentication.

It is also possible to secure WordPress pages using two-factor authentication (2FA). There are several 2FA plugins allowing two-factor authentication to be introduced by WordPress pages. We wanted to try the Mini Orange plugin because the very famous Google Authenticator software works in tandem with it. [Full disclosure: The two-factor authentication function is in use and the feature will soon be activated by MalCare users.]


It was quick to instal the plugin and set up the programme. We signed out and tried signing into our site again after setting it up. We used our user name and password, as standard. Then, we landed on a page calling for an OTP instead of sending us to the WordPress dashboard. OTP stands for a passcode that we can get from our phone’s Google Authenticator app.

This configuration means that the site can only be reached by valid users like me. Hackers who may have broken my password would need to get the special passcode, which is only usable on my mobile, in the worst case situation.

Since two-factor authentication depends heavily on the device, it would not be feasible for individuals without one to enforce this form of security on their web. In addition, if you happen to lose your mobile, unless you delete the plugin from the File Manager, it would be difficult to log in to the site.

We come to the close of sophisticated login security mechanisms with this. We’ll explore some miscellaneous tactics that will allow you to further protect your login page for WordPress.

3. Miscellaneous Login Protection Techniques:

a. Set Passwords to Expire

Every few months, institutions like banks need us to update our passwords. It can be a hassle, but it can still have certain advantages. For starters, even if someone breaks your password, if you change your password regularly, they will only have a short window to exploit the details.

The ‘Expire Passwords’ plugin helps you to configure your passwords to expire after several days. If a user logs in after the time specified, they will be routed to the screen to restore the password.


Does it help improve site security?

The drawbacks of setting passwords to expire are debatable because they can build a new user account instead of using your account while someone already has access to your site. They’ll simply set a new password when forced.

b. Changing WordPress Login Slug Page

All WordPress pages come with a “” default login page that looks like this. Since WordPress login is one of the most frequently targeted areas of a WordPress site, they won’t try to break the passwords if hackers can’t reach the login page.

“iThemes uses a feature called “Hidden Backend” to change our login page from https:/ to https:/ iThemes has a feature called “Hide Backend.

We attempted to enter the regular login page after the update (https:/, but we were shown a message that the page was not found.

Although your login page is hidden by this strategy, it does not actually shield your WordPress site in any way. Protection tools like iThemes can update your login URL to the default address given to you by the tool. Just as I updated my login slug to the auto-suggested “wplogin,” for their login page, several other websites using iThemes use a similar URL style.


Does it help improve site security?

Changing the URL of the WordPress login page is probably the most recommended tactic which can be effective against login attacks. But for professional hackers, this is once again very easy to bypass.

They can even find the WordPress login page if hackers know the format. Fortunately, the default slug may be changed to something special and impossible to guess.

However if they are not sufficiently notified, modifying the login page slug without prior knowledge can prove to be inconvenient to your site users.

c. Auto-Logout When No Activity

Running a multi-user network comes with its own range of difficulties. Many of the members of my site operate remotely from their house for example. When the users go out to tend to urgent business but without signing out the risks of violation of user privileges will be greater.

When the consumer is inactive, we want our site to be secure. We have therefore agreed to auto-logout any user who is inactive for a particular period of time using the “Idle Session Logout” functionality of Bulletproof Security. This protection plugin helps one to set a time at the end of which all inactive accounts are automatically logged out.


Does it help improve site security?

If anyone tries to snoop through the website while a user goes to tend to urgent business, odds are that they can do so right after the user leaves.

In comparison, it was slightly irritating for users who have a habit of being idle for any time in the middle of their job to have to log in and time they want to go back to work.

d. Restrict Dashboard Access for a Specific Time

Every day, restricting entry to the WordPress dashboard for a certain period is another way to protect the site when there is no traffic. Typically, at night, because no one works on the platform.

We checked out the iThemes Protection Plugin on our website. It comes with a “Away Mode” that prohibits our dashboard from being reached during the time we define in the Settings.

Does it help improve site security?

We found over the course of using this feature that we couldn’t log into the platform during an emergency until the curfew time was over. Therefore, for all WordPress websites, this form of protection is not sufficient.

e. Change WordPress Security Keys

Ever wondered how login credentials are stored by your browser? Your authentication information is stored in the cookie in an encrypted way after signing into your user account. To strengthen the encryption of login data contained in your cookie, WordPress uses random variables called security keys.

A total of four identification keys are in use and they look like this:

login-protection-security-keys-codeWhile challenging, cracking your encrypted password is not impossible. If you think the site has been compromised, all visitors, including the hacker, can automatically log out by modifying the security keys. Since it is impossible to crack the encrypted password, logging the hacker out will prevent him from breaching your website the same way again.

You need to edit the wp-config file to alter the website’s security keys. It is a very critical file for WordPress and should be viewed with care. An irreversible catastrophe will result from one misstep. A platform such as MalCare Protection Service can also be used by users without any technical understanding of WordPress files to modify their security keys. MalCare comes with a “Site Hardening” feature that helps users to change the configuration file’s security keys without having to edit it manually.

Does it help improve site security?

Altering all passwords is one of the first post-hack interventions. And if the passwords have been reset, they will restore access to the site if the hackers have the security keys. Therefore it is important to update the security keys along with the passwords if a site is compromised.

f. Country Blocking

Hacker organisations often mount a major assault on websites across the globe. The purpose of this form of attack is to inflict significant harm to websites. The good news is that there’s an easy way to defend your web from threats like this. You can opt to block the country if you make too many questionable failed login attempts from the same country. But this can only be accomplished after making sure that a significant volume of traffic from that specific country is not drawn from your web.

We found on our Westworld Fansite website that many failed login attempts from the United States were being made. But the bulk of our traffic also comes from the US, so we couldn’t block the country.


Does it help improve site security?

Nation blocking helps minimise hack attempts, but when depending too much on this technique for defence, you need to tread with caution.

Over to You

Although it is not difficult to harden your login screen, learning what steps to take and how to build them will make all the difference. You will sleep well at night ensuring that the key to your website is designed to tackle all sorts of hack attacks including brute force attacks, phishing attacks, SEO spam, etc. by using a robust login security technique. Do not fail to perform website backups to guarantee that you are still prepared for the worst, whether it be by using authentication extensions or by manual login safety measures.