How To: Protect Your WordPress Login against Hackers

Hackers have already taken over the world.

There is enough statistical data about information security that no system is secure.

Hackers are evolving and there are enough tools and techniques available online, which can easily teach anyone to become a hacker.

No system is completely secure, everything is hackable. The reason is simple; creativity has no limits and it’s tough to make any system stand in the path of the human mind. But, we can not really leave the WordPress website just for the belief that it will be hacked one day or another.

The weakest part of WordPress is its login page. Everyone knows its limitations and hackers especially would like to brute force the login page to get access to the WordPress dashboard. Once, hackers reach the dashboard, they have infinite power and can easily cause havoc to the website.

Right usage of security plugins, practices and one-time change to the WordPress platform can bring down the chances of it’s being hacked by the hacker. There are tons of plugins, tutorials and other stuff that can help you achieve this and today we will go through ways to protect the WordPress login from hackers.

1. Use limit login Attempts

BurteForce attacks are common — the hackers will try every possible combination and come up with a combination that works. So, how would you stop it? Limit the number of login attempts? Yup, you are right.

And to achieve the desired result, it is best to use Limit Login Attempts plugin. The plugin has over 1 million installation and works perfectly with the latest 4.1.1 build.

The plugin can be used to limit the number of retries anyone have to the login prompt. In case of the breach, it blocks the IP and thwarts any attempts to brute force the login page of WordPress.

Download Limit Login Attempts here.

2. Limit WordPress admin logins by IP address

If it’s just you that needs to have access to your admin area, add this code to your .htaccess file located in the root document of your domain ensuring that you have tick “show hidden files”.cPanel hidden files

3. For single IP address access use:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^<strong>123\.123\.123\.123</strong>$
RewriteRule ^(.*)$ - [R=403,L]


For multiple IP access use:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^<strong>123\.123\.123\.121</strong>$
RewriteCond %{REMOTE_ADDR} !^<strong>123\.123\.123\.122</strong>$
RewriteCond %{REMOTE_ADDR} !^<strong>123\.123\.123\.123</strong>$
RewriteRule ^(.*)$ - [R=403,L]

Please note you need to replace 123\.123\.123\.121 with your own IP address. If you don’t know it visit:

4. Change default username from admin to something else.

I have been using WordPress for the past six months and have come up with hundreds of WordPress clients that I handle, who has one thing in common. The username of the blog, yup, its “admin”.

For quite the obvious reasons, it is a good practice to make another superuser and delete the admin username. Keep this practice going for every WordPress website you ever make in your life. This can save you your precious blog.

The reason is simple; hackers try the default settings that come up with the WordPress blog from your hosting. And, I cannot press the need for changing the password as well. The default password is a killer too for the security of your login page.

Let’s discuss it in the next point.

5. Use creative long password

Passwords are necessary for protection. We all love short and sweet password as they are easy to remember and use. But, they come with a cost. The weak passwords such as 123456, name123, schooname123 etc. are so common that hackers use it to brute force the login page. The brute force dictionary contains all these password by default and can easily crack the login page in minutes.

So, what constitutes a good password?

Any alphanumeric password that contains alphabets, special characters and numbers are the best passwords out there. But there is a catch, users can also create a very simple password. For example name123#, the combination is easy to crack using the brute force attacks.

How to overcome human error in creating passwords?

The answer is to use automated password generator. The most famous is password generator. The password generator generates high-strength passwords.

6. Use Google Captcha

I love Google Captcha. It provides the basic login protection to the WordPress page. I use both login limit and Google Captcha on my WordPress blog. Even though, one can work fine, I would argue against it as it provides protection against the automated brute force attacks, much better than the login limits plugin.

You will find tons of Google Captcha plugins on the WordPress, but Google Captcha by BestWebSoft Plugin is the best choice. Its clean implementation of the Google Captcha on the login page. Moreover, you can use the plugin with other forms on your WordPress blog, increasing the scope of the usage of the Google Captcha in the WordPress blog.

7. Change the default URL of the Login Page

I, already mentioned how hackers exploit the default settings that are set during the installation of the WordPress website. Another aspect that is highly vulnerable is the login page URL.

The default URL page of WordPress login is

So, what’s the catch here? The best approach is to complete change the login web page of the WordPress website. This way, most of the hackers will leave at the very first instance of them not finding the login page.

The change login page is great for the organization that works on WordPress website and have lots of users that constantly login and logout of the system.

There is a great article on changing the default URL of the Login page on manage wp. I recommend you to go through the link and change the default login URL to something different.

Wrap Up

The Login page is the entry point to the most powerful place in any website, i.e. WordPress dashboard. From the dashboard(with the right privilege) can easily change all the different aspects of the Website. The Dashboard can also be used to conquer the whole website and stole important information about plugins, settings, and content.

To safeguard your website against hackers, it’s a good practice to regular backup your website. Generally, web hosting providers backup your website, but there is a general rule to create backups on your own.

WordPress is an amazing platform, but not taking care of the basic security settings can easily give the incentive to the hackers to break into the system. I have gone through the problem of not securing the login page and my login history always shows someone attempting to login in. With the use of login limit attempt and Google Captcha, the false login attempts have been completely minimized.

Have anything to add to the story? Comment below and let us know.

Editorial Staff

Editorial Staff at 85ideas is a team of WordPress experts led by Brian Harris. Here to share amazing tuts, guides and collections.

No Comments

Post A Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.