Login Security
The options on this page will help you secure your WordPress wp-admin panel from various types of attacks.
Custom Login URL
The default WordPress login URL is a common target for attackers and spam bots. With the Security Optimizer plugin you can change the URL to a custom one and avoid such attacks. If you have enabled user registration for your website, you can change the default sign-up URL as well.
Login Access
By default, your WordPress login page can be accessed by anyone. You can use this functionality to allow access to wp-admin only from your IP. If you are using a dynamic IP, you can whitelist the range of possible IPs your ISP may assign to you to avoid any problems accessing the WordPress admin panel.
Two-factor Authentication for Admin & Editor Users
Two-step verification is one of the easiest and most secure ways to protect your data against hacking and identity theft. It works by combining something that only you know (username & password) with something only you have access to (your smartphone).
When you enable it, in addition to your regular username and password, you will start using a second password generated by an application on your smartphone. Therefore, even if one of the two factors is compromised, your data is still secure.
When you enable this option, all admin & editor users will be asked to configure their two-factor authentication on their next login.
Scan the QR code on the page with Google Authenticator on your phone and input the six-digit code in order to log in.
Backup codes can be used in case you have lost access to your authenticator app. They are generated upon 2FA setup, and once a backup code is used you will not be able to use it again.
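The second-factor check described above, as an added example (not the Security Optimizer plugin's own code): it computes Google Authenticator's time-based six-digit codes (TOTP, RFC 6238) and accepts either a current code or a single-use backup code. The SecondFactor class, the one-step clock drift window, the replay guard and the hashed storage of backup codes are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per time step (Google Authenticator default)
DIGITS = 6     # the six-digit code entered at login


def totp(secret, at, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP with HMAC-SHA1 for the Unix time `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class SecondFactor:
    """Hypothetical per-user 2FA state: shared secret plus one-time backup codes."""

    def __init__(self, secret, backup_codes):
        self.secret = secret
        # Keep only hashes so a leaked database does not expose usable codes.
        self.backup_hashes = {
            hashlib.sha256(c.encode()).hexdigest() for c in backup_codes
        }
        self.last_step = -1   # highest time step already accepted (replay guard)

    def verify(self, code, now=None, drift=1):
        now = time.time() if now is None else now
        current = int(now) // STEP
        # Accept the current step and `drift` steps either side for clock skew.
        for step in range(current - drift, current + drift + 1):
            if step <= self.last_step:
                continue      # this code, or a newer one, was already used
            expected = totp(self.secret, step * STEP).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_step = step
                return True
        # Fall back to a backup code and remove it so it cannot be reused.
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self.backup_hashes:
            self.backup_hashes.discard(digest)
            return True
        return False
```
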
Disable Common Usernames
Using common usernames like ‘admin’ is a security threat that often results in unauthorised access. By enabling this option we will disable the creation of common usernames, and if you already have one or more users with a weak username, we’ll ask you to provide new one(s). Additionally, when the option is toggled, a pop-up window will appear where you’ll be able to choose a new username and automatically replace the existing weak one(s).
Limit Login Attempts
Sets a limit on the number of times a given user can attempt to log in to your wp-admin with incorrect credentials. Once the login attempt limit is reached, the IP from which the attempts originated will be blocked from accessing your login page for 1 hour and will be added to the Blocked tab of the Activity Log page. If the attempts continue after the first hour, the block will then be set for 24 hours and after that for 7 days.