One way to secure your WordPress login is to ensure maximum security for your login page, and that is even more urgent now that the COVID-19 pandemic is providing cyber criminals with more than the usual number of vulnerable targets.

As far as WordPress goes, practically everyone knows the standard login page URL, the page from which the website backend can be accessed, which is why attackers attempt to find their way in there through brute-force attacks.


Users have a critical responsibility when it comes to ensuring the security of a WordPress website. That is, you must ensure that you have effective login security practices in place (e.g., customizing not only the login page URL but the page’s interaction as well). 

In any case, now is the best time to review your own WordPress login security practices in earnest. And while you’re at it, here are some helpful tips:    


Set up a website lockdown feature and ban users with failed logins

Having a lockdown feature for login failures can put a stop to the brute-force attacks being carried out against your site. Your site simply gets locked whenever there is a hacking attempt with repeated wrong passwords, and you get a notification of the suspicious activity. This can be accomplished through an effective WordPress security plugin, and Cloudflare has some protections that can be configured to help with this type of attack.
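The lockout described above, sketched as a small must-use plugin. This is an added example, not code from the article or from any particular security plugin; the LL_* constants, the ll_ip() and ll_key() helpers, the thresholds, the per-IP scope and the file location are assumptions.

```php
<?php
/**
 * Added example, not from the original article: a minimal failed-login lockout.
 * Assumed location: wp-content/mu-plugins/login-lockout.php.
 */
define( 'LL_MAX_FAILURES', 5 );   // failures allowed before a lockout (assumed)
define( 'LL_WINDOW', 15 * 60 );   // seconds a failure count is kept after the last failure
define( 'LL_LOCKOUT', 30 * 60 );  // seconds a lockout lasts

// Behind Cloudflare or another reverse proxy, REMOTE_ADDR is the proxy's
// address unless the web server is configured to restore the real client IP.
function ll_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

// One transient key per client IP and purpose ("fail" counter or "lock" flag).
function ll_key( $prefix ) {
    return $prefix . md5( ll_ip() );
}

// Count failed logins; at the threshold, start the lockout and notify the admin.
add_action( 'wp_login_failed', function ( $username ) {
    if ( get_transient( ll_key( 'll_lock_' ) ) ) {
        return; // already locked: do not count again or send more mail
    }
    $count = (int) get_transient( ll_key( 'll_fail_' ) ) + 1;
    if ( $count < LL_MAX_FAILURES ) {
        set_transient( ll_key( 'll_fail_' ), $count, LL_WINDOW );
        return;
    }
    delete_transient( ll_key( 'll_fail_' ) );
    set_transient( ll_key( 'll_lock_' ), 1, LL_LOCKOUT );
    wp_mail(
        get_option( 'admin_email' ),
        'Login lockout triggered',
        sprintf( '%d failed logins from %s; last username tried: %s', $count, ll_ip(), $username )
    );
} );

// While locked, reject every attempt, including one with the correct password.
// Priority 30 runs after core's own credential checks (priority 20), which
// would otherwise overwrite an error returned earlier in the filter chain.
add_filter( 'authenticate', function ( $user ) {
    if ( get_transient( ll_key( 'll_lock_' ) ) ) {
        return new WP_Error( 'll_locked', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30 );
```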

Implement two-factor authentication 

Two-factor authentication (2FA) is another good login practice for your WordPress website. With a 2-step authentication system, users choose two of the three possible factors to prove their identity. However, to provide the highest level of protection for your WordPress login page, take out the username and password fields altogether. Go passwordless.

Despite growing clamor to take passwords out of the picture to step up cybersecurity, current two-step implementations still rely on a password for the knowledge component of 2FA.

To go passwordless, you can choose biometrics (inherence component) instead to pair with, say, a token or a PIN.  

Adjust your passwords

If you still prefer to use a password, change your passwords regularly to ensure WordPress login security. Further secure them by adding uppercase and lowercase letters, numbers, and special characters. Alternatively, you can use long passphrases. These are almost impossible for hackers to predict but easier for you to remember than random numbers and letters.

Log in using your email 

By default, you have to type in your username to log in to WordPress. However, an email ID is a more secure approach than a username because email IDs are harder to predict. Additionally, creating a WordPress user account normally requires a unique email address, making it a valid login identifier.

Note: You can use a WordPress security plugin to set up login pages that require users to log in with their email address.

Modify your login URL 

By default, the WordPress login page can be easily accessed by adding “wp-login.php” or “wp-admin” to the site’s main URL. Hackers who know the direct URL of your login page can attempt to log in with their Guess Work Database (GWDb), a database of guessed usernames and passwords (e.g., username: admin and password: p@ssword) with millions of such combinations.

But it’s also just as easy to modify your login URL. Provided that login attempt restrictions and adjustments have already been specified, the login URL can be replaced, thereby getting rid of 99% of direct brute force attacks.

Modifying your login URL prevents an unauthorized entity from accessing your login page.

Here are 3 examples of URL changes you can implement:

Change “wp-login.php” to “my_new_login”

Modify “/wp-admin/” to “my_new_admin”

Change “/wp-login.php?action=register” to “@nyth1nG”

Automatically log idle users out of your site

Users leaving your site’s “wp-admin” panel open on their screens can pose a serious WordPress login security threat. Anyone who chances upon the panel can change information on your website, alter a user account, or even break your site altogether. This is why it’s important that your site logs out users who have been idle for a certain stretch of time.

A security plugin will allow you to customize a time limit for idle users, ensuring that they are automatically logged out.
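One way to enforce such an idle limit on the server side, as an added example that is not from the article or from any particular plugin. The IL_* constants, the 15-minute limit and the file location are assumptions, and the last-activity time is tracked per user rather than per session.

```php
<?php
/**
 * Added example, not from the original article: log out users idle too long.
 * Assumed location: wp-content/mu-plugins/idle-logout.php.
 */
define( 'IL_IDLE_LIMIT', 15 * 60 );          // seconds of inactivity allowed (assumed)
define( 'IL_META_KEY', 'il_last_activity' ); // user meta holding the last-seen time

// Start the idle clock at login so a stale timestamp from a previous
// session cannot end a fresh one on its first request.
add_action( 'wp_login', function ( $user_login, $user ) {
    update_user_meta( $user->ID, IL_META_KEY, time() );
}, 10, 2 );

add_action( 'init', function () {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $user_id = get_current_user_id();
    $last    = (int) get_user_meta( $user_id, IL_META_KEY, true );

    // The admin Heartbeat API polls while a tab sits open on screen;
    // that traffic is not user activity and must not reset the clock.
    $is_heartbeat = wp_doing_ajax()
        && isset( $_POST['action'] )
        && 'heartbeat' === $_POST['action'];

    if ( $last && ( time() - $last ) > IL_IDLE_LIMIT ) {
        wp_logout(); // destroys the current session and clears the auth cookies
        if ( ! wp_doing_ajax() ) {
            wp_safe_redirect( wp_login_url() );
            exit;
        }
        return; // AJAX callers continue as a logged-out visitor
    }

    if ( ! $is_heartbeat ) {
        // Per-user tracking: activity in any of the user's sessions counts.
        update_user_meta( $user_id, IL_META_KEY, time() );
    }
} );
```

Because the check runs on the next request, an abandoned “wp-admin” tab is logged out as soon as anyone touches it, or on the next Heartbeat poll, after the limit has passed.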

Adopt single sign-on

SSO authentication allows users to authenticate to multiple applications and websites through a single log-in. An SSO service provider is a very convenient way for users to use a password to access their WordPress website.


SSO systems are secured in encrypted storage and hidden behind multiple firewalls deep inside a company’s IT architecture, making them more difficult for attackers to access. SSO also helps monitor logins and user accounts, enabling administrators to watch out for suspicious activities and promptly act on them. Lastly, SSO facilitates account management and removal of inactive accounts.

Get started with robust WordPress login security and simple SSO for the WordPress ecosystem.