5 Tips to Tough Up Your WordPress Login Security
No matter the size of your website, losing your site data or being locked out of your own website can be a nerve-wracking experience. WordPress, which powers more than 25% of the Web, is one of the platforms most targeted by hackers.
In this post we will be looking at a few more tips to help you make your WordPress site harder to breach.
1. Bcrypt Password Hashing
WordPress was started in 2003, when PHP and the Web in general were still in their early days. Facebook was not around yet, and PHP did not even have OOP (Object-oriented Programming) architecture built in; hence, WordPress inherited legacies that are no longer ideal today – including how it stores passwords.
WordPress to this day still uses MD5 hashing. Basically, what it does is turn a password such as 123456 into something like
However, since computers are now far more powerful than they were 10 years ago, such a hash can be matched back to the original password almost instantly.
PHP has had native password hashing (password_hash()) since version 5.5. If your WordPress site runs on PHP 5.5 or above, there is a handy plugin called wp-password-bcrypt that lets you use this native PHP utility.
2. Enable WordPress.com Protect
A brute-force attack is a common hacking attempt in which attackers try logging in to your website by guessing numerous possible passwords, typically words found in a dictionary. This is the reason why you should set a hard-to-guess password.
Automattic, the people behind WordPress.com, has acquired one of the most popular WordPress plugins for countering brute-force attacks. It is called BruteProtect, and it is integrated into Jetpack.
Based on our experience, it has tremendously helped us, combating brute-force attacks close to a million times.
To get it, you need to install Jetpack’s latest version and connect your website to WordPress.com. Then enable the “Protect” module, and whitelist your own IP address as well.
3. Hide Your Login URL
WordPress is very well known for its login page, wp-login.php. Hence hackers know exactly which page to direct their brute-force attacks to. You can make it harder for them by disguising your WordPress login URL.
Fortunately, there are a few plugins that provide this utility:
4. Disable “Forget Password”
The “Forget Password” utility in the login form is a way in for attackers, who usually go through an SQL injection to get your login credentials. If only a few people have access to the admin area, it might be better to switch it off.
To do so, create a new file upload – name it
First we change the lost password URL:
Remove the link. Unfortunately, WordPress does not provide a proper hook to do this neatly through an
Lastly, we redirect the “Lost Password” URL to the login screen.
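The three steps above combined into one small plugin file, as an added example rather than the post’s own snippet. It assumes the standard WordPress hooks lostpassword_url, login_head and login_form_{$action}, and that the file is placed in wp-content/plugins/ (or mu-plugins/) and activated; note that hiding #nav also hides the “Register” link if open registration is enabled.

```php
<?php
/**
 * Plugin Name: Disable Lost Password (added example)
 * Description: Turns off the "Lost your password?" flow on wp-login.php.
 * Assumption: hook names are the standard WordPress ones; this is not code
 * from the original post.
 */

// Bail out if this file is requested directly rather than loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Step 1: every URL generated by wp_lostpassword_url() now points at the
// login screen, so themes and plugins that build the link get the new target.
add_filter( 'lostpassword_url', function ( $url, $redirect ) {
    return wp_login_url();
}, 10, 2 );

// Step 2: wp-login.php has no hook to drop the link itself, so hide the
// navigation paragraph (#nav) that contains it by printing CSS in <head>.
add_action( 'login_head', function () {
    echo '<style>p#nav { display: none; }</style>' . "\n";
} );

// Step 3: anyone requesting the lost/reset password actions directly
// (?action=lostpassword etc.) is sent straight back to the login screen.
// 'rp' and 'resetpassword' are included so that the reset half of the
// flow is closed as well.
foreach ( array( 'lostpassword', 'retrievepassword', 'rp', 'resetpassword' ) as $action ) {
    add_action( 'login_form_' . $action, function () {
        wp_safe_redirect( wp_login_url() );
        exit;
    } );
}
```

Because the redirect runs on the server, hiding the link is only cosmetic; step 3 is what actually closes the door.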
5. Enable HTTPS
HTTPS gives your site an extra layer of security for data transmission. It may also give you a boost in Google search rankings. And now you can get a valid HTTPS certificate for free through the communal initiative Let’s Encrypt.
For WordPress websites you can easily obtain a Let’s Encrypt certificate with WP Encrypt. So there is no reason why you should not deploy HTTPS on your website today.
I’d just like to leave you with the reminder that in spite of all these attempts, our websites could still be subject to attacks, hacks and to being compromised by hackers through means beyond our comprehension. Even large companies like Dropbox and LinkedIn have fallen prey to security threats.
As a last resort, remember to regularly back up your website’s files and database whenever you can.