Out of the box, WordPress is fairly secure. This used to be great, until WordPress became wildly popular and began to power over 25% of the internet.
Now, due to this popularity, WordPress is a prime target of millions of hackers around the world. Most WordPress sites leave the default security settings untouched, so these are the focus of attacks.
The good news is that just a few well-placed changes to your site will put you in a much more secure position. Attackers will turn their attention away from your site because there are much easier targets available.
Brute Force Attacks
Every WordPress site has the default admin login page of sitename.com/wp-login. This means attackers can easily find this page. Combine this with the fact that there is no default limit on login attempts, and you have a very dangerous situation.
I’ll never forget the first time I decided to see how many malicious login attempts one of my sites was getting. After a quick check, I found there were thousands per day. Yes, thousands. And this particular site didn’t even have much traffic.
You should always change your username from ‘admin’ and have a strong password. But the best way to protect against brute force attacks is by changing your admin login URL to something attackers can’t find.
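To measure the login attempts described above on your own site, you can count credential submissions in the web server access log. This is an added example, not part of the original post or of any plugin; it assumes combined-format logs, the stock login script path /wp-login.php, and uses hypothetical function names and constructed sample lines.

```python
import re
from collections import Counter

# Constructed sample in Apache/nginx "combined" log format (documentation IPs, not real traffic).
SAMPLE_LOG = '''\
192.0.2.10 - - [12/Mar/2024:09:58:40 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2024:09:58:52 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3301 "-" "-"
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3301 "-" "-"
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php?x=1 HTTP/1.1" 200 3301 "-" "-"
203.0.113.7 - - [12/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3301 "-" "-"
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
198.51.100.23 - - [12/Mar/2024:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3301 "-" "-"
198.51.100.23 - - [12/Mar/2024:10:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3301 "-" "-"
198.51.100.23 - - [12/Mar/2024:10:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3301 "-" "-"
198.51.100.23 - - [12/Mar/2024:10:01:13 +0000] "GET /about/ HTTP/1.1" 200 812 "-" "-"
truncated line without a request
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')

def login_posts(log_text, login_path="/wp-login.php"):
    """Return per-IP Counters of rejected and accepted credential POSTs."""
    rejected, accepted = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        ip, method, target, status = m.groups()
        if method != "POST" or target.split("?", 1)[0] != login_path:
            continue  # GETs only render the form; only POSTs carry credentials
        # Assumption: stock WordPress re-renders the form with 200 on a bad
        # password and answers a good one with a 302 redirect.
        if status == "302":
            accepted[ip] += 1
        else:
            rejected[ip] += 1
    return rejected, accepted

def suspicious_sources(log_text, threshold=3):
    """IPs with >= threshold rejected logins, and whether they also had an accepted one."""
    rejected, accepted = login_posts(log_text)
    return [(ip, n, accepted[ip] > 0)
            for ip, n in rejected.most_common() if n >= threshold]

if __name__ == "__main__":
    for ip, failures, got_in in suspicious_sources(SAMPLE_LOG):
        print(f"{ip}: {failures} rejected logins, accepted login seen: {got_in}")
```

A source that shows many rejected logins and then an accepted one deserves a password reset and a session review for the account involved, whatever the login URL is.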
Changing Your Login URL
Luckily, there is a nice, free plugin called WPS Hide Login that makes this process very easy. As with other WordPress plugins, there are many good alternatives, but this is my favorite. Here is how to get it up and running on your site right now.
WPS Hide Login – Installation
1. Find it in the WordPress plugin directory
- In your WordPress Admin area, go to Plugins -> Add New
- Search for ‘WPS Hide Login’
Here’s how it looks in my results:
2. Install and activate
- Click Install
- Once installed, click Activate
3. Choose your new login URL
- Go to Plugins -> Installed Plugins
- Under WPS Hide Login, click Settings
- Scroll down to the WPS Hide Login section, and choose your new URL (it will default to just com/login)
Tip: Pick something that’s easy for you to remember, but impossible to guess.
That’s it! You may want to log out and check your new login page. Just make sure you remember your new URL. Nice work, you’ve just taken a key step to securing your WordPress site.