Why Should You Care About WordPress Login Security?
As a WordPress website owner, you probably spent lots of your valuable time and/or lots of your hard earned money to get your website off the ground and running. Of course, you want to protect it from the bad guys.
Basic WordPress Login Security Can Help Protect You
Did you know that your site's login page is one of the most common entry points for hackers? Taking action on some basic login security measures can help protect your website and ensure that you don't have to start from square one if some hacker comes in and wipes out everything that you've created. Can you imagine that? Yuk!
3 Easy Actions To Take For Securing Your WordPress Website
Action Item #1 – Look for the Default “Admin” Username
The “admin” username is one of the most hacked usernames and until recently it was the default username given during the WordPress installation process. If you've had your website for a while, you may have this username. Knowing the username is half of the login process and you don't want to make hacking your site easy for anyone.
This is an easy fix though. If you find you have the “admin” username, do this:
- From the Users area in your WordPress dashboard, create a new username with the administrator user role. (You're going to need to use a different email address than the one used by the “admin”.)
- Log out and then log back in with the new username you just created.
- Go back to the Users area and find and delete the “admin” user. When it asks you what to do with the content created by the “admin”, select attribute all content to the new username.
Watch this video to see these steps in action.
Action Item #2 – Limit the Number of Login Attempts
Most hackers are not trying to break into any one WordPress site at a time. They're using automated programs to generate large volumes of guesses as to what your login information might be.
Limiting the number of attempts that someone or some program can make to login can put a quick stop to these repetitive wrong guesses by locking them out and sending you a notification.
This is another easy fix too with the help of a plugin. There's more than one plugin that will do this, but the one I like and currently use is Loginizer Security, which you can download from the WordPress Plugin Repository. To install this plugin, do this:
- From your WordPress dashboard, go to Plugins, then click the Add New button.
- Over on the top right of the screen, enter “Loginizer Security” in the Search plugins box. Loginizer should be the first option you see.
- Now install and activate the Loginizer plugin. This will add a new menu item in your dashboard named Loginizer Security.
- By default, the brute force protection is immediately enabled but you can further customize your settings by clicking on Brute Force under Loginizer Security from the dashboard. Here you can set the number of attempts before the lockout and how long to lockout should last.
Action Item #3 – Use Strong Passwords and Change Them Regularly
Unfortunately, anyone that knows WordPress and especially a hacker, knows where to find the login page and may even know how to find your username. Having a strong password and even enforcing strong passwords for other users is going to go a very long way in protecting your site and will minimize the chance of your password from being guessed by any hacking method.
You can use a password manager (like LastPass) or the password generator built into WordPress to create a strong password. This is how you can change your password:
- Under Users in the WordPress dashboard, select Your Profile
- Scroll down to Account Management and click on the Generate Password button. You can use the newly generated password or paste in your own strong passsword.
- Click the Update Profile button and you're done.
- Optionally, you can create a reminder in your preferred calendar to update your password again in 3-6 months.
Other General WordPress Security Measures You Should Take
For the average WordPress website, these three easy actions should keep your website pretty safe but there are a few more things you can do. Here are my suggestions:
- Ensure you have at website backup process in place and that it's backing up all the files that you would need to restore your site.
- Keep your WordPress website software updated to the newest versions.
- Evaluate new plugins before installing them. I like to see when the last time the author updated the plugin. I'll also check the reviews and support page. You don't want to install a plugin that hasn't been updated in over a year or one that gets bad reviews.
- Add your website to Google Search Console. Google will let you know if they have a problem with your site and if they suspect it's been hacked.
I hope you found these WordPress login security measures helpful. If you have any questions or comments related to WordPress login security, please leave them in the comments below or contact me for a free consultation.