The WordPress login page is one of the most vulnerable parts of websites. Of course, hackers perfectly know about it. That’s why you, as a website owner, should provide 100% protection of the login page. There are dozens of solutions over the internet – different by complexity and implementation time. In this article, we will teach you how to protect the WordPress login page using plugins.
Table of Contents
Why Do We Need to Protect the WordPress Login Page
You can access the login page using one of the following methods:
- enter wp-login.php to the browser address bar;
- follow the wp-admin link.
In case you haven’t signed in, you’ll see the authorization form.
The problem is that everyone knows these addresses (links), including hackers. Hackers create special bots trying to bypass the website security, find the website’s CMS, and brute-force the login and password on wp-login and wp-admin pages.
Why Do They Want to Hack Your Website?
After accessing the login page robots try to find the valid combination of the login and password – they activate the Remember me flag, and Sign in button, and start sorting the passwords.
Now imagine the total load on your website producing by each sorting attempt pressing the Sign in button! Regular users may have trouble accessing the website. It is caused by robots attempting to find a valid match. This scheme is called brute-force attack.
The easiest way of protecting the website from brute-force attacks is to create a unique address of the login page, which means replacing wp-login or wp-admin with other URLs. One more thing: when accessing standard login pages the 404 error should be displayed. In this case, the bot sees the error and simply leaves the website. Super simple and effective!
How to Protect the WordPress Login Page with Clearfy
In order to protect the website, we are going to use one of our free plugins. First of one is Clearfy with the in-built feature of protecting the WordPress login page. This plugin has many other useful features, including website security, optimization (with SEO), and speed improvement.
Protecting the wp-admin Folder
After you download Clearfy and install it on the website, you’ll see Clearfy menu. Open it, go to the security tab. and search for Protect your admin login.
Enable Hide wp-admin if you want to forbid access to the login page. Don’t forget to save the changes.
Now each time you open the wp-admin page you’ll get a 404 error message – the page doesn’t seem to exist.
Protecting wp-login.php URL
To block access to wp-login.php, you should just activate the feature named Hide Login Page. But first, make sure to set up a new address of the login page. The plugin won’t let you hide the login page without defining a new one first due to its internal protection algorithm. Even if you enable the option and leave the field blank, your login page will still be accessible via wp-login.php:
This feature works only after you set up the new address.
Let’s set up the new address and see how it works. For example, you’ve already entered the new address and saved the settings. We see that now the login page URL is the following:
IMPORTANT: Keep this new address and the recovery link somewhere safe!
Once you change the login page, you’ll get a confirmation e-mail from Clearfy with your new login URL and the alternative recovery link.
Now let’s check how it works.
- Enter wp-admin and try to log in. You’ll see 404 error.
- Copy the new login link and paste it to the address bar.
- Now you see the login page. Everything works great.
Changing the Access Error Type
Once you activate Hide login page, you will see the 404 not found access error by default. However, you can change the type of the access error. Let’s set Access error type to Redirect to and fil in a custom URL:
After saving the settings, each attempt to access wp-admin or wp-login.php will redirect the bot or the user to the custom URL.
You can also replace 404 error with 403 Forbidden. And each time someone tries to access wp-admin or wp-login.php, he will see something like this:
It looks like the website either doesn’t work or the login page doesn’t exist. At the same time, you know that your website does work, but only for you.
Protect the WordPress Login Page with Hide Login Page
Our second plugin is much smaller than Clearfy. However, if you don’t need a fully-featured plugin, and your only goal is to protect the WordPress login page, then consider choosing Hide Login Page.
It has only one function and the features are similar to Clearfy’s.
In this article, we’ve discussed why it is so important to protect the WordPress login page and showed you how our plugins Clearfy and Hide Login Page work.
Keep in mind that timely and reliable protection of your website saves you a lot of time and money.