The WordPress login page is one of the most vulnerable parts of a website. Of course, hackers know this perfectly well. That’s why your main priority as a website owner is 100% login page protection.
There are dozens of solutions on the internet, differing in complexity and implementation time. In this article, we will discuss protecting your login page using plugins.
Why do we need to protect the WordPress login page?
You can access the login page using one of the following options:
- By entering wp-login.php in the browser address bar;
- By following the wp-admin link.
If you are not signed in, you’ll see the authorization form.
The problem is that everyone (including hackers) knows these addresses (links). Hackers create special bots that try to bypass website security, determine the website’s CMS and brute-force the login and password on the wp-login and wp-admin pages.
Why do they want to hack into your site?
After accessing the authorization page, robots try to find a valid login and password combination: they check the “Remember me” flag, press the “Sign in” button and start cycling through passwords.
Now imagine the total load on your website from each of these attempts and every press of the “Sign in” button! Regular users may have trouble accessing the website because robots are trying to find a valid match. This scheme is called a “brute-force attack”.
The easiest way to protect the website from brute-force attacks is to give the login page a unique address, that is, to use some other URL instead of wp-login or wp-admin. One more important thing: the standard login pages should return a “404 error” when accessed. A bot that sees the error simply leaves the website. A very smart and simple method!
How to protect the WordPress login page using the Clearfy plugin
For protection, we are going to use one of our free plugins. The first of them is Clearfy, which has a built-in feature for protecting the WordPress login page. The plugin also includes many other useful functions for website protection, optimization (including SEO) and speed improvement.
Protecting wp-admin folder
After you download and install the free Clearfy plugin, you’ll see the “Clearfy menu” in the WordPress settings menu. Then go to the “Defense” section, scroll down and look for the following phrase: “Protect your admin login”.
To disable access to the login page via wp-admin, simply enable the “Hide wp-admin” option and save the settings.
Now each time you open the wp-admin page you’ll get a “404 error” message: the page doesn’t exist.
Protecting wp-login.php URL
To block access to wp-login.php, just turn “Hide Login Page” on. However, you should define a new login page address before hiding the existing one. If you try to hide the authorization page without defining a new address, the plugin won’t let you do that, thanks to its built-in protection algorithm. Even if you enable the option and leave the field blank, your login page will still be accessible via wp-login.php:
The feature works only once you define the new address.
Let’s define the new address and see how it works. Suppose you’ve already entered the new address and saved the settings. The address of the login page is now the following:
IMPORTANT: You should keep this new address and recovery link somewhere safe!
After changing the login page, you’ll receive an e-mail from the Clearfy plugin with a link to your new login address and an alternative recovery link.
Now let’s check how it works.
- Enter wp-admin and try to log in. You’ll get a “404 error”;
- Copy the new login link and paste it into the address bar;
- You’ll see the authorization page. Everything works perfectly.
Changing access error type
By default, the access error after activating the aforementioned options is “404 not found”, but you can change it. Let’s set the “Access error type” to “Redirect to” and enter a custom URL:
After you save the settings, every attempt to access wp-admin or wp-login.php will redirect the bot or user to the custom URL.
You can also set the “Forbidden 403” error instead of 404. When attempting to access wp-admin or wp-login.php, the user or bot will get something like:
This makes it look as if the website is unavailable or the authorization page doesn’t exist. You, however, know that access to the website exists, but only for you.
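The manual check above can be automated for all three access error types. This is an added example, not code from the article or from the plugin: the path "/my-login/" is a hypothetical new login address, the sample responses are constructed, and the rule that a standard page must never redirect to the new address is an extra check added here.

```python
import http.client
from urllib.parse import urlsplit

STANDARD_PATHS = ("/wp-login.php", "/wp-admin/")
REDIRECTS = (301, 302, 303, 307, 308)

def fetch(base_url, path):
    """Return (status, Location header) for one GET, without following redirects."""
    parts = urlsplit(base_url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit(responses, new_login, mode="404", redirect_to=None):
    """Check {path: (status, location)}; mode is "404", "403" or "redirect".

    Returns a list of problems; an empty list means the settings behave as intended.
    """
    problems = []
    for path in STANDARD_PATHS:
        status, location = responses[path]
        if location and new_login.strip("/") in location:
            problems.append(f"{path} reveals the new login address: {location}")
        elif mode == "redirect":
            if status not in REDIRECTS or location != redirect_to:
                problems.append(f"{path}: expected redirect to {redirect_to}, got {status}")
        elif status != int(mode):
            problems.append(f"{path}: expected {mode}, got {status}")
    if responses[new_login][0] != 200:
        problems.append(f"{new_login}: login form not served ({responses[new_login][0]})")
    return problems

def audit_site(base_url, new_login, **settings):
    """Fetch the three pages from a live site you administer and audit them."""
    paths = STANDARD_PATHS + (new_login,)
    return audit({p: fetch(base_url, p) for p in paths}, new_login, **settings)

# Constructed responses: "/my-login/" is a hypothetical new address.
SAMPLE = {"/wp-login.php": (404, None), "/wp-admin/": (404, None), "/my-login/": (200, None)}
print(audit(SAMPLE, "/my-login/"))  # → []
```

Against a real site, call `audit_site` with your base URL, your new login path and the mode that matches the “Access error type” you selected.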
Protecting the login page using the WordPress Hide Login Page plugin
Our second plugin is much smaller than Clearfy. If you don’t need a fully-featured plugin and protecting the login page is your only goal, you can easily install our small plugin named Hide Login Page.
It has only one function, login page protection, with the same options as in Clearfy.
In this article, we’ve explained why it’s important to protect the WordPress login page and shown you how to use our plugins for this. You can choose the Clearfy or the Hide My Login plugin, depending on your case.
Always keep in mind that timely and reliable protection of your website saves you a lot of time and money.