The WordPress login page is one of the most popular attack targets in the content management system. With so-called brute-force attacks, attackers try large numbers of username and password combinations in order to take over the site.
WordPress login is accessible for everyone
If you want to log in to WordPress, you can access the login page using the following URLs:
- yourpage.com/wp-admin
- yourpage.com/login
And you'll get to the login form for your WordPress installation.
However, these two URLs are the standard paths that lead to the login of every WordPress site. This means that anyone, not only you, can open the login form of your WordPress site at any time.
This is why you should make sure that your WordPress login is protected against hackers and spam. In this article we show you how easy that is and which options you have.
Lock xmlrpc.php via .htaccess
Various external programs can access the WordPress system via the xmlrpc.php file. This can be useful if you use plugins that need to communicate with systems outside WordPress.
However, it also creates the risk that WordPress can be controlled remotely by an attacker. With a brute-force attack, attackers can query several password combinations at once through this file until they have found the correct password for the login.
To avoid this, you should disable the function of this file via the .htaccess file.
Deactivate xmlrpc.php
Open the .htaccess file and add the following lines:
<Files xmlrpc.php>
# Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
Order Deny,Allow
Deny from all
</Files>
This completely blocks access to the xmlrpc.php file, so it no longer poses a danger to you or your WordPress installation. Keep in mind that any plugin or external program that relies on XML-RPC to talk to your site will stop working once the file is blocked.
Alternatives to login protection
Besides this login protection for WordPress, you have numerous alternatives at your disposal. They are easy to implement and offer at least basic protection for the WordPress login page.
Two-factor authentication
With two-factor authentication you secure your WordPress login with a second layer of protection. In addition to your normal login data for WordPress, you must enter an authentication code, which is generated with the help of an app such as Google Authenticator, for example.
To use two-factor authentication, we recommend a plugin like Two-Factor. You can download the plugin from the official WordPress plugin directory or install it directly from the WordPress backend.
Once you have installed the plugin, you have to set it up first. There are up to 4 options available:
- Email
- Time-based one-time password (Google Authenticator)
- FIDO Universal 2nd Factor
- Backup Verification Codes
Options 1 and 2 are certainly the simplest methods of implementing two-factor authentication.
With option 1 you receive an authentication code by email, which you then enter at the login. With option 2 the plugin shows a QR code that you scan with the Google Authenticator app; the app then generates a temporary code that you enter at the login.
reCAPTCHA
A so-called captcha on the WordPress login page ensures that a human and not a machine (bot) is acting on the website.
Only after the captcha has been solved successfully can the site visitor submit the entered data. Captchas are mainly used on login pages, contact forms, comment functions, and many other online forms.
To use this login protection for WordPress, you can use a plugin like Login reCAPTCHA. With this plugin, login data can only be submitted after the reCAPTCHA field has been confirmed.
To do this, the user must confirm below the login field that they are not a robot. If there is any uncertainty, the user is also shown pictures that they must identify.
To use the above-mentioned plugin you need a site key and a secret key from Google.
Using a Password Manager
Another easy way to protect WordPress from unauthorized access is to use a secure password that you only use for your WordPress login - not for any email login, Netflix, or other online services.
A secure password should have the following features:
- at least 8 characters
- upper and lower case letters
- digits
- special characters
If you create a password using these 4 features, you can be sure that it is secure. To avoid having to remember the passwords for all the services you use, we recommend that you use a password manager.
Within this password manager, you can save your password and retrieve it at any time if you need it. To be able to access the password manager, you have to create a master password once, with which you can then access all stored passwords or access data.
Password managers with a browser add-on also automatically recognize which page you are on and even fill out the login form on their own. So you don't have any work to do anymore.
We can recommend the following password managers to you:
Bottom line
Login protection for WordPress is part of the basic security for every user of the content management system. As you can see above, it is not difficult to build in protection mechanisms that shield you from hackers and spam.
We therefore recommend that you use at least one of these methods to ensure the security of your WordPress website.