Logging in to WordPress
WordPress login security is a big deal.
Being able to login to a WordPress website is like having the key to the kingdom.
Once you’re in, it’s yours.
You can do whatever you like with that website from then on.
That’s why is super important to make sure that you’re only allowing the right people to gain access.
Basically – keep out the baddies.
The bad news (there’s good news coming, don’t worry) – there’s a lot of baddies.
WordPress websites are extremely easy to get into if you know how. And a lot of people know how.
Usernames and passwords are leaked online all the time. Hackers get hold of them and then hit your website repeatedly, using software that automates the process thousands of times over, until they either:
- Succeed – not good
- Are stopped – good
In September this year, Glow prevented over 50,000 hack attempts across the websites using our platform. A report conducted by the FSB also reported that cyber attacks cost small businesses a combined £4.5 billion a year.
The good news (told you) is that there’s lots of things you can do to make your WordPress website more secure.
Think of it like adding layers.
The more layers there are, the harder it’ll be to get through.
So here’s what we’ll cover today …
Finding the login page
New installations of WordPress will load with the login page ending in /admin or /login. For example:
Using either of the above will show you the login screen.
If not, try /wp-admin or /wp-login, like so:
Once you’ve found the login screen, move on to our 3 tips below.
#1 Change the default login URL
As we just said, the default login URL for a WordPress website will be one of those above.
So guess where one of the first places to start for dodgy login attempts will be?
Ok so here’s how to fix this …
1. Login to your website.
2. Next, go to Plugins from the main left hand menu and click Add New.
3. In the top right corner, search for WPS Hide Login. This is a 5 star rated plugin with almost 1 million downloads (at the time of writing).
4. Now click Install Now and then Activate.
5. Go to Settings in left hand menu and click on WPS Hide Login.
6. Type your new URL (something memorable – just make sure it isn’t one of those default ones listed earlier) into the Login URL field.
7. Next, type a redirection URL in the next box – this is the page that will show if anyone tries to access the default /wp-admin login screen when they’re not logged in.
8. Click save changes
And that’s it!
This will have changed your login URL immediately and is an effective for keeping out casual hackers.
Warning – expert hackers with more sophisticated methods could still find a way to login, even with this prevention technique in place. So don’t leave this as the only barrier you turn on.
#2 Change the default admin username
Every WordPress installation comes with one user.
The username for that user is always ‘admin’.
Much like the previous tip, every hacker knows this, so it’ll be one of the first things they try when assessing your WordPress login security, in order to gain entry to your website.
Here’s how you fix it …
2. Go to Users
3. Click Add New
4. Complete profile
5. Log out
6. Login as the new user you just created
7. Go to Users
8. Click tickbox next to admin user
9. Choose from Action dropdown – delete
There will no longer be an ‘admin’ user on your website so that’s another nice block in place.
#3 Enable 2 Factor Authentication
If you have any other accounts with companies online (and we know you have hundreds!) you’ll likely have recently been prompted to set this up.
2 Factor or Multi Factor Authentication is a way of confirming people who are trying to gain access to a website are who they are saying they are.
It significantly improves the login security for your WordPress website too so we strongly recommend getting this setup.
And it’s really easy to do.
Here’s how …
2. Go to Plugins and click Add New
3. In the top right corner, search for Wordfence
4. Click Install Now and then Activate
5. Hover over Wordfence from main left menu and click login security
6. Now on your mobile, open the Google Authenticator app (or download it first if you need to, it’s free)
7. Click the plus (+) icon in the top right corner and from the popup at the bottom of your screen choose scan barcode
8. Point your phone at your laptop where the barcode is showing on Wordfence, keeping the barcode within the green box that shows on your phone
9. Once it registers, you will see a 6 digit code on your phone with your website address beneath it
10. On your laptop, on the right hand side of your screen, type the 6 digit code you see on your phone into the box at the bottom.
Note: the codes are time sensitive so if they turn red whilst you’re entering the number, wait until they turn blue again (the code will change) and enter that new number.
11. It should go through almost immediately and there will be a message in the middle of the screen that says something like ‘Wordfence two-factor authentication is currently active on your account. You may deactivate it by clicking the button below.’
And that’s it – now when a login attempt happens for the user that you enabled 2FA for, they will be asked for the 6 digit code from their mobile.
Given that very few people (if any) will have access to your mobile at the exact moment that login is attempted, you can see how effective this method can be at keeping the wrong people out.
It really does pay to take more care over the security of your WordPress website and the login area is hugely important as it sees a huge amount of hack attempts.
Follow our steps carefully and your WordPress website will end the day much more secure than it started!