With millions of active WordPress installations, it’s a popular target for those that want to do harm to your site, no matter how big or small. Here are some simple things you can do right now to stop brute force attacks against your WordPress login.

Identify Security Issues

It’s a good idea to install a WordPress security plugin such as Wordfence. This will give you detailed insight about what’s going on with your website security and can also send automated alerts.

One of the many wonderful things about Wordfence is the option to automatically block the IP of anyone trying to login with a username that does not exist.

Secure Your Admin Username

Automated systems love to brute force sites with usernames such as:

  • admin
  • administrator
  • + any username they can find from posts or pages

I recommend creating a unique admin username with spaces and punctuation, edit the profile, and “exclude user from author sitemap”. Also, stop posting as admin... see below.

Secure Your Password

You’re asking for trouble using usernames and passwords like this:

  • Username: admin
  • Password: 12345

I recommend using a password manager such as 1Password to store your logins and create secure passwords. You’ll never forget a password again!

Stop Posting as Site Admin

Keep your site administration account and posting account separate. Why? Posting as admin lets everyone see your admin username. If everyone can see your admin username, they have one of the two things they need to login as admin, making the job much easier.

There’s no super easy way to change your account username. One method is to create two new users, one for site administration and one for posting. You can then attribute all posts and pages to your posting account, have a more secure administration account, and delete the now unused account(s).

Add Google reCAPTCHA to Your Login

Add Google reCAPTCHA to your login such as Google Captcha (reCAPTCHA) by BestWebSoft, it’s “tough on bots, easy on humans”. More info on Google’s blog about their new “No CAPTCHA reCAPTCHA”.

Two-Factor Authentication (2FA)

Two-factor authentication identifies you by using two different components. These may be something you know, something you possess or something that is inseparable from you.

Some examples of WordPress plugins for 2FA include:

Hide Your Login Page (wp-login.php)

How do you completely subvert a login brute force attack? Hide the login page! With tens of millions of WordPress installations, it’s no secret where the login page is: yoursite.com/wp-login.php

You can hide your login page with a plugin such as WPS Hide Login. Now you can change the name of your login page to anything you like, and yoursite.com/wp-login.php will render as if it does not exist if accessed directly. This is particularly useful if you’re the only site user, just don’t forget your new login page URL!

After you hide your login page, it’s a good idea to remove the clickable login link from your site. In most cases, it’s a matter of removing the ‘Meta’ widget under ‘Appearance / Widgets’. Although you can keep this widget active, any links on your site that direct to wp-login.php will redirect to your new hidden login URL, which is a problem if you want to keep it secret.