How to secure WordPress admin login

How to Secure WordPress Admin Login (14 Effective Steps)

Last update on:

I bet you always go to sleep with a constant headache if you are a WP webmaster. The next morning you wake up and see that your beloved website was being hacked. Maybe your vital information is now loose.

I know how you feel because the feeling is mutual. I have been through there. That is why all website owners should know how to secure a WordPress login. For the think of WordPress login security, this article covers all the processes, step by step.

How to secure WordPress admin login

14 Effective Ways To Secure WordPress Admin Login

Here are the 14 steps that will help you secure your admin panel and the website itself:

1. Protect Your WP Website with WAF

WAF stands for Web Admin Firewall. By the names, you must have found out the functionality of it by now, There are several additional plugins that are best for this work. Starting with the names, Sucuri is perhaps the renowned one.

Sucuri Web Firewall

Sucuri is a one-stop solution for your website security. What this plugin does is that it first shifts the traffic to its own cloud proxy then they scan those. If the plea is safe, they grant access, but any malware or suspicious activities are blocked instantly.

There are other WAFs that work accurately as well. Some of those are MaxCDN, Cloudflare, Wordfence Security, and many more. So, choose the one that suits you and your website.

2. Protect Your Admin Directory

The WordPress admin directory is perhaps the most important piece of information on your website. You might agree with me on that. So, keep that protected with strong passwords.

I know that this is already protected with your own WP login password. But adding an extra layer of protection is always a good thing. It is very simple and effective at the same time. Try researching a bit and you can also set a custom password as well. You can use iThemes security pro to protect your completed WordPress directory.

iThemes security pro features

3. Strong Passwords, Less Worries

I have seen a lot of my friends using their birth years, anniversary, or their favorite pet’s name as their password. I admit that those are easier to remember. But you cannot deny the fact that these are predictable as well.

So what can you possibly do? Simple, pick a password that is unpredictable and hard to crack. Now, how to do that? Simple as well. You need to pick a password that has various combinations of letters (both uppercase and lowercase), numbers, and symbols. You can use a good tool called Strong password generate that I use to generate a strong password.

Secure Password Generator

I am not saying that the password should be a long one. But using these combinations of different attributes are really hard to guess and decode as well. So, put up a password that is unique and the combination of the attributes are unpredictable.

4. Two Step Verification

In recent years, two-step verification is certainly a life savior in some cases. What it does is that it create an additional security layer to your website. You simply log in with your user ID and password.

2FA login box

But two-step verification also generates a verification code and sends it to your phone. In this way, you will have control over your login sequence. Without you and your phone, no one can log in maliciously. WordFance free is good enough for 2FA along with other security. But If you have enough budget, you can go with iThemes Security because of the advanced 2FA feature.

5. Try to Log-in in one go

The multiple number of login attempts do hamper the integrity of the security. Also, logging in with different accounts on different devices can create a possible way of leaking information.

That is why try to use a single or a set of trusted devices for logging in to your website dashboard and try to avoid unnecessary failed login attempts. Just these little things matter the most in saving the website from malware attacks.

6. Restrict IP Addresses

Another thing you can do is to limit the IP Addresses that are allowed to login into your account. Only allow the IP addresses of you and your trusted associates. So, the website will be free of stress and safe from unwanted login attempts. Most of the plugins allow this security feature.

7. Don’t give any HINTS!

This is perhaps the stupidest thing to do. Picture this scenario for me. Suppose, you have set your password by your favorite city’s name. And you set a hint that it is your favorite city’s name.

You see right there? It is easily crackable. So, try to avoid unnecessary hints of usernames and passwords. This will save you from a lot of hustle and might save your website as well.

8. Urge your users to be sensible

As you are running a website. So there will be a set of users, this is pretty natural. To run the website successfully, you will be needing a set of helping hands. But these hands need to be sensible as well.

From this point above, try to urge them to maintain all the safety measures from their end as well. This will also prevent the chances of losing the website’s data. Ask them to set combined passwords, avoid unnecessary login from different devices.

9. Change your passwords frequently

Using the same passwords for a long time can increase the risk of attacks and malware events. So, try to change your passwords once in a while. But also keep in mind that you will have to remember the current passwords as well.

10. Always keep and eye on updates

WordPress is perhaps the most used platform for publishing your websites. That is why the team is working hard and coming up with updates. So, keep an eye on the updates. These updates increase your security level as well.

11. Custom Logins and Registration Pages Can Help

If your website needs a lot of registering and interference from the users, then it is at a risk of facing some unwanted actions. So, making a separate register and login pages will also limit the risk. One thing is that you can use a custom login page instead of the default WordPress login. WP User can be the best solution to create a custom registration form, login, and user profile for a WordPress site.

12. User Roles and Permission

It is important to read out all the permissions and your user roles. Set the user roles according to your priority. And always be fully sure to maintain a good workflow without violating any regulations.

WordPress user role editor

Thanks to WordPress’s powerful user management system, it is very easy and effective to add user roles. But be careful while choosing the roles. You really don’t want to give access to someone who does not deserve that. You can control overall user roles using the plugin called User Role Editor.

13. Don’t grant excess accessibility

In this segment of how to secure WordPress admin login, don’t allow excess users to have access to your website admin. If you give unwanted access, this might get you into trouble. So try to avoid this practice.

14. Clear out idle users

Now, this is a good option. You can set a timer. If a user stays idle for a limited amount of time, then he or she will be logged out. This will also help you prevent unwanted attacks. So, you can do that to increase security. I think the All In One WP Security & Firewall is good for this feature.

Wrapping Things Up!

You are the endpoint of this WordPress security guide. The above 14 effective steps that you should know on how to secure a WordPress admin login. Practice all of those steps carefully. Some of the steps might seem obvious and very little. But at the end of the day, these fine details do matter the most.

Now, I would like to take a leave. Be safe and be healthy. Keep up the hard work and maintain a healthy workflow. Remember, your creativity matters! 

What’s your Reaction?


  • Palash Talukder

    Palash Talukdar is a digital marketer & the founder of WP Basic Pro. He has been building and managing WordPress websites for 5+ years. He loves to write about WordPress, SEO, marketing, productivity, and web performance.

    View all posts
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
Saeed Khosravi's Official Site