Since I implement almost every website for my customers with WordPress, customers always ask how they can log into WordPress. Since this question also comes up frequently on the Internet, I would like to make a short and concise article about it here.
WordPress Login? /wp-admin/ is the magic word
If you run WordPress on your domain – let’s say https://www.sir-apfelot.de – then the login to the admin area is usually one of these two URLs:
So you just append /wp-admin/ or /wp-login/ to your homepage URL and you get to the standard login area of WordPress.
htaccess protection and WordPress login URL change
If you go to the above URL on my blog, you will find that there is still a small protection in place. I have additionally protected the login URL via htaccess.
Why? Because an attacker then faces two logins in front of the WordPress admin, and it is quite unlikely that both will be cracked.
A second popular way to protect the WordPress admin is to change the login URL. This means that you choose a different virtual folder instead of /wp-admin/.
This change can be realized with these two plugins:
Personally, however, customizing the login URL is a bit confusing for me, since I have to log into some WordPress sites many times a day and I get confused every time I get a 404 error instead of a login form. For this reason, I usually leave the URL for my customers as it is and work with a different solution.
Limit Login Attempts Reloaded – Protection against brute force attacks
The usual procedure for cracking a WordPress login is via so-called brute force attacks – i.e. simply trying out login and password combinations.
The user name is found quickly, since WordPress usually reveals the user names via the author archives. After that, an attacker only has to throw lists of the most common passwords against the XML-RPC interface of WordPress until one of them works.
Unfortunately, WordPress itself does not yet have any effective protection to prevent such attacks, but there is a plugin called “Limit Login Attempts Reloaded” that effectively fends off such attacks by only allowing a certain number of attempts before the IP or username is blocked.
With the Pro version you can even have the waiting time between login attempts grow longer, and use many other functions to protect WordPress from unauthorized access.
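A defender's view of the pattern described above, as an added example (not code from the original article or from the Limit Login Attempts Reloaded plugin): it scans access-log lines for numeric `?author=N` probes and for IPs whose POSTs to `/wp-login.php` or `/xmlrpc.php` reach a limit inside a time window. The log lines, the limit of 4 attempts and the 5-minute window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed access-log lines in common log format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.7 - - [12/Mar/2024:10:00:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
203.0.113.7 - - [12/Mar/2024:10:00:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
203.0.113.7 - - [12/Mar/2024:10:00:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
203.0.113.7 - - [12/Mar/2024:10:00:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
198.51.100.20 - - [12/Mar/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2400
198.51.100.20 - - [12/Mar/2024:10:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.55 - - [12/Mar/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2500
192.0.2.55 - - [12/Mar/2024:10:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2500
192.0.2.55 - - [12/Mar/2024:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2500
192.0.2.55 - - [12/Mar/2024:10:45:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2500
"""
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)')
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}  # endpoints that accept credentials

def exceeds_limit(times, max_attempts, window):
    """True if max_attempts or more requests fall inside any one window."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1  # slide the window start forward past old requests
        if end - start + 1 >= max_attempts:
            return True
    return False

def analyze(log_text, max_attempts=4, window=timedelta(minutes=5)):
    """Return (IPs over the attempt limit, IPs probing ?author=N), both sorted."""
    posts, enum = defaultdict(list), set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, target = m.groups()
        path, _, query = target.partition("?")
        if re.search(r"(^|&)author=\d+", query):
            enum.add(ip)  # numeric probing of the author archives
        if method == "POST" and path in LOGIN_PATHS:
            posts[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    brute = sorted(ip for ip, t in posts.items() if exceeds_limit(t, max_attempts, window))
    return brute, sorted(enum)

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The slow client (192.0.2.55) stays under a 5-minute window but is caught once the window is widened to an hour, which is the trade-off a lockout plugin's settings also have to make.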
WordPress login help from Sir Apfelot
If you need help securing your WordPress blog or need assistance with a hacked WordPress, please let me know. I take care of a number of customer sites and am happy to support you.
Jens has been running the blog since 2012. He acts as Sir Apfelot for his readers and helps them with problems of a technical nature. In his spare time he rides electric unicycles, takes photos (preferably with the iPhone, of course), climbs around in the Hessian mountains or hikes with the family. His articles deal with Apple products, news from the world of drones or solutions to current bugs.