Secure WordPress login

Secure WordPress login

The WordPress login is one of the most popular targets for attacking the content management system by hackers. With so-called brute force attacks, they try numerous password combinations in order to be able to take over WordPress. Here we present the most common attack targets and how you can protect your WordPress login against attacks with a few simple changes. We also show you two plugins that make your login even more secure.

WordPress login is within everyone’s reach

If you want to log into WordPress, you can access the login page using the following URLs:


And you’ll be taken to the login form for your WordPress installation.

However, these two URLs are the classic standard path that can be used to access any login on a WordPress site. This means that strangers can also access the login form on your WordPress site at any time.

This is exactly why you should ensure that your WordPress login is protected against hackers and spam as best as possible. In today’s article we would like to show you how easy it is and what options you have.

Lock xmlrpc.php via .htaccess

Various external programs can access the WordPress system via the xmlrpc.php file. Of course, this can be very useful if you use plugins that need to communicate with other systems outside of WordPress.

However, there is also the danger here that WordPress can be remotely controlled by a hacker attack. Using a brute force attack, hackers could query several password combinations at once until they found the correct password for the login.

To avoid this, you should disable the function of this file via the .htaccess file.

Disable xmlrpc.php

Open the .htaccess file and add the following lines there:

<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all

This completely blocks the xmlrpc.php file and no longer poses a threat to you and your WordPress installation.

Alternatives to login protection

In addition to login protection for WordPress, there are also numerous alternatives available to you. These are easy to implement and offer you at least basic protection when it comes to securing the WordPress login page.

Two-Factor Authentication

With two-factor authentication, you secure your WordPress login with double protection. This means before you can enter your normal login data for WordPress, you have to enter a so-called authentication code. This is generated with the help of the Google Authenticator, for example.

To be able to use two-factor authentication, we recommend a plugin like Two-Factor. You can download the plugin from the official WordPress plugin directory or install it directly via the WordPress backend.

Once you have installed the plugin, you must first set it up. You have a total of 4 options:

  1. e-mail
  2. Temporary password (Google Authenticator)
  3. FIDO Universal 2nd Factor
  4. Backup verification codes

Options 1 and 2 are certainly the easiest methods to implement two-factor authentication.

With option 1 you will receive an authentication code by email, which you must then enter. With option 2 you will receive a temporary password, which must be scanned and entered via the Google Authenticator app via QR code.


Through a so-called Captcha code it can be ensured on the WordPress login page that a human and not a machine (bot) is acting on the website.

The site visitor can only send the entered data once the Captcha code has been successfully confirmed. The Captcha code is mainly used on login pages, in contact forms, comment functions and many other online forms.

In order to be able to use this login protection for WordPress, you can use a plugin such as the login reCAPTCHA. With the use of the plugin, registration data can only be sent once the reCAPTCHA field has been confirmed.

To do this, the user must confirm under the login field that he is not a robot. If there is any uncertainty, the user is also shown images that he must confirm.

In order to be able to use the plugin mentioned above, you need a site and secret key from Google.

Use password manager

Another and very simple way to protect WordPress from unauthorized access is to use a strong password that you only use for your WordPress login – and not for email login, Netflix or other online services.

A secure password should have the following characteristics:

  • at least 8 characters
  • Upper and lowercase letter
  • Counting
  • special character

If you create a password based on these 4 characteristics, you can be sure that it is secure. So that you don’t have to remember all the passwords for all the services you use, we recommend a password manager.

Within this password manager you can save the password and retrieve it anytime you need it. In order to be able to access the password manager, you have to create a master password once, with which you can then access all saved passwords or access data.

Password managers with a browser add-on also automatically recognize which page you are on and even fill out the login form independently. So you don’t have to do any more work with the input.

We can recommend the following password managers:


Login protection for WordPress is part of the basic security for every user of the content management system. As you can see above, it is not at all difficult to build in protection mechanisms that can protect you from hackers or spam.

We therefore recommend that you use at least one of the methods mentioned to ensure the security of your WordPress website.

How to find the WordPress login for your website Previous post How to find the WordPress login for your website
Distribute roles and protect login area Next post Distribute roles and protect login area