The WordPress login – find, fix, secure, hide

The WordPress login is a very sensitive area in terms of security. Attacks are often aimed directly at it, because many website operators pay little attention to security when choosing user names and passwords and do little else to prevent attacks. Here you can read what you should do with the WP login.

Where can I find the WordPress login?

The WordPress login can be found by default at http://www.domain.de/wp-admin or at http://www.domain.de/wp-login.php. Because this is known, people often try to break in at this point from the outside. But more on that later.

What to do if the WordPress login no longer works?

There are various reasons why the WP login may have stopped working:

  • Forgotten access data (e.g. forgotten admin access)
    In this case, you can generate a new password by clicking on the “Forgot your password” link under the login field.
  • Logged in incorrectly too many times
    This usually doesn’t matter with WordPress itself. However, if you use security plugins such as iThemes Security or WP Limit Login Attempts, you can usually configure them so that the user’s IP address is blocked for a certain period of time after a certain number of failed login attempts. This prevents so-called brute force attacks, which are intended to break into the dashboard in order to manipulate content directly in the backend. Usually you only have to wait a certain amount of time before you can try to log in again. Sometimes, however, access to the database or the .htaccess file is necessary in order to remove your own IP address there.
  • Serious system problems
    After moving to another web host or renaming the website to another domain, there are sometimes login problems, especially if the move didn’t go smoothly. If that’s the case, it’s best to hire a professional.

How to hide the WordPress login?

So that brute force attacks are not possible in the first place, it makes sense to hide the WordPress login. This is best achieved with the help of the iThemes Security plugin (which you should use anyway to make the website more secure). There you can find professional settings, such as “Hide backend”, under the “Advanced” item. Activation is done quickly: all you have to do is come up with a term for the login that cannot be easily guessed. That’s it.

How do you secure the WordPress login from brute force attacks?

In iThemes Security you can also limit the possible number of login attempts. This is done under “Local brute force protection”.

You specify how often someone may try to log in (5x should be enough), and you can also immediately block login attempts that use the “admin” user. If you still use the “admin” user, create a new administrator user and delete this “admin” user first!
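To check whether such attempts are actually reaching your login, the same rule can be applied to the web server access log. The following is an added example, not part of the original article and not code from iThemes Security; it assumes the combined log format, the default /wp-login.php path, that a failed login answers with HTTP 200 and a successful one with 302, and a 5-minute window (the function name and the sample lines are made up for illustration).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def find_lockout_candidates(log_text, max_attempts=5, window=timedelta(minutes=5)):
    """Map each IP to the time it reached max_attempts failed logins within window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed logins
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue              # only form submissions are login attempts
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue              # assumption: default login path, not a hidden one
        if m["status"] != "200":
            continue              # assumption: 200 = form shown again, 302 = success
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[m["ip"]]
        attempts.append(ts)
        while ts - attempts[0] > window:
            attempts.popleft()    # forget failures older than the window
        if len(attempts) >= max_attempts:
            flagged.setdefault(m["ip"], ts)   # keep the first time the limit was hit
    return flagged

def _line(ip, clock, method, status):
    # Builds one constructed log line; addresses are documentation ranges.
    return (f'{ip} - - [18/Nov/2021:{clock} +0100] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 4521 "-" "-"')

# Constructed sample input, not real traffic.
SAMPLE_LOG = "\n".join(
    # six failures within one minute: reaches the limit on the fifth
    [_line("203.0.113.7", f"10:00:{s:02d}", "POST", 200) for s in range(0, 60, 10)]
    # five failures, one per hour: never five inside a five-minute window
    + [_line("192.0.2.44", f"{h:02d}:00:00", "POST", 200) for h in range(9, 14)]
    # one typo, then a successful login and a page view
    + [_line("198.51.100.20", "10:05:00", "POST", 200),
       _line("198.51.100.20", "10:05:20", "POST", 302),
       _line("198.51.100.20", "10:05:21", "GET", 200)])

if __name__ == "__main__":
    for ip, when in find_lockout_candidates(SAMPLE_LOG).items():
        print(f"{ip} reached the limit at {when:%H:%M:%S}")
```

If the login has been hidden behind a custom term, the path check has to be changed to that term.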

Protect WordPress login with 2-factor authentication

Two-factor authentication can be used to protect the login as much as possible. It combines a normal login with, for example, a unique code generated on a device such as a smartphone. Examples of plugins are:

Use Sucuri to secure the website and the login

If you don’t know Sucuri, you should take a look here. This service provider first routes all traffic through its own firewall and thus prevents any attack on a website before it even reaches it. There is no more effective way to secure a website. In the area of login, Sucuri effectively protects against brute force attacks with its web application firewall. Theoretically, you wouldn’t even have to carry out security measures yourself. However, I consider a combination to be the best that can currently be achieved in terms of security.

Further measures to protect the login and WordPress websites

As already mentioned, the login is very sensitive and should be protected as much as possible. This applies not only to the login but to the rest of the website as well. Therefore, it is best to take a look at the following tips for more WordPress security.

Last version from November 18, 2021 by network user René Dasbeck
