This is how you protect your WordPress login from unwanted access

I’ve wanted to write this article for a long time because I think many WordPress users underestimate how important securing their own WP login is. The logins of WordPress sites are targeted again and again by so-called brute force attacks.

This can massively restrict the accessibility of the website, because the server is overloaded by the numerous login attempts. If the login is not sufficiently secured, in the worst case your own WordPress site can even be hacked. Luckily, there are helpful WordPress plugins and precautions that prevent this from happening.

1. Choose a secure password

The first and easiest step is to choose a secure username and password for the WordPress login. Under no circumstances should the username be “admin”. Since this was long the default username for WordPress sites, it is particularly insecure.

For a secure password, you can either use a password manager or create a password from a random arrangement of words. Check out the article on secure WordPress passwords for tons of helpful tips and tools.

2. Limit the number of login attempts

By default, the number of login attempts in WordPress is unlimited. This is of course another security risk, and one you can easily get under control with the “Limited Login Attempts” plugin. The plugin lets you limit the login attempts per IP address to, e.g., 3 possible attempts. If this number is exceeded, the IP address is blocked from accessing your WordPress site for a certain period of time (the period can be selected in the plugin settings).
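The lockout behaviour described above, sketched in Python as an added example (it is not the plugin's code). The 20-minute lockout, the one-hour counting window, the class name and the sample events are assumptions made for illustration.

```python
# Added illustration: per-IP login limiting with a temporary lockout.
class LoginLimiter:
    def __init__(self, max_attempts=3, lockout=20 * 60, window=60 * 60):
        self.max_attempts = max_attempts   # failures allowed per IP (3 as in the text)
        self.lockout = lockout             # seconds an IP stays blocked (assumed)
        self.window = window               # failures older than this are forgotten (assumed)
        self._failures = {}                # ip -> timestamps of recent failures
        self._blocked_until = {}           # ip -> time at which the block ends

    def record(self, ip, now, password_ok):
        """Return 'blocked', 'ok', 'failed' or 'locked_out' for one login attempt."""
        if now < self._blocked_until.get(ip, 0):
            return "blocked"               # rejected before the password is even checked
        if password_ok:
            self._failures.pop(ip, None)   # a successful login resets the counter
            return "ok"
        recent = [t for t in self._failures.get(ip, []) if now - t < self.window]
        recent.append(now)
        if len(recent) >= self.max_attempts:
            # The last allowed attempt has failed: block the IP for the lockout period.
            self._blocked_until[ip] = now + self.lockout
            self._failures.pop(ip, None)
            return "locked_out"
        self._failures[ip] = recent
        return "failed"


# Constructed sample events: (seconds since start, client IP, password correct?)
EVENTS = [
    (0, "203.0.113.7", False),
    (2, "203.0.113.7", False),
    (3, "198.51.100.4", False),    # a legitimate user mistypes once
    (4, "203.0.113.7", False),     # third failure from this IP: locked out
    (5, "203.0.113.7", True),      # even a correct guess is refused while blocked
    (10, "198.51.100.4", True),    # the other IP is unaffected
    (1300, "203.0.113.7", False),  # lockout has expired, counting starts again
]


def replay(events, limiter=None):
    """Feed the events through a limiter and return the decision for each one."""
    limiter = limiter or LoginLimiter()
    return [limiter.record(ip, ts, ok) for ts, ip, ok in events]


if __name__ == "__main__":
    for event, decision in zip(EVENTS, replay(EVENTS)):
        print(event, "->", decision)
```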

3. Two-step authentication with Google Authenticator

Extra security is provided by two-step authentication, which you can easily set up using the Google Authenticator app and the Google Authenticator WordPress plugin. It works like this: every time you log in, you have to enter not only your WordPress username and password, but also an additional Google Authenticator code, which the Google Authenticator app generates anew again and again.

Google Authenticator plugin settings for WordPress.

So this method requires that you always have your mobile device (smartphone or tablet) at hand when you want to work in the WordPress admin. This is a bit more effort, but offers very strong additional protection against login attacks.

Setup is easy with the WordPress plugin “Google Authenticator”. After installing the plugin and downloading the Google Authenticator app (Android app, iOS app), you can simply use the barcode in the WordPress plugin settings to link the plugin to your app. If you now open the Google Authenticator app, the login code for your WordPress site will be generated again and again at regular intervals and you can enter the code in your WordPress login screen.

The Google Authenticator iPhone app.

The Google Authenticator code must be entered in the WordPress login.

Of course, you can also use the app to set up two-step authentication for several websites and services.
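How the regularly changing codes from this section are computed, as an added Python example that is not taken from the plugin or the app: Google Authenticator codes follow the TOTP standard (RFC 6238), where app and server derive the same six digits from a shared secret and the current time. The secret below is the public RFC test key, and the one-step drift tolerance in verify() is an assumption.

```python
# Added illustration: generating and checking TOTP codes (RFC 6238, HMAC-SHA1).
import base64
import hashlib
import hmac
import struct
import time

# Base32 form of the RFC 6238 test key "12345678901234567890" (sample value only).
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, at=None, step=30, digits=6):
    """Return the code that is valid at Unix time `at` (default: now)."""
    secret = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    now = time.time() if at is None else at
    counter = int(now // step)                       # number of 30-second steps
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at=None, step=30, drift=1):
    """Accept the current code and `drift` steps either side, to allow for clock skew."""
    now = time.time() if at is None else at
    for k in range(-drift, drift + 1):
        expected = totp(secret_b32, now + k * step, step)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    print("code right now:", totp(SAMPLE_SECRET))
    print("code at t=59s: ", totp(SAMPLE_SECRET, at=59))
```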

4. Set up an extra password via the .htaccess file

For everyone who has access to the .htaccess file, there is also the option of setting up an additional password via the .htaccess file. This has the advantage that the actual WP login cannot be called up at all without it, so brute force attacks are blocked before they ever reach the WordPress login. This takes a great deal of load off your WordPress site and keeps the website available.

Additional password query via the .htaccess file.

Setting up a .htaccess login is not that complicated either. You only need access to your .htaccess file via FTP (unfortunately this is not possible with all hosting offers) and a code editor to edit the .htaccess file and create a new .htpasswd file (this file contains your password).

.htaccess password: how it works

First you have to create a new, empty file with the name .htpasswd in the main directory of your website (i.e. where the .htaccess file should already be) via your FTP access.

You then download the new, still empty file locally on your computer and open it in a code editor. With the help of the online htpasswd generator you can now enter a username and password and create the content for the .htpasswd file.

Code for the .htpasswd file via the htpasswd online generator.

Now you have to create the code for the .htaccess file. You can copy the code below, but you still have to determine your own AuthUserFile path to your .htpasswd file and replace it in the code. To find out the path, you can use the guide and code “How to find the full path to a file using PHP” on the .htaccess tools website.


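# Ask for the extra password only for the WordPress login script
<Files wp-login.php>
AuthType Basic
AuthName "My Protected Area"
# Absolute server path to your .htpasswd file
AuthUserFile /path/to/.htpasswd
Require valid-user
</Files>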


Once you have added the code to the .htaccess file and uploaded the new .htpasswd file with its generated content to the main directory of your website, the password prompt should appear in the browser, providing additional protection for your login.

You can also find a detailed description of how to set up a .htaccess password for your WordPress site in the article “Initiative: More security for WordPress through admin protection” on the ebiene Playground blog.


As you can see, there is really a lot you can do to protect your own WordPress login from unauthorized access. What other tips, tools, and guides do you know that are helpful in securing WordPress sites? I really appreciate your feedback and tips!
