How to secure the WordPress login page?

The WordPress login page has a form with two textboxes – one to enter the email address or the user name and another to enter the password. It also has a Submit button and a link through which you can reset a forgotten password. This page is one of the critical pages on the site as it gives access to the WP admin, aka dashboard. If the dashboard falls into the wrong hands, you and your site will be in trouble. Below, we’ve discussed several ways to secure a WP login page:

One of the several ways to protect this page is to hide it. The easiest and quickest way to do this is to use one of the following plugins:

WPS Hide login

This plugin adds two options to the General Settings page of the WordPress CMS – one to change the login page name and one to set the page that the extension will redirect users to when they try to access the wp-login.php page. Once you set the login page name, enter the name of the redirection page, and save the settings, the plugin will hide the wp-login page from the world.

Ghost Security plugin

This plugin hides the WordPress login URL and changes the links to the three important pages on a WP site – registration, forgot password pages. It can also change the admin-ajax URL and the wp-content, uploads, and comments paths to the ones you set. GSP can rename the plugins and themes folders without breaking the site. It can detect brute force attacks and block the IP addresses responsible for the attack.

Use Fail2Ban

Fail2Ban, when configured and enabled on the server, will protect the wp-login page like a champion by blocking every user who has entered the wrong password N times. You can set the value of N by editing the WordPress configuration file.

In this configuration file, you can specify the time for which you want Fail2Ban to block the IP address from accessing the site and the number of failed attempts after which the IP must be blocked. Fail2Ban uses the highly reliable Linux firewall iptables to block and unblock IP addresses. Unfortunately, you can use Fail2Ban only if you have root access and permission to install packages on a Linux server.

Limit access to the login page

In this method, only certain IPs are allowed to access the WP login page, and all other IP addresses are blocked. This page explains the Access Control mechanism on the Apache webserver and has an example of the same. If you’re using the Nginx web server, you can use the allow directive to let the IP address or addresses of your choice access the login page. Similarly, if you don’t want certain IPs to access the wp-login.php page, you can use the deny directive to block them.

Nginx has explained these two directives here on their site. As in the above method, you must have access to the webserver configuration files to implement this method of securing the WP login page. You must also have permission to edit the configuration files.
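
A sketch of the allow/deny approach described above for Nginx, added here as an example and not taken from the original article or from the Nginx site. The IP addresses are documentation-range placeholders, and the PHP-FPM socket path is an assumption; copy the handler lines from your existing PHP location.

```nginx
# These blocks go inside the existing server { } block of the WordPress site.

# Exact-match location: it takes precedence over the regex PHP location
# further down, so it has to pass the request to PHP itself. Without the
# fastcgi lines, allowed visitors would be served the raw PHP source
# instead of the login form.
location = /wp-login.php {
    # Rules are checked in order and the first match wins.
    allow 203.0.113.10;       # placeholder: a single admin address
    allow 198.51.100.0/24;    # placeholder: an office range
    deny  all;                # everyone else receives 403 Forbidden

    include       fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass  unix:/run/php/php-fpm.sock;   # assumed socket path
}

# Regular WordPress routing, unchanged.
location / {
    try_files $uri $uri/ /index.php?$args;
}

# Generic PHP handler for every other script.
location ~ \.php$ {
    include       fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass  unix:/run/php/php-fpm.sock;   # assumed socket path
}
```

Check the syntax with `nginx -t` before reloading. If the site sits behind a reverse proxy or CDN, Nginx sees the proxy's address rather than the visitor's, so the allow rules only work once the real client IP is restored, for example with the realip module.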


Pramod is the founder of wptls. He has been using WordPress for more than nine years. He builds web applications, and writes about his experiences with various WP products on this site.
