Learn how to strengthen the security of your login pages in WordPress.

Login pages are some of the most attacked parts of WordPress. Attackers will obviously try to gain access, so these pages need proper protection. This tutorial shows you how to strengthen the security of your WordPress login pages using several plugins.

1. XO Security

XO Security is a plugin to enhance login related security.

This plugin does not write to the .htaccess file. Besides Apache, it also works with LiteSpeed, Nginx and IIS.

Here is what XO Security offers to help secure your WordPress site:

  • Record login log.
  • Limit login attempts.
  • Login Alert.
  • Add Captcha to the login form and comment form.
  • Change the URL of the login page.
  • Disable login by mail address.
  • Disable login by user name.
  • Change login error message.
  • Disable XML-RPC and XML-RPC Pingback.
  • Disable REST API.
  • Change REST API URL prefix.
  • Disable author archive page.
  • Remove comment author class of comments list.
  • WooCommerce login page protection.
  • Anti-spam comment.
  • Hide WordPress version information.
  • Edit the author slug.
  • Disable RSS and Atom feeds.

Step 1: Install it

Install this plugin by navigating to Plugins -> Add New within your Admin dashboard, searching for 'XO Security', then clicking Install and activating it.
Alternatively you can head over here, download the plugin and then upload and extract it to your WordPress plugins folder.

Step 2: Use it

Use the plugin as shown in the screenshots below:

[Screenshots: xo-security tutorial screenshots 1-3]

Reference

Read more here.



2. WP Hide & Security Enhancer

Hide WordPress, wp-content, wp-includes, wp-admin, login URL, plugins, themes etc. Block the default URLs. Security Headers etc.

WP-Hide will help you hide core files, the login page, and theme and plugin paths from being shown on the front end. This is a huge improvement to site security, since no one will know whether or not you are running WordPress. It also provides a simple way to clean up HTML by removing all WordPress fingerprints.

No file or directory changes!
No file or directory will be changed anywhere. Everything is processed virtually. The plugin code uses URL rewrite techniques and WordPress filters to apply all internal functionality and features. Everything is done automatically, with no user intervention required.

Real hide of WordPress core files and plugins
The plugin not only allows you to change the default URLs of your WordPress site, but also hides and blocks those defaults. Other similar plugins just change the slugs while the defaults remain accessible, obviously revealing WordPress as the CMS.

You can change the default WordPress login URL from wp-admin and wp-login.php to something totally arbitrary. No one will ever know where to try to guess a login and hack into your site. It becomes totally invisible.

As the best and most widely used content management system, WordPress is susceptible to a large range of hacking attacks, including brute-force, SQL injection, XSS, XSRF etc. Although the WordPress core is very secure code maintained by a team of professional enthusiasts, additional plugins and themes make it a vulnerable spot for every website. In many cases, those are created by pseudo-developers who do not follow the best coding practices or simply do not have the experience to create a secure plugin.
Statistics reveal that new vulnerabilities are discovered every day, many affecting hundreds of thousands of WordPress websites.
Over 99.9% of hacked WordPress websites are targets of automated malware scripts, which search for certain WordPress fingerprints. This plugin hides or replaces those traces, making the hacking bot attacks useless.

It works well with custom WordPress directory structures, e.g. custom plugins, themes, and upload folders.

Main plugin functionality:

  • Customizes Admin URL
  • Blocks default admin URL
  • Blocks any direct folder access to completely hide the structure
  • Customize wp-login.php filename
  • Blocks default wp-login.php
  • Blocks default wp-signup.php
  • Blocks XML-RPC API
  • Creates New XML-RPC paths
  • Adjusts theme URL
  • Creates New child Theme URL
  • Changes theme style file name
  • Cleans any headers for theme style file
  • Customizes wp-includes
  • Blocks default wp-includes paths
  • Blocks default wp-content
  • Customizes plugins URL
  • Changes Individual plugin URL
  • Blocks default plugins paths
  • Creates New upload URL
  • Blocks default upload URL
  • Removes WordPress version
  • Blocks Meta Generator
  • Disables the emoji and required JavaScript code
  • Removes pingback tag
  • Removes wlwmanifest Meta
  • Removes rsd_link Meta
  • Removes wpemoji
  • Minifies HTML, CSS, JavaScript
  • Security Headers
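
To check which of the fingerprints listed above a rendered page still exposes after the plugin is configured, the following added example (not code from WP Hide or from the original tutorial) scans HTML for the meta generator tag, the pingback, rsd_link and wlwmanifest links, the emoji script and the default paths. Both sample pages are constructed, and the `scan` helper and label strings are names chosen for this example.

```python
from html.parser import HTMLParser

# Default WordPress paths that show up in src/href attributes.
DEFAULT_PATHS = ("/wp-content/", "/wp-includes/", "/wp-admin/",
                 "wp-login.php", "xmlrpc.php")
# <link rel="..."> values that a default WordPress <head> emits.
LINK_RELS = {"pingback": "pingback tag", "edituri": "rsd_link meta",
             "wlwmanifest": "wlwmanifest meta"}

class FingerprintScanner(HTMLParser):
    """Collects WordPress fingerprints found in a page's markup."""
    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if (tag == "meta" and a.get("name", "").lower() == "generator"
                and "wordpress" in a.get("content", "").lower()):
            self.findings.add("meta generator")
        if tag == "link":
            for rel in a.get("rel", "").lower().split():
                if rel in LINK_RELS:
                    self.findings.add(LINK_RELS[rel])
        for url in (a.get("src", ""), a.get("href", "")):
            for path in DEFAULT_PATHS:
                if path in url:
                    self.findings.add("default path " + path)

    def handle_data(self, data):
        # The emoji loader is an inline script that sets this global.
        if "_wpemojiSettings" in data:
            self.findings.add("wpemoji script")

def scan(html):
    """Return the sorted list of fingerprints still visible in `html`."""
    scanner = FingerprintScanner()
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.findings)

# Constructed samples: a default-looking head and a cleaned-up one.
DEFAULT_PAGE = (
    '<meta name="generator" content="WordPress 6.0" />'
    '<link rel="pingback" href="https://example.test/xmlrpc.php" />'
    '<link rel="EditURI" href="https://example.test/xmlrpc.php?rsd" />'
    '<link rel="stylesheet" href="/wp-content/themes/demo/style.css" />'
    '<script>window._wpemojiSettings = {};</script>')
HIDDEN_PAGE = ('<link rel="stylesheet" href="/assets/skin/main.css" />'
               '<a href="/about/">About</a>')

if __name__ == "__main__":
    print(scan(DEFAULT_PAGE), scan(HIDDEN_PAGE))
```
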

Step 1: Install it

Install this plugin by navigating to Plugins -> Add New within your Admin dashboard, searching for 'WP Hide & Security Enhancer', then clicking Install and activating it.
Alternatively you can head over here, download the plugin and then upload and extract it to your WordPress plugins folder.

Step 2: Use it

Use the plugin as shown in the screenshots below:

[Screenshots: wp-hide-security-enhancer tutorial screenshots 1-3]

Reference

Read more here.



3. Loginizer

Loginizer is a WordPress security plugin which helps you fight against brute-force attacks.

Loginizer helps you fight against brute-force attacks by blocking login for an IP after it reaches the maximum number of retries allowed. You can blacklist or whitelist IPs for login using Loginizer. You can use various other features like Two Factor Auth, reCAPTCHA, PasswordLess Login, etc. to improve the security of your website.

Loginizer is actively used by more than 1,000,000 WordPress websites.

Here are its free features:

  • Brute force protection. IPs trying to brute force your website will be blocked for 15 minutes after 3 failed login attempts. After multiple lockouts the IP is blocked for 24 hours. This is the default configuration and can be changed from the Loginizer -> Brute Force page in the WordPress admin panel.
  • Failed login attempts logs.
  • Blacklist IPs
  • Whitelist IPs
  • Custom error messages on failed login.
  • Permission check for important files and folders.
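
To see what the default brute force settings described above mean in practice, the following added example (not Loginizer's own code) models the policy and counts how many failed logins from one IP are actually evaluated rather than rejected while blocked. The page only says "multiple lockouts", so the threshold of 5 and the reset of the lockout counter after a 24-hour block are assumptions, and the event stream is constructed.

```python
from dataclasses import dataclass

MAX_RETRIES = 3                # from the page: 3 failed login attempts
LOCKOUT_SECS = 15 * 60         # from the page: blocked for 15 minutes
EXTENDED_SECS = 24 * 3600      # from the page: blocked for 24 hours
LOCKOUTS_BEFORE_EXTENDED = 5   # assumption: page says "multiple lockouts"

@dataclass
class IpState:
    failures: int = 0
    lockouts: int = 0
    blocked_until: float = 0.0

class LockoutPolicy:
    """Per-IP lockout state machine for failed logins."""
    def __init__(self):
        self.state = {}

    def failed_login(self, ip, now):
        """Record a failed login at `now` (seconds) and return the outcome."""
        s = self.state.setdefault(ip, IpState())
        if now < s.blocked_until:
            return "rejected"          # still blocked: attempt not evaluated
        s.failures += 1
        if s.failures < MAX_RETRIES:
            return "counted"
        s.failures = 0
        s.lockouts += 1
        if s.lockouts >= LOCKOUTS_BEFORE_EXTENDED:
            s.lockouts = 0             # assumption: counter resets afterwards
            s.blocked_until = now + EXTENDED_SECS
            return "locked-24h"
        s.blocked_until = now + LOCKOUT_SECS
        return "locked-15m"

def guesses_evaluated(events):
    """Count, per IP, the failed logins that were not rejected outright."""
    policy, evaluated = LockoutPolicy(), {}
    for now, ip in events:
        if policy.failed_login(ip, now) != "rejected":
            evaluated[ip] = evaluated.get(ip, 0) + 1
    return evaluated

# Constructed events: one IP failing every 10 s for 48 h, another failing twice.
SAMPLE = sorted([(t, "203.0.113.7") for t in range(0, 48 * 3600, 10)]
                + [(5, "198.51.100.2"), (65, "198.51.100.2")])

if __name__ == "__main__":
    print(len(SAMPLE), "attempts ->", guesses_evaluated(SAMPLE))
```

Under these assumptions, 30 of the 17,280 attempts from the first address are evaluated in 48 hours. The counters are per IP, so the budget applies to each source address separately.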

Step 1: Install it

Install this plugin by navigating to Plugins -> Add New within your Admin dashboard, searching for 'Loginizer', then clicking Install and activating it.
Alternatively you can head over here, download the plugin and then upload and extract it to your WordPress plugins folder.

Step 2: Use it

Use the plugin as shown in the screenshots below:

[Screenshots: loginizer tutorial screenshots 1-3]

Reference

Read more here.


