This section provides information on how to avoid WordPress login attacks.
wp-login.php is the primary WordPress login endpoint, and like the XML-RPC endpoint (xmlrpc.php) it is routinely hit by bots running brute-force and credential-stuffing attacks.
There are a few recommended actions you can take to protect yourself against login abuse.
We strongly recommend that you change your admin account name. Many attacks assume the default name,
Create a new user with administrator rights.
Log in with the new username, and then delete the
Use a plugin like WPS Hide Login to change the login path from
wp-login.php to any path you choose, such as
Redirect all traffic from
wp-login.php to the homepage or to another page like a
WordPress suggests password complexity guidelines when you create a user and password, but it does not enforce password rules.
Install a plugin like Better Passwords.
Set a minimum password length in the plugin and alert users if they try to use a password that has been collected in a known data breach.
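The breach check described above works the same way in Better Passwords and other plugins: the password is hashed with SHA-1, only the first five hex characters of the hash are sent to the Pwned Passwords range API, and the rest of the hash is compared locally against the returned list, so the service never learns the full hash. The following Python block is an added illustration of that k-anonymity check plus a minimum-length rule; it is not code from the page or from the plugin. The range response, the breach counts and the 12-character minimum are constructed assumptions so the block runs offline.

```python
"""Password policy check: minimum length plus a Pwned Passwords k-anonymity lookup.

Added example, not code from the page or from the Better Passwords plugin.
The HTTPS call is replaced by a constructed stand-in response so it runs
offline; in production you would GET
https://api.pwnedpasswords.com/range/<PREFIX> (with the Add-Padding: true
header) and pass the body to count_in_range_response().
"""
import hashlib

MIN_PASSWORD_LENGTH = 12  # assumption: the minimum the site chooses to enforce


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 of the password into the 5-character
    prefix that is sent to the API and the 35-character suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_body: str) -> int:
    """Return how many times the local suffix appears in a range response.

    The body is one 'SUFFIX:COUNT' entry per line; padded responses contain
    entries with count 0, which must be treated as 'not breached'."""
    for line in response_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the API body for prefix 5BAA6 (SHA-1 of "password").
# Real responses hold hundreds of lines; the counts here are invented.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "2B0C6FF2F1A8D0B3E3AF75F5CAF9F6E3B0A:0",  # padding entry, count 0
    ]),
}


def fetch_range(prefix: str) -> str:
    """Offline stand-in for the HTTPS GET; unknown prefixes get an empty body."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    prefix, suffix = sha1_prefix_suffix(password)
    seen = count_in_range_response(suffix, fetch_range(prefix))
    if seen > 0:
        problems.append(f"appears in known breaches ({seen} times)")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "a-long-unique-passphrase-2024"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Note that the suffix never leaves the server and the full password is never sent anywhere; rejecting a breached password even when it satisfies the length rule is the point, because credential-stuffing bots try exactly those passwords first.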
Unless your site genuinely needs self-service registration, disable it: otherwise attackers (and stray visitors) can create accounts through the login page, and even a low-privilege account gives an attacker a foothold for privilege-escalation bugs in plugins.
Navigate to your WordPress admin page.
Select Settings > General and uncheck Anyone can register on the Membership line.
Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) add a layer of protection beyond a username and password, so a stolen or guessed password alone is not enough to log in. Multi-factor is the general term for requiring two or more independent factors (something you know, such as a password; something you have, such as an authenticator app or hardware key; something you are, such as a fingerprint); 2FA is the common case of exactly two. Prefer an authenticator app or a hardware key over SMS or email codes, which are easier to intercept or redirect.
Use one of the many Two-Factor Authentication plugins to protect logins to your WordPress site.
Use your IdP's SSO as the login authority for your WordPress site.
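What a 2FA plugin actually verifies when you enter a code from an authenticator app is a time-based one-time password (TOTP, RFC 6238): both sides derive a 6-digit code from a shared secret and the current 30-second time step. The Python block below is an added illustration of that check, not code from the page or from any WordPress plugin. It shows the two details that matter in practice: accepting the neighbouring time steps so clock drift does not lock users out, and refusing to accept a code for a step that has already been used, so a phished or shoulder-surfed code cannot be replayed. The secret is the RFC 6238 test secret, used here as a constructed example; the stored "last accepted step" would live in per-user metadata in a real plugin.

```python
"""TOTP (RFC 6238) generation and verification with a drift window and replay check.

Added example, not code from the page or from any WordPress 2FA plugin.
The secret is the RFC 6238 test vector secret, used as constructed input.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30  # seconds per code, the value authenticator apps use by default
DIGITS = 6

# RFC 6238 test secret "12345678901234567890", as the base32 string an
# authenticator app would be given in the enrollment QR code.
RFC_SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(encoded: str) -> bytes:
    """Decode an authenticator-app secret (base32, case-insensitive, padding optional)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = DIGITS, step: int = TIME_STEP) -> str:
    """TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, at_time // step, digits)


class TotpVerifier:
    """Verifies codes within +/- `window` steps and rejects replays.

    A code is accepted only for a step newer than the last accepted one, so the
    same code cannot be used twice and an older code cannot follow a newer one."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_accepted_step = -1  # assumption: kept in per-user storage in a real deployment

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current_step = now // TIME_STEP
        for offset in range(-self.window, self.window + 1):
            candidate_step = current_step + offset
            if candidate_step <= self.last_accepted_step:
                continue  # already used, or older than a code already accepted
            expected = hotp(self.secret, candidate_step)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_step = candidate_step
                return True
        return False


if __name__ == "__main__":
    secret = secret_from_base32(RFC_SECRET_BASE32)
    verifier = TotpVerifier(secret)
    code = totp(secret, 59)
    print("first use:", verifier.verify(code, now=59))   # accepted
    print("replay:   ", verifier.verify(code, now=75))   # rejected
```

The window is the usual trade-off between usability and exposure: one step either side means a code stays valid for up to 90 seconds, which is why the replay check matters. SMS and email codes skip this mechanism entirely and rely on the delivery channel, which is the reason they are the weaker choice.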