Avoid WordPress Login Attacks
Learn how to avoid WordPress login attacks.
Discuss in our Forum Discuss in SlackThis section provides information on how to avoid WordPress login attacks.
Avoid WordPress Login Attacks
wp-login.php
is the primary WordPress login path and is subject to abuse by bots or other spammers, similar to XML-RPC.
There are a few recommended actions you can take to protect yourself against login abuse.
Change the Admin Account Name
We strongly recommend that you change your admin account name. Many attacks assume the default name, admin
.
Create a new user with administrator rights.
Log in with the new username, and then delete the
admin
user.
Change the wp-login.php Path
Use a plugin like WPS Hide Login to change the login path from
wp-login.php
to any path you choose, such as/login
or/admin
.Redirect all traffic from
wp-login.php
to the homepage or to another page like a404
.
Enforce Complex Passwords
WordPress suggests password complexity guidelines when you create a user and password, but it does not enforce password rules.
Install a plugin like Better Passwords.
Set a minimum password length in the plugin and alert users if they try to use a password that has been collected in a known data breach.
Disable "Anyone Can Register"
Some attackers or lost visitors might try to create an account via the login page. This feature should be disabled.
Navigate to you WordPress admin page.
Select the Settings tab and uncheck Anyone can register on the Membership line.
Add Multi-factor Authentication (MFA)
Two Factor Authentication (2FA) and Multi-factor Authentication (MFA) are added layers of protection to ensure the security of your accounts beyond a username and password. Multi-factor refers to the capability to have more than two factors of authentication (for example: password, SMS, and email verification).
Use one of the many Two-Factor Authentication plugins to protect logins to your WordPress site.
Use Single Sign-On (SSO)
SSO often includes or requires MFA to help secure your site. Some workspaces use an Identity Provider (IdP) for Single Sign-On, including, Google Workspace and Microsoft AzureAD.
Use your IdP's SSO as the login authority for your WordPress site.
Optional. Use plugins, such as WP SAML Auth or MiniOrange, to simplify the SSO integration with your IdP.