Login Security

The options on this page will help you secure your WordPress wp-admin panel from various types of attacks.

Login Access

By default your WordPress login page can be accessed by anyone. You can use this functionality to allow access to the wp-admin only from your IP. If you are using a dynamic IP, then you can whitelist the range of possible IPs your ISP may assign to you to avoid any problems accessing the WordPress admin panel.

Two-factor Authentication for Admin & Editor Users

Two-step verification is one of the easiest and most secure ways to protect your data against hacking and identity theft. It works by combining something that only you know (username & password) with something only you have access to (your smartphone).

When you enable it, in addition to your regular username and password, you will start using a second password generated by an application on your smartphone. Therefore, even if one of the two factors is compromised, your data is still secure.

When you enable this option, all admin & editor users will be asked to configure their two-factor authentication on their next login.

Scan the QR code on the page with Google Authenticator on your phone and input the six-digit code in order to log in.

Disable the “admin” Username

“admin” is the most commonly used administrator username, and hackers fairly often combine it with a randomly guessed password to brute-force the WordPress admin panel. This option is enabled by default and it disables the creation of new users with the username “admin”. If there’s an existing user called “admin”, you will be asked to provide a new username.

Limit Login Attempts

Sets a limit to the number of times a given user can attempt to log in to your wp-admin with incorrect credentials. Once the login attempt limit is reached, the IP from which the attempts originated will be blocked for 1 hour. If the attempts continue after the first hour, the block will then be set for 24 hours, and after that for 7 days.
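
The escalating block described above can be modelled as follows. This is an added illustration, not the plugin's own code. The attempt limit of 3, the handling of successful logins, and keeping the block at 7 days for any further repeats are assumptions; the page states only the 1 hour, 24 hour and 7 day durations.

```python
from dataclasses import dataclass

HOUR = 3600
# Block durations stated on the page: 1 hour, then 24 hours, then 7 days.
BLOCK_STEPS = (HOUR, 24 * HOUR, 7 * 24 * HOUR)


@dataclass
class IpState:
    failures: int = 0        # failed logins since the last block or success
    level: int = 0           # index of the next block duration to apply
    blocked_until: int = 0   # timestamp (seconds) at which the block ends


class LoginLimiter:
    """Model of an escalating per-IP lockout (illustration only)."""

    def __init__(self, max_attempts=3):  # assumed limit; the page gives no number
        self.max_attempts = max_attempts
        self.ips = {}

    def is_blocked(self, ip, now):
        state = self.ips.get(ip)
        return state is not None and now < state.blocked_until

    def record_failure(self, ip, now):
        """Register a failed login; return seconds until the IP may retry (0 if not blocked)."""
        state = self.ips.setdefault(ip, IpState())
        if now < state.blocked_until:
            return state.blocked_until - now   # still blocked: rejected, not counted
        state.failures += 1
        if state.failures < self.max_attempts:
            return 0
        # Limit reached: apply the next step, staying at 7 days once the list is exhausted.
        duration = BLOCK_STEPS[min(state.level, len(BLOCK_STEPS) - 1)]
        state.blocked_until = now + duration
        state.level += 1
        state.failures = 0
        return duration

    def record_success(self, ip):
        # Assumption: a successful login clears the failure count but keeps the
        # escalation level, so one valid login does not undo earlier blocks.
        state = self.ips.get(ip)
        if state:
            state.failures = 0
```
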

