WordPress Login Security: A Complete Guide

WordPress is unquestionably one of the most popular CMS available in the market not without good reason. There have been noticeable attacks on WordPress websites over the years. Apart from the admin area, the login area is always on the list of prime targets for hackers. Through this blog, we will discuss some simple yet effective steps to ensure WordPress Login Security.

Steps to follow for WordPress Login Security

1. Limit Login Attempts

One of the best ways to secure the login page of your website is to limit the login attempts. Limiting login attempts strictly to 3-5 times will automatically block out the next login attempts for some time.

The best way to limit login attempts is with the help of a plugin. For example, Limit Login Attempts- Reloaded. WordPress allows an unlimited number of attempts, which makes it easier for a hacker to brute-force his/her way in. A security plugin can help you block an IP address from making attempts more than specified.

Some of you might prefer limiting the login attempts manually than to use a security steps – https://www.getastra.com/blog/cms/wordpress-security/wordpress-security-guide/

To manually limit login attempts, you must follow these steps carefully. Before starting the procedure, you must take a backup of your entire website in case everything goes wrong.

  • Login to your account and open the Cpanel. From there, select File Manager.
  • Locate the function.php file from your active theme folder. Now add the following codes to this folder:
Read Also :   Tips for DBMS Administrators for Foolproof Database Recovery

function check_attempted_login( $user, $username, $password ) {

    if ( get_transient( ‘attempted_login’ ) ) {

        $datas = get_transient( ‘attempted_login’ );

        if ( $datas[‘tried’] >= 3 ) {

            $until = get_option( ‘_transient_timeout_’ . ‘attempted_login’ );

            $time = time_to_go( $until );

            return new WP_Error( ‘too_many_tried’,  sprintf( __( ‘<strong>ERROR</strong>: You have reached authentication limit, you will be able to try again in %1$s.’ ) , $time ) );



    return $user;


add_filter( ‘authenticate’, ‘check_attempted_login’, 30, 3 );

function login_failed( $username ) {

    if ( get_transient( ‘attempted_login’ ) ) {

        $datas = get_transient( ‘attempted_login’ );


        if ( $datas[‘tried’] <= 3 )

            set_transient( ‘attempted_login’, $datas , 300 );

    } else {

        $datas = array(

            ‘tried’     => 1


        set_transient( ‘attempted_login’, $datas , 300 );



add_action( ‘wp_login_failed’, ‘login_failed’, 10, 1 );

function time_to_go($timestamp)


    // converting the mysql timestamp to php time

    $periods = array(








    );$lengths = array(








    $current_timestamp = time();

    $difference = abs($current_timestamp – $timestamp);

    for ($i = 0; $difference >= $lengths[$i] && $i < count($lengths) – 1; $i ++) {

        $difference /= $lengths[$i];


    $difference = round($difference);

    if (isset($difference)) {

        if ($difference != 1)

            $periods[$i] .= “s”;$output = “$difference $periods[$i]”;

            return $output;



Source: PHPPOT

2. Two-factor Authentication

Implementing two-factor authentication adds an extra layer of security to your login page. As the name suggests, it is a combination of two different authentication levels. For example, a combination of a password and a security question, a secret code, or a set of characters of your choosing.

You can use the plugin Google Authenticator that is made solely for the purpose of multi-factor authentication.

3. Remove the WP version number

Hackers generally go for the WordPress version to check for vulnerabilities. Hence, the first thing you should do to secure the login page of your website is to remove your WP version number. The number should be removed from everywhere including URLs, headers, and meta tags. Add the following codes to the function.php file.

Read Also :   Key Ways to Secure Your Backups From Ransomware

You can follow WordPress removal steps from here – https://www.getastra.com/blog/911/wordpress-hacked/

To remove the version number from the header:

Add these codes to remove the version number from the RSS feed:

To remove from styles and scripts:

4. Change your Login URL

The default login URL of a WordPress website is yourwebsitename.com/wp-admin. A hacker can directly gain access to your login page and brute-force their way in. A simple alteration to the login URL can enhance your WordPress login security. You can use the WP Hardening plugin for the same.

5. Use a rock-solid firewall

Instead of using distributed plugins to do different tasks, it is always better to use a plugin where you can get all the features combined. Astra Security has everything your website might need in one place at an affordable price. You can block all attacks with the use of the Astra firewall including brute-force attacks, SQL injection attacks, bad bot attacks, etc.


It is clear from the above blog how important it is to secure the login page of your website. We all know that 100% security is a myth, the best step you can take to secure your website is to reduce the risks to the security of your website. With the help of Astra and the above-mentioned steps, you can reduce the risks and strengthen your WordPress login security. If you have further queries related to Astra, drop by some comments and we will be happy to help.

Leave a Reply

Your email address will not be published. Required fields are marked *