Security Tips · 6 min read

WordPress Login Page Security: Hardening Your First Line of Defense

April 3, 2025·WO Security Shield Team
Tags: wordpress, login security, hardening, brute force

The WordPress login page at /wp-login.php and /wp-admin/ is the first thing attackers hit. Automated bots cycle through millions of credential combinations every day. A standard WordPress install gives them everything they need — a predictable URL, user enumeration via the REST API, and no rate limiting by default.

Here's how to lock it down.

1. Change the login URL

Moving /wp-login.php to a custom path is one of the simplest and most effective changes you can make. It won't stop a determined attacker who scans your site, but it eliminates the vast majority of automated bots that only probe the default path.

WO Security Shield lets you set a custom login URL in one click under Hardening → Login Path. The default path is immediately blocked with a 404.

2. Limit login attempts

WordPress doesn't limit failed login attempts out of the box. A bot can try 10,000 passwords and WordPress won't slow it down. For an in-depth look at how these attacks work, see our guide on stopping brute force attacks.

Enable login throttling:

  • 5 failed attempts → 15-minute lockout
  • 10 failed attempts → 24-hour lockout
  • Log every lockout with IP address
// The logic WO Security Shield uses internally (simplified): $failed_attempts is the
// failure counter kept for this client and $ip_hash a hash of its IP address, so the
// option table never stores raw addresses.
if ( $failed_attempts >= 5 ) {
    // Store the lockout for 15 minutes; the transient expires on its own.
    set_transient( 'wss_lockout_' . $ip_hash, time(), 15 * MINUTE_IN_SECONDS );
    wp_die( 'Too many failed attempts. Try again later.' );
}
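The snippet above shows only the first tier. The following is an added example, not WO Security Shield's code, that implements the whole policy from the list (5 failures gives a 15-minute lockout, 10 failures a 24-hour lockout, every lockout logged with the IP) in Python with an injectable clock so the escalation can be exercised without waiting. The 24-hour window after which old failures are forgotten and the hashed-IP key are assumptions, not values from the post.

```python
import hashlib
import time
from dataclasses import dataclass, field
from typing import Callable

# Policy stated in the post: 5 failures -> 15-minute lockout, 10 failures -> 24-hour lockout.
# Tiers are listed strictest-first so the highest matching tier wins.
LOCKOUT_TIERS = [(10, 24 * 60 * 60), (5, 15 * 60)]
FAILURE_WINDOW = 24 * 60 * 60   # assumption: failures older than a day no longer count


def ip_key(ip: str) -> str:
    """Key the counters by a hash of the IP so the store never holds raw addresses."""
    return hashlib.sha256(ip.encode()).hexdigest()[:16]


@dataclass
class LoginThrottle:
    clock: Callable[[], float] = time.time          # injectable so the policy can be tested
    failures: dict = field(default_factory=dict)     # key -> timestamps of recent failures
    lockouts: dict = field(default_factory=dict)     # key -> lockout expiry (epoch seconds)
    lockout_log: list = field(default_factory=list)  # one entry per lockout, with the IP

    def is_locked(self, ip: str) -> bool:
        key = ip_key(ip)
        expiry = self.lockouts.get(key)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self.lockouts[key]   # expired, like a transient timing out
            return False
        return True

    def record_failure(self, ip: str) -> int:
        """Count one failure and return the lockout length applied in seconds (0 if none)."""
        now = self.clock()
        key = ip_key(ip)
        recent = [t for t in self.failures.get(key, []) if now - t < FAILURE_WINDOW]
        recent.append(now)
        self.failures[key] = recent
        for threshold, seconds in LOCKOUT_TIERS:
            if len(recent) >= threshold:
                self.lockouts[key] = now + seconds
                self.lockout_log.append(
                    {"time": now, "ip": ip, "failures": len(recent), "seconds": seconds}
                )
                return seconds
        return 0

    def attempt(self, ip: str, credentials_valid: bool) -> str:
        """Gate one login attempt: 'locked', 'ok', 'failed' or 'locked:<seconds>'."""
        if self.is_locked(ip):
            return "locked"          # refused before the password is even checked
        if credentials_valid:
            self.failures.pop(ip_key(ip), None)   # a successful login resets the counter
            return "ok"
        seconds = self.record_failure(ip)
        return f"locked:{seconds}" if seconds else "failed"


if __name__ == "__main__":
    throttle = LoginThrottle()
    for _ in range(5):
        print(throttle.attempt("198.51.100.23", False))   # 4 x "failed", then "locked:900"
```

Checking the lockout before verifying credentials matters: during a lockout even a correct password is refused, so an attacker who guesses right on the sixth try learns nothing until the window expires.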

3. Block user enumeration

By default, visiting /?author=1 on any WordPress site reveals the username of the first registered user. Attackers use this to harvest all usernames before running a credential attack.

Block it:

// Add to functions.php or a security plugin. Priority 1 runs this before
// WordPress's own canonical redirect (hooked on template_redirect at priority 10),
// which would otherwise send /?author=1 to /author/<username>/ and leak the
// name in the Location header before this check ever ran.
add_action( 'template_redirect', function() {
    if ( is_author() && ! is_admin() ) {
        wp_redirect( home_url(), 301 );
        exit;
    }
}, 1 );

WO Security Shield blocks author enumeration and also masks usernames in the REST API (/wp-json/wp/v2/users).

4. Enable two-factor authentication

Even if an attacker gets hold of a valid password (via phishing, data breach, or brute force), 2FA stops them cold. Require it for all admin-level accounts at minimum.

See our full guide: Setting Up Two-Factor Authentication on WordPress with WO Security Shield

5. Disable XML-RPC if you don't need it

XML-RPC is a legacy WordPress API that supports multicall attacks — a single request can attempt hundreds of username/password combinations at once, bypassing standard rate limiting.

Unless you're using Jetpack or a mobile app that requires XML-RPC, disable it entirely. See our XML-RPC attack guide for details.

6. Add HTTP security headers to the login page

X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'

These headers prevent your login page from being embedded in an iframe (clickjacking) and restrict where scripts and other resources on it may load from, so a script injected from a third-party origin is blocked. Test the policy before enforcing it: default-src 'self' also blocks inline scripts and styles, which the login page and many plugins use, so start with Content-Security-Policy-Report-Only and watch the browser console for violations.

7. Use a strong, unique password and never reuse it

Password managers like 1Password, Bitwarden, or Dashlane make this trivial. A 20-character random password is uncrackable with current technology regardless of how many attempts are made.


The login page is low-hanging fruit for attackers. Hardening it takes less than 30 minutes and eliminates the most common attack vectors against your WordPress site. For a broader view, see our full WordPress security checklist. WO Security Shield handles most of these settings automatically.

Advanced Login Security Techniques

Beyond the basics of strong passwords and 2FA, here are advanced techniques that significantly reduce your login page attack surface.

Custom Login URL: Why It Works

Moving your login page from /wp-login.php to a custom URL like /my-secure-portal isn't "security through obscurity" — it's a practical traffic filter.

The reality:

  • 95%+ of brute force attacks are automated bots targeting /wp-login.php specifically
  • These bots don't crawl your site first — they spray the default URL
  • A custom login URL returns 404 to these bots, and they move on

Setup in WO Security Shield: Go to Login Security → Custom login path → enter your preferred slug (e.g., secure-login).

Important: Bookmark your new login URL. The old /wp-login.php will return a 404 for everyone, including you.

IP-Based Login Restrictions

If your team always logs in from the same office or VPN:

# In .htaccess: restrict wp-login.php to specific IPs (Apache 2.4 syntax).
# Several Require directives at the same level are combined as "any", so the
# office range and the single address are both allowed; everyone else gets 403.
<Files wp-login.php>
  Require ip 203.0.113.0/24
  Require ip 198.51.100.50
</Files>

Caveat: This only works if your team has static IPs. For remote teams with dynamic IPs, use a VPN with a fixed exit IP instead. It also assumes Apache sees the real client address: behind a CDN or reverse proxy every request arrives from the proxy's IP, so configure mod_remoteip (or your proxy's equivalent) first, or the rule will either lock everyone out or allow everyone through.

Login Attempt Analysis

WO Security Shield's activity log tracks every login attempt with:

  • Timestamp — when the attempt occurred
  • IP address — where it came from
  • Username tried — reveals which accounts attackers are targeting
  • Success/failure — distinguish legitimate users from attackers
  • Country — geographic origin of the attempt

This data helps you:

  1. Identify which usernames are being targeted (and whether they actually exist)
  2. Spot patterns — are attacks coming from a specific IP range?
  3. Detect compromised accounts — a successful login from an unusual country/IP is a red flag

Login Cookie Security

WordPress login cookies (wordpress_logged_in_*) can be stolen through XSS attacks or network sniffing. Protect them:

// In wp-config.php: serve wp-admin and wp-login.php over HTTPS only. This also makes
// WordPress set its own auth cookies (wordpress_logged_in_*, wordpress_sec_*) with the
// Secure flag; core already marks them HttpOnly.
define('FORCE_SSL_ADMIN', true);

// These php.ini flags apply to PHP's native session cookie (PHPSESSID), which core
// WordPress does not use; they only matter if a plugin starts a PHP session.
// session.cookie_samesite needs PHP 7.3 or later.
@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.cookie_samesite', 'Strict');

Failed Login Response Timing

A subtle but important detail: WordPress responds differently to "invalid username" vs "wrong password for valid username" — and the response time differs slightly. Attackers can use this timing difference to enumerate valid usernames.

WO Security Shield normalises login error messages and response times to prevent this information leak.
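What "normalising error messages and response times" means in code, as an added example that is not WO Security Shield's implementation: the check below does the same hashing work whether or not the username exists (a dummy record stands in for unknown users), compares hashes in constant time, returns one generic message for every failure, and pads the response to a fixed floor. The PBKDF2 user store, the 0.25-second floor and the injectable clock/sleep are assumptions made so the example runs stand-alone; WordPress uses its own password hashing.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000


def make_record(password: str):
    """Constructed user record: (salt, PBKDF2-SHA256 hash). Stand-in for WordPress's hasher."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store for the example.
USERS = {"editor": make_record("correct horse battery staple")}
# A dummy record so an unknown username costs exactly the same hashing work as a known one.
DUMMY_RECORD = make_record("unused-dummy-password")
# One message for every failure: it never says whether the username or the password was wrong.
GENERIC_ERROR = "The username or password you entered is incorrect."
RESPONSE_FLOOR = 0.25   # seconds; assumption: every check takes at least this long


def check_login(username, password, users=USERS, floor=RESPONSE_FLOOR,
                clock=time.monotonic, sleep=time.sleep):
    """Return (ok, message); same message and at least `floor` seconds whatever the reason."""
    start = clock()
    record = users.get(username)
    salt, stored = record if record is not None else DUMMY_RECORD
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # compare_digest is evaluated first and always, so the comparison never short-circuits;
    # the trailing check keeps an unknown user failing even if they matched the dummy hash.
    ok = hmac.compare_digest(candidate, stored) and record is not None
    elapsed = clock() - start
    if elapsed < floor:
        sleep(floor - elapsed)   # pad fast paths up to the floor
    return ok, (None if ok else GENERIC_ERROR)


if __name__ == "__main__":
    print(check_login("editor", "correct horse battery staple"))   # (True, None)
    print(check_login("nobody", "anything"))                        # (False, GENERIC_ERROR)
```

The floor hides small differences (database lookup versus no lookup); it does not hide work that takes longer than the floor, so pick a floor above the slowest legitimate path on your server.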

Monitoring Login Activity

What normal login activity looks like

  • 1-5 legitimate logins per day (your team)
  • Occasional failed attempts (typos)
  • Consistent IP addresses and countries

What an attack looks like

  • Hundreds of failed attempts per hour
  • Multiple usernames tried in sequence
  • IPs from countries where you have no users
  • Attempts at unusual hours (3am in your timezone)
  • XML-RPC multicall requests (brute force amplification)
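The two lists under Login Attempt Analysis and Monitoring Login Activity describe what to look for in the activity log; the following added example (not WO Security Shield's analysis code) turns those patterns into detection logic and runs it over a constructed sample log in a simple "timestamp ip username OK|FAIL country" format. It flags bursts of failures from one IP within an hour, one IP cycling through many usernames (and how many of them do not exist), a successful login from a country where you have no users, and a success during off hours. The thresholds, the known-country set and the UTC office hours are assumptions; tune them to your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# One constructed log line: "<ISO-8601 UTC timestamp> <ip> <username> <OK|FAIL> <country>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL) ([A-Z]{2})$")

# Baseline assumptions for this site: a team in Germany, working UTC office hours.
KNOWN_COUNTRIES = {"DE"}
OFF_HOURS = range(0, 6)            # 00:00-05:59 UTC is "3am" territory here
BURST_THRESHOLD = 50               # failures from one IP inside BURST_WINDOW
BURST_WINDOW = timedelta(hours=1)
SPRAY_THRESHOLD = 5                # distinct usernames tried by one IP


def constructed_sample_log() -> str:
    """Build a sample log: normal team activity, one spraying bot, one suspicious success."""
    lines = [
        "2025-04-03T09:02:11Z 203.0.113.10 editor OK DE",
        "2025-04-03T09:40:55Z 203.0.113.10 editor FAIL DE",   # a typo ...
        "2025-04-03T09:41:07Z 203.0.113.10 editor OK DE",     # ... then success
    ]
    bot_start = datetime(2025, 4, 3, 3, 10, tzinfo=timezone.utc)
    names = ["admin", "administrator", "test", "wpadmin", "editor", "root"]
    for i in range(120):   # 120 failures in 20 minutes, cycling through a username list
        ts = (bot_start + timedelta(seconds=10 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} 198.51.100.23 {names[i % len(names)]} FAIL RU")
    # A success at 3am from a country with no users: the red flag from the post.
    lines.append("2025-04-03T03:31:00Z 198.51.100.77 editor OK RU")
    return "\n".join(lines)


def parse(log_text: str) -> list:
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue   # skip blank or malformed lines
        ts, ip, user, result, country = m.groups()
        events.append({
            "t": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ip, "user": user, "ok": result == "OK", "country": country,
        })
    return sorted(events, key=lambda e: e["t"])


def analyse(events: list, valid_users: set) -> list:
    """Return (kind, ip, detail) findings for the attack patterns listed in the post."""
    findings = []
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        fails = [e["t"] for e in evs if not e["ok"]]        # already time-sorted
        peak, start = 0, 0                                   # sliding one-hour window
        for end in range(len(fails)):
            while fails[end] - fails[start] > BURST_WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= BURST_THRESHOLD:
            findings.append(("burst", ip, f"{peak} failures within one hour"))
        tried = {e["user"] for e in evs if not e["ok"]}
        if len(tried) >= SPRAY_THRESHOLD:
            missing = sorted(tried - valid_users)
            findings.append(("spray", ip, f"{len(tried)} usernames, {len(missing)} non-existent: {missing}"))
    for e in events:
        if e["ok"] and e["country"] not in KNOWN_COUNTRIES:
            findings.append(("new_country_success", e["ip"], f"{e['user']} from {e['country']}"))
        if e["ok"] and e["t"].hour in OFF_HOURS:
            findings.append(("off_hours_success", e["ip"], e["t"].isoformat()))
    return findings


if __name__ == "__main__":
    for finding in analyse(parse(constructed_sample_log()), {"editor", "admin"}):
        print(*finding)
```

The "non-existent" count in the spray finding is the check from item 1 of the list: a bot guessing admin, test and root tells you which names attackers expect, and a real username in that list tells you which account to watch.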

Setting up login alerts

Configure WO Security Shield to email you when:

  • A new admin user is created
  • A login succeeds from a new country/IP
  • Failed login attempts exceed your threshold
  • An account gets locked out

These alerts give you real-time awareness of who's trying to access your site — and whether they're succeeding.

The Login Security Stack

For maximum protection, layer these defenses:

  1. Strong, unique password — baseline requirement
  2. Two-factor authentication — blocks credential-based attacks
  3. Custom login URL — eliminates automated bot traffic
  4. Rate limiting — stops brute force attempts
  5. IP logging and alerting — awareness of attack patterns
  6. Cookie security — prevents session theft
  7. Error message hardening — prevents username enumeration

Each layer catches attacks that slip through the previous one. Together, they make your login page virtually impenetrable to automated attacks.
