How to protect your WordPress Admin login

Any WordPress site’s Admin login is likely to be the first place any hacker worthy of the name will look, as it’s very easy to find. All you need to do is type in the domain name of your site followed by either /wp-admin or /wp-login.php and there it is. A cybercriminal also knows the default username given by WordPress is ‘admin’. As a result, they can start making brute force attacks on your website within seconds.

 

So, what measures can you take to make your WordPress login page more secure?

 

How to change the wp admin URL in WordPress

Changing your wp admin URL is pretty straightforward and immediately adds a layer of security, making it more difficult for anyone seeking to gain entry to your site via this route. Every hacker knows that domain.com/wp-admin is the default route to a WordPress login page but would they know that the route to YOUR website is yoursite.com/ilovemyfavouritefood or even yoursite.com/onlyiwillknowthis?

 

All of this is made possible by using a plugin called WPS Hide Login. It’s free, very easy to use and works not by rewriting any existing files but by simply intercepting a page request and rerouting to a URL location which you can choose once the plugin is installed.

 

Make a note somewhere of your new URL in the event you should ever forget it in the future. Important if you’ve chosen something quite elaborate and inventive!

 

Unfortunately this action will likely only deter the most amateur criminal from trying to sneak into your website via the backdoor. More work will be needed to make your site more secure.

 

A note for FariHost users: changing the WordPress Admin URL circumvents a lot of the 20i platform rules relating to /wp-admin and /wp-login.php, including our own brute force protection. So while it can be a good step, it should only be done alongside the other techniques mentioned in this post and not alone.

 

Change your admin username / create a new administrator profile

If every hacker knows the default username for the primary user of a WordPress website is ‘admin’, it stands to reason that one of the first things you should do is…change it.

 

This, again, is a fairly simple procedure. In the main dashboard you can create a new user, which will also allow you to generate a new (unique) username. Then you can delete the original user and, at the same time, say goodbye to ‘admin’.

 

You could use the unique email ID – which is created alongside any new profile – as your new username. This would add an extra layer of security against any brute force attacks.

 

If the user profile you’re deleting was initially assigned the role of administrator (usually the case if it was the first user generated), remember to re-assign this role to the new user you’ve created. On deletion of the old profile you should also choose ‘attribute all content to’ the new Administrator profile in order to transfer and save any historical site content.

 

If you’re using FariHost WordPress Hosting, you can create and manage users from your WordPress Tools dashboard.

 

Strong password generators

Choosing a strong password is a simple way to protect your WordPress site from a potential cyber attack. Due to the sheer number of passwords we use for different websites, it is becoming more prudent to try and steer clear of passwords littered with upper case, lower case, numbers and symbols – because they’re harder to remember. 

 

But easy-to-remember passwords are easy to guess.

 

So we’d recommend using an online tool, which will create a random password for you, such as Strong Password Generator. This site basically does all the heavy lifting by generating a secure password, based on your requirements. 20i hosting also provides a strong password generator for you to use.

 

A password manager, such as 1Password, LastPass or Dashlane will store all of your passwords for you in a secure environment, so you don’t have to remember them.
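The generators and password managers above all do the same thing under the hood: draw every character (or every word) uniformly from a large set using a cryptographic random source, so the result has enough entropy that guessing is hopeless. The following is an added example, not a tool from this post, from 20i or from Strong Password Generator, showing that mechanism with Python's `secrets` module. It also goes a little beyond the text by working out the entropy in bits for a character password and for a word-based passphrase, which is the number to compare when deciding how long a password needs to be. The 16-entry word list is constructed purely for illustration; a real passphrase list has thousands of words.

```python
import math
import secrets
import string

# Character classes the post mentions: upper case, lower case, numbers and symbols.
CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 characters

# Constructed 16-word list for the passphrase variant. A real list has thousands of
# words; this one is only large enough to show how the entropy is worked out.
WORDS = [
    "anchor", "basket", "copper", "dahlia", "ember", "falcon", "garnet", "harbor",
    "island", "juniper", "kestrel", "lantern", "meadow", "nickel", "orchid", "pebble",
]


def generate_password(length: int = 20, alphabet: str = CHARSET) -> str:
    """Return a password drawn uniformly from `alphabet` using the OS CSPRNG (secrets)."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 5, wordlist=WORDS, separator: str = "-") -> str:
    """Return `words` random words joined by `separator`: easier to remember, still random."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(alphabet_size: int, draws: int) -> float:
    """Entropy in bits of `draws` independent uniform picks from `alphabet_size` choices."""
    return draws * math.log2(alphabet_size)


def has_all_classes(password: str) -> bool:
    """True when lower case, upper case, a digit and a symbol all appear."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def strong_password(length: int = 20) -> str:
    """Regenerate until all four classes appear (a random 20-character draw almost always does)."""
    while True:
        candidate = generate_password(length)
        if has_all_classes(candidate):
            return candidate


if __name__ == "__main__":
    pw = strong_password()
    print(pw, f"{entropy_bits(len(CHARSET), len(pw)):.1f} bits")
    pp = generate_passphrase(5, WORDS)
    print(pp, f"{entropy_bits(len(WORDS), 5):.1f} bits (tiny list; a 7776-word list gives about 64.6 bits)")
```

The point of the entropy figure is that length matters more than symbol soup: a 12-character draw from all 94 printable characters is about 78.7 bits, while five words from a 7776-word list is about 64.6 bits and far easier to type. Either is well beyond what an online brute force attack can reach; a password manager removes the need to remember the result at all.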

 

Two-factor authentication

Two-factor authentication (2FA) is becoming more common across a host of websites: mainstream sites like Google, Facebook and Twitter are using it now. As the name suggests, this involves a two-step process. First, a user provides their usual login details to a website. Second, they’re asked to input a passcode. This is sent via another source: usually text, phone app or email.

 

2FA is proving to be quite an effective layer of security as it’s nigh-on impossible for crims to have access to both components required for this process. So it really is something you should look to install for your WordPress site.

 

You can implement 2FA for your FariHost account within your control panel. Instructions on how to do this can be found here: 2FA, or you can log in right away to our security details page.

 

Brute force attacks

Essentially, a brute force attack is when a criminal tries to guess what your username and password are. It’s an automated attempt to take advantage of any weak online passwords. As these attacks are automated, they can run into tens of thousands each day.

 

This is precisely why it’s essential you take appropriate steps to create a strong username and password along with implementing two factor authentication. These measures should help prevent any brute force attack on your WordPress website.

 

Limit login attempts with StackProtect

There are also special plugins and online tools available which will limit the number of incorrect login attempts made on your site. 

 

Rather than use a plugin, at 20i we use an automated security tool called StackProtect. StackProtect monitors all requests to common login pages. It blocks any criteria matching malicious activity. This powerful software has the capacity to block millions of attempts each day.
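Whether it is a limit-login plugin or a platform tool like StackProtect, the core logic of "limit incorrect login attempts" is a counter per source with a lockout. The following is an added example, not StackProtect's code or any plugin's, showing that logic in Python: it keys failures by source IP so that switching usernames does not reset the count, forgets failures outside a sliding window, refuses every attempt from a locked source (even one with the right password) until the lockout expires, and resets the counter on a clean login. The log format and the addresses it replays are constructed for the example and are not a real WordPress or 20i log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed login-audit lines (not a WordPress or 20i log format):
# <ISO-8601 timestamp> <source IP> <FAIL|OK> user=<login name attempted>
SAMPLE_LOG = """\
2024-05-01T10:00:00+00:00 203.0.113.5 FAIL user=admin
2024-05-01T10:00:05+00:00 203.0.113.5 FAIL user=admin
2024-05-01T10:00:09+00:00 198.51.100.7 FAIL user=editor
2024-05-01T10:00:10+00:00 203.0.113.5 FAIL user=admin
2024-05-01T10:00:15+00:00 203.0.113.5 FAIL user=administrator
2024-05-01T10:00:20+00:00 203.0.113.5 FAIL user=admin
2024-05-01T10:00:25+00:00 203.0.113.5 FAIL user=admin
2024-05-01T10:00:30+00:00 198.51.100.7 OK user=editor
2024-05-01T10:16:00+00:00 203.0.113.5 OK user=admin
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+)$")


class LoginLimiter:
    """Lock a source IP after `max_failures` failed logins inside `window_seconds`,
    then refuse every attempt from it for `lockout_seconds`, even a correct password."""

    def __init__(self, max_failures=5, window_seconds=600, lockout_seconds=900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> epoch second when the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]       # lock has expired
            return False
        return True

    def record(self, ip, success, now):
        """Feed one attempt; return the decision taken for it."""
        if self.is_locked(ip, now):
            return "blocked"
        if success:
            self.failures.pop(ip, None)     # a clean login resets the counter
            return "allowed"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window_seconds:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout_seconds
            self.failures.pop(ip, None)
            return "locked"
        return "failed"


def replay(log_text, **limiter_args):
    """Run the limiter over audit lines; return one (ip, user, decision) per event."""
    limiter = LoginLimiter(**limiter_args)
    decisions = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login event
        now = int(datetime.fromisoformat(m["ts"]).timestamp())
        decision = limiter.record(m["ip"], m["result"] == "OK", now)
        decisions.append((m["ip"], m["user"], decision))
    return decisions


if __name__ == "__main__":
    for ip, user, decision in replay(SAMPLE_LOG):
        print(f"{ip:14} {user:14} {decision}")
```

In the sample, 203.0.113.5 is locked on its fifth failure at 10:00:20 and its next attempt is blocked, while the single mistake from 198.51.100.7 followed by a good login is allowed; by 10:16:00 the 15-minute lock has lapsed and the correct login from 203.0.113.5 goes through. Keying on the source IP is the right default for a login page; a per-username counter on its own can be abused to lock a legitimate administrator out.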

 

Automatically log out idle users

It’s so easy for a user to become distracted when working on a website: leaving a page open whilst away from a desk, for example. This could allow an opportunist hacker the equivalent of an open goal to make changes. It poses an unexpected security risk. 

 

You’ll note that pretty much all financial websites will automatically suspend any session once activity ceases for more than a few minutes. For a WordPress website, there are a number of security plugins – specifically Inactive Logout and BulletProof Security – which are designed to give you the same functionality. 

 

Both are free and offer a range of parameters which will allow you to choose a specific timescale before logging a user out of a session, along with bespoke message settings.
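What these plugins add is a server-side check on every request: if the session has been idle longer than the configured timescale, it is ended and the user has to log in again. The example below is added here and is not code from Inactive Logout, BulletProof Security or WordPress itself; it shows the session-table logic in Python, combining the idle timeout the plugins configure with an absolute lifetime, which the financial sites mentioned above typically enforce as well, so that even an actively used session is eventually re-authenticated. Timestamps are plain epoch seconds passed in by the caller so the behaviour can be checked without waiting.

```python
import secrets


class SessionStore:
    """In-memory session table with an idle timeout (logout after inactivity) and an
    absolute lifetime (logout regardless of activity). Constructed example."""

    def __init__(self, idle_timeout=900, max_lifetime=8 * 3600):
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self.sessions = {}  # token -> {"user", "created", "last_seen"}

    def create(self, user, now):
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self.sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def touch(self, token, now):
        """Validate the session for a request at time `now` and refresh its idle clock.
        Returns None when the session is valid, otherwise the reason it was ended."""
        s = self.sessions.get(token)
        if s is None:
            return "unknown"
        if now - s["created"] > self.max_lifetime:
            del self.sessions[token]
            return "expired"  # too old, however active it has been
        if now - s["last_seen"] > self.idle_timeout:
            del self.sessions[token]
            return "idle"     # the "left the page open" case
        s["last_seen"] = now
        return None

    def seconds_until_idle_logout(self, token, now):
        """How long the user has left before the idle logout (for a warning message)."""
        s = self.sessions[token]
        return max(0, self.idle_timeout - (now - s["last_seen"]))

    def sweep(self, now):
        """Drop every stale session (run periodically); return how many were removed."""
        stale = [t for t, s in self.sessions.items()
                 if now - s["last_seen"] > self.idle_timeout
                 or now - s["created"] > self.max_lifetime]
        for t in stale:
            del self.sessions[t]
        return len(stale)


if __name__ == "__main__":
    store = SessionStore(idle_timeout=600, max_lifetime=3600)
    token = store.create("alice", 1000)
    print("active request:", store.touch(token, 1400))        # None: still valid
    print("after 700 s idle:", store.touch(token, 2100))      # "idle": logged out
```

The sweep matters as much as the per-request check: a session that is never touched again would otherwise sit in the table indefinitely, and the "bespoke message" the plugins show is just the result of `seconds_until_idle_logout` reaching zero on the client's next request.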

 

Security questions on login

For additional peace of mind you can also add one or more security questions during the wp-admin login process by installing the WP security questions plugin. 

 

Once installed, just visit your settings page and activate the plugin to configure the range of specific security questions you wish to set for users.

