If you are running WordPress, you can follow these simple steps to make your website more secure. There are many articles on this subject, and many tell you to use free or paid plugins, but I think you can take matters into your own hands and make small adjustments so your website becomes more secure.
1. Redirect with .htaccess
The original .htaccess file looks like this:
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
So, after the RewriteBase / line, add a new rule:
RewriteBase /
RewriteRule ^login$ wp-login.php
Now you can access the login page using these two URLs (/login and /wp-login.php). So we need to hide the wp-login.php links in your blog.
2. Change the links from wp-login.php to /login
In your functions.php (or in a plugin), add this filter:
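// Rewrite generated login URLs so they point at /login instead of wp-login.php.
add_filter('site_url', 'wplogin_filter', 10, 3);
function wplogin_filter( $url, $path, $orig_scheme ) {
    $old = array( "/(wp-login\.php)/" ); // pattern: the literal text "wp-login.php"
    $new = array( "login" );             // replacement; must match the .htaccess rule
    return preg_replace( $old, $new, $url, 1 ); // replace the first match only
}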
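Now, every time WordPress calls site_url("wp-login.php?action=xxx"), this filter rewrites the returned URL so that it points to /login. Only the generated links change: /wp-login.php itself still responds when requested directly, as noted in step 1.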
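A stricter variant of the filter above, as an added example that is not part of the original post: it rewrites wp-login.php only when it is the final path segment, so an occurrence inside a query string or a longer file name is left alone, and it reads the slug from one constant. LOGIN_SLUG and wplogin_path_filter are hypothetical names, and the example.com URLs are constructed samples.

```php
<?php
// Added example, not from the original post. LOGIN_SLUG and
// wplogin_path_filter() are hypothetical names chosen for illustration.
const LOGIN_SLUG = 'login'; // must match the RewriteRule pattern in .htaccess

/**
 * Rewrite only the path component "wp-login.php" to the slug, leaving any
 * occurrence inside the query string (e.g. redirect_to=...) untouched.
 */
function wplogin_path_filter($url, $path = '', $orig_scheme = null) {
    // Split off the query string / fragment so the regex never sees it.
    $cut  = strcspn($url, '?#');
    $head = substr($url, 0, $cut);
    $tail = (string) substr($url, $cut);
    // Anchor on a leading slash and the end of the path: "/wp-login.php" only.
    $head = preg_replace('#/wp-login\.php$#', '/' . LOGIN_SLUG, $head, 1);
    return $head . $tail;
}

if (function_exists('add_filter')) {
    // Inside WordPress: register on the same hook the post uses.
    add_filter('site_url', 'wplogin_path_filter', 10, 3);
} else {
    // Stand-alone run: constructed sample URLs (example.com is a placeholder).
    $samples = array(
        'https://example.com/wp-login.php',
        'https://example.com/wp-login.php?action=lostpassword',
        'https://example.com/blog/wp-login.php?redirect_to=%2Fwp-admin%2F',
        'https://example.com/wp-admin/?next=/wp-login.php',   // query only: unchanged
        'https://example.com/my-wp-login.php-notes/',         // longer name: unchanged
    );
    foreach ($samples as $u) {
        printf("%-68s -> %s\n", $u, wplogin_path_filter($u));
    }
}
```

Run outside WordPress with the PHP command line to see which sample URLs change; the last two stay as they are, whereas the unanchored pattern in the post would rewrite both.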
3. Don’t use admin as your username
This should be the easy one to set up. Visit your profile page and choose something other than admin as your username.
4. Use a strong password for the Administrator role
Assuming that you have only one user with the Administrator role, use a strong password that includes lowercase and uppercase letters, symbols like !, @, #, $, %, ^, &, ), (, -, = and numeric characters.
5. Install a plugin that will prevent brute-force logins
There are many options when it comes to choosing a brute-force protection plugin, and I think it’s only a matter of personal choice, since basically all of them do the same thing: prevent access to the login page if invalid login details have been entered more than X times. It’s up to you which one you choose.
Hi,
Would it be possible to change the login page name to something other than ‘login’ using this method? E.g. some security plugins like iThemes Security (which we use on all the sites we build) have an option to set the login page to a random set of letters like ‘fykx’, or something easy to remember but not easy to guess, like ‘login’ is.
Terry
Yes, of course you can change it to something else. Depending on which option you choose (via the .htaccess file or by adding the custom function to your theme’s functions), you can simply change “login” to whatever you want.
Hope it helps,
Kind Regards