“Alertness is the hidden discipline of familiarity,” wrote poet David Whyte.
In a similar vein, keeping your WordPress site as secure as possible means staying attentive to some of the more mundane aspects of your site.
(Hold that yawn — don’t do it!)
We’ve written before about the importance of following WP security best practices like keeping themes and plugins up to date, and choosing a stable, performance-focused WordPress hosting company like Flywheel.
But for this post, we wanted to focus on an often-overlooked defense: custom WP login pages.
We promise this topic is less yawn-inducing — and more sexy — than it appears.
What is a WordPress login page?
Every time you open the back-end of your site to edit a post or install a plugin, you go through a WordPress login page. The default UI looks like this:
It’s pretty well-known that if you want to log in to any WordPress site, you simply take the URL and put /wp-admin.php at the end. Boom, there’s the login screen!
You may have heard that brute force attacks are unfortunately common across the internet today, particularly against WP sites. These attacks rapidly cycle through login attempts to try to break into your site. If you’re using easy passwords like “password” or “123456789”, then chances are your site has been hacked or will be very shortly.
Brute force attacks seek to attack you where you’re most vulnerable. Successful attacks can result in hackers tampering with your site, stealing payment info, or in the worst case — taking full control of your site.
The site admin also receives the default login username “admin.” If you haven’t changed this username since you launched your site, pause here and go do that now. If hackers know your username, they’re even closer to making it into the back-end of your site.
In summary, leaving your login page unchanged with all these predictable, commonly-known default settings essentially gives hackers a major leg up when trying to break into your site.
Why changing your default WordPress login page can boost site security
By making a few simple changes to your login page, you can greatly reduce the likelihood that brute force attacks will be successful.
Use a strong password and change your default admin username. From there, there are a few other simple changes to help protect your login page, such as finding a tool that helps you limit your login attempts.
You should also consider changing your default URL to something unique that doesn’t use the predictable /wp-admin.php at the end. This alone will remove you from the ranks of WordPress site owners that haven’t bothered to adjust their default login URL.
This simple trick will make hackers work extra hard just to find your login screen. With the other changes mentioned, you’ll be light years ahead of the status quo. (Woo!)
How to change your default WordPress login page
While you can build your own custom WP login page in CSS, there are also no-code options for those who are less tech-inclined and more time-constrained. A great choice is LoginPress, the easy no-code WordPress login page builder.
Because it’s a WordPress plugin, you just download it, design your login page using drag-and-drop tools, select your preferred settings, and you’re good to go! For a limited time, AppSumo has a lifetime deal on LoginPress for only $39.
Not only does LoginPress allow you to customize your login page URL and limit login attempts, but you can also make your login screen look great. (And here’s the fun part!)
Security plus elegance? Yes please! Because it’s built on the Customizer API, you can live preview every change you make in real time:
If you run a membership site or manage a large team of writers, this tool lets you redesign your login page to match your brand’s exact look and feel.
Start from scratch or use one of LoginPress’s template designs to quickly implement an editable layout.
Edit the microcopy on your login page including welcome messages, error messages, and forgotten password text. Customize every element of the page — from login placement to logos to backgrounds to text fields.
Coding a login page this cohesive and visually striking would take way more time than it takes to install and configure this easy plugin. (But they also thought of you tech-savvy folks, giving you the option to edit LoginPress in CSS as well.)
While limiting login attempts, you can also track attempts by user to further prevent brute force attacks. You can choose the login attempt limit for each user and can even preset the time each user must wait between login attempts.
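How a per-user attempt limit with a preset wait can work, as an added example (this is not LoginPress's code): the class name, the limits and the wait time are assumptions chosen for illustration, and state is kept in memory only.

```python
import time

class LoginThrottle:
    """Tracks failed logins per username and enforces a wait after too many."""

    def __init__(self, default_limit=5, wait_seconds=900, per_user_limit=None):
        self.default_limit = default_limit
        self.wait_seconds = wait_seconds
        # Optional stricter (or looser) limits for individual accounts.
        self.per_user_limit = {self._norm(u): n
                               for u, n in (per_user_limit or {}).items()}
        self._failures = {}      # username -> failed attempts since last reset
        self._locked_until = {}  # username -> time at which the wait ends

    @staticmethod
    def _norm(user):
        return user.strip().lower()   # treat "Admin" and "admin" as one account

    def seconds_to_wait(self, user, now=None):
        now = time.time() if now is None else now
        return max(0.0, self._locked_until.get(self._norm(user), 0.0) - now)

    def attempt(self, user, password_ok, now=None):
        """Return True only if the account is not waiting AND the password is right."""
        now = time.time() if now is None else now
        user = self._norm(user)
        if self.seconds_to_wait(user, now) > 0:
            return False               # still waiting: reject even a correct password
        if password_ok:
            self._failures.pop(user, None)
            return True
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.per_user_limit.get(user, self.default_limit):
            self._locked_until[user] = now + self.wait_seconds
            self._failures[user] = 0   # counter restarts once the wait is over
        return False
```

Rejecting a correct password during the wait is deliberate: otherwise the limit would slow guessing without ever stopping a guess from succeeding.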
For even more security, add Google reCaptcha to your login screen.
LoginPress’s Auto Login even creates unique URLs for users to bypass the login screen entirely for direct access to their account. You get access to every auto-login URL in the plugin back-end so you can add/remove URLs as needed.
If you’re looking for a well-maintained plugin to boost WordPress login screen security and cohesiveness, this is the one for you.
And while you’re here, bookmark AppSumo’s new store of lifetime deals on powerful WordPress tools.
If you’re on the lookout for a new tool to further optimize your Flywheel-hosted site, be sure to check AppSumo’s rotating selection of exclusive WP tools including themes, plugins, and add-on packs.
Looking for more tips and tricks to keep your site secure?
There are a slew of WordPress security plugins out there, but there are actually a variety of ways to protect against security issues that don’t require a plugin (and are actually a lot better at keeping hackers out!) There’s no foolproof way to completely make your site secure, but there are some simple steps you can take to boost security and put up a good fight.
This ebook will teach you why sites get hacked in the first place and then walk you through 11 of the best security tips for WordPress. Ready? Let’s toughen up your site!