Talking about WordPress login protection takes us back to the fundamentals of WordPress. The first thing you see after installing WordPress is its ‘login’ page. This page can also be reached using other suffixes, such as: wp-login.php, wp-admin, admin, login.
Although this is very convenient, people do not realize that everyone (including bad people) knows about it. This means that everyone who uses WordPress has their website exposed to attacks from automated bot scripts.
These attacks do many bad things to your website and hosting. For example, automated scripts can, if not stopped, launch multiple attacks every second. These attacks can include brute-force password attacks, XML-RPC attacks, user enumeration attacks, spam attacks and others.
So, how do you protect the login page? There are multiple ways to prevent these attacks, and the best one is to rename your login page.
By renaming the login page, you are not only protecting your website, but also saving server resources. With its server resources protected, your website is less likely to ever go offline or get hacked.
There are hundreds of plugins out there that can protect your login page, but I will name only one, which is the best at renaming your login page:
So once you have successfully logged in to your WordPress dashboard, head over to your plugins page and search for the ‘Rename wp-login.php’ plugin. Install it and activate it.
Next, go to Settings > Permalinks, scroll down to the part which says “Login url”, and change it to your liking. Check the image below for more details:
DO NOT FORGET your new login link. If you do, just go to your hosting, find your file manager, and then find the plugin folder within your WordPress installation;
usually found in
When you find the folder, just rename it. I usually add something like “.disable”.
This will deactivate the plugin and you will be able to log in to your dashboard the normal way.
Anyhow, if you are not comfortable with this method, you can add other protection plugins. The one I recommend is the WPBruiser plugin. This plugin will protect you from many other threats, including brute-force attacks and possible DDoS attacks.
I usually use both: Rename wp-login.php and WPBruiser. They work great together.
If your server runs on Apache (it probably does if you are on shared hosting), you can also easily put protection to work via a method called htpasswd. Using the WP htpasswd plugin, you will be able to protect your login in full. It means that in order to even get to entering your website's credentials, an attacker would first have to hack the htpasswd username and password. This method makes it “expensive” for attackers to even bother spending their precious resources and time on your website.
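A hand-written sketch of the htpasswd protection described above, as an added example (not from the original post and not the WP htpasswd plugin's own output). The credentials file path and user name are placeholders, and it assumes Apache 2.4 with .htaccess overrides for authentication enabled:

```apache
# .htaccess in the WordPress root directory (Apache 2.4 syntax).
# Constructed example: /home/example/.htpasswd-wp and "loginuser" are
# placeholders, not values from the original post.
#
# Create the credentials file outside the web root first, from a shell:
#   htpasswd -B -c /home/example/.htpasswd-wp loginuser
# (-c creates the file, -B stores the password as a bcrypt hash)

# Ask for HTTP Basic credentials before wp-login.php is served at all,
# so password-guessing requests are answered with 401 by Apache and
# never reach PHP or the WordPress login form.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /home/example/.htpasswd-wp
    Require valid-user
</Files>

# Never serve .htaccess / .htpasswd style files to visitors.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

Basic authentication sends the username and password with every request in a trivially decodable form, so use it only on a site served over HTTPS. The rule is scoped to wp-login.php rather than the whole wp-admin directory because front-end features call wp-admin/admin-ajax.php and would otherwise prompt ordinary visitors for the password.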
Plugins like Wordfence, iThemes Security, Shield Security, Sucuri Security, and many others like them will just slow things down for you, especially if you are on shared hosting, which is usually very well protected at the server level and protects your website much better than these plugins. This is why I recommend using simple, but brilliant, ways to protect your websites without slowing them down.