Securing your WordPress Administrator Login

Security is a vital component for all websites, big or small. If you own a website and put it online, you can’t do away with website security.

Website security is any activity that ensures website data is safe from exploitation. Such data includes usernames, passwords, and emails.

In an attack, this valuable data is at risk because hackers steal it for malicious purposes. As a result, your site loses its reputation, which affects its ranking on Google. Nowadays, Google blocklists such websites as malicious and unsafe for users.

The good news is we have a solution.

These are the steps to follow to secure your WordPress Administrator Login:

1. Secure Username and Password

The first step is to secure your username and password. Passwords are vital in protecting your WordPress website from hackers. Nevertheless, not all passwords are secure.

Do’s & Dont’s to secure your login

A strong and secure password has these qualities:

  • Eight characters or longer
  • Has no common terms or slogans
  • Contains a combination of symbols, numbers, capital letters, and small letters.
  • No obvious substitutions such as @ for a, 3 for e, and $ for s.
  • Avoids dictionary terms, since password crackers use dictionaries to crack passwords.
  • Finally, don’t use your name, phone number, or address as a password.

A good username should have the following:

  • Never use your email as a username. This is because it exposes you to hackers and crackers on the internet. 
  • Your username should be non-identifiable but also not too hard to remember.
  • Never use your social security number, birthday, or full name as your username.
  • Finally, your username shouldn’t relate to your password.
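
The password and username rules above can be checked mechanically. The following is an added example, not code from WordPress or any plugin named in this article; the word list is a constructed sample, `personal_terms` is a hypothetical parameter for the username and personal details, and the "combination" rule is read here as requiring all four character classes.

```python
import re

# Constructed sample list; a real check would load a full dictionary and a
# list of known-compromised passwords.
COMMON_TERMS = ("password", "welcome", "admin", "wordpress", "letmein", "qwerty")

# The "obvious substitutions" named in the list above: @ for a, 3 for e, $ for s.
UNDO_SUBSTITUTIONS = str.maketrans({"@": "a", "3": "e", "$": "s"})

# Assumption: the "combination" rule is read as requiring all four classes.
CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password(password, personal_terms=()):
    """Return the list of rules the password breaks (empty list = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not all(re.search(c, password) for c in CHAR_CLASSES):
        problems.append("missing a character class")

    lowered = password.lower()
    # Reverse the substitutions so "P@$$word" is compared as "password".
    undone = lowered.translate(UNDO_SUBSTITUTIONS)
    for term in COMMON_TERMS:
        if term in lowered:
            problems.append(f"contains common term '{term}'")
        elif term in undone:
            problems.append(f"hides '{term}' behind obvious substitutions")

    # personal_terms (hypothetical input): username, name, phone number, address.
    if any(t and (t.lower() in lowered or t.lower() in undone)
           for t in personal_terms):
        problems.append("contains a personal detail or the username")
    return problems


if __name__ == "__main__":
    for candidate in ("P@$$word1", "W3lcome!", "rV7#tq!Lm2zK"):
        print(candidate, "->", check_password(candidate) or "ok")
```

A password such as `P@$$word1` satisfies the length and character-class rules and is still rejected, which is why the substitution rule is listed separately.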

2. Monitor Nulled Passwords 

Another way of securing your WordPress Administrator login is by monitoring nulled passwords. 

A nulled-password list is a list of compromised passwords. You will want to confirm your password is not on it.

You can do this with Firefox Monitor. With this tool, you can find compromised information about yourself. Basically, it’s what hackers know about you.

Google also has a “check passwords” feature. It is handy for checking whether passwords you saved in your Google account have been compromised.

Google Password Checker

3. Google reCAPTCHA on the Login

reCAPTCHA can also secure the WordPress login process. It is a free service from Google that will protect your site from spam.

This Google service provides a test on the login page that can differentiate between humans and robots. As a result, user data security is improved.

Here is what Google reCAPTCHA can do for you:

  • Increases security by reducing spam.
  • Blocks automated logins and digital data entry
  • It differentiates humans from computers and blocks these bots.

4. Two-Factor Authentication

You may use other complementary methods to block spam and hackers at login. For example, at M R K WP, we use Lockout jail in WP Defender and two-factor authentication, which Google Authenticator provides.

WP Defender

This is a WordPress Plugin that will secure your WordPress Administrator login. It is an all-in-one WordPress security tool on the WPMU Dev platform.

WP Defender plugin protection

The Defender plugin is designed to tackle several malicious threats to your site effectively.

  • It stops brute force attacks, SQL injections, and cross-site scripting (XSS).
  • In addition, it scans your entire website to track down malware and viruses.
  • Its firewall can block malicious IP addresses attempting to log in. Above all, it implements 2-factor authentication on your WordPress website.
  • Defender also sends you email notifications when you have a lockout.

WP Defender has a Lockout jail feature that puts IP addresses in jail. This happens when an IP address has made many failed login attempts. Above all, this feature gives you control over different attacks targeting your website. You can set how many attempts a user should make to trigger the lockout feature.
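
The lockout logic described above, failed logins counted per IP address against a configurable threshold, can be reproduced against a web server access log to see which addresses would be jailed. This is an added example, not WP Defender's code; the log lines are constructed, and it assumes a failed WordPress login answers the POST with status 200 while a successful one redirects with 302.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format; only POSTs to the login page are of interest.
LOGIN_POST = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /wp-login\.php[^"]*" (\d{3}) ')


def find_lockouts(lines, max_attempts=5, window=timedelta(minutes=5)):
    """Return {ip: time at which it reached max_attempts failures in window}."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    jailed = {}
    for line in lines:
        m = LOGIN_POST.match(line)
        if not m or m.group(3) != "200":   # assumption: 200 = failed login
            continue
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        failures = recent[ip]
        failures.append(ts)
        while ts - failures[0] > window:   # drop failures outside the window
            failures.popleft()
        if len(failures) >= max_attempts and ip not in jailed:
            jailed[ip] = ts
    return jailed


def make_line(ip, clock, status):
    """Build one constructed log line (documentation-range IPs only)."""
    return (f'{ip} - - [12/Mar/2024:{clock} +0000] '
            f'"POST /wp-login.php HTTP/1.1" {status} 1234')


# Constructed sample: a burst, a typo followed by success, a slow trickle.
SAMPLE = [make_line("203.0.113.7", f"10:00:{s:02d}", 200) for s in range(0, 60, 10)]
SAMPLE += [make_line("198.51.100.4", "10:01:00", 200),
           make_line("198.51.100.4", "10:01:20", 200),
           make_line("198.51.100.4", "10:01:45", 302)]
SAMPLE += [make_line("192.0.2.9", f"{h:02d}:30:00", 200) for h in range(11, 16)]

if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE).items():
        print(f"{ip} would be locked out at {when:%H:%M:%S}")
```

The slow trickle from `192.0.2.9` never crosses the threshold inside one window, which is the trade-off to weigh when choosing the attempt count and window length.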

WP Defender lockout notification

Google Authenticator

Google Authenticator is a mobile application incorporated with a 2-Step Verification feature, also known as two-factor authentication. This process prompts users to provide two different authentication factors to verify their identity at login.

Google Authenticator smartphone app
  • You need to download the application from the Google Play Store, set it up, and you are good to go.
  • After you provide a valid password, the login prompts for a verification code generated by the Google Authenticator app; entering it grants you access. You cannot log in to your WP Admin account without going through this authentication process.

Two-factor authentication limits hackers from bypassing security to access a user’s account by adding another layer of protection to the login process. This makes it harder for hackers to access a user’s details or online accounts, even in cases where a password has been compromised.

5. Block Spambots with Advanced Networking or Cloudflare

Spambots are small applications that scan the internet, collecting sensitive information. Such information may include passwords, usernames, and emails. 

The most common ones are those that collect emails to build an email list for spamming. Spambots additionally consume server resources. Therefore, as part of the process of securing WordPress, you need to block out all these bots.

These are the tools you can use to block spambots and secure your WordPress Administrator Login:

  • WP Advanced Networking
  • Use WP Engine – Global Edge Security

WP Engine GES Firewall

WP Engine Advanced Networking

  • It gives users secure and fast access to WordPress sites.
  • This tool also removes spambots attempting to log into your website.
  • The good news is that it is free for WP Engine customers.

WP Engine – GES

  • Global Edge Security is WP Engine’s high-performance security solution.
  • It comes with a Web Application Firewall capable of keeping your website secure.
  • Additionally, it blocks threats and malicious bots while mitigating DDoS.

At M R K WP, we use Defender from WPMU as our primary tool for security, combined with WP Engine and GES add-on. 

If I am hosting with SpinupWP or a direct VPS service, I will add a rule to my login using Cloudflare to block unwanted login attempts.

Updating your website whenever a new update is released is crucial for your site’s health. Therefore, keeping WordPress up to date using a secure service provider is essential.

WordPress is one of the best CMS, making it a target for hackers. Your site is even more vulnerable to attacks if you keep running old versions of WordPress.

The CMS always has something to offer in its new releases. These updates address pressing issues, including bug fixes and viruses.

Therefore, always install the latest updates to take advantage of new security features.

Server Providers

Last but not least, ensure that you keep WordPress on a secure server provider like WP Engine, Kinsta, or Strattic.

WP Engine

WP Engine: This WordPress CMS platform offers secure, fast, and managed WordPress hosting. WP Engine offers excellent uptime and a great customer support team. You get automatic, encrypted backups of your site every night. WP Engine offers a better and faster connection for your site. In addition, it ensures that your site is up and running at all times.

Spinup WP - Hosting control panel.

SpinupWP: This tool is used for making your own server setups for WordPress. It has become a go-to tool for any complex WordPress sites that need a little more grunt to perform. Every site has an aggressive nginx page cache with object cache built in. I combine this with Cloudflare and WP Rocket for fast, secure and reliable WordPress sites.


Strattic: This is one of the highest levels of security performance for your site. With its services, you don’t need to install lots of plugins. Speed optimization is an inbuilt feature. In addition, it has a mechanism that converts WordPress websites to static and headless architecture. Doing this improves your website’s speed, performance, and security.

After you’ve secured your admin login, you should also make sure to have these general checks done to ensure overall WordPress security.

If you want to know my setup for Defender, you can view this tutorial where I share how to set up the free version of WP Defender on your WordPress website.

Frequently Asked Questions

How do I secure my WordPress site?

There are some measures you can implement to secure your site:

Have a good hosting provider. We recommend WP Engine.
Secure your login with multilayer security. We use Google Authenticator for verification on login using 2-Factor authentication. Consider an IP block if you are using Cloudflare DNS.
Your Admin password should be strong. We use Zoho Vault, a password generator and manager. Think 20 characters or more for your password. Don’t reuse the same password on multiple sites.
Strengthen your site’s security with a security plugin. WP Defender is our preferred WordPress security plugin.
Avoid using nulled themes or plugins. These are themes/plugins lacking protection credentials and authorship. They can be easily used to hack your site.
Always update your website. Website updates often fix bugs and other issues on your site. If you need help with that, get a care plan for your WordPress site.

How do I secure my WordPress site without installing any plugins?

You can use a strong password and a secure username. Additionally, remove plugins and themes that you don’t need. Finally, update WordPress, plugins, and themes.
(PS: This is not a foolproof strategy against malicious attacks to your site)

Why does Chrome say my WordPress site is not secure?

This always happens if your WordPress site lacks an SSL certificate. So, install an SSL certificate on your WordPress site before anything else. Also, installing a WordPress security plugin like Simple SSL can solve the issue.

What is the best WordPress security plugin?

WordPress has many security plugins. But we recommend WP Defender, WP Engine-GES, and Cloudflare DNS.

How can I know if my WordPress website is hacked?

Some common symptoms to alert you of a hack on your site include:

– Unexpected drop in traffic
– Problematic Homepage
– You cannot access or log into your site
– Suspicious files and scripts on your website, that may look like WordPress files
– Server log entries that are unknown to you.

What can I do if someone hacks into my WordPress site?

When you notice someone hacked into your WordPress site, do this:

– Reset your password to lock out the hacker.
– Back up your site, because the host may take measures, which may include deleting your site, to avoid their network being infected.
– Update your plugins and themes.
– Check and remove any compromised files by running a security audit. WP Defender is a recommended option here.
– Clean out your database and notify WordPress support about the issue.

How do I add Google CAPTCHA to WordPress?

To add Google CAPTCHA to your WordPress site, go to your plugins, add new, and search for Google CAPTCHA. Once you have activated the plugin, Google CAPTCHA is now available.

Does WP Engine come with SSL for my WordPress site?

Yes, WP Engine includes an SSL certificate for your site. This will help search engines recognize your site as secure for users.

How do I block bad bots on my WordPress site?

You will have to incorporate some security measures to block bots on your WordPress site. At M R K WP, we use Google CAPTCHA, WP Defender, Google Authenticator, and Two-Factor Authentication.

How many times should I update my WordPress?

We recommend updating your WordPress every time a new version is available. This is because WordPress comes with new security measures in each version released.

Final Thoughts

These are some of the solutions you can put in place to improve the security of your WordPress site.  

Keeping all this in mind will help you run a healthy and secure website. Besides, your logins are safe from hackers, contributing to your website ranking.

I hope this article has helped you understand how to secure your WordPress login. Share these essential tips with someone who may need them.

If you do consider opting for WP Engine as your hosting platform, we have a partnership with them. Take advantage of the discounted offer by going to our partner page.

Get 3 months free with WP Engine