WordPress security is a popular topic for a good reason. Consider: In January 2017 alone, WordFence reported an average of 26 million brute force attacks against WordPress websites per day. In the same report they recorded more complex, targeted attacks at an average of 4.7 million per day for the same time frame. That’s a lot of people (and bots) up to no good. The security of your WordPress website is a big deal, and a good place to start securing it is at the login screen. We’re about to take a look at 6 plugins that will up your WordPress login security. Join us for a few minutes and see what’s out there!
6 Plugins to Boost Your WordPress Login Security
We’ll start with a caveat: None of these plugins alone are meant as a replacement for a comprehensive WordPress security plugin. If you’re using a big dog plugin like WordFence, Sucuri, or Shield, they may offer the same features as many of the following plugins. Look at the plugins on this list as a way to augment your existing WordPress login security if your comprehensive security plugin doesn’t already address it. Here’s a review of 7 of the most effective comprehensive security plugins if you don’t have one already. Now let’s get to it.
Two-Factor Authentication is a great tool for WordPress login security, and perhaps the king of this list. To put it another way, if you’re excited by what you see in Clef you can probably just stop here and call it a day. Clef disables the traditional password login and replaces it with a 2-factor system for logging in. You’ll need to satisfy both identification factors/checkpoints before gaining access to your website. That might sound like a hassle, but it isn’t.
It isn’t, because the checkpoints you have to pass are simple but unique to you: your phone, and a fingerprint (or pin). How the heck does that work? Click through above and check them out. It’s very cool, and more importantly very secure. Even if someone nefarious steals your phone, without the second identification factor they aren’t accessing anything. Traditional attacks against your website also go nowhere because there’s not even a password login feature for them to attempt to exploit anymore.
Don’t care for Two-Factor Authentication and want to stick with a traditional WordPress login? Then beef up your login screen security. Brute Force Attacks, the primary type of attack made against WordPress sites, works by trying hundreds of thousands or millions of random letter/number/symbol combinations until it hits on the one that lets them in to your site. The easiest way to stop brute force attacks dead in their tracks? Freeze an IP address out after it’s made a certain number of attempts.
WP Limit Login Attempts does just what the name implies. It caps the number of login attempts from any one IP address to a configurable number set by you. The one downside to this is that as technology marches on, would-be hackers are developing ways to conduct brute force attacks from multiple IPs. Still, that’s currently an outlier scenario and login limits are going to prevent the vast majority of brute force attacks. Just be aware that its days as an effective defense are numbered unless they adapt their defensive strategy.
Cerber Security also limits login security, but they offer some related features in their plugin that makes them a more holistic choice the other login limiters. Like WP Limit Login Attempts, they cap the number of login attempts from a given IP. Cerber takes this a step farther by letting you monitor and log login attempts and related metadata, and blacklist abusive IPs and subnets. They also offer spam protection and the ability to disable/block access to feeds. There are other features that are tangentially related to login security, and some that are more security blankets than anything, like hiding your login screen (more on this below).
All in all, Cerber is a great plugin. It offers a bit more in-depth level of WordPress login security than a cut-and-dried login limiter without expanding to the level (and file size) of an all-in-one security solution.
WP Security Question gives you an extra layer of security by requiring an answer to a question(s) before granting access to the site. This works on registration, login, and forgot password screens, so it’s potentially useful in a number of areas on your site. This makes it a great plugin to use in conjunction with a login limiter.
Each user sets their own answer on their profile page to the questions you supply. Administrator level users can modify these answers from the admin if a user forgets their answers. There is both a free and a pro version of the plugin as well. The paid version just adds more versatility to the process in general. Specifically, it lets you define how the question is presented, attempts each user gets to answer correctly, randomly cycle questions, and other similar features.
Apocalypse Meow easily takes the prize for most awesome name on the list, and it just so happens to be a clever little plugin for protecting your WordPress login security to boot. It does a number of different things to improve security, some unique and some duplicated by other plugins on this list.
It is itself a login limiter. Set a login limit, and after that number of tries the sign-in form will simply be disabled for that user. It keeps a record of login attempts, and you can even set it up to send you an email when there’s a login from a new location. Perhaps my favorite feature unique to Apocalypse Meow is that it lets you specify password standards. That means you can disallow low security passwords like qwerty123, password, etc. Check them out for a full list of features, it’s a neat little plugin!
WPS Hide Login ‘hides’ the login page of your website by allowing you to change the URL for that page. It effectively renders the wp-admin directory and wp-login.php page inaccessible. The rationale behind this measure is that many brute force attacks simply skim the web for the standard login page URL until they find one to attack. Because these attacks are commonly carried out by mindless bots, changing the login page can avoid some of these attacks.
Here’s the thing though; this step is often put forward as a general WordPress security measure, but it’s really only effective against bots. It’s not even completely effective against bots though, and next to useless against an actual attentive human that knows what they’re doing. It’s a relatively simple matter to identify the login page even after it’s been changed, and for a motivated attacker it’s just a speed bump. Speed bumps can deter attackers skimming only for the lowest hanging fruit, so there’s value to be had in plugins like these. Just be sure they’re not your only line of defense.
Do you have a favorite WordPress login security plugin that you’d recommend? Have neat ideas for login security that aren’t covered here? Leave a comment below and let us know about them. Thanks for reading!