  1. #1
    PaulEchere is online now Private Member
    Join Date
    June 2020
    Posts
    565
    Thanks
    67
    Thanked 177 Times in 136 Posts

    Default How do you keep your WP website safe?

    I have just received a PW reset request email from one of my websites. Now the main thing I'm concerned about is how my username became known, because it isn't the generic "admin", it's pretty random tbh.

    Now I'm wondering whether I should take some additional measures like hiding the login page (I know I should have done that a long time ago), something else?

  2. The Following User Says Thank You to PaulEchere For This Useful Post:

    Geou1991 (26 January 2024)

  3. #2
    dannyx is offline Public Member
    Join Date
    November 2019
    Posts
    658
    Thanks
    129
    Thanked 168 Times in 135 Posts

    Default

    Hiding the login page on large sites can be problematic, sometimes various errors come out when doing so. However, it is obviously worth doing.

    There are also other options. You can, for example, set Google Captcha at login. Or IP blockade after several unsuccessful attempts and monitor login attempts whether your login is actually used by bots and humans or not. There are some less and more radical options. Do you use any security plugins?

  4. #3
    PaulEchere is online now Private Member
    Join Date
    June 2020
    Posts
    565
    Thanks
    67
    Thanked 177 Times in 136 Posts

    Default

    I do actually use Google captcha on one of my websites (not the one I referred to above). And no, I don't have any security plugins, do you have any you can recommend?

  5. #4
    dannyx is offline Public Member
    Join Date
    November 2019
    Posts
    658
    Thanks
    129
    Thanked 168 Times in 135 Posts

    Default

    I personally use Wordfence.
    There you can see the login attempts and the logins that are used for that. 90% of the attempts are for admin login and domain name.
    It also has a lot of cool features, real-time blocking, you can block entire countries, etc. Besides, it's a popular plugin so rules and threats are updated quite often.

    I personally opted for Wordfence because I previously needed 2-3 security plugins, as one had one function and the other had another. Wordfence has it all in one place.

    I don't know if I remember correctly, but Wordfence probably has the most downloads in its category, or high.

    However, there are other good plugins, and surely someone else will comment on other solutions.

  6. The Following 2 Users Say Thank You to dannyx For This Useful Post:

    CPReport (1 February 2024), NoDepositCasinos (16 February 2024)

  7. #5
    Strider1973 is offline Private Member
    Join Date
    November 2012
    Posts
    416
    Thanks
    298
    Thanked 259 Times in 176 Posts

    Default

    Maybe they did a password reset with your email? Maybe by using [email protected]?

    You can use a simple plugin like "WPS Hide Login" to use another login URL.
    "Semper paratus!"
    My BTC Address: 1F11EJvSAab5vMQgGWGQMASr9T7LCkZjvb

  8. #6
    PaulEchere is online now Private Member
    Join Date
    June 2020
    Posts
    565
    Thanks
    67
    Thanked 177 Times in 136 Posts

    Default

    Thanks for the recommendations, I will check those out.

    They did request a PW reset, but all that comes to my personal email address, which is likely very difficult to get into without having access to my phone.

  9. #7
    edgarf76 is offline Private Member
    Join Date
    March 2013
    Location
    Montreal
    Posts
    2,175
    Thanks
    798
    Thanked 580 Times in 427 Posts

  10. #8
    chaumi is offline Private Member
    Join Date
    October 2013
    Location
    East Midlands
    Posts
    1,508
    Thanks
    505
    Thanked 784 Times in 573 Posts

    Default

    This one does the trick for me, never yet had a problem and it doesn't appear to slow down the site at all...

    https://wordpress.org/plugins/all-in...-and-firewall/

  11. #9
    universal4's Avatar
    universal4 is online now Forum Administrator
    Join Date
    July 2003
    Location
    Courage is being scared to death...and saddling up anyway. John Wayne
    Posts
    31,789
    Thanks
    3,643
    Thanked 8,676 Times in 5,532 Posts

    Default

    Hiding the login page is often referred to as "security by obscurity". While not 100% effective, it will slow down a lot of script kiddies who spend their day scanning for default wp-login pages.

    Some of the better security plugins may also prevent username discovery.

    My preference to security plugins is WP Cerber.

    Rick
    Universal4

  12. #10
    baldidiot is offline Private Member
    Join Date
    January 2010
    Posts
    4,977
    Thanks
    427
    Thanked 2,271 Times in 1,510 Posts

    Default

    Quote Originally Posted by universal4:
    Hiding the login page is often referred to as "security by obscurity".
    You beat me to it... It's basically the equivalent of hiding the front door.

    The problem is that some people think that is sufficient, but it isn't. Even if it's hidden you still need to secure the door properly. Plus that won't stop them getting in through a window (if you want to continue the analogy).

    I would suggest:

    1. Cloudflare
    2. Wordfence - set strict brute force protection, both on failed logins (eg: set to block at 3 attempts) and an immediate lock out on incorrect usernames
    3. 2 Factor

    Also don't use the same email everywhere. If you're using the same email that you use to message people as the email on your wordpress account, they don't even need to know the username, they can just use the email.
    onlinegamblingwebsites.com - Formerly known as goodbonusguide.

    Gambling Domains: Small clear out of some of the domains we've been hoarding on Dan - see the list here. Prices negotiable, and willing to swap for decent links.

  13. The Following User Says Thank You to baldidiot For This Useful Post:

    NoDepositCasinos (16 February 2024)
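    Two of the points above are easy to check in code rather than only through a plugin's settings screen: universal4's remark that good plugins "prevent username discovery", and baldidiot's advice to lock out a source after about 3 failed logins. The must-use plugin below is an added example written for this thread; it is not code from Wordfence, WP Cerber or any other plugin named here. It uses only core WordPress hooks (template_redirect, rest_endpoints, login_errors, wp_login_failed, authenticate, xmlrpc_enabled); the `leh_` function names and the two threshold constants are assumptions of the example.

```php
<?php
/**
 * Plugin Name: Login exposure hardening (added example for this thread)
 *
 * Save as wp-content/mu-plugins/login-exposure-hardening.php; must-use
 * plugins load on every request without activation. It closes the two
 * usual username-discovery channels and adds a per-IP lockout after a
 * small number of failed logins.
 */

// Hypothetical tunables for this example (not WordPress constants).
define('LEH_MAX_FAILURES', 3);                       // baldidiot's "block at 3 attempts"
define('LEH_LOCKOUT_WINDOW', 15 * MINUTE_IN_SECONDS); // how long failures are remembered

// Source address used for the failure counter. Behind Cloudflare (post #10
// recommends it) REMOTE_ADDR is Cloudflare's edge, so the header Cloudflare
// sets is preferred. Only trust that header if the origin is reachable
// solely through Cloudflare; otherwise anyone can spoof it.
function leh_client_ip(): string {
    if (! empty($_SERVER['HTTP_CF_CONNECTING_IP'])) {
        return $_SERVER['HTTP_CF_CONNECTING_IP'];
    }
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function leh_failure_key(): string {
    return 'leh_fail_' . md5(leh_client_ip());
}

// 1. Username discovery via author archives: /?author=1 normally 301-redirects
//    to /author/<login>/, revealing the login name of user ID 1. Sending author
//    requests home instead also disables author archive pages, so skip this
//    hook if your theme relies on them.
add_action('template_redirect', function () {
    if (is_author()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}, 1);

// 2. Username discovery via the REST API: /wp-json/wp/v2/users lists users
//    (including their slugs) to anonymous callers. Drop the routes unless
//    the caller is logged in; the editor and other logged-in tooling keep them.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (! is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

// 3. Default login errors distinguish "unknown username" from "wrong
//    password", which confirms valid usernames one guess at a time.
add_filter('login_errors', function () {
    return 'Login failed.';
});

// 4. XML-RPC offers a second password-guessing channel that bypasses the
//    login form entirely; disable it unless a client (e.g. a mobile app)
//    genuinely needs it.
add_filter('xmlrpc_enabled', '__return_false');

// 5. Brute-force lockout. wp_login_failed fires for wrong passwords and for
//    nonexistent usernames alike, so unknown-username attempts count too.
add_action('wp_login_failed', function () {
    $key   = leh_failure_key();
    $fails = (int) get_transient($key) + 1;
    set_transient($key, $fails, LEH_LOCKOUT_WINDOW);
});

// Priority 30 runs after the core username/password check (priority 20),
// so a correct password from a locked-out address is still refused.
add_filter('authenticate', function ($user) {
    if ((int) get_transient(leh_failure_key()) >= LEH_MAX_FAILURES) {
        return new WP_Error(
            'leh_locked_out',
            'Too many failed attempts from your address. Try again later.'
        );
    }
    return $user;
}, 30, 1);
```

    The counter is keyed by source address, which is exactly the trade-off baldidiot's later post is about: an office or a mobile carrier behind one NAT address shares a single counter, so a tight threshold and a long window can lock out legitimate users. Universal4's test applies unchanged here: log in wrongly a few times over a VPN and confirm the generic "Login failed." message, then the lockout, appear as expected, and that the count resets after the window.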

  14. #11
    newcustomeroffer is offline Public Member
    Join Date
    January 2018
    Location
    United Kingdom
    Posts
    921
    Thanks
    140
    Thanked 406 Times in 313 Posts

    Default

    Defender Pro is a nice WP plugin which allows you to create your own login URL, plus you can monitor and ban IPs that are acting suspiciously.
    For the latest bookmaker new customer offers visit https://www.newcustomeroffer.co.uk/

  15. #12
    NoDepositCasinos is offline Public Member
    Join Date
    November 2022
    Location
    Colombia
    Posts
    582
    Thanks
    105
    Thanked 186 Times in 158 Posts

    Default

    Is there such a thing as too much security? Besides the possibility of slowing down the pages, are there any disadvantages to consider?

    I use Wordfence, and as I write this, I'm implementing one of the tips shared in this thread. I haven't had any issues so far, but I aim to maintain reasonable security measures on my websites.

  16. #13
    universal4 is online now Forum Administrator
    Join Date
    July 2003
    Location
    Courage is being scared to death...and saddling up anyway. John Wayne
    Posts
    31,789
    Thanks
    3,643
    Thanked 8,676 Times in 5,532 Posts

    Default

    Quote Originally Posted by NoDepositCasinos:
    Is there such a thing as too much security? Besides the possibility of slowing down the pages, are there any disadvantages to consider?
    Good question; however, as you design and/or implement security changes, ask yourself a few questions.

    Is there any reason anyone on the planet other than you and/or developers or writers needs to know the URL of the admin login? If you allow a lot of guest content from unverified sources, that changes the answer.

    And if you do block the login page, is there any reason not to block the IP of those who attempt to find it or attempt to hit the default wp-login?

    IMO, the answer to both of those is to go ahead and block.

    Since you chose wordfence, you should be fine in most cases. And you can test to make sure it is doing what you want by hitting your site using a vpn to see if it locks you out or reacts the way you want it to.

    Rick
    Universal4

  17. The Following User Says Thank You to universal4 For This Useful Post:

    NoDepositCasinos (18 February 2024)

  18. #14
    bon is offline Private Member
    Join Date
    June 2023
    Location
    Georgia
    Posts
    12
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    For our sites, we usually limit the number of attempts to log in, make regular backups, and use security plugins (approximately the same ones we wrote about above). We are also now thinking about SSL/TLS Encryption.

    I've already had cases when attackers steal the site, and I'm sure it's better to prevent hacking.

  19. #15
    DaftDog is offline Private Member
    Join Date
    October 2008
    Location
    Your kitchen.
    Posts
    2,068
    Thanks
    651
    Thanked 741 Times in 441 Posts

    Default

    I found this forum thread about WordPress security plugins quite interesting: https://www.webhostingtalk.com/showthread.php?t=1875698

  20. #16
    NoDepositCasinos is offline Public Member
    Join Date
    November 2022
    Location
    Colombia
    Posts
    582
    Thanks
    105
    Thanked 186 Times in 158 Posts

    Default

    Quote Originally Posted by universal4:
    Good question; however, as you design and/or implement security changes, ask yourself a few questions.

    Is there any reason anyone on the planet other than you and/or developers or writers needs to know the URL of the admin login? If you allow a lot of guest content from unverified sources, that changes the answer.

    And if you do block the login page, is there any reason not to block the IP of those who attempt to find it or attempt to hit the default wp-login?

    IMO, the answer to both of those is to go ahead and block.

    Since you chose wordfence, you should be fine in most cases. And you can test to make sure it is doing what you want by hitting your site using a vpn to see if it locks you out or reacts the way you want it to.

    Rick
    Universal4
    Thank you for the tips. I was worried about missing something.

    I just took the test you recommended and everything seems to work properly.

  21. #17
    lapa221Q is offline Public Member
    Join Date
    May 2023
    Posts
    33
    Thanks
    0
    Thanked 4 Times in 3 Posts

    Default

    Keep your themes and plugins updated, use strong and unique passwords, limit login attempts, use a security plugin like iThemes Security, enable two-factor authentication, and regularly back up your site.

  22. #18
    baldidiot is offline Private Member
    Join Date
    January 2010
    Posts
    4,977
    Thanks
    427
    Thanked 2,271 Times in 1,510 Posts

    Default

    Quote Originally Posted by NoDepositCasinos:
    Is there such a thing as too much security? Besides the possibility of slowing down the pages, are there any disadvantages to consider?
    In theory if your security is too strict you could block legitimate users, so in theory yes there is such a thing as "too much". But it depends on what you're doing to secure the site and what your users are likely to do.

    Eg: Set a flood protection to <10 / 5 minutes and you'll probably end up blocking some users.

    Perhaps "too strict" is a better term to use than "too much security" for what I'm talking about though.
    onlinegamblingwebsites.com - Formerly known as goodbonusguide.

    Gambling Domains: Small clear out of some of the domains we've been hoarding on Dan - see the list here. Prices negotiable, and willing to swap for decent links.

  23. The Following User Says Thank You to baldidiot For This Useful Post:

    universal4 (28 February 2024)
