WordPress Login Security That Actually Works

The bad news: Multiple countries are trying to hack your site.

Source: recent WordFence activity for my site

The good news: You can fix this in two easy steps.

As part of my website spin up checklist I always make sure to lockdown security right away so it’s not a concern on day one. If I don’t, a client is almost guaranteed to ask about strange activity they might see in one of their plugins tracking users (PS – not a creepy thing, it really helps developers like me solve problems that arise as it gives important log info).

Step One: Change your default WordPress login.

For many years I would ignore this step as it seemed “pointless” knowing that bots and various scripts are always being ran for all WordPress websites and that it’s simply default annoying behavior, but nothing to worry about.

And it’s true, you can technically ignore this step. But why let those bots constantly ping wp-login.php when you can quickly change that? Give your web server a rest, they are a little exhausted from worrying about random visitors.

My personal favorite is WPS Hide Login but you can choose from any of the other highly rated options.
Best bet is to make a unique login which can be a bunch of jumbled text and letters or a known word followed by a number. So you could do website.com/8d8cy0z or maybe something like website.com/companyname-login23 for example. You don’t want just text as this can be predicted by some attackers.
Document this and make sure people bookmark it.

Step Two: Disable XML-RPC.

XML-RPC is an outdated authentication method that legacy blogger tools use. It’s not needed for 99% of websites so don’t fret about breaking anything.

If you’re not a dev and want a simple solution, I suggest:

Disable-XML-RPC API plugin. Add it, enable it, boom done. It was other features you can use but the default settings work fine.

WordFence has a fantastic suite of security options in their free version. If lots of non-relevant security options overwhelm you, skip this. But there is a checkbox in Login Security and you can enable if needed.

If you’re a dev and refuse to add more plugin bloat, I suggest:

Disable via editing the .htaccess file with the following:

<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>

Ask your hosting provider to disable it. (WPEngine for example already has this done for any site created with their platform since April 2022.)

Both Steps Are Needed

As you can see, both methods are used on most sites. I have noticed this myself when I only did one of the steps listed here and ignored the other.

Setup Time: ~5 Minutes

These simple steps are worth it in my opinion to help block all those pesky bots and give reassurance to others. Small business or large enterprise, the same needs will always be there in terms of basic security.

Tagged Security, WordPress