Limit login attempts
My favorite bonus recommendation for securing your WordPress login screen is to set up a login limiter. In less nerdy terms, this tool gives users a set number of attempts to log in. If a user goes over that number, they are banned from trying again for a set length of time. They may even be blocked from your site entirely if your restrictions are set to do so.
Why does this help?
The biggest culprit for hacked WordPress sites is brute force attacks — meaning a bot trying username + password combos until it breaks into your site. Even if the bot never gets access, it might still take down your site through the strain it puts on your server if your resources are limited. By setting a cutoff for how many attempts each user gets, you are protecting your site from these types of attacks.
While you might think it’s smart to set the limit to 1 attempt, keep in mind that we are all human + will occasionally type a password incorrectly or copy the wrong details from our password vault. That is why I suggest 3-4 attempts for all of my clients using this tool.
I also like to block users who fail their attempts for at least an hour + then blacklist them after 2-4 attempts. This setting really depends on how many users your site has: if it’s a membership site, you’ll want to be a tad more lenient to avoid getting tons of customer service emails. If your site only has 2-5 users, you can be more strict + keep your team informed that they need to be careful typing out their login info.
How to add this security feature
Some hosting companies set up a login limit by default, which is awesome! But if your host isn’t one of those, you can add this feature simply by adding a plugin to your WordPress site.
If you want to cover the basics, Login LockDown will do the trick. The only bummer is that this plugin hasn’t been updated in a few years. It still does exactly what it’s supposed to, but if you want something that is current, my best recommendation is Wordfence. This plugin does more than just protect your login screen, so be aware that you will need to configure more settings when you activate this option.
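If you are curious what a login limiter actually does behind the scenes, here is a small must-use plugin I wrote as an added illustration for this post. It is not code from Login LockDown, Wordfence or any hosting company. It counts failed logins per visitor IP address with WordPress transients, locks that address out for an hour once the limit is hit, and blacklists it after repeated lockouts. The attempt and lockout numbers mirror the suggestions above; the blacklist length, the IP handling and the error messages are my own assumptions.

```php
<?php
/**
 * Plugin Name: Example Login Limiter (illustration for this post, not a published plugin)
 * Description: Lock out an IP address after repeated failed logins, using WordPress transients.
 * Drop this file into wp-content/mu-plugins/ to try it on a test site.
 */

// Thresholds. The attempt/lockout counts follow the post; the durations are assumptions.
const ELL_MAX_ATTEMPTS   = 4;               // failed logins allowed before a lockout
const ELL_LOCKOUT_SECS   = HOUR_IN_SECONDS; // how long one lockout lasts
const ELL_MAX_LOCKOUTS   = 3;               // lockouts before the address is blacklisted
const ELL_BLACKLIST_SECS = WEEK_IN_SECONDS; // how long a blacklist entry lasts

// Transient key fragment for the requesting address. REMOTE_ADDR is the address PHP
// actually talked to; behind a proxy or CDN that is the proxy, so only switch to the
// proxy's forwarding header if you control that proxy (otherwise a client can pick its own key).
function ell_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return md5($ip);
}

// Runs on every login attempt. Priority 30 is after WordPress' own username/password
// check (priority 20), so a locked-out address is refused even with the right password.
function ell_block_if_locked($user, $username, $password) {
    $key = ell_client_key();
    if (get_transient('ell_blacklist_' . $key)) {
        return new WP_Error('ell_blacklisted', 'Too many failed logins. Access from this address is blocked.');
    }
    if (get_transient('ell_lockout_' . $key)) {
        return new WP_Error('ell_locked', 'Too many failed logins. Please try again in an hour.');
    }
    return $user;
}
add_filter('authenticate', 'ell_block_if_locked', 30, 3);

// Runs after a failed login: counts failures, escalates to a lockout, then to a blacklist.
function ell_record_failure($username) {
    $key = ell_client_key();
    if (get_transient('ell_lockout_' . $key) || get_transient('ell_blacklist_' . $key)) {
        return; // already locked; do not count attempts made during the lockout
    }
    $fails = (int) get_transient('ell_fails_' . $key) + 1;
    if ($fails < ELL_MAX_ATTEMPTS) {
        // Still under the limit; remember the count for the lockout window.
        set_transient('ell_fails_' . $key, $fails, ELL_LOCKOUT_SECS);
        return;
    }
    delete_transient('ell_fails_' . $key);
    $lockouts = (int) get_transient('ell_lockouts_' . $key) + 1;
    if ($lockouts >= ELL_MAX_LOCKOUTS) {
        set_transient('ell_blacklist_' . $key, time(), ELL_BLACKLIST_SECS);
        delete_transient('ell_lockouts_' . $key);
        error_log('login limiter: blacklisted address hash ' . $key);
    } else {
        set_transient('ell_lockouts_' . $key, $lockouts, ELL_BLACKLIST_SECS);
        set_transient('ell_lockout_' . $key, time(), ELL_LOCKOUT_SECS);
        error_log('login limiter: lockout #' . $lockouts . ' for address hash ' . $key);
    }
}
add_action('wp_login_failed', 'ell_record_failure');

// A successful login clears the running failure count for that address.
function ell_clear_on_success($user_login, $user) {
    delete_transient('ell_fails_' . ell_client_key());
}
add_action('wp_login', 'ell_clear_on_success', 10, 2);
```

Two things worth knowing before relying on something like this: transients live in the database (or object cache), so the counts survive across requests but a site with a non-persistent cache may expire them early, and the limiter keys on IP address, so one hotel or office network that shares an address is locked out together. Real plugins such as the ones mentioned above also watch the XML-RPC endpoint, which this toy does not.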
Captcha
You can also get your login screen to require more than just a username + a password. I don’t love these types of plugins because they make any tool that autocompletes your login forms tougher to use, + I also don’t love it when the site user is required to prove they aren’t a bot (versus making the bot do that work), but if you are worried about your security, this is another way to keep your site safer than it is out of the box.
Why does this help?
Just like the login limit settings, these additions to your login screen will keep bots from successfully logging in to your WordPress account. Bots aren’t able to read captchas or other visuals, so they will fail your login requirements each time.
Note: This does not protect you from individuals trying to break into your site, so it’s worth using both instead of relying only on the captcha to keep your WordPress site safe.
How to add this security feature
There are tons of plugins that help add a captcha or checkbox to your login page, but the two that I’ve seen work the best are Better WordPress reCAPTCHA + WP Captcha.
I prefer Better WordPress reCAPTCHA because it’s a simple checkbox for your users vs the other options that make your users do math or decipher a garbled image of text + numbers before they can log in. This plugin also gives you the ability to add that same checkbox to your comment form — which can really reduce the number of spam comments your site receives.
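To show what a checkbox-style captcha plugin is doing when it protects the login form, here is a second added illustration I wrote for this post (not the code of Better WordPress reCAPTCHA, WP Captcha or Google). It draws the reCAPTCHA checkbox on the login form and, more importantly, verifies the submitted token with the reCAPTCHA siteverify endpoint on the server before WordPress accepts the login; a checkbox that is only checked in the browser stops nothing. The key names are placeholders and the error messages are assumptions.

```php
<?php
/**
 * Plugin Name: Example Login Captcha Check (illustration for this post, not a published plugin)
 * Description: Add a reCAPTCHA checkbox to the login form and verify it server-side.
 */

// Placeholders: replace with the site and secret keys issued for your domain.
const ELC_SITE_KEY   = 'YOUR_SITE_KEY_PLACEHOLDER';
const ELC_SECRET_KEY = 'YOUR_SECRET_KEY_PLACEHOLDER';

// Load the reCAPTCHA script only on the login screen.
function elc_enqueue_script() {
    wp_enqueue_script('elc-recaptcha', 'https://www.google.com/recaptcha/api.js', array(), null, true);
}
add_action('login_enqueue_scripts', 'elc_enqueue_script');

// Render the checkbox widget inside the login form, above the submit button.
function elc_render_widget() {
    echo '<div class="g-recaptcha" data-sitekey="' . esc_attr(ELC_SITE_KEY) . '"></div>';
}
add_action('login_form', 'elc_render_widget');

// Server-side verification. Runs after WordPress' own password check (priority 20),
// so a bad captcha overrides a correct password.
function elc_verify_on_login($user, $username, $password) {
    // Only the wp-login.php form posts a "log" field; leave other callers of the
    // authenticate filter alone so you notice that they are NOT covered by this check.
    if (empty($_POST['log'])) {
        return $user;
    }
    $token = isset($_POST['g-recaptcha-response']) ? (string) $_POST['g-recaptcha-response'] : '';
    if ($token === '') {
        return new WP_Error('elc_missing', 'Please confirm that you are not a robot.');
    }
    $response = wp_remote_post('https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 5,
        'body'    => array(
            'secret'   => ELC_SECRET_KEY,
            'response' => $token,
            'remoteip' => isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '',
        ),
    ));
    // Fail closed: if the verification service cannot be reached, refuse the login
    // rather than letting the captcha silently disappear.
    if (is_wp_error($response)) {
        return new WP_Error('elc_unavailable', 'Captcha check could not be completed. Please try again.');
    }
    $data = json_decode(wp_remote_retrieve_body($response), true);
    if (empty($data['success'])) {
        return new WP_Error('elc_failed', 'Captcha verification failed.');
    }
    return $user;
}
add_filter('authenticate', 'elc_verify_on_login', 30, 3);
```

The design choice to notice is the "fail closed" branch: it is the safer default, but it also means an outage of the verification service locks everyone out of the dashboard, so keep a way to disable the plugin (deleting the file from mu-plugins works) if that happens. It also only covers the visible login form, which is the same gap the note above is getting at: the captcha is a complement to a login limiter, not a replacement for it.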
Again, these two security options are not something every WordPress site needs. But if you want to up your security game, it’s worth limiting login attempts at the very least + then adding a captcha if you want to do everything possible to lock down your site from hackers + bots.