WordPress security should be at the top of everyone’s priority list. It doesn’t take much effort to keep your website secure, but that small effort goes a long way and helps you avoid headaches down the road.
The simplest approach is to secure your login page with custom WordPress plugins. And in this post I’ve curated my top 8 plugins for login security focusing on free plugins only.
You do not need to install every one of these plugins for a secure site. You just need a couple good options that work best for your site and prevent against the most common attacks you face on a regular basis.
1. WPS Hide Login
Since WordPress is open source the code is easily available for anyone. This generally increases reports of bug fixes and security loopholes, but it also gives potential hackers a clear view of your login form structure.
Every WordPress site uses wp-login.php as the main login page. But you can change this URL with WPS Hide Login.
It’s a great plugin because it doesn’t change any of the core WordPress code. The login page name stays the same, but the URL is handled dynamically through PHP since it intercepts all incoming traffic. It can also move your /wp-admin/ folder to any other location you choose.
This simple plugin can go a long way to securing your website and it works for all WordPress add-ons like BuddyPress, bbPress, and WooCommerce.
2. Cerber Security
The Cerber Security plugin offers a suite of tools for handling login security. This helps you defend against brute force attacks on your system by limiting the total number of login requests for a set period of time.
You have full control over these settings for how many login attempts are allowed and how long it takes to reset. Plus you can blacklist certain IPs or even whitelist the good IPs if that’s easier.
And Cerber’s plugin also lets you hide the login URL much like the other plugin above. So you can even change the login location along with all these added security features.
So why wouldn’t everyone just use Cerber Security? Because it is a very technical plugin and it can bloat your WP install if you run too many features.
For some webmasters this is absolutely worth the setup time. For others this may be too much and feel too bloated compared to simpler solutions.
3. Login LockDown
The brute force password attempt is very common and very annoying. With Login LockDown you can track every single IP that tries to login and fails.
From this you can even limit any login IPs detected with too many failed login attempts. Great way to stop brute force attacks and the plugin is very simple to install.
Plus you have full control from the admin panel for how long you want to block IPs and how they should resolve(hours/days before allowing new login attempts).
4. WordPress 2-Step Verification
I’ve seen two-step authentication features on a ton of different websites over the past couple years. And I’ve had my doubts about this, but after realizing how many accounts the average person has I can see why two-step is so valuable.
This two-step system is where you log into a site successfully, but to complete the login you need to enter a code that goes to your cell phone. WordPress 2-Step Verification is a free plugin that brings this feature to any WordPress website.
You can get the code via text message or via email. They’re both secure options and while this can feel somewhat annoying it’s invaluable for larger websites.
The Loginizer plugin also stops brute force attacks by logging IP addresses and halting continuous login attempts. But this lets you go further than simply blocking repeat IPs.
You could also add a ReCAPTCHA form or add a security question after a certain number of logins. You can also require the two-step authentication much like in the previous plugin.
Loginizer is technically a free plugin but the pro version comes with a bunch more features like OAuth support, auto-blacklists, and a secret renaming scheme that makes the wp-login.php file look public, but really hides the login field elsewhere.
Many of these features can be found in other plugins so it’s only worth getting the pro if you want everything consolidated together.
6. Wordfence Security
Totaling well over 20+ million downloads Wordfence Security is the best free plugin for serious WP users.
The plugin is totally free and open source with new features added every so often. It comes packed with its own firewall and it auto-blocks common sketchy behaviors like fake Googlebots.
You can also manually block IPs using the Wordfence real-time blacklist. Naturally it also supports two-factor authentication and you can even setup a custom strength meter for all user passwords.
This is definitely a big plugin with a ton of features but it’s also the most popular choice for good reason.
7. WP Security Question
With the WP Security Question plugin you can add a custom security question with each login field. These questions can be specific to each user or global across all accounts.
This is great because even if someone gets access to your password they still can’t login to the dashboard without knowing your security question. It’s similar to the two-step authentication except this doesn’t require your phone.
The pro version of this plugin lets you add multiple security questions and includes hints. But with the free version you can still make a working question field so I suggest starting there and upgrading only if you really like the plugin.
8. Google Captcha
Most brute force attacks are run through bots. If you add the reCaptcha field you can block the less-advanced bots and simplify reduce the concerns of any brute force leaks.
Best of all this can work for any type of WordPress form including the signup field and every comment field. You get full control in the admin panel which features you want to setup.
If you’re not sure where to start I recommend a simple plugin like WPS Hide Login. This simply moves your login URL so bots won’t know where to look for it.
Of course you may need stricter measures so a larger plugin like Wordfence Security may offer more. Either way this list should have a little something for everybody and these plugins are guaranteed to keep your WordPress setup totally secure.