3 WordPress Login Page Security Threats

When it comes to all our online work, security is something we have always been pretty conscientious. But in our opinion, making sure that a WordPress site is secure is not something that we ever do too much of to the point of one of our Monkeys being fulltime employed (obsessed) to maintain!

This was recently brought ot our latest staff meeting, by the aforementioned Security Flying Monkey, to us when “Limit Login Attempts” (which we have installed on all our own sites) reported multiple login attempts last week from more than one IP address. She also discovered that someone had attempted to login to our Facebook and Twitter account.

“EEEEK!” said the other Flying Monkeys!

With those recent events batting about in our heads, we thought we’d take the opportunity to share some of the security threats concerning the login page on WordPress sites that most folk are blissfully unaware of.

Now of course there are plenty of basic steps we can all take to improve the security of your WP site (such as changing the default “admin” username and setting strong passwords which we sincerely hope you do FIRST thing!), you may want to check these ones out too in regards to the login…

Leaving Universal Registration Option Open

This is a really simple one — is your WordPress site currently set up so that anyone can register as a user? This is only really necessary if you are running some sort of community or social site, as opposed to a more “normal” website.

So if you are not running a site expecting lots of members, you would  be preventing people from having ANY opportunity to register.

You can do this really easily  by going to Settings > General in your sidebar, and unticking Members: Anyone Can register. Easy huh?

Leaving Login Name Confirmation Turned On

By default, the WordPress login screen will inform you as to whether you have got either the the username or the password wrong.

This effectively makes it twice as easy for any hackers to gain access to your site — they can figure out what your username is without even having to know or even trying to know the password. This is simply not information you should make readily available.

As you are now expecting, this can be easily fixed with a little bit of code in your functions.php file:

function failed_login() {
return ‘The login information you have entered is incorrect.’;
add_filter(‘login_errors’, ‘failed_login’);

Now when there is a failed login attempt, the site won’t answer whether the  username or password was wrong.

Limit Login Attempts

Brute Force Login Attempts

And now for the big baddie, and along the same angle as the last security issue, we have the dreaded brute force login attempts.

Limit Login AttemptsThis is when someone (or more than likely something, as this will be a baddie-server somewhere working tirelessly to break down your walls!) will attempt to gain access to your WordPress website by attempting a ginormous number of different username and password combinations. Such a process is of course made a damn site more difficult by adding the above code to your functions.php file, but you can all but kill the chance of a successful brute force login attempt by limiting the number of login attempts by any specific IP address.

The Army recommends that everyone simply install and activate the Limit Login Attempts plugin. This simple plugin offers you the ability to customize how many login attempts someone should have, and how long they are locked out for if unsuccessful. I consider it a must-have for any WordPress blogger.

Limit Login Attempts plugin

Limit the number of login attempts possible both through normal login as well as using auth cookies.

By default WordPress allows unlimited login attempts either through the login page or by sending special cookies.

This allows passwords (or hashes) to be brute-force cracked with relative ease.

Limit Login AttemptsLimit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.


  • Limit the number of retry attempts when logging in (for each IP). Fully customizable
  • Limit the number of attempts to log in using auth cookies in same way
  • Informs user about remaining retries or lockout time on login page
  • Optional logging, optional email notification
  • Handles server behind reverse proxy
  • It is possible to whitelist IPs using a filter. But you probably shouldn’t. 🙂

What Security Issues Do You Consider a Threat to Your Site?

We are of course just talking about login hacks here, but we consider the above tips very good methods for closing potential security vulnerabilities at the login page on a WordPress site. We don’t want to frighten you (heck YES WE DO! loL!) into thinking that WordPress is a totally unsafe content management system (because it seriously isn’t), but it is much better to be safe than sorry.

With that in mind, we’d love to know what suggestions you have for making WordPress more secure. Let us know by leaving us a comment below!

Shopping Cart
Scroll to Top