We are discussing all the possible ways to Block direct access to wp-login.php which is nothing but the login URL. If the login URL is exposed, intruders will start running scripts to unlock the credentials. This will consume more of your hosting CPU which needs to be stopped. This is the only article you ever need to refer to protect your wp-login.php against Brute-Force attacks.
The first and foremost thing you need to do to keep your WordPress secure is to use a strong password for your account. We have done a lot of research over all these years to find the best possible way to protect wp-login.php. If you have any suggestions of yours, please let us know.
Before you proceed, let us understand that our motive is to block direct access to wp-login.php.
Changing Login URL
The easiest and simplest way to block direct access to wp-login.php is to change the login URL. It’s very simple. Just install the plugin from the WordPress Repository. Some security plugins may have this feature built-in.
You can also change the login URL without any plugins too with some modifications to the wp-login.php file in the root directory (public_html). We suggest the Plugin method which is easy and safe.
However, changing the Login URL may improve security, but it’s not worth it. Hackers also use xmlrpc.php to carry out brute-force attacks.
How do you know if there are any Brute-Force attempts on your website? Just install the Activity Log Plugin and verify the Logs. If you see any ‘Failed Login’ entries, it is understood that you need to block those attempts to save hosting resources.
Two Factor Authentication
There are some plugins on the WordPress Repository which will enable the second level of authentication once you have entered the right credentials. 2FA can be done through any Smartphone Authenticator App. There are some plugins that enable 2FA through text messages which is a paid service.
Technically these 2FA protections won’t be that useful. Because most of them will work after the Brute-Force has been conducted successfully. This means, once the Brute-Force script generates the right username and password combination, when the hacker logins, they have to enter the 2FA code which they don’t have. Hence they can’t continue to your site.
This is not a protection against Brute-Force as the hacker can still run scripts. It also consumes a lot of hosting resources. Hence not a secure way to protect websites.
Note: Some 2FA Plugins work along with the WordPress Login screen, while someone tries to brute-force, it will still consume a lot of resources.
The best protection for wp-login.php is the one that doesn’t load the ‘WordPress login Page’ itself in the first place.
htaccess Password Lock
This was one of the first security steps we used to follow. This works absolutely well for sites with single users/ limited users. What you do here is, you will protect the file /wp-login.php by adding a password for it in the .htaccess file.
There are some drawbacks to this method. Basically, you cannot Logout of your WordPress. And if you are running WooCommerce, definitely you should not be using this. The reason behind it is explained in the dedicated article on htaccess Password Protection for wp-login.php (The Final Solution).
Before you get access to the WordPress login page, you can add an extra layer of security over it. i.e. you need to pass through the ‘Firewall Lock’ page by entering firewall credentials in order to access the wp-login.php page.
In this case, the wp-login.php is not accessible to the public. When someone tries to login to your site, they will be first invited to bypass the firewall. Only then does the WordPress login page will load.
You need plugins for that. We suggest ‘Ninja Firewall‘ which we use for most of our client sites. There are other benefits from this plugin which is a different topic.
This method is what we recommend. This process doesn’t consume your Hosting Resources. The wp-login.php is protected at the domain level.
In order to apply this Firewall Rule to your site, your site must be already protected under Cloudflare and later you can add 2 simple rules. Once you do that, you will be the only one who will be accessing the WordPress login page. For others, access will be denied.
Please read this detailed article on Protecting wp-login.php by using Cloudflare Firewall for Free.
Among all these methods, Protecting wp-login.php through Firewall is the best security solution for WordPress.
When you block wp-login.php through Firewall/ other means, you may still see Brute-Force attempts. That is simply because your xmlrpc.php is not blocked. Block /xmlrpc.php either through Plugin or with another Cloudflare Firewall rule, don’t add any condition, just block it and forget about it. There will be NO more Brute force attempts.