The login page is the most attacked part of any WordPress site. Lock it down.
- Use a strong, unique admin password and avoid the username "admin."
- Limit login attempts with a plugin (for example, Limit Login Attempts Reloaded) to block brute-force attacks.
- Enable two-factor authentication with a security plugin.
- Password-protect the login at the server level with Directory Privacy (article 154) on
wp-admin. - Keep WordPress, themes, and plugins updated (article 90).
Tip: A security plugin like Wordfence bundles login protection, firewalling, and malware scanning in one.
