This is an old revision of the document!


Secure Wordpress

To Force SSL Logins and SSL Admin Access

The constant FORCE_SSL_ADMIN can be set to true in the wp-config.php file to force all logins and all admin sessions to happen over SSL.

Example

define('FORCE_SSL_ADMIN', true);

FORCE_SSL_ADMIN should be set before wp-settings.php is required.
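As an added example (not part of the original page and not WordPress code), the Python script below audits a wp-config.php for the two conditions described above: FORCE_SSL_ADMIN is defined as true, and the define appears before wp-settings.php is loaded. The function name, the status labels and the sample configs are constructed for illustration.

```python
import re

# PHP string literals (group 1, kept) or comments (dropped), so a commented-out
# define is ignored and '//' inside a URL string is not mistaken for a comment.
_TOKEN = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|/\*.*?\*/|//[^\n]*|#[^\n]*""", re.S)
# Constant names are case-sensitive in PHP; the define keyword is not.
_DEFINE = re.compile(
    r"""\b(?i:define)\s*\(\s*(['"])FORCE_SSL_ADMIN\1\s*,\s*([^)]*?)\s*\)""")
_SETTINGS = re.compile(
    r"\b(?:require|include)(?:_once)?\b[^;]*wp-settings\.php", re.I)


def check_force_ssl_admin(config_text):
    """Return 'ok', 'missing', 'disabled' or 'too_late' (labels are ours)."""
    code = _TOKEN.sub(lambda m: m.group(1) or "", config_text)
    define = _DEFINE.search(code)  # first define wins; PHP ignores redefinition
    if define is None:
        return "missing"
    if define.group(2).lower() != "true":
        return "disabled"
    settings = _SETTINGS.search(code)
    if settings is not None and define.start() > settings.start():
        return "too_late"  # wp-settings.php was loaded before the define
    return "ok"


# Constructed sample configs, not taken from a real site.
_LOAD = "require_once ABSPATH . 'wp-settings.php';\n"
SAMPLES = {
    "good": "<?php\ndefine('WP_HOME', 'https://example.test'); // site URL\n"
            "define('FORCE_SSL_ADMIN', true);\n" + _LOAD,
    "late": "<?php\n" + _LOAD + "define('FORCE_SSL_ADMIN', true);\n",
    "commented": "<?php\n# define('FORCE_SSL_ADMIN', true);\n" + _LOAD,
    "disabled": "<?php\ndefine('FORCE_SSL_ADMIN', false);\n" + _LOAD,
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", check_force_ssl_admin(text))
```
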

Protecting your login page cannot be accomplished by any one specific technique, but there are certainly steps you can take to make any attacks far less likely to succeed.

Your site’s login page is certainly one of the more vulnerable pages on your website, so let’s get started on making your WordPress site’s login page a little bit more secure.

Use a Strong Password and A Weird Username

Brute forcing login pages is one of the most common forms of web attack that your website is likely to face. If you have an easy-to-guess password or username, your website will almost certainly be not just a target but eventually a victim.

SplashData compiled a list of frequently used passwords for 2014.

Passwords by rank in terms of usage:

1. 123456
2. password
3. 12345
4. 12345678
5. qwerty
6. 123456789
7. 1234
8. baseball
9. dragon
10. football

If you use one of those passwords and your website receives any traffic at all, your website will almost certainly be taken down sooner or later.

Use strong passwords and unusual usernames. Previously with WordPress, you had to start out with a default admin username, but that is no longer so. Still, most new web admins use the default username and need to change it. You can use Admin Renamer Extended to change your admin username.

With security plugins, you can easily enforce strong passwords on all your users. You wouldn’t want someone with an editor level access to use weak passwords now, would you? It compromises your security greatly.

Use an online random password generator such as Secure Password Generator, Norton’s Password Generator or LastPass. All of them are free to use.

If you have difficulty remembering your passwords, you can use KeePass Password Safe or Dashlane’s password manager.

linux/wordpress_secure.1522208667.txt.gz · Last modified: 2018/03/28 05:44 by admin