The constant FORCE_SSL_ADMIN can be set to true in the wp-config.php file to force all logins and all admin sessions to happen over SSL.
Example
define('FORCE_SSL_ADMIN', true);
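A quick way to confirm the setting is actually in force, as an added example rather than code from the original page: the script below reads the text of a wp-config.php and reports whether FORCE_SSL_ADMIN is set to true, is not commented out, and appears before the line that loads wp-settings.php, which is where WordPress picks up its configuration constants. The function names and the sample files are constructed for illustration.

```python
import re

# PHP string literals (kept) and comments (blanked), matched left to right.
TOKEN_RE = re.compile(
    r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*""",
    re.DOTALL,
)
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]FORCE_SSL_ADMIN['"]\s*,\s*([^)]+?)\s*\)\s*;""",
    re.IGNORECASE,
)
# wp-config.php hands control to WordPress when it loads wp-settings.php.
SETTINGS_RE = re.compile(r"require(?:_once)?\b[^;]*wp-settings\.php")


def strip_comments(php):
    """Blank out comments but keep string literals and character offsets."""
    def repl(m):
        tok = m.group()
        return tok if tok[0] in "'\"" else re.sub(r"[^\n]", " ", tok)
    return TOKEN_RE.sub(repl, php)


def audit_force_ssl_admin(php):
    """Return (ok, reason) for FORCE_SSL_ADMIN in the text of a wp-config.php."""
    code = strip_comments(php)
    found = DEFINE_RE.search(code)
    if not found:
        return False, "not defined (missing or commented out)"
    value = found.group(1).strip()
    if value.lower() != "true":
        return False, f"set to {value}, expected true"
    settings = SETTINGS_RE.search(code)
    if settings and found.start() > settings.start():
        return False, "defined after wp-settings.php is loaded"
    return True, "true, and defined before wp-settings.php is loaded"


# Constructed sample files, not taken from any real site.
GOOD = "<?php\ndefine('FORCE_SSL_ADMIN', true);\n/* That's all */\nrequire_once ABSPATH . 'wp-settings.php';\n"
COMMENTED = "<?php\n// define('FORCE_SSL_ADMIN', true);\nrequire_once ABSPATH . 'wp-settings.php';\n"
LATE = "<?php\nrequire_once ABSPATH . 'wp-settings.php';\ndefine('FORCE_SSL_ADMIN', true);\n"
OFF = "<?php\ndefine( \"FORCE_SSL_ADMIN\", FALSE );\nrequire_once ABSPATH . 'wp-settings.php';\n"

if __name__ == "__main__":
    for name, text in [("GOOD", GOOD), ("COMMENTED", COMMENTED), ("LATE", LATE), ("OFF", OFF)]:
        print(name, audit_force_ssl_admin(text))
```

To check a real site, pass the contents of its wp-config.php to `audit_force_ssl_admin()` in place of the samples.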
Protecting your login page cannot be accomplished by any one specific technique, but there are certainly steps you can take to make any attacks far less likely to succeed.
Your site’s login page is certainly one of the more vulnerable pages on your website, so let’s get started on making your WordPress site’s login page a little bit more secure.
Brute forcing login pages is one of the common forms of web attack that your website is likely to face. If you have an easy-to-guess password or username, your website will almost certainly be not just a target but eventually a victim.
SplashData compiled a list of frequently used passwords for 2014.
Password by rank in terms of usage.
If you use one of those passwords and your website receives any traffic at all, your website will almost certainly be taken down sooner or later.
Use strong passwords and unusual usernames. Previously with WordPress, you had to start out with a default admin username, but that is no longer so. Still, most new web admins use the default username and need to change their username. You can use Admin Renamer Extended to change your admin username.
With security plugins, you can easily enforce strong passwords on all your users. You wouldn’t want someone with editor-level access to use a weak password now, would you? It compromises your security greatly.
Use a randomized password generator tool available online like Secure Password Generator or Norton’s Password Generator or LastPass. All of them are free to use.
If you have difficulty remembering your passwords, you can use KeePass Password Safe or Dashlane’s password manager.
A hacker needs to find your login page, if he or she intends to brute force the login page to gain access. You can prevent this by employing what some call security through obscurity, the idea that hiding your login page will protect you, seeing as the attacker cannot identify a potential point of entry. Your website would be the equivalent of a bank without a door or any other public access point.
Most WordPress websites have the login entry point at yourwebsite.com/login.php.
Try typing webhostingsecretrevealed.net/login.php into your browser’s address bar. Doesn’t work, does it? That is because it doesn’t exist. The login entry for WHSR is located at a different URL. Similarly, you can change the access point on your website to something else. Essentially, we change the login page URL.
Similar to the login.php page, there is the wp-admin directory which also needs to be protected. It is fairly easy to do with either of the two plugins – WPS Hide Login and Protect Your Admin.