We will explain how to increase the security of the WordPress login screen in order of importance.

Make your password complex

The most important thing to do to prevent unauthorized logins on the WordPress login screen is to make the password for administrator privileges complex.
Hackers use a dictionary of commonly used passwords and programmatically repeat one login enforcement after another to try to log in with administrator privileges. It is also dangerous to use the same or similar user ID and password. It is also possible to programmatically retrieve the WordPress user ID and then try the password itself, or add a number such as 01 to it and try one after the other.

A complex password is one that meets the following criteria

A meaningless string of characters.
At least one alphanumeric character, one uppercase letter, one lowercase letter, and one symbol.
At least 12 characters

↓Such a password would theoretically take more than 80,000 years to break in a brute force attack!

From a password strength testing tool

Attach a capture to the login screen


Adding a capture to the login screen can dramatically reduce the probability that a program will automatically break the password.
If there is a capture on the login screen, the program must solve the capture while still performing brute force login enforcement, and few hackers currently use such sophisticated programs.

Changing the URL of the login screen

Changing the URL of the login screen using a security plug-in or other means also increases the security of the login screen.
Hackers must first examine the URL of the login screen before they can run a login-breaking program on a site with a changed login URL, and in most cases changing the URL will not expose the login URL to hackers.

Countermeasure for XMLRPC.php

WordPress has a mechanism called XMLRPC that allows posts to be added without using the WordPress admin page.

However, the login ID and password are sent to this XMLRPC, and if the submission is not successful, it means that the password is different.

Therefore, it is necessary to take countermeasures such as disabling the XMLRPC function or using security plug-ins to detect and block excessive access to XMLRPC.

In any case, the basis for increasing the security of the login screen is password complexity. It is important to change passwords to ones that cannot be broken even by brute force attacks.