The WordPress login page is publicly accessible on every WordPress site by default. That makes it a natural target — automated tools scan for it constantly, trying username and password combinations at scale. The default setup gives attackers everything they need to start trying.
What makes the default login setup a problem
- Predictable URL — The login page is at /wp-admin or /wp-login.php on every default WordPress installation. Attackers know exactly where to look
- No limit on login attempts — By default, WordPress allows unlimited login attempts. Brute-force tools can try thousands of combinations without being stopped
- The “admin” username — Still used on many sites. It removes half the guesswork for attackers who already know the username and only need the password
- No second layer of verification — A correct password is all that stands between an attacker and full admin access
How to make login significantly more secure
- Use a username that is not “admin” — anything unique and not publicly associated with you
- Use a strong, unique password — long, random, not reused from other accounts
- Enable two-factor authentication — even if a password is compromised, a second factor blocks access
- Limit login attempts — lock out IPs after repeated failures
- Consider restricting access to the login URL by IP if your team accesses the site from fixed locations
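As an added illustration of the "limit login attempts" item (example code written for this article, not a plugin the site recommends or ships), the must-use plugin below counts failed logins per client IP in a transient and refuses further attempts for 15 minutes once five have failed. It uses the standard WordPress hooks `wp_login_failed`, `authenticate` and `wp_login`; the threshold, window and the `lal_` names are this example's own choices.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (illustrative example)
 * Save as wp-content/mu-plugins/login-attempt-limiter.php to load it.
 */

define('LAL_MAX_FAILURES', 5);                      // failures allowed per window
define('LAL_WINDOW', 15 * MINUTE_IN_SECONDS);       // lockout / counting window

// Key the counter on the client address. Behind a reverse proxy or CDN,
// REMOTE_ADDR is the proxy's address; only use forwarded headers if the
// proxy is configured to set them, otherwise they can be spoofed.
function lal_client_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lal_fail_' . md5($ip);
}

// Record each failed login (bad password or unknown username alike).
add_action('wp_login_failed', function () {
    $key   = lal_client_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, LAL_WINDOW);   // expiry restarts the window
});

// Once the threshold is reached, short-circuit authentication with an error
// so further guesses are rejected without the password being checked.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(lal_client_key()) >= LAL_MAX_FAILURES) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 3);   // priority 30: runs after WordPress's built-in checks at 20

// A successful login clears the counter for that address.
add_action('wp_login', function () {
    delete_transient(lal_client_key());
});
```

Transients live in the database (or object cache) so the counter survives across PHP processes; a per-IP lock does not stop attempts spread across many addresses, which is why pairing it with two-factor authentication and a unique username still matters.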
This is a setup task, not an ongoing burden
Most of these measures are configured once and then run in the background. The effort is low relative to the protection they provide. Skipping them because they seem like small details is how sites end up compromised.
Login security is part of what we review in a website checkup and keep in place through WordPress maintenance. More in our security knowledge base.
Dealing with a hacked or infected site? Learn about our malware removal service →