If you have not done anything to protect your WordPress site, you are most probably not safe. By default, WordPress comes with only a single login mechanism. Anyone who has your username and password can easily log in to your site and wreak havoc. The only way to prevent this is to tighten the security of your site so that other people cannot break into it easily.

1. Google Authenticator

The Google Authenticator plugin makes use of the Google Authenticator mobile app to provide a two-factor authentication login to your WordPress site.

Note: Before activating Google Authenticator, make sure that you have enabled two-factor authentication in your Google account and installed the Google Authenticator app on your Android, iPhone or Blackberry phone.

Once you have installed and activated the plugin, go to the “Users -> Your Profile” section and you should see the Google Authenticator settings.


Check the box beside “Active” and save the changes. The next time you log in, it will prompt you to enter the secret key. If you fail to enter the correct code, you will not be able to log in.


Google Authenticator

2. One Time Password

One Time Password allows you to log in to your WordPress site without using your real password. It generates a list of passwords that you can use to log in to your site. These passwords are valid only for a single session, so even if a password is stolen, others won’t be able to log in to your site. This is particularly useful if you are travelling and need to log in to your site from a cybercafe.

Once installed and activated, go to the One Time Password section to generate your password list. Enter a passphrase and click the “Generate” button.


Print out the generated password list and bring it with you wherever you go.


When you need to log in, it will show a sequence number. You just have to match the sequence number with your password list and enter the password accordingly.


One Time Password

3. WP Login Security

WP Login Security works via the IP address. It first requires administrators to register or whitelist their IP address. Next, it will detect the IP address whenever the administrator logs in. If the IP address is not recognized, it will send an email to the administrator with a link that contains a one-time key.


A good thing about this plugin is that little or no configuration is required. You just activate it and it is good to go.

WP Login Security

4. Login Lockdown

We have mentioned Login Lockdown before in our previous post on WordPress security. We are going to mention it again here because it is truly a useful plugin. It records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range.

Login Lockdown
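
To make the lockout rule described above concrete, here is an added example (not code from the Login Lockdown plugin) that replays a constructed list of login events through a sliding-window counter keyed by IP range. The class and function names, the /24 range size and the threshold, window and lockout values are all assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict, deque

class RangeLockout:
    """Sliding-window lockout keyed by IP range rather than by single address."""
    def __init__(self, max_failures=3, window=300, lockout=3600, prefix=24):
        # All defaults are assumptions for this example, not the plugin's settings.
        self.max_failures, self.window = max_failures, window
        self.lockout, self.prefix = lockout, prefix
        self.failures = defaultdict(deque)  # range -> timestamps of failed logins
        self.locked_until = {}              # range -> time the lockout ends

    def _range(self, ip):
        # Collapse an address to its network, e.g. 203.0.113.7 -> 203.0.113.0/24.
        addr = ipaddress.ip_address(ip)
        bits = self.prefix if addr.version == 4 else 64  # /64 for IPv6 (assumption)
        return ipaddress.ip_network(f"{addr}/{bits}", strict=False)

    def is_locked(self, ip, now):
        return now < self.locked_until.get(self._range(ip), 0)

    def record_failure(self, ip, now):
        """Store one failed attempt; return True if the range is now locked."""
        if self.is_locked(ip, now):
            return True
        stamps = self.failures[self._range(ip)]
        stamps.append(now)
        while stamps and stamps[0] <= now - self.window:  # age out old attempts
            stamps.popleft()
        if len(stamps) > self.max_failures:  # "more than a certain number"
            self.locked_until[self._range(ip)] = now + self.lockout
            stamps.clear()
        return self.is_locked(ip, now)

def replay(events, guard):
    """Run (timestamp, ip, password_ok) tuples through the guard; return refusals."""
    refused = []
    for ts, ip, ok in events:
        if guard.is_locked(ip, ts):
            refused.append((ts, ip))  # rejected before the password is even checked
        elif not ok:
            guard.record_failure(ip, ts)
    return refused

# Constructed sample: failures from several hosts in one /24, then good passwords.
EVENTS = [(0, "203.0.113.5", False), (20, "203.0.113.9", False),
          (40, "203.0.113.77", False), (60, "203.0.113.5", False),
          (90, "203.0.113.200", True), (95, "198.51.100.4", True)]

if __name__ == "__main__":
    print(replay(EVENTS, RangeLockout()))
```

In the sample, the login at t=90 carries the correct password but is still refused because it comes from the locked range, which is the trade-off of locking a range instead of a single address.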

5. WP Firewall 2

This plugin is not directly related to the login field, but it protects your site by inspecting web requests to identify malicious attacks. It is able to stop an attack before it causes damage to your database.

After activating, you can find the configuration options under the Firewall section. The default options are often good enough for everyone and you seldom have to make any changes.


WordPress Firewall 2

The methods mentioned above are only some of the ways to protect your WordPress site; don’t forget to check out: