A Guide to Website Login Security

We recently discussed how upcoming changes to Google Chrome and Mozilla Firefox make an SSL certificate for your website even more important. Yet adding this layer of security still isn’t enough to stop hackers from potentially accessing the backend of your website.

We’ve seen websites that aren’t very popular, or with any sensitive data to steal, hit with brute force attacks from bots to the tune of 100+ login attempts an hour—every single day. The impact can be significant; website often bog down with all the unnecessary traffic and hackers might even guess your password.

Want better peace of mind your website is safe? Continue reading for security tips and actionable advice to secure your website without breaking the bank or becoming overwhelmed in the process.

1. Install an SSL Certificate

Please read our last post on the important of SSL certificates and available options for all the nitty gritty details.

2. Use Longer Passwords

Generate a long string of words using dice paired with a service like LastPass to store them and automatically sign into your website. The old advice to add wacky characters to your password and end up with a bunch of gibberish has been shot down, so you can essentially pick something like “thisismypasswordanditsjustwords” without being quite that obvious or using a popular quote, lyric, etc. Even saving passwords to Google Chrome for auto logins (and not using a third-party service like LastPass) is better than coming up with your own passwords and reusing them on other websites. Worst thing that happens? You reset a forgotten or lost password and continue onward.


Note SquareSpace users are faced with a double-edged sword. On one hand, out-of-the-box security features are better than WordPress, but the ability to scale is close to nil. Make sure you’re taking advantage of their free SSL certificate and using, as well as updating, a random password. The next few tips are unfortunately WordPress-only at the time of this writing.

3. Enable Two-Factor Authentication (WordPress)

While SquareSpace website owners are out of luck here, WordPress websites and other platforms offer two-factor authentication options. If your login page doesn’t recognize your computer, a code is texted to your phone to input after successfully entering a password. This added layer of protection is much like debit card: not only do you need the physical card, you need to know the pin number. Enabling two-factor authentication on any important login page (i.e. DropBox, email, banking, etc.) means even a password in the hands of hackers isn’t a calamity.

We love the simplicity of this plugin for two-factor authentication when paired with the Google Authenticator mobile app.

4. Limit Login Attempts (WordPress)

Want to stop someone from running through countless passwords on your login page? Install a plugin to limit login attempts and kick people out for a predetermined amount of time after two or three failed attempts. Note many attacks often use multiple IP addresses to mimic various locations or users, so this layer of security alone, while a good idea, only makes the job much harder.

5. Change Login URL & Block Repeat Offenders (WordPress)

Our favorite security plugin for WordPress by Cerber Security not only limits login attempts, but uses a host of other features to really improve the security of your login page. One of the bigger flaws with WordPress remains the fact everyone knows how to access your generic login page—typically at yourwebsite.com/wp-admin or yourwebsite.com/login-php. This known fact gives hackers a head start, especially when paired with website owners who use a generic username like “admin”.

The plugin from Cerber enables you to change the login URL to anything of your choosing and typically confuses automated attempts to hack your website. The plugin also blacklists repeat offenders who continually try to access your site and offers a host of other great wrinkles. The plugin is better suited for advanced users, but nothing can really break by giving it a go.

Have questions or want a pro to install and implement security features on your private practice website? Contact us for a free consultation.