If you use a web application firewall ( WAF ) like Cloudflare or Sucuri, they also have ways to block the URL path. Basically, you can set up a rule so that only your IP address can access the WordPress admin login URL. Again, this rule should not be used on e-commerce or membership sites, as they also rely on access to the backend of your site.
Cloudflare has a URL blocking feature in its Pro and higher accounts. You can set a rule for any URL or path.
Sucuri has a URL path blacklist feature. You can then whitelist your own IP address.
Take advantage of two-factor authentication
And of course, let’s not forget about two-factor authentication! No matter how strong your password is, there’s always a risk that someone will find out. Two-factor authentication involves mom database a two-step process where not only your password but also a second method is required to log in. This is usually a text message (SMS), a phone call, or a time-based one-time password (TOTP). In most cases, it’s 100% effective at preventing brute force attacks on your WordPress site. Why? Because it’s virtually impossible for an attacker to have both your password and your mobile phone. Two-factor authentication consists of two parts. The first is your account or control panel that you have with your hosting provider . If someone gets access to it, they can change your passwords, delete your sites, change your DNS records, etc. Scary stuff. At Kinsta, we partner with Authy to offer two-factor authentication for your MyKinsta dashboard. Once you install and configure one of the above plugins, your WordPress login page will usually have an extra field to enter a security code. Or, with the Duo plugin, you first log in with your credentials and then need to choose an authentication method, such as Duo Push, call, or password. This method can easily be combined with changing the default login URL, which we discussed earlier. So, not only is your WordPress login URL now known only to you, but it also requires additional authentication to log in.