I think everyone who works with WordPress knows wp-admin, since that is where we manage all the functionality and features of the website.

To access the WordPress administration panel, we must first go through the WordPress login at /wp-admin/ or /wp-login.php. In either case, we end up on the WordPress login page:

If we enter our domain followed by /wp-admin in the browser, that is, as if we wanted to access the wp-admin folder, it will automatically take us to wp-login.php.

As you can see in the previous screenshot, this is where we must enter our username and password to access the WordPress admin.

It is normal for any web page, regardless of whether it is a WordPress or not, to have an administration panel protected by username and password. But here we are going to focus on WordPress and its login or access, in addition to mentioning at least one plugin for each action.

Protect wp-admin and wp-login.php

wp-admin and wp-login.php are two common targets of brute force attacks, which try to guess the WordPress dashboard password by submitting one password after another.

If we have a good password, in theory, we shouldn’t have to worry about this, but… in practice, a brute force attack against the WordPress login can cause a very high consumption of resources in PHP and in the MySQL database engine, which in turn will affect all WordPress installations hosted on the server or hosting plan.

For this reason, a security plugin like Limit Login Attempts Reloaded or WP Cerber is often used to protect WordPress wp-admin and wp-login.php. We can even use server-level systems like fail2ban, much more efficient than a plugin, to perform these blocks.

With these WordPress login protection techniques, the IP addresses of users who try several times to enter wp-admin or wp-login.php without success, because the username or password entered is wrong, are blocked.
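The blocking logic described above, as an added example that is not taken from any of the plugins or from fail2ban itself. It borrows fail2ban's `maxretry` and `findtime` parameter names, and assumes a combined-format access log in which a failed login is a POST to wp-login.php answered with 200 (a successful login is redirected with 302); the log lines are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumption: combined access-log format, and a failed login is a POST to
# wp-login.php answered with 200 (a successful login is redirected with 302).
FAILED_LOGIN = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /wp-login\.php(?:\?\S*)? HTTP/[\d.]+" 200 '
)

def find_offenders(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time the threshold was reached} for IPs with at least
    maxretry failed logins inside a sliding window of length findtime."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m or m["ip"] in banned:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[m["ip"]] = ts
    return banned

def sample_log():
    """Constructed log: a bot failing 8 times, and a user who mistypes twice."""
    t0 = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    rows = [("203.0.113.7", 5 * i, "POST", 200) for i in range(8)]
    rows += [("198.51.100.20", 3, "GET", 200), ("198.51.100.20", 10, "POST", 200),
             ("198.51.100.20", 25, "POST", 200), ("198.51.100.20", 40, "POST", 302)]
    out = []
    for ip, sec, method, status in sorted(rows, key=lambda r: r[1]):
        ts = (t0 + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        out.append(f'{ip} - - [{ts}] "{method} /wp-login.php HTTP/1.1" {status} 4321 "-" "-"')
    return out

if __name__ == "__main__":
    for ip, when in find_offenders(sample_log()).items():
        print(f"block {ip} (threshold reached at {when:%H:%M:%S})")
```

The user who mistypes the password twice and then logs in stays below the threshold, while the address that keeps failing is flagged on its fifth attempt.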

Normally, in a production website, the simple fact of blocking these requests usually lowers the consumption of PHP and MySQL resources in the hosting.

Another way to protect WordPress wp-admin access is to change the URL directly so brute force bots can’t find the WordPress login and can’t try username and password combinations. This is precisely what we are going to see in the next section.

Personally, today I recommend WP Cerber if you want to strengthen WordPress security as a whole. If you only want to block brute force attacks, I recommend using Limit Login Attempts Reloaded.

Change the wp-admin and wp-login.php

As we have said in the previous section, if the bots are not able to find the WordPress administration panel, they will not be able to attack directly.

When entering the wp-admin folder, a redirect to wp-login.php is made. So, to change the WordPress access URL, what you do is remove the redirect from wp-admin to the login and change the wp-login.php slug, so that anyone who does not know the new URL cannot reach the dashboard login.

There are different free and paid plugins to make this change. There are even WordPress plugins that have another purpose, but that also integrate this, since it is very basic.

I normally use the Change wp-admin login plugin to implement this. As its name indicates, its main function is to change the WordPress admin access URL, specifically wp-admin and wp-login.php.

There are many other plugins, such as Perfmatters, that allow us to change the WordPress login URL even though they are not specifically for that.

Recover wp-admin or wp-login.php password

Sometimes we leave our WordPress installations for a while, and when we return to them we no longer remember the admin credentials.

In that case, since WordPress is not a SaaS, we can always reset the password in one way or another. Be warned, though, that it is impossible to find out what the previous password was: it is stored as a one-way hash, not in readable form.

There are two ways to recover the password of our WordPress:

  • If we know the email of our account: Use the typical “Recover password” link on the WordPress login page, which will send us an email with a link to reset the password.
  • If we do NOT know the email of our account: Open our WordPress database with phpMyAdmin from the control panel of our hosting and edit the password of the chosen user, selecting MD5 as the function applied to the field before saving, so that it is stored as an MD5 hash. WordPress accepts that hash and replaces it with its own stronger hash the next time that user logs in.

If you want to learn how to enter by forcing the password to wp-admin with phpMyAdmin, I leave you the following GIF that I have created for you.

This last video is about connecting by FTP and editing the functions.php file of the active WordPress theme to create a user with a one-time tweak, then logging in to WordPress with that user in order to change the password of Username.

Access without password to wp-admin or wp-login.php

I have to admit that I am a fan of systems that allow me to access the administration panel of the CMS I use without a password.

Normally, I use the Installatron of the Raiola Networks hosting plans to log in to WordPress as admin without having the username and password.

If you are looking for hosting with Installatron, I recommend our hosting plans, since we offer Installatron as a self-installer and CMS manager.

But Installatron is not the only system that allows you to log in to WordPress without using the password: there is also InfiniteWP, for example.

InfiniteWP is a centralized WordPress management system that allows you to log in to WordPress without a password. In addition, we can log in to several WordPress sites at the same time and work with different websites from an intuitive, centralized panel.

I am not going to dwell on InfiniteWP and what it can do for most web developers, since logging into WordPress without a password is not its only functionality, and if I started to talk about it I would have enough content for a full, long post.