Your WordPress admin login page (/wp-admin or wp-login.php) is the primary gateway to your website’s backend. Because this URL is the same by default for every WordPress site, it is a frequent target for automated bots and brute-force attacks.
While Elementor Hosting takes significant measures to protect your site, keeping your data safe is a joint responsibility. Protecting your admin URL is a critical step in hardening your site’s security.
To protect your admin URL on Elementor Hosting, you should change the default login path using a plugin like WPS Hide Login, enable two-factor authentication (2FA), and utilize built-in security features such as geoblocking and brute-force protection within the My Elementor dashboard to prevent unauthorized backend access.
How do I change the default WordPress login URL?
Changing the default /wp-admin or wp-login.php path hides the entrance to your site from automated bots.
To change your default WordPress login URL, you’ll need to install a third-party plugin – WPS Hide Login.
- To learn how to find and install WPS Hide Login, see Install and activate WordPress plugins.
Important Considerations:
- Once changed, the default /wp-admin will no longer work. You should immediately bookmark your new custom URL to avoid losing access.
- The Edit with Elementor button in the My Elementor dashboard will be disabled after this change.
- The default /wp-admin path will return a 404 error to unauthorized users.
How do I implement two-factor authentication?
Two-factor authentication (2FA) creates a second layer of defense that requires a physical device to complete a login.
- Enhanced Security: Prevents access even if your password is stolen.
- Identity Verification: Uses time-sensitive codes generated by mobile apps.
- Compatibility: Works seamlessly with plugins like Wordfence or Google Authenticator.
To implement 2FA, you’ll need to install a third-party plugin such as Wordfence or Google Authenticator.
To learn how to find and install these plugins, see Install and activate WordPress plugins.
How does Elementor Host protect against brute-force attacks?
Elementor Host includes native security protocols that automatically mitigate repeated login failures.
- Automatic Lockouts: Users are restricted after five failed login attempts.
- Temporary Bans: IP addresses are locked out for a duration of 1 hour.
- Manual Overrides: Administrators can clear lockouts via the My Elementor dashboard.
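To see which IP addresses in an access log would have triggered this policy, the following added example (not Elementor's code) replays login attempts against the five-failure, one-hour rule described above. It assumes combined-log-format lines, a per-IP counter of consecutive failures that a successful login resets, and stock WordPress behavior where a failed wp-login.php POST returns 200 and a successful one redirects with 302; the sample log is constructed.

```python
import re
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # from the page: lockout after five failed attempts
LOCKOUT = timedelta(hours=1)     # from the page: IP locked out for 1 hour

# Combined-log-format prefix: ip, timestamp, method, path, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?")[0], int(status)

def lockouts(lines):
    """Return {ip: [(locked_at, unlocked_at), ...]} under the modelled policy."""
    failures, locked_until, result = {}, {}, {}
    for rec in filter(None, map(parse, lines)):
        ip, when, method, path, status = rec
        if method != "POST" or not path.endswith("/wp-login.php"):
            continue
        if ip in locked_until and when < locked_until[ip]:
            continue  # attempt made while locked out: not counted again
        if status == 302:          # assumption: redirect means a successful login
            failures[ip] = 0
        elif status == 200:        # assumption: form re-rendered means a failed login
            failures[ip] = failures.get(ip, 0) + 1
            if failures[ip] >= MAX_FAILURES:
                locked_until[ip] = when + LOCKOUT
                result.setdefault(ip, []).append((when, locked_until[ip]))
                failures[ip] = 0
    return result

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE = [
    f'203.0.113.7 - - [10/Mar/2025:08:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4521'
    for s in range(0, 14, 2)   # seven failed attempts, two seconds apart
] + [
    '198.51.100.4 - - [10/Mar/2025:08:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521',
    '198.51.100.4 - - [10/Mar/2025:08:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Mar/2025:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521',
]

if __name__ == "__main__":
    for ip, spans in lockouts(SAMPLE).items():
        print(ip, [(s.isoformat(), e.isoformat()) for s, e in spans])
```

If POSTs to wp-login.php keep appearing in the log after the login path has been changed, they are requests to the old default URL, which is a quick way to confirm how much automated traffic the change is deflecting.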
How do I unlock a site after too many login attempts?
- If you get locked out of your site due to five failed login attempts, you can reset the lockout using your My Elementor dashboard. For details, see Unlocking site after failed login attempts.
How do I limit traffic by country using geoblocking?
Geoblocking prevents traffic from specific regions from ever reaching your login page or backend.
- To restrict access to your site, see Block certain visitors from accessing your site.
What are the security best practices for administrators?
Maintaining a secure site is a continuous process involving proactive credential and software management.
- Unique Usernames: Never use “admin” as a username, as it is the primary target for scripts.
- Complexity Requirements: Use high-entropy passwords containing symbols, numbers, and mixed-case letters.
- Regular Maintenance: Update the WordPress core, Elementor plugins, and active themes weekly to patch vulnerabilities.