5 Steps To Secure WordPress Website In Under 10 Minutes Free (That Most Owners Skip)

WordPress powers 43% of all websites on the internet. That is not a small number. It means roughly 810 million websites are running on the same platform, using the same default login URL, /wp-login.php, and bots know it.
Every day, thousands of brute-force attacks are fired at WordPress sites. Most site owners don’t find out until the damage is done: a defaced website, leaked data, or a Google Ads account banned for a compromised site, something we see more often than you’d think.

We have built and maintained hundreds of WordPress websites over 10+ years at Code and Core, and website maintenance is something we take seriously on every single one. We’ve seen what happens when security is an afterthought. So when we kept solving the same login security problems for our clients over and over, we decided to build a proper solution. That became our free plugin: Admin Login Guard & Branding.
The Problem Nobody Talks About Until It’s Too Late
Think about this. You spend months building a great WordPress website. Nice design, solid content, good SEO. Then one morning you wake up to a Google Search Console email: your site has been flagged for malware. Or worse, a client calls because their customers are seeing a phishing page. If that has already happened to you, we wrote exactly how to fix it.
How did it happen? Almost always, the entry point is the login page.
| ⚠ Real scenario
A bot finds your site at yoursite.com/wp-login.php. It tries 500 username/password combinations in 30 seconds. No limit. No lockout. Eventually it gets in. Game over. |
The default WordPress setup does not limit how many times someone can attempt to log in. There is no built-in lockout system. And /wp-login.php is the same URL for every WordPress site on the planet, which makes it trivially easy for bots to target.

Nearly 40% of WordPress hacks come from brute-force login attacks. And most of them are 100% preventable with the right setup.
What Good WordPress Login Security Actually Looks Like
Security is not just about putting a lock on the door. It is about making sure the door is in a place nobody can easily find, limiting how many times someone can knock, and knowing exactly who tried to come in when they failed.
The three things every WordPress site needs:

Most free plugins do one or two of these things. You end up installing three or four different plugins that sometimes conflict with each other.
We built Admin Login Guard & Branding to do all of this in one place.
Introducing Admin Login Guard & Branding
This is a free WordPress plugin, built by the Code and Core team and published on the official WordPress.org plugin directory.
“We built this because we were tired of explaining to clients why their site got hacked through the login page. Every fix we applied became a feature in this plugin.” ~ Code and Core
How to Set It Up (Takes Less Than 10 Minutes)
Step 1: Install the Plugin

Go to Plugins → Add New in your WordPress dashboard.
Search for “Admin Login Guard & Branding”; it is the plugin by Code and Core.
Hit Install and then Activate.
That is it. The plugin is ready to configure.
Step 2: Set Your Custom Login URL
The first thing you do after installing Admin Login Guard is head to the General Settings tab. You will see a simple toggle labeled “Enable Custom Login URL”. Switch it on.

Now type anything you want in the Custom Login URL Slug field. Something like “secure-access” or “my-portal” works, or anything else that is not the default. The moment you hit Save Changes, your new login URL is live, and the old wp-login.php is deactivated.
One more thing: the Redirect on Failure dropdown lets you choose what happens when someone tries the old URL. Send them to a 404 page. They will never even know a login page exists.
Step 3: Brand Your Login Page
When a client logs into their WordPress site and sees the default WordPress logo on a plain grey background, it feels unfinished. The Styles tab fixes that completely.

Everything you see here is yours to control. Upload your own logo, set the exact dimensions, and link it to your website. Choose a background image, video, or solid color. Then scroll down to the color controls form: background, form border, labels, buttons, hover states. Every single element of the login page has its own color picker.
For agencies, this is a five-minute task that makes a lasting impression on every single client login. They see their brand, not WordPress.
Step 4: Configure Your Login Attempt Limits
By default, WordPress lets anyone try to log in as many times as they want. No limit. No lockout. A bot can hammer your login page with thousands of password combinations, and WordPress will just keep answering.
Head to the Login Attempts tab; this is where you shut that door.

You will see three simple fields. Set Max Login Attempts to 3; that is how many chances anyone gets before they are locked out. Set Lockout Duration to 30 minutes. Now a bot that fails 3 times has to wait half an hour before trying again. At that rate, cracking a strong password would take decades.
The IP Whitelist field at the bottom is equally important; add your own IP address here so you never accidentally lock yourself out.
| Think about it: A bot trying 3 attempts every 30 minutes can make roughly 6 guesses per hour. There are over 100 billion possible password combinations. They are not getting in. |
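The lockout policy from Step 4, modelled as an added example (this is not the plugin's code). It assumes lockouts are tracked per IP address and that the failure counter resets when a lockout starts; the class and function names are made up for illustration.

```python
class LoginLimiter:
    """Toy model of the Step 4 policy. Assumption: lockouts are tracked per IP."""

    def __init__(self, max_attempts=3, lockout_seconds=30 * 60, allowlist=()):
        self.max_attempts = max_attempts        # "Max Login Attempts"
        self.lockout_seconds = lockout_seconds  # "Lockout Duration" (30 minutes)
        self.allowlist = set(allowlist)         # "IP Whitelist"
        self.failures = {}                      # ip -> failures since last lockout
        self.locked_until = {}                  # ip -> time the lockout ends

    def is_locked(self, ip, now):
        return ip not in self.allowlist and now < self.locked_until.get(ip, 0)

    def record_failure(self, ip, now):
        """Handle one failed login at time `now` (seconds).
        Returns True if the password was checked, False if the IP was locked out."""
        if ip in self.allowlist:
            return True      # allowlisted addresses are never counted or locked
        if self.is_locked(ip, now):
            return False     # rejected before any password comparison
        count = self.failures.get(ip, 0) + 1
        if count >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout_seconds
            count = 0        # fresh budget once the lockout expires
        self.failures[ip] = count
        return True


def guesses_checked(limiter, ip, attempts, interval):
    """How many of `attempts` failed logins, sent `interval` seconds apart,
    actually reach the password check."""
    return sum(limiter.record_failure(ip, i * interval) for i in range(attempts))


if __name__ == "__main__":
    bot = "203.0.113.7"  # constructed address from a documentation range
    # The scenario from the article: 500 guesses in 30 seconds.
    print(guesses_checked(LoginLimiter(), bot, 500, 0.06))             # 3
    # The same bot retrying once a second for 24 hours.
    print(guesses_checked(LoginLimiter(), bot, 24 * 3600, 1))          # 144
    # An allowlisted admin address is never locked out.
    print(guesses_checked(LoginLimiter(allowlist=[bot]), bot, 10, 1))  # 10
```

The 24-hour run lands on 144 checked guesses, which is the 6 per hour quoted above.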
Step 5: Review Your Login History
The Login History tab gives you a full audit log of every single failed login attempt on your site. Not just a number; actual data you can act on.

Every failed attempt is recorded in a clean table with five columns: the entry ID, the exact IP address the attack came from, the username they tried, the precise time it happened, and the browser or user agent they used. You can search through the logs, control how many entries show per page, and most importantly, hit Download CSV to export everything.
That CSV export is what makes this feature genuinely powerful. You can drop it into a spreadsheet, hand it to a security professional, or use it as documented proof of access attempts for compliance purposes. This is the kind of feature that normally only shows up in expensive paid security plugins.
If you run a WooCommerce store, a healthcare site, or any client site with sensitive data, this log is not optional. It is your paper trail. It tells you who tried to get in, when, and from where.
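One way to triage the exported CSV, as an added example (not part of the plugin). The column names, the time format and the sample rows are assumptions constructed for illustration; match them to the header row of your own export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export. Column names and time format are assumptions.
SAMPLE_CSV = """ID,IP Address,Username,Time,User Agent
1,203.0.113.7,admin,2025-01-10 03:14:01,python-requests/2.31
2,203.0.113.7,administrator,2025-01-10 03:14:02,python-requests/2.31
3,203.0.113.7,editor,2025-01-10 03:14:03,python-requests/2.31
4,198.51.100.23,jane,2025-01-10 09:02:44,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)"
5,203.0.113.7,admin,2025-01-10 03:44:05,python-requests/2.31
6,203.0.113.7,test,2025-01-10 03:44:06,python-requests/2.31
7,203.0.113.7,root,2025-01-10 03:44:07,python-requests/2.31
"""


def summarize(csv_text, time_format="%Y-%m-%d %H:%M:%S"):
    """Group failed logins by source IP: count, usernames tried, first/last seen."""
    per_ip = defaultdict(lambda: {"count": 0, "usernames": set(), "times": []})
    # csv.DictReader handles quoted user agents that contain commas.
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = per_ip[row["IP Address"].strip()]
        entry["count"] += 1
        entry["usernames"].add(row["Username"].strip().lower())
        entry["times"].append(datetime.strptime(row["Time"].strip(), time_format))
    return {ip: {"count": e["count"], "usernames": sorted(e["usernames"]),
                 "first_seen": min(e["times"]), "last_seen": max(e["times"])}
            for ip, e in per_ip.items()}


def flag_sources(summary, min_attempts=6, min_usernames=3):
    """Return IPs that look automated: they return after a lockout expires
    (more failures than one lockout budget) or cycle through many usernames."""
    return sorted(ip for ip, s in summary.items()
                  if s["count"] >= min_attempts or len(s["usernames"]) >= min_usernames)


if __name__ == "__main__":
    report = summarize(SAMPLE_CSV)
    for ip in flag_sources(report):
        s = report[ip]
        print(ip, s["count"], "failures,", s["first_seen"], "to", s["last_seen"],
              "usernames:", ", ".join(s["usernames"]))
```

A single mistyped password from a real user (the `198.51.100.23` row) stays below both thresholds, so only the repeat source is flagged.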
| ⚠ One important thing
After you set a custom login slug, bookmark the new URL immediately. If you forget it, you will need to access your site via FTP or your hosting panel to reset. The plugin’s FAQ section covers exactly how to recover; it is straightforward, but worth knowing in advance. |
No Hidden Data Collection
We built this plugin for security, and that means we hold it to a high standard ourselves. Here is how the plugin handles your data:
✔ Telemetry/diagnostics are completely opt-in. You will be asked once on activation. You can disable it any time from the Privacy tab in settings.
✔ No personal user data is ever collected without your explicit action.
✔ The deactivation feedback form is optional. Click “Skip & Deactivate,” and nothing is sent.
✔ All data transmitted to external endpoints is encrypted using AES-256-CBC before it leaves your server.
✔ No third-party advertising networks, no data selling, no analytics platforms beyond what is described.
We believe a security plugin should be the most transparent plugin on your site. That is what we built.
Who Should Use This Plugin?

Honestly? Any WordPress site that is not already doing all of this. But here are the use cases where it makes the most impact:
WordPress Agencies
Brand the login page for every client, manage login security across dozens of sites, and deliver a polished handover with your name on it. Admin Login Guard fully supports WordPress Multisite, so you can manage security and branding across every site in your network from a single installation, with no repetitive setup required.
WooCommerce Stores
Customer and financial data is on the line. A compromised admin account can mean stolen orders, leaked card data, or a full site wipe. Here is what to do if your site is under attack.
Healthcare & Legal Sites
Compliance requirements mean you need login logs. The CSV export gives you documentation of every failed access attempt.
Developers & Freelancers
Stop manually setting up three different plugins for every client. One plugin, all the essentials, done in minutes.
Quick Comparison: What You Get vs. Common Alternatives
| Feature | Admin Login Guard | Typical Free Alternatives |
| --- | --- | --- |
| Custom login URL | ✅ Yes | Sometimes (separate plugin) |
| Login attempt limiting | ✅ Yes | Sometimes (separate plugin) |
| Detailed login history with export | ✅ Yes | Rarely in free tier |
| Full visual branding control | ✅ Yes | Rarely in free tier |
| WordPress Multisite support | ✅ Yes | Often paid-only |
| AES-256 encrypted telemetry | ✅ Yes | Rarely specified |
| Number of plugins needed | 1 | 3–4 separate plugins |
| Cost | Free | Free to $15/month |
The Short Version
WordPress is the most popular CMS on the planet. That makes it the biggest target. Your login page, sitting at a predictable URL with no rate limiting, is often the weakest point in an otherwise well-built site.
Admin Login Guard & Branding gives you a custom login URL, brute-force protection, detailed logs with CSV export, and a fully branded login experience in one free plugin, built by the team that has been maintaining WordPress sites professionally since 2015.
It takes less time to install than it took you to read this article.
















