WP Login Security 2

The WP Login Security 2 plugin adds an extra layer of security to your login process.

Plugin Page: http://wordpress.org/extend/plugins/wp-login-security-2/

Why WP Login Security 2 Is Important

WP Login Security 2 intelligently adds another layer of security to the login process.

The plugin keeps track of the IP addresses used by administrators. If an administrator tries to login from an unknown IP address an activation link is emailed to the registered email address of the administrator. Until the activation link is clicked the administration panel is blocked.

Even if someone steals your WordPress user name and password they will be unable to login unless they also have access to your email.

How You Complete This Security Checkpoint

Add and Activate the plugin.

  • The default settings are fine.
    WP Login Security 2 Settings

  • When you login from a new IP address you will see this message.
    login from an unknown ip
  • An email with the activation link will be sent to your email address:

To: [email protected]

Subject: [My Website] WP Login Security Alert


Someone has logged in with the below information from an IP we haven’t seen before.


User: admin

IP: xxx.xxx.xxx.xxx

URL: http://www.mywebsite.com/wp-admin/


To authorize this IP address, please click the following link: http://www.mywebsite.com/wp-login.php?action=registerip&wpls_ipkey=d41d8cd98fasdfas98837498ecf8427e


  •  To whitelist the new IP address click on the link and login again.
    login to validate ip address

  • From now on when you log in from this IP address you will allowed in straight away.


In case you experience difficulties logging in you can always disable this plugin by renaming (or removing) the plugin folder wp-content/plugins/wp-login-security-2.

Further Resources

There are three other two factor authentication plugins you might want to consider.

Note! We have not tested these plugins.

Second factor

Plugin Page: http://wordpress.org/extend/plugins/second-factor/

Second factor adds another layer to the login process making it more secure.

The first factor is your user name and password. This plugin will email a one time code to the users email address. This code has to be entered before the login is complete.

Even if someone gets your user name and password they will be unable to login unless they also have access to your email.

Google Authenticator

Plugin Page: http://wordpress.org/extend/plugins/google-authenticator/

The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry.

You may already have the Google Authenticator app installed on your smartphone, using it for two-factor authentication on your Gmail or Google Apps account.

The two-factor authentication requirement can be enabled on a per-user basis. You could enable it for your administrator account, but log in as usual with less privileged accounts.

Duo Two-Factor Authentication

Plugin Page: http://wordpress.org/extend/plugins/duo-wordpress/

This plugin enables Duo Security’s two-factor authentication for WordPress logins.

Duo provides simple two-factor authentication as a service via:

  • Phone callback

  • SMS-delivered one-time passcodes

  • Duo mobile app to generate one-time passcodes

  • Duo mobile app for smartphone push authentication

  • Duo hardware token to generate one-time passcodes

whiterabbitFollow The White Rabbit

[gn_spoiler title="Click Here" open="0" style="1"]Are you reading this article as a part of the Interactive Version of The WordPress Security Checklist?

Then you can find your next article below.

If not you should take a look at the Table Of Contents.

Next article: AntiVirus
Previous article: Semisecure Login Reimagined[/gn_spoiler]

Questions Or Comments?

Please leave them below. Thanks!

About Anders Vinther

Anders is on a mission to make it easy for you to secure your WordPress.

Let's make it harder for the bad guys!

Want More?

Sign up for our newsletter and we'll let you know when we have got new stuff about WordPress Security for you. See past emails.

Most Popular Articles – All Time

Most Popular Articles – This Week


  1. Michael says:

    When I install this plugin, I get the following alert at the top of my WP panel:
    Warning: session_start() [function.session-start]: Cannot send session cache limiter – headers already sent (output started at /home/michaelf/public_html/wp-admin/includes/template.php:1642)

  2. Despite implementing all of the steps you detail, this morning I had a new admin account (unauthorized) that had been created for my blog. The plugin above did not alert me. I have deleted the new account and changed my passwords, but like that evil 64 thing it will be probably be back.

    • Hi Mike,

      I am sorry to hear that your site was compromised.

      It is important to understand that your sites will never be 100% secure. However if you implement the security measures we recommend you will be in a good position to detect the compromise quickly and restore your site.

      If you are using Sucuri I strongly recommend that you let them clean up the site for you. They are very skilled in this, and if they clean up your site you are pretty sure everything has been cleaned. Also they might be able to pinpoint how the compromise happened.

      If you are not currently using Sucuri and your site has been compromised we strongly recommend that you sign up with them and have them clean your site. The price for a one year subscription is easily saved in time when they take care of the clean up for you. And they will most likely do a better job too.

      You can find our article on Sucuri here.

      In WordFence you can enable the option “Alert me when someone with administrator access signs in” which will send you an email if something like this happens again.

  3. The link at the beginning of the post takes to WP Login Security page and not to WP Login Security 2

  4. WP Login Security 2 will not work on my thesis theme wordpress blog – can you offer an equal alternative for securing out log in?

    • What happens when you use the plugin?

      • creekmore says:

        Sorry, that I did not see this sooner…

        The plugin had to be removed (I tried it 3 different time) before I could log in, it would send the email, I would click on the link then try to log in but it would only repeat the process as if my IP had changed since the email (it had not), and repeat. I had to go delete the plugin on my server before I could login.

        This would be a great plugin if it worked correctly.

Speak Your Mind

   Login Using:


To create code blocks or other preformatted text, indent by four spaces:

    This will be displayed in a monospaced font. The first four 
    spaces will be stripped off, but all other whitespace
    will be preserved.
    Markdown is turned off in code blocks:
     [This is not a link](http://example.com)

To create not a block, but an inline code span, use backticks:

Here is some inline `code`.

For more help see http://daringfireball.net/projects/markdown/syntax