By default, the WordPress administration lets you log in with a username and a password. As the login name, you can enter either the administrator's username or the account's email address. From a security perspective, can the email address pose a risk? It can. The overwhelming majority of website owners list their email address among the contacts directly on the website, and in the overwhelming majority of cases that same address also serves as the WordPress login. This gives a potential attacker one of the two access credentials, so only the password remains to be guessed. Fortunately, it is possible to disable the use of the email address to log in to the system. In this guide, I would like to show you the simplest way to disable logging in to WordPress using an email address, using a short snippet and the WP Code plugin.
Installing the WP Code Plugin
To insert code into your website, you can choose between two options. You either insert the code directly into the file where it belongs, or you use a plugin that inserts the code into the website at runtime. The second option is better for one simple reason: it is safer, and your code won't be erased by an update that overwrites the file containing it.
Follow these steps to install the WP Code plugin:
- Click on “Plugins” in the left menu
- In the submenu, select “Add New”
- In the upper right corner, notice the search field
- Type in the keyword WP Code
- Once WordPress finds the plugin, install and activate it.
If you are interested in a complete article where I describe working with this plugin, take a look here: How to Insert Custom Codes into WordPress.
How to Disable WordPress Login via Email Address
You already have the WP Code plugin installed, which added the “Code Snippets” item to your left menu. Click on it and choose “+ Add Snippet” from the menu. On the next screen, click on “Add Your Custom Code (New Snippet)“. First, enter a custom name for your snippet and then select the code language. The snippet is written in PHP.
Insert the following piece of PHP code into the code editor:
remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );
Once you do that, save the snippet and don’t forget to activate it as well.
Securing WordPress Login Conclusion
The snippet is active and you can now test it by logging out of the system and trying to log in again using an email address and password. As long as the snippet is active, WordPress will not allow you to log in using an email address and will always enforce the use of the administrator’s username. The administrator’s username can be anything you choose during WordPress installation. Therefore, if you did not choose the common username “admin,” a potential attacker still needs to guess both the password and the login to successfully access the system.
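Besides the manual login test, the site can report on its own whether the email handler is still attached. The following is an added example, not part of the original article or of the WP Code plugin: it applies the same `remove_filter()` call and registers a Site Health check (Tools > Site Health) that uses `has_filter()` to confirm the result. The `example_` function names and the test key are hypothetical, and it assumes the snippet is set to run in the admin area as well.

```php
// Paste as a PHP snippet body (no opening PHP tag), like the one-line snippet above.

// The article's snippet. The priority (20) must match the priority core used
// when it registered the callback, otherwise nothing is removed.
remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );

// Register a "direct" Site Health test so the state is visible to administrators.
add_filter( 'site_status_tests', 'example_register_email_login_test' );

function example_register_email_login_test( $tests ) {
    $tests['direct']['example_email_login'] = array(
        'label' => 'Login by email address',
        'test'  => 'example_email_login_test',
    );
    return $tests;
}

function example_email_login_test() {
    // has_filter() with a callback returns its priority (int) while it is
    // still hooked, or false once it has been removed.
    $priority = has_filter( 'authenticate', 'wp_authenticate_email_password' );
    $disabled = ( false === $priority );

    if ( $disabled ) {
        $label  = 'Login by email address is disabled';
        $detail = 'Only the username is accepted on the login form.';
    } else {
        $label  = 'Login by email address is still enabled';
        $detail = sprintf(
            'wp_authenticate_email_password is still hooked at priority %d. '
            . 'Check that the snippet is active and runs everywhere.',
            (int) $priority
        );
    }

    return array(
        'label'       => $label,
        'status'      => $disabled ? 'good' : 'recommended',
        'badge'       => array( 'label' => 'Security', 'color' => 'blue' ),
        'description' => '<p>' . esc_html( $detail ) . '</p>',
        'actions'     => '',
        'test'        => 'example_email_login',
    );
}
```

If the snippet is later deactivated or a plugin re-adds the handler, the check changes from "good" to "recommended" on the Site Health screen.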