Login Security

Login Security

Login Security is a core feature of SentinelSecurity, providing a multi-layered defense system to prevent unauthorized access to your WordPress admin panel.

Why Login Security Matters

WordPress powers approximately 43% of all websites, making the login page (/wp-login.php) one of the most common attack targets. Typical threats include:

• Brute Force Attacks: Bots trying thousands of password combinations
• Dictionary Attacks: Automated attempts using lists of commonly used passwords
• Credential Stuffing: Reusing leaked credentials from other breached services
• Account Enumeration: Identifying valid usernames to optimize further attacks

SentinelSecurity's Login Security addresses these threats with 5 defense layers.

Multi-Layered Defense Overview

Each defense layer operates independently. Combining multiple layers significantly increases your security posture.

Layer	Feature	Role
Layer 1	IP Restriction	Only allow login page access from permitted IPs
Layer 2	Custom Login URL	Hide the login page by changing its URL
Layer 3	Basic Authentication	Block access with HTTP authentication even if the URL is known
Layer 4	reCAPTCHA	Distinguish bots from humans automatically
Layer 5	Email Verification (OTP)	Two-step verification with password + one-time code

Configuration

1. Go to SentinelSecurity → Login Security in your WordPress admin dashboard
2. Toggle each feature on or off using the switch
3. Configure the parameters
4. Click Save

For detailed configuration instructions, refer to the following documentation:

• IP Restriction — Setting up allowed IPs and CIDR notation
• Custom Login URL — How to change and hide the login page URL
• Basic Authentication — Protect the login page with HTTP authentication
• reCAPTCHA Integration — Setting up Google reCAPTCHA v2/v3
• Email Verification (OTP) — Configuring and managing one-time passwords

Safety When Plugin Is Deactivated

SentinelSecurity automatically transitions to safe mode when the plugin is deactivated:

• Custom login URL is disabled and the default /wp-login.php becomes accessible
• IP restrictions are lifted
• All settings are backed up and automatically restored when the plugin is reactivated

This means that even if you forget your custom login URL, you can deactivate the plugin via FTP or your hosting file manager and access the default login page.

Login History

All login attempts are recorded in detail:

• Username, IP address (IPv6 supported), User-Agent
• Success/failure status
• Timestamp

Login history helps detect suspicious access patterns such as:

• Multiple failed login attempts in a short period
• Simultaneous logins from different IP addresses
• Login attempts with non-existent usernames

Email Notifications

You can receive email notifications for the following login-related events:

Notification Type	Description	Default
Login Alert	Notifies when an admin successfully logs in	Enabled
Brute Force Alert	Notifies when a lockout occurs	Enabled

Receiving these notifications allows you to detect unauthorized access attempts early and take additional measures as needed.