The WordPress dashboard is where everything happens — writing pages, publishing posts, installing plugins, changing themes, managing users, configuring settings. Before you can touch any of that, you need to be logged in. For most UK WordPress sites there are three practical paths: the classic wp-login.php form, Single Sign-On from the Plesk WordPress Toolkit, and password recovery if everything else fails. This guide walks through each route, flags the common issues that trap people (browsers in loops, Imunify360 blocking an IP, forgotten credentials) and explains how to keep your login secure without making daily access painful.
What the dashboard is and why login matters · Method 1 — Direct login via wp-admin · Method 2 — Plesk WordPress Toolkit SSO · Remembering your login · Forgotten password recovery · Securing the login page · Common login issues and fixes · Two-factor authentication for admin users · Frequently asked questions
The WordPress dashboard (also called the admin area) is the password-protected interface at /wp-admin/. Everything visitors cannot do — editing pages, moderating comments, adding users, updating plugins, changing settings — happens behind the login wall.
Because the dashboard can modify every part of the site, the login page is the single most attacked surface on any WordPress installation worldwide. Automated scripts probe /wp-login.php across millions of sites every day looking for weak passwords, default usernames and outdated security plugins. Strong credentials, sensible rate limiting and — for any serious site — two-factor authentication matter more on WordPress than on almost any other platform.
The classic method. Every WordPress installation exposes a login form at one of two URLs:
yourdomain.co.uk/wp-adminyourdomain.co.uk/wp-login.phpBoth lead to the same screen. Typing /wp-admin while not signed in automatically redirects to /wp-login.php.
You land on the WordPress dashboard home screen — the "at a glance" page with recent activity, draft posts and the welcome tour. The left sidebar is your navigation: Posts, Pages, Media, Comments, Appearance, Plugins, Users, Tools, Settings and any menu items added by installed plugins.
Save the login URL in your browser's bookmarks bar. One click takes you there from any tab. If you use multiple sites, group them in a folder labelled "WordPress admin".
The ones you set during WordPress installation — or the auto-generated ones the Plesk WordPress Toolkit displayed if you used Quick Install. If you have forgotten, see the forgotten password recovery section below.
Every smartxhosting.uk plan includes Single Sign-On from the Plesk WordPress Toolkit — a one-click login that skips /wp-login.php entirely.
Plesk generates a signed single-use authentication token and passes it to WordPress via a small mu-plugin the Toolkit installs automatically. WordPress accepts the token as proof of identity and creates a logged-in session, without ever checking a password.
Inside the WordPress Toolkit site card, open Setup (or the gear/wrench icon). There is an Administrator section where you can type a new password and save. This overrides the existing WordPress password immediately — no reset email, no intermediate step.
Typing a password several times a day becomes tedious. Sensible options:
On the standard login form there is a Remember Me checkbox. Tick it before clicking Log In and WordPress keeps you signed in for 14 days (vs the 2-day default). The session persists across browser restarts.
Chrome, Firefox, Edge and Safari all offer to save the username/password after your first successful login. Accept and your credentials are auto-filled next time. Browser password managers sync across your devices through your Google/Microsoft/Apple account, so the same login works on phone, tablet and laptop.
1Password, Bitwarden, KeePass, Dashlane, LastPass — any of these gives you a single vault for WordPress plus every other credential. For UK businesses running multiple sites, a password manager is close to essential — you end up with 10–30 WordPress accounts across clients and projects, none of which should share passwords.
Shared computers, public computers (libraries, internet cafes, airport lounges), computers you do not fully trust. On a shared device, anyone who opens your browser gets into your dashboard. Use a private browser window instead and log out explicitly when done.
It happens. Two ways to recover.
yourdomain.co.uk/wp-login.php and click Lost your password?The path of last resort — works even if the reset email never arrives or you have lost access to the admin mailbox.
Password is changed instantly. Log in via SSO or through the normal login page using the new password.
For the technically comfortable, the Plesk WordPress Toolkit exposes WP-CLI per site. Run:
wp user update 1 --user_pass='NewStrongPassword123!'
Sets the password for user ID 1 (typically the site owner) directly. Useful for scripted recovery in an agency setting.
[email protected] by default. Check spam filters.Option B (Plesk SSO) avoids all of these — it does not rely on email delivery at all.
Because the login form is the front door, it attracts the most attention from automated attackers. Six things that meaningfully improve login security.
Minimum 12 characters, mix of upper and lower case, numbers, symbols. A passphrase (four or five unrelated words with minor tweaks) is easier to remember than a random string and equally hard to guess. Reuse nothing — every WordPress site gets its own password.
The default admin (or administrator) is the first username every brute-force bot tries. If your current username is admin, create a new admin user with a different name, log in as that user, and delete the original (reassigning content). The Plesk WordPress Toolkit's security scanner flags this and can rename the account for you.
A plugin like Two Factor, WP 2FA or Wordfence adds a second verification step after the password — typically a 6-digit code from Google Authenticator, Microsoft Authenticator, Aegis or a hardware security key. Even if someone guesses the password, they cannot log in without the second factor. See the dedicated 2FA section below.
Either through a plugin (Limit Login Attempts Reloaded, Wordfence) or through Imunify360 at the server level (already active on smartxhosting.uk). After N failed attempts, the attacker's IP is temporarily blocked. This dramatically slows brute-force bots.
Plugins like WPS Hide Login move /wp-login.php to a custom URL of your choice (/ninja-login/, /office-door/). Bots scanning for /wp-login.php hit a 404 and move on. Not a substitute for strong passwords and 2FA but a useful extra layer.
Security vulnerabilities in old versions are public knowledge. Enable auto-updates for minor versions through the Plesk WordPress Toolkit, review major updates weekly.
Check Caps Lock, trailing spaces and that you are typing the admin email, not a personal one. If you are certain the credentials are correct but they still fail, the account may have been compromised and the password changed — reset through Plesk WordPress Toolkit.
Imunify360 on smartxhosting.uk temporarily blocks an IP after repeated failed logins. The block lasts 15–30 minutes. If you need immediate access, use Plesk SSO (it does not hit /wp-login.php) or log in from a different network (mobile tether, different Wi-Fi).
Symptom: the login form submits, the page flashes, you are back at the login screen. Causes are usually:
Fix: clear cookies, retry, or use Plesk SSO to get in and fix the underlying configuration.
A blank page usually indicates a fatal PHP error — most often caused by a recently activated plugin or a broken theme. Use Plesk SSO to bypass the broken login page, then deactivate the problematic plugin or revert the theme change.
The database server is unreachable or credentials in wp-config.php are wrong. On shared hosting this is usually a transient issue — wait a minute and retry. If it persists, check the MySQL service status in Plesk (Tools & Settings > Services Management) and the database credentials.
For any site that processes money, personal data or customer accounts, 2FA should be considered mandatory for admin users. The NCSC, ICO and Cyber Essentials all list 2FA as a basic control.
Where is the WordPress login page?
At yourdomain.co.uk/wp-admin or yourdomain.co.uk/wp-login.php by default. If you have installed a rename-login plugin like WPS Hide Login, it will be at whatever custom URL you chose.
I have forgotten my password and my reset email is not arriving — what now?
Use the Plesk WordPress Toolkit to set a new password directly through the Setup panel on the site's card. No email required.
Is it safe to tick "Remember Me"?
On your own trusted device, yes — it just extends the cookie lifetime. On a shared or public computer, no — use a private browser window instead.
What should I do if I think my account has been compromised?
Change the password immediately through Plesk WordPress Toolkit. Check Users for any unfamiliar accounts and delete them. Review recent posts, pages and plugin installs. Run the Imunify360 malware scan in Plesk. Consider restoring from yesterday's backup if there is any doubt.
Can I log in to WordPress from my phone?
Yes. The dashboard is mobile-responsive. Alternatively, the official WordPress mobile app (iOS, Android) supports account connections via application passwords for on-the-go editing.
How many failed login attempts trigger an IP block?
Imunify360 defaults to 10 failures in 15 minutes. After that the offending IP is blocked for 30 minutes. The threshold is configurable on dedicated plans but not on shared hosting.
Can I use the same 2FA code for multiple WordPress sites?
No. Each WordPress site is a separate 2FA entry in your authenticator app. Scan the unique QR code for each site into the app.
What is the difference between a WordPress admin and a Plesk admin?
Two different accounts for two different systems. Plesk admin is for the hosting control panel — domains, email, files, WordPress installations. WordPress admin is for the WordPress dashboard on one specific site — pages, posts, plugins, themes, users. SSO lets a Plesk admin log in to any WordPress on their hosting without knowing the WordPress password.
Should I disable the standard login page if I only use SSO?
No — it still needs to work for editors, authors and other non-Plesk users. Instead, rename the URL with WPS Hide Login and enforce strong passwords plus 2FA so the form itself is hard to attack.
Does smartxhosting.uk support help with login problems?
Yes. Open a support ticket from the client area. For most login issues (password reset, IP unblock, email delivery problems) support can resolve within a few hours during UK business hours.
Launch your WordPress site on smartxhosting.uk
UK hosting with the Plesk WordPress Toolkit, LiteSpeed Cache, Redis object caching, free Let’s Encrypt SSL, free CDN and daily backups — from £2/month.
View WordPress hosting plans →