
Ways to Conceal Your WordPress Login Page from Hackers

One crucial way to safeguard your website from hacking attempts and brute force attacks is by concealing the WordPress login page. This effectively thwarts such attacks.

Managing a WordPress site can sometimes feel like a constant battle, because a standard installation is a magnet for automated attacks. Brute force attacks, in particular, are so prevalent that a page in the Codex is dedicated to this issue.


While various strategies exist to address this, implementing a multi-layered system is optimal. This article focuses on a simple yet effective strategy: concealing the WordPress login page.

Let’s consider one of my WordPress websites that has been active for several years. It’s a standard WordPress installation utilizing typical plugins. Accessing the login page requires navigating to /wp-admin or /wp-login.php.

Despite experiencing moderate traffic of around 5,000 pageviews monthly, this website’s login page is frequently targeted by malicious login attempts. I have Jetpack’s Protect module installed, which diligently records blocked malicious login endeavors. Since its implementation in March of the previous year, it has thwarted over 11,600 such attempts.

Frequency of Login Attempts

These numbers translate to a staggering average of nearly 800 malicious login attempts per month, approximately 25 per day, or one attempt every 58 minutes.

However, these attempts are not evenly distributed. While some weeks pass without a single incident, others experience hundreds, sometimes even a couple of thousand, attempts within a short span. This clearly indicates periodic brute force attacks targeting the WordPress dashboard.

If your WordPress websites are set up using standard installations, you’re likely encountering similar situations, whether you’re aware of them or not.

The Importance of Concealing Your Site Login Page


Before proceeding, it’s crucial to acknowledge that if your website allows user logins, malicious login attempts are inevitable. This particular strategy is unsuitable in such cases, because your login page needs to stay easy to find for legitimate users. Instead, focus on alternative protective measures against malicious logins.

However, if your site is not membership-based and logins are restricted to a small number of administrators, authors, editors, and contributors (a dozen or fewer), concealing your login page effectively reduces malicious login attempts. Bots cannot target what they cannot find.

Additional Considerations

It’s important to note that relying solely on security through obscurity is not recommended. Implement other security measures such as limiting login attempts, employing captcha or ReCaptcha verification, enforcing strong passwords and unique usernames, and installing and properly configuring a good security plugin.

Obscurity, however, serves as a valid security layer within a comprehensive security strategy. Making your login page difficult to find is one way to reduce the number of malicious login attempts targeting your site.

So, let’s dive into the steps.

Concealing Your WordPress Login Page From Hackers

Step 1: Install WordPress in its Dedicated Directory

We’ve previously discussed When and How to Install WordPress in a Subdirectory. It’s a straightforward process that can be applied to both new and existing WordPress websites.

As always, before migrating an existing WordPress installation, prioritize creating a complete backup of your site and storing it in a secure location to prevent accidental deletion or modification.

While many examples and tutorials opt for predictable subdirectory names like http://example.com/wordpress or http://example.com/wp, I advise against it. Instead, choose a unique and memorable name like http://example.com/dwiiw. While seemingly random, it serves as an acronym for “the directory where I installed WordPress.”

Ultimately, the directory name is your choice. Prioritize uniqueness, memorability, and difficulty for others to guess.

Step 2: Mask the Login Page URL and Redirect wp-login.php

As you know, WordPress defaults to loading the login page when accessing wp-login.php. Requesting wp-admin while logged out redirects you to wp-login.php.

Installing WordPress in a subdirectory adds a layer of obscurity by placing a directory between your domain name and wp-login.php. However, without further measures, your login page remains relatively easy to find.

Unless configured otherwise, even with WordPress in a subdirectory, accessing http://example.com/wp-login.php redirects to the actual login page, such as http://example.com/dwiiw/wp-login.php.

Therefore, your login page isn’t truly hidden yet.

The next step involves restricting access to wp-login.php by having it return a 404 page (or any page other than the login form) and serving the login form at a custom URL that is difficult to guess.

Again, opt for a unique and memorable option. You can use the acronym approach as before or any other method, but the result should look something like:

http://example.com/dwiiw/gli

Here, gli represents “getting logged in,” fulfilling the criteria of being both memorable and hard to guess.
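As an added illustration (not code from this article or from any plugin), the following must-use plugin does both halves of this step: it returns a 404 for direct hits on wp-login.php and for logged-out visits to wp-admin (so neither can leak the slug through a redirect), and it serves the real login form at the custom slug, rewriting the URLs WordPress generates so the form action, logout and lost-password links keep working. It assumes the slug gli from above, a site whose unknown paths are already routed to WordPress (as the subdirectory install in Step 1 does), and the file placed in wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: Custom login slug (added illustration, not WPS Hide Login's code)
 * Place in wp-content/mu-plugins/. Assumes the web server already routes
 * unknown paths such as /dwiiw/gli to WordPress's index.php.
 */
defined('ABSPATH') || exit;

const CLS_SLUG = 'gli'; // the article's example slug; choose your own

/** Swap wp-login.php for the slug in every URL WordPress builds. */
function cls_rewrite_login_url($url) {
    return is_string($url) ? str_replace('wp-login.php', CLS_SLUG, $url) : $url;
}
foreach (['site_url', 'network_site_url', 'login_url', 'logout_url',
          'lostpassword_url', 'wp_redirect'] as $hook) {
    add_filter($hook, 'cls_rewrite_login_url', 10, 1);
}

add_action('wp_loaded', function () {
    // Request path without query string or trailing slash, e.g. /dwiiw/gli
    $path      = untrailingslashit((string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH));
    // Path of the WordPress install itself, e.g. /dwiiw (empty for a root install)
    $site_path = untrailingslashit((string) parse_url(site_url(), PHP_URL_PATH));

    $in_admin  = strpos($path, $site_path . '/wp-admin') === 0;
    // admin-ajax.php / admin-post.php are legitimately used by logged-out visitors
    $is_ajax   = in_array(basename($path), ['admin-ajax.php', 'admin-post.php'], true);

    if ($path === $site_path . '/' . CLS_SLUG) {
        // Serve the real login form (including POSTs from it) under the slug.
        global $pagenow, $error, $interim_login, $action, $user_login;
        $pagenow = 'wp-login.php';
        require_once ABSPATH . 'wp-login.php';
        exit;
    }

    if ($path === $site_path . '/wp-login.php'
        || ($in_admin && !$is_ajax && !is_user_logged_in())) {
        // A plain 404: no redirect, so the slug is never disclosed.
        status_header(404);
        nocache_headers();
        wp_die('Not found', 'Not found', ['response' => 404]);
    }
});
```

Keep the slug only in this file (or in a constant in wp-config.php); a slug that appears in a theme, a public page or an error message is no longer hidden.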

WPS Hide Login


True to its tagline, “Change wp-login.php to anything you want”, this plugin simplifies the use of a custom login URL. Once installed and activated, it replaces the standard /wp-admin and /wp-login.php with your chosen custom URL, rendering them inaccessible.

With over 50,000 active installations and an impressive 4.7 out of 5-star rating, WPS Hide Login is a reliable choice for a lightweight plugin to create a custom login URL and conceal your WordPress login page.

Furthermore, this plugin boasts seamless compatibility with all nexus-security WordPress themes.

Licensed under CC BY-NC-SA 4.0