How To Hide WordPress Login Page From Hackers
One important way to protect your site from hacker attacks and brute force is to hide the WordPress login page, which breaks these attacks before they get started.
There are many strategies for dealing with this problem, and deploying several of them together is best. In this article, I’ll explain how I implement one of the most straightforward: hiding the WordPress login page.
I have one particular WordPress site that has been up for a few years. It is a standard WordPress installation running a typical slew of plugins. To get to the login page, you go to /wp-admin or /wp-login.php.
This site doesn’t see a ton of traffic. In a typical month, it generates about 5,000 pageviews. However, the site’s login page sees malicious login attempts on a startlingly regular basis. I have Jetpack’s Protect module activated on this site, and it tracks the number of blocked malicious login attempts. Since the module was added in March last year, more than 11,600 malicious login attempts have been blocked.
If you do the math, that works out to nearly 800 malicious login attempts per month: about 25 per day, or one malicious login attempt every 58 minutes.
However, I can tell you that the login attempts don’t arrive at a steady pace of one per hour. Weeks can go by without a single malicious login attempt. Then a few hundred, or even up to a couple of thousand, attempts arrive in a short time. Clearly, this site periodically comes under a brute force attack attempting to log into the WordPress dashboard.
If you run WordPress websites set up as standard installations, you’re probably experiencing the same thing, whether you have noticed it or not.
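The monthly average above hides the pattern that matters: the attempts come in bursts. The following added example (my own code, not the article's or Jetpack's) pulls POST requests to wp-login.php out of an Apache combined-format access log and counts them per client address in fixed 10-minute windows, so a burst stands out where an average does not. The log lines are constructed, the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges, and the threshold of five attempts per window is an arbitrary starting point to tune against your own traffic.

```php
<?php
// Added example: surface the bursts of login attempts the article describes by
// bucketing POSTs to wp-login.php from an Apache-style access log into fixed
// windows per client address. The log lines below are constructed, not real.

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [10/Mar/2020:03:14:01 +0000] "POST /dwiiw/wp-login.php HTTP/1.1" 200 2344 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:03:14:02 +0000] "POST /dwiiw/wp-login.php HTTP/1.1" 200 2344 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:03:14:02 +0000] "POST /dwiiw/wp-login.php HTTP/1.1" 200 2344 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:03:14:03 +0000] "POST /dwiiw/wp-login.php HTTP/1.1" 200 2344 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:03:14:05 +0000] "POST /dwiiw/wp-login.php HTTP/1.1" 200 2344 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2020:03:15:40 +0000] "GET /dwiiw/wp-login.php HTTP/1.1" 200 2344 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2020:03:15:52 +0000] "POST /dwiiw/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2020:09:02:11 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2020:22:41:09 +0000] "POST /dwiiw/wp-login.php HTTP/1.1" 200 2344 "-" "Mozilla/5.0"
LOG;

/** Parse one combined-format line into the fields we need, or null if it does not match. */
function parse_access_line($line) {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $ts->getTimestamp(),
        'method' => $m[3],
        'path'   => parse_url($m[4], PHP_URL_PATH),
        'status' => (int) $m[5],
    ];
}

/** Count POSTs to wp-login.php per client address inside fixed-size windows (seconds). */
function login_attempt_windows($log, $window = 600) {
    $buckets = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $e = parse_access_line($line);
        // Only form submissions count as attempts; a GET merely renders the form.
        if ($e === null || $e['method'] !== 'POST' || basename((string) $e['path']) !== 'wp-login.php') {
            continue;
        }
        $start = intdiv($e['time'], $window) * $window;
        $buckets[$start][$e['ip']] = ($buckets[$start][$e['ip']] ?? 0) + 1;
    }
    ksort($buckets);
    return $buckets;
}

/** Report every (window, address) pair at or above the threshold. */
function login_bursts($log, $threshold = 5, $window = 600) {
    $hits = [];
    foreach (login_attempt_windows($log, $window) as $start => $byIp) {
        foreach ($byIp as $ip => $n) {
            if ($n >= $threshold) {
                $hits[] = ['window_start' => gmdate('Y-m-d H:i', $start), 'ip' => $ip, 'attempts' => $n];
            }
        }
    }
    return $hits;
}

foreach (login_bursts(SAMPLE_LOG) as $hit) {
    printf("%s UTC  %-15s %d attempts in 10 minutes\n", $hit['window_start'], $hit['ip'], $hit['attempts']);
}
```

Replace SAMPLE_LOG with `file_get_contents('/var/log/apache2/access.log')` to run it against a real log; if your site sits behind a proxy or CDN, substitute the forwarded client address for the first field, or every burst will appear to come from the proxy.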
Why You Should Hide Your Site Login Page
One disclaimer I should get out of the way before getting started. If your site lets the public log in, malicious login attempts are unavoidable, and this strategy won’t work for you: your login page has to be easy to find so your users can find it. Instead, you need to do other things to protect against malicious login attempts.
If your site is not a membership site, however, logins are limited to a dozen or fewer admins, authors, editors, and contributors. In that case, hiding your login page is one way of cutting down on the number of malicious login attempts. A bot that can’t find your login page can’t attempt to log in.
To be clear, I’m not advocating that you rely solely on security through obscurity. You should still use other security measures such as limiting login attempts, captcha or reCAPTCHA verification, requiring strong passwords and unique usernames, and installing and properly configuring a good security plugin.
However, obscurity is a valid security layer as part of a comprehensive security strategy. If you want to cut down on the number of malicious login attempts aimed at your site, making your login page hard to find is one way to do that.
So let’s get down to it.
Hide WordPress Login Page From Hackers
Step 1: Install WordPress in its Directory
We’ve covered When and How to Install WordPress in a Subdirectory before. It isn’t an overly complex task, and you can run WordPress from a subdirectory whether you’re dealing with a brand new WordPress installation or an existing WordPress website.
As always, if you’re moving an existing WordPress installation, before you do anything else, create a complete backup of your site and store it somewhere you won’t accidentally delete or modify it.
Many examples and tutorials will use a subdirectory named something like http://example.com/wordpress or http://example.com/wp. I don’t like using something predictable when installing WordPress in a subdirectory. Instead, I use something that no one will ever be able to guess, like http://example.com/dwiiw. No one will ever guess that I installed WordPress in that directory, but I’ll be able to remember it because it’s an acronym for: the directory where I installed WordPress.
Use the directory name of your choosing, but use something unique that you can easily remember and that will be hard or impossible for anyone else to guess.
Step 2: Hide the Login Page URL and Redirect wp-login.php
As I’m sure you know, the default WordPress behavior loads the login page when you access wp-login.php. Type in wp-admin instead, and you’ll be automatically redirected to wp-login.php.
If you’ve installed WordPress in a subdirectory, you’ve taken the first step towards hiding your login page by adding a directory between your domain name and wp-login.php. Hopefully, you’ve named it something unique, but the truth is that right now, someone can still find your login page quite easily.
Unless you’ve taken steps to prevent standard WordPress behavior, even with WordPress installed in a subdirectory, if someone tries to go to http://example.com/wp-login.php, they will be redirected to the correct login page URL that looks something like http://example.com/dwiiw/wp-login.php.
As things stand, have you made your login page any harder to find? No, not yet, but you will momentarily.
The next step is to lock down access to wp-login.php, redirect it to a 404 page or any page other than your login page, and replace it with a custom URL that will be hard to guess.
Once again, I recommend coming up with something that you can easily remember but that will be impossible for anyone else to guess randomly. You can use the acronym trick I used to come up with the directory name dwiiw, or any other method, but come up with something unique. In my case, the slug is gli, a stand-in for getting logged in, and it accomplishes the goal of being simultaneously easy to remember and hard to guess.
WPS Hide Login
The tagline says it all: Change wp-login.php to anything you want. This plugin does just one thing: it lets you use a custom URL in place of the standard login URL. Once this plugin is installed and activated, /wp-admin and /wp-login.php are inaccessible, replaced with a custom URL of your choosing.
With more than 50,000 active installations and a stellar 4.7 out of 5-star rating, WPS Hide Login is a safe bet if you want the lightest plugin possible to create a custom login URL and hide the WordPress login page.
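To show what a plugin of this kind actually has to do inside WordPress, here is an added example as a must-use plugin. It is my own code, not WPS Hide Login's and not part of the article, and it uses the article's names: the install directory dwiiw and the slug gli. The HIDDEN_LOGIN_SLUG constant is hypothetical, and the code assumes pretty permalinks are enabled so that a request for /gli reaches index.php. Two details matter beyond simply hiding the form: every wp-login.php URL WordPress generates (the form action, logout and lost-password links, post-logout redirects) has to be rewritten to the slug, and /wp-admin has to return 404 for visitors who are not logged in, because otherwise auth_redirect() would send them straight to the hidden URL. One caveat on Step 1: the install directory is not itself a secret, since it appears in every theme and plugin asset URL in your page source, so the slug is what carries the obscurity.

```php
<?php
/**
 * Plugin Name: Hidden Login Slug (added example, not WPS Hide Login's code)
 * Description: Serve the login form only at a custom slug; answer direct
 *              requests to wp-login.php (and wp-admin for visitors who are
 *              not logged in) with the theme's 404 page.
 *
 * Save as wp-content/mu-plugins/hidden-login-slug.php. Must-use plugins load
 * automatically, so there is nothing to activate. Assumes pretty permalinks.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// Hypothetical constant: define it in wp-config.php to choose your own slug.
if ( ! defined( 'HIDDEN_LOGIN_SLUG' ) ) {
	define( 'HIDDEN_LOGIN_SLUG', 'gli' ); // "getting logged in", as in the article
}

/** Path of the current request without query string or trailing slash. */
function hls_request_path() {
	$uri  = isset( $_SERVER['REQUEST_URI'] ) ? rawurldecode( $_SERVER['REQUEST_URI'] ) : '/';
	$path = parse_url( $uri, PHP_URL_PATH );
	return $path ? untrailingslashit( $path ) : '';
}

/**
 * Classify the request: the hidden slug (accepted both at the site root, /gli,
 * and under the install directory, /dwiiw/gli), a direct hit on wp-login.php,
 * or anything else.
 */
function hls_request_kind() {
	$path = hls_request_path();
	$slug = array(
		untrailingslashit( home_url( HIDDEN_LOGIN_SLUG, 'relative' ) ),
		untrailingslashit( site_url( HIDDEN_LOGIN_SLUG, 'relative' ) ),
	);
	if ( in_array( $path, $slug, true ) ) {
		return 'hidden-login';
	}
	if ( false !== strpos( $path, 'wp-login.php' ) ) {
		return 'direct-login';
	}
	return 'other';
}

/** Render the theme's 404 template with a real 404 status, then stop. */
function hls_serve_404() {
	global $wp_query;
	$wp_query->set_404();
	status_header( 404 );
	nocache_headers();
	$template = get_404_template();
	if ( $template ) {
		include $template;
	}
	exit;
}

/** Rewrite every wp-login.php URL WordPress generates to the hidden slug. */
function hls_swap_login_url( $url ) {
	if ( ! is_string( $url ) || false === strpos( $url, 'wp-login.php' ) ) {
		return $url;
	}
	$parts = explode( '?', $url, 2 ); // keep ?action=lostpassword, ?loggedout=true, ...
	$query = isset( $parts[1] ) ? '?' . $parts[1] : '';
	return home_url( '/' . HIDDEN_LOGIN_SLUG ) . $query;
}
add_filter( 'site_url', 'hls_swap_login_url' );    // form action, logout and lost-password links
add_filter( 'wp_redirect', 'hls_swap_login_url' ); // redirects core issues after logout etc.

// Core has set $pagenow by plugins_loaded; make it treat the slug request as the login screen.
add_action( 'plugins_loaded', function () {
	if ( 'hidden-login' === hls_request_kind() ) {
		$GLOBALS['pagenow'] = 'wp-login.php';
	}
}, 1 );

// wp_loaded fires before wp-login.php renders and before wp-admin calls auth_redirect().
add_action( 'wp_loaded', function () {
	global $pagenow;
	$kind = hls_request_kind();

	if ( 'direct-login' === $kind ) {
		hls_serve_404();
	}
	// Stop auth_redirect() from revealing the slug to anonymous visitors, but leave
	// admin-ajax.php and admin-post.php alone: front-end code depends on them.
	$ajax = defined( 'DOING_AJAX' ) && DOING_AJAX;
	if ( is_admin() && ! is_user_logged_in() && ! $ajax && 'admin-post.php' !== $pagenow ) {
		hls_serve_404();
	}
	if ( 'hidden-login' === $kind ) {
		// wp-login.php expects these as globals; bind them before including it from function scope.
		global $error, $interim_login, $action, $user_login;
		require_once ABSPATH . 'wp-login.php';
		exit;
	}
}, 1 );
```

After dropping the file in place, check three things: /gli shows the login form and the form's action attribute points at /gli rather than wp-login.php; /dwiiw/wp-login.php and /dwiiw/wp-admin return the theme's 404 page in a fresh private window; and a logged-in session can still reach wp-admin and log out. If you change the slug, do it while logged in, and keep the constant in wp-config.php rather than in the plugin file so a theme or plugin update cannot overwrite it.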
All the Visualmodo WordPress themes are compatible with this plugin.