How to Hide Your WordPress Login Page From Hackers and Brute Force
Running a WordPress website can feel like managing a magnet for malicious login attempts. Brute force attempts to log into WordPress are so common there’s a page in the Codex dedicated to the topic.
There are many strategies for dealing with this problem, and the best strategy is to deploy multiple strategies. In this article, I’ll explain how I implement one of the simplest strategies: hiding your WordPress login page.
I have one particular WordPress site that was installed a few years ago. It is a standard WordPress installation running a typical slew of plugins. To get to the login page all you have to do is go to /wp-admin or /wp-login.php.
This site doesn’t see a ton of traffic. In a typical month, it generates about 5,000 pageviews. However, the site’s login page sees malicious login attempts on a startlingly regular basis. I have Jetpack’s Protect module activated on this site, and it tracks the number of blocked malicious login attempts. Since the module was added in March of last year, more than 11,600 malicious login attempts have been blocked.
If you do that math, that works out to nearly 800 malicious login attempts per month, about 25 per day, or one malicious login attempt every 58 minutes.
However, I can tell you that the login attempts don’t happen at a regular pace of one per hour. Weeks can go by without a single malicious login attempt being logged. Then, suddenly, a few hundred– even up to a couple thousand–login attempts will be logged in a short period of time. It’s clear that this site periodically comes under a brute force attack attempting to log into the WordPress dashboard.
If you run any WordPress websites that are set up as standard installations, you’re probably experiencing the same thing–whether you know it or not.
Why You Should Hide Your Site Login Page
One disclaimer I should get out of the way before getting started. If your site allows user login, malicious login attempts are unavoidable. This strategy won’t work for you. You need your login page to be easy to find so that your users can find it easily. Instead, you need to do other things to protect against malicious login attempts.
However, if your site is not a membership site and login attempts are limited to just a dozen or fewer admins, authors, editors, and contributors, then hiding your login page is one way of cutting down on the number of malicious login attempts. A bot that can’t find your login page can’t attempt to log in.
To be clear, I’m not advocating that you rely solely on security through obscurity. You should definitely still use other security measures such as limiting login attempts, captcha or ReCaptcha verification, requiring strong user passwords and unique usernames, and installing and properly configuring a good security plugin.
However, obscurity is a valid security layer when used as part of a comprehensive security strategy, and if you want to cut down on the number of malicious login attempts that are aimed at your site, making your login page hard to find is one way to do that.
So let’s get down to it.
Step 1: Install WordPress in its Own Directory
We’ve covered When and How to Install WordPress in a Subdirectory before. It isn’t an overly complex task, and you can run WordPress from a subdirectory whether you’re dealing with a brand new WordPress installation or an existing WordPress website.
As always, if you’re moving an existing WordPress installation before you do anything else create a complete backup of your site and store it someplace where you won’t accidentally delete or modify it.
Many examples and tutorials will use a subdirectory named something like http://example.com/wordpress or http://example.com/wp. Personally, I don’t like using something predictable when installing WordPress in a subdirectory. Instead, I use something that no one will ever be able to guess like http://example.com/dwiiw. No one will ever guess that I installed WordPress in that directory, but I’ll be able to remember it because it’s an acronym for: directory where I installed WordPress.
Use the directory name of your choosing, but use something unique that you can easily remember and that will be hard or impossible for anyone else to guess.
Step 2: Hide the Login Page URL and Redirect wp-login.php
As I’m sure you know, default WordPress behavior loads the login page when you access wp-login.php. Type in wp-admin instead, and you’ll be automatically redirected to wp-login.php.
If you’ve installed WordPress in a subdirectory you’ve taken the first step towards hiding your login page by adding a directory between your domain name and wp-login.php. Hopefully, you’ve named it something unique, but the truth is that right now someone can still find your login page quite easily.
Unless you’ve taken steps to prevent standard WordPress behavior, even with WordPress installed in a subdirectory, if someone tries to go to http://example.com/wp-login.php they’re going to be redirected to the correct login page URL that looks something like http://example.com/dwiiw/wp-login.php.
As things stand, have you really made your login page any harder to find? No, not yet, but you will momentarily.
The next step is to lock down access to wp-login.php and redirect it to a 404 page or really any page other than your login page, and to replace it with a completely custom login URL that will be hard to guess.
Once again, I recommend coming up with something that you can easily remember, but that will be all but impossible for anyone else to randomly guess. You can use the acronym trick I used to come up with the directory name dwiiw, or any other method, but come up with something unique like:
In this case, gli is a stand-in for get logged in, and it accomplishes the goal of being simultaneously easy to remember and hard to guess.
Use a plugin to actually lock down access to wp-login.php and set up a custom login URL. There are several WordPress plugins you can use for this purpose. Here are four possible options to get you started.
The tagline says is all: Change wp-login.php to anything you want.
This plugin does just one thing. It makes it easy to use a custom URL rather than the standard login URL. Once this plugin is installed and activated, /wp-admin and /wp-login.php are inaccessible, replaced with a custom URL of your choosing.
With more than 50,000 active installations and a stellar 4.7 out of 5 star rating, WPS Hide Login is a sure bet if you want the lightest plugin possible to create a custom login URL.
The basic premise behind this plugin is that it hides the fact that your site is running WordPress.
Making the suggestion that you should do that is sure to bring certain parts of the InfoSec community out screaming “Security through obscurity is not security!” Still, as I already mentioned, I believe obscurity is a valid layer in a comprehensive security strategy–a belief I am not alone in holding.
One aspect to hiding the fact that your site is a WordPress site is to create custom login URLs while completely disabling the default URLs. This plugin does that and more. This plugin boasts over 1,000 active installs, which isn’t overwhelming, but is a large enough sample size to begin to see some trends in the user reviews. The overall rating is solid, making WP Hide & Security Enhancer worthy of consideration.
Cerber is a pretty popular plugin for limiting login attempts. It’s active on over 10,000 sites and has an exceptional 4.9 out of 5 stars rating.
As you’ve surely guessed, in addition to limiting login attempts this plugin can be used to hide the standard login URL in favor of a customized URL. This plugin does what it does exceptionally well, and it may be the safest best on this list.
With more than 700,000 active installs and a 4.7 out of 5 star rating, iThemes Security is among the most popular plugins in the WordPress Plugin Directory.
This plugin does a lot more than just create a custom login URL. You can use iThemes Security to perform a wide range of hardening tasks. I won’t get into all that iThemes Security does, but among its features is the ability to create a custom login URL and to redirect wp-login.php to a 404 page or any other page you like.
If you’ve complete both steps you now have:
- WordPress installed in a subdirectory that looks something like http://example.com/dwiiw.
- In addition, you’ve created a custom login URL and locked down access to wp-login.php.
As a result, you now have a completely custom login URL that you should have no problem remembering and that no one else is going to guess. While this simple tactic doesn’t guarantee that you will see zero malicious login attempts, it will make your login page all but invisible to the vast majority of drive-by malicious login attempts.
It’s true, obscurity on its own does not provide adequate security. However, when used as part of a larger comprehensive security strategy, obscurity can be helpful. This is even more true when your site is running on the best and most popular CMS on the planet.