WordPress, being the most popular CMS, sees innumerable malicious login attempts every day. It's fairly easy for hackers to guess your login ID and password, especially if you use similar details for most of your logins. With simple brute-force tools, hackers can bring down your whole website with ease by hitting it multiple times to guess your login password.
Why give them a chance to try when you can hide…
Whether you know it or not, your website is a magnet for hackers trying to break in, and it handles such malicious attempts every day. However, you need not give hackers this chance when, with a few simple steps, you can hide your WP login page.
In this article, I will break down two simple methods to prevent hackers and malicious bots from breaking into your site. I will try to make it as simple as possible for you to understand how you can do so.
In this article, you will learn:
Two ways to prevent malicious login attempts:
- Change your WordPress login URL
- Hide your wp-admin and wp-login page
1. Change Your WordPress Login URL
It is simple to identify whether your website is WordPress powered or not. Once a hacker sees that your site is powered by WordPress, it is pretty easy for them to find your login URL. The default WordPress login page is found by entering your domain name, followed by /wp-login.php.
Most site owners never change their username from its default, [admin], after they set up a blog.
With enough hits at your site, hackers can easily arrive at your correct password, as the rest of the details are already given. To prevent hackers and malicious bots from landing on your site’s login page, it is best to change your login URL from something very obvious to something unpredictable.
Changing the WordPress login URL might not prevent hackers from breaking into your site, but it will definitely keep mischievous visitors and random bots from landing on your website login page. One way to do it is to consider installing WordPress in a subdirectory. Before moving an existing installation, make sure you create a complete backup of your site and store it somewhere where you won’t accidentally delete or modify it.
Instead of choosing predictable names like http://example.com/wordpress or http://example.com/wp, choose a name that is unique and not so obvious, such as http://example.com/wpid.
2. Hiding Your Site Login Page
The next logical step to strengthen your security is to hide your login page from hackers and malicious bots. If your site needs to make it easy for multiple users to find the login page and log in, consider this step with caution.
It is not recommended to use the strategies given below if your site is a membership site and login attempts are open to a larger array of users.
There are two basic ways to hide your site’s login page:
- Using plugins
- Using the wp-login.php file (without plugins)
1) Hiding the login page using a plugin
WordPress offers an array of plugins that can be used to hide your login page URL. Some of the plugins also allow you to hide your website login page and redirect wp-login.php users to another page of your website. Visit the WordPress.org plugin directory and search for “Hide WP Login” to see a list of security plugins that you can use.
Here is a list of plugins that can be used for this purpose:
Once you have downloaded and installed a plugin, activate it. Different plugins have different methods to hide the login.
Using the “WPS Hide Login” Plugin
WPS Hide Login is one of the best plugins for hiding your WordPress login page: it lets you specify a new custom login URL and blocks all traffic to the default wp-admin and wp-login pages. It’s the quick and dirty way because setup pretty much takes two seconds.
All you need to do is specify your new login URL by going to Settings > WPS Hide Login, and the plugin takes care of the rest.
Using the “Defender” Plugin
Defender works a little bit differently in terms of the interface but pretty much uses the same method. Once you activate the plugin and finish the setup, the Defender plugin allows you to access its Advanced tools options.
Follow these simple steps to hide your login URL:
- In the masking URL section of the advanced tool screen, you can enter a new URL slug where your site users will go to log in or register on your site.
- Save your changes and log out of your WordPress site.
- Now, log back in via the default login page at yourdomain.com/wp-login.php. You will see that Defender blocks users who do not have access to the masked URL. Anyone that tries to visit the default WordPress login page (i.e. wp-login.php) will be greeted with an error message (“This feature is disabled”). Only users who have access to the masked URL will be able to access the login page.
Redirect Users to a different page of your website
Plugins also have a redirect traffic feature that can be used to send visitors to a different page on your website. You can do this by going back to the Advanced tool screen of Defender. Enable 404 Redirection in the Redirect traffic section, enter the slug of the page you want to send visitors to, and click Save Changes to update your settings.
2) Hide your Login URL without a plugin
You can easily hide your login page from hackers without using a plugin. This can be done using your installation files and a text editor.
- It is best to make a backup of your wp-login.php file first. This protects you against any damage you do while editing it. Once you are done, open your wp-login.php file and copy everything to your clipboard.
- Create a new file using your text editor. Paste the code from your existing wp-login.php file into your new file and save. Alternatively, open your wp-login.php file and ‘save as’ your new filename.
- Search and replace every instance of ‘wp-login.php’ in the code with your new login filename. Save the file again.
- Log into your server and upload the new login file to the root folder or directory where you have installed WordPress. Delete the original wp-login.php file from your server.
- Test your new login page URL. Anyone visiting the default wp-login.php page will experience an error.
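The five steps above as one script, added here as an example (it is not code from the original article). The file name site-entry.php, the backup directory kept outside the web root, and the sample site are assumptions made for the demonstration.

```shell
# Added example: the manual rename steps as one script. The name
# site-entry.php, the backup directory and the sample site are constructed.

# rename_login WP_DIR NEW_NAME BACKUP_DIR
rename_login() {
    wp_dir=$1; new_name=$2; backup_dir=$3
    src="$wp_dir/wp-login.php"
    [ -f "$src" ] || { echo "no wp-login.php in $wp_dir" >&2; return 1; }
    # Accept only a simple *.php name that does not echo the default one.
    case $new_name in
        *wp-login*|*[!A-Za-z0-9._-]*) echo "bad name" >&2; return 1 ;;
        *.php) ;;
        *) echo "bad name" >&2; return 1 ;;
    esac
    [ ! -e "$wp_dir/$new_name" ] || { echo "target exists" >&2; return 1; }
    # Step 1: back up, outside the web root so the copy is never served.
    cp -p "$src" "$backup_dir/wp-login.php.orig" || return 1
    # Steps 2-3: write the new file with every reference replaced, and
    # keep the original in place if any old reference survived.
    sed "s/wp-login\.php/$new_name/g" "$src" > "$wp_dir/$new_name" || return 1
    if grep -q 'wp-login\.php' "$wp_dir/$new_name"; then
        rm -f "$wp_dir/$new_name"; return 1
    fi
    rm -f "$src"    # Step 4: delete the default file.
}

# login_state WP_DIR NEW_NAME
# Step 5, checked on disk: "hidden" when only the renamed file exists,
# "exposed" when wp-login.php is present (e.g. restored by a core update).
login_state() {
    if [ -f "$1/wp-login.php" ]; then echo exposed
    elif [ -f "$1/$2" ]; then echo hidden
    else echo missing
    fi
}

# make_sample_site: builds a constructed stand-in site and prints its path.
make_sample_site() {
    d=$(mktemp -d) || return 1
    mkdir "$d/www" "$d/backup"
    cat > "$d/www/wp-login.php" <<'EOF'
<?php // constructed stand-in for the WordPress login script
$url = site_url( 'wp-login.php', 'login' );
echo '<form action="' . site_url( 'wp-login.php', 'login_post' ) . '">';
EOF
    echo "$d"
}

site=$(make_sample_site)
rename_login "$site/www" site-entry.php "$site/backup"
login_state "$site/www" site-entry.php
rm -rf "$site"
```

A WordPress core update puts the stock wp-login.php back, so run login_state after every update. Core functions that build the login link, such as wp_login_url(), live in other files and still point at wp-login.php, which this single-file edit does not change.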
It is best to set up multiple security barriers on your WP site so that it becomes difficult for hackers to break in. Understanding and implementing various WP security practices is the key to protecting your site from brute-force attacks and hackers.
Make sure that obscuring your URL is only one part of a more comprehensive security strategy. Simply hiding the URL is not always effective, so it is best to follow this guide, change your URL, and set up a redirect for unwanted visitors away from your wp-login page. If you are not an expert at coding and don’t actually know what you are doing, then it is best to avoid messing with code and use a plugin instead.