Securing Your Site by Hiding the WordPress Login Page (Updated for 2024)

WordPress is the most popular content management system (CMS) in the world, powering over 43% of all websites according to W3Techs. With this widespread usage comes increased attention from hackers looking to exploit vulnerabilities and gain unauthorized access.

One of the most common targets is the WordPress login page, located by default at yourdomain.com/wp-admin/ or yourdomain.com/wp-login.php. Brute force attacks, which use bots to repeatedly attempt to guess login credentials, are rampant.

Consider these statistics:

  • Wordfence blocked over 4.3 billion brute force attacks in 2022, a 1.9 billion increase from 2021
  • The average WordPress site experiences 31 brute force attack attempts per day (WPWhiteSecurity)
  • "Admin" is the most commonly guessed username, used in 70% of attacks (Sucuri)

Clearly, the default WordPress login presents a glaring security hole that needlessly puts your site at risk. Thankfully, there is a simple solution that can thwart the vast majority of these automated attacks – hiding your login page.

How Hiding the WordPress Login Improves Security

By changing your WordPress login URL from the default wp-login.php or wp-admin to something custom and hard to guess, you can stop most brute force bots in their tracks. They simply won't be able to find your login page, preventing them from even attempting to crack your credentials.

Security firm Sucuri found that simply changing the login URL reduced brute force attacks by an average of 66%. While not a complete solution, this significant reduction in malicious login attempts can save server resources, mitigate the risk of downtime, and lower the odds of a successful breach.

There are a number of risks associated with brute force attacks on the WordPress login:

  • Site downtime: A high volume of malicious login attempts can overload your server, slowing down or even crashing your site. 49% of organizations reported downtime due to DDoS attacks (Corero), which are frequently used in tandem with brute force attacks.

  • Reputational damage: Extended downtime or a successful breach can harm your brand's reputation and erode customer trust. 30% of consumers say they will not do business with a hacked company (RSA).

  • Loss of rankings: Google and other search engines may de-index hacked pages or penalize sites for extended downtime. 60% of SEO experts say a security breach is highly damaging to search rankings (Ahrefs).

  • Legal issues: Depending on your industry and location, a data breach could violate privacy laws like GDPR, CCPA, or HIPAA, resulting in hefty fines and legal action. GDPR violations alone can cost up to €20 million or 4% of global revenue (IT Governance).

  • Financial losses: Between lost sales, remediation costs, legal expenses and reputation damage, IBM estimates the average cost of a data breach at $4.24 million.

While no single security measure is 100% foolproof, hiding the WordPress login page is an easy and effective way to reduce your risk and avoid these costly consequences. So how exactly do you implement it on your site?

Using a Plugin to Hide the WordPress Login Page

The simplest way to change your WordPress login URL is by using a plugin. This requires no technical knowledge and can be set up in just a few minutes. Here are a few of the most popular options:

Plugin                  Active Installs   Rating   Features
WPS Hide Login          900,000+          4.7/5    Custom login URLs, auto-redirection, multisite support
Change wp-admin login   300,000+          4.5/5    Custom login URLs, branding, multisite, SMTP support
Hide My WP              80,000+           4.8/5    Custom login URLs, firewall, brute force protection

While each plugin has its own unique settings and features, the basic setup process is similar:

  1. Install and activate the plugin from the WordPress plugin repository.
  2. Navigate to the plugin settings page, usually located under Settings in the WordPress admin sidebar.
  3. Enter your desired custom login URL in the designated field. This can be anything you want, but should be hard to guess. Some ideas:
    • Obscure phrases like /time-for-tea-and-biscuits/
    • Random alphanumeric strings like /4xk3_1hv9_lo41n/
    • Fake URLs like /wp-content/totally-not-a-login/
    • A decoy login that redirects to the real one
  4. Save your changes and test that your new custom URL works. The default wp-admin and wp-login.php URLs should now redirect to a 404 error page.

Here is an example of the WPS Hide Login configuration page:

[wps-hide-login-settings.jpg]

It's important to note that you should never use a publicly advertised custom login URL. Some site owners announce their login hiding on social media or even write blog posts about it, but this defeats the purpose. Keep your custom login private.

Also, make sure to save your custom login URL in a password manager or somewhere secure. If you forget it, you could get locked out of your site, requiring database access to reset.

Advanced Methods for Hiding the WordPress Login

For more technically inclined users, there are a few other methods for hiding the WordPress login that don't rely on a plugin:

  • .htaccess: Server-level redirects can be added to your .htaccess file to send wp-login.php and wp-admin requests to a custom URL or 404 page. This is efficient and doesn't rely on WordPress, but a single typo could break your site.

  • functions.php: WordPress developers can programmatically change the login URL by adding a filter to functions.php or creating a custom plugin. This requires PHP knowledge but allows full customization.

  • Password protection: The wp-admin directory can be password protected at the server level, requiring an additional password before even seeing the login form. This is very secure but makes logging in a multi-step process.

  • Decoy login: For an added layer of deception, some sites set up a fake "hidden" login page that hackers might think is the real one, but actually bans their IP and redirects them away from the site when used. Meanwhile, the real login is much harder to find.

Here is an example of a .htaccess rewrite rule that serves the login form at a custom URL:

# Serve the login form at /login through an internal rewrite (the browser keeps /login in the address bar)
RewriteEngine On
RewriteBase /
RewriteRule ^login$ /wp-login.php [L]
# Note: this only adds an alias. wp-login.php itself stays reachable and the login form still posts to it, so blocking the default path needs further rules.

While these advanced methods offer more control and don't require a plugin, they come with increased risk of accidentally breaking your site or locking yourself out, so use caution.
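For the functions.php route described above, here is an added example (not code from this article or from any of the plugins it names) of a small must-use plugin that moves the login to a custom slug and returns 404 on the default paths. It assumes a single-site install and uses a constructed placeholder slug, my-secret-door, which you would replace with your own.

```php
<?php
// Added example (not from the article or any plugin): a must-use plugin,
// e.g. wp-content/mu-plugins/hidden-login.php, that moves the login to a
// custom slug on a single-site install. The slug is a constructed placeholder.
const HIDDEN_LOGIN_SLUG = 'my-secret-door';
// Path of the custom login page relative to the host, honouring subdirectory installs.
function hidden_login_path() {
    return rtrim( (string) wp_parse_url( home_url(), PHP_URL_PATH ), '/' ) . '/' . HIDDEN_LOGIN_SLUG;
}

// 1. Every URL WordPress builds for wp-login.php (login link, form action,
//    logout, lost password) is rewritten to the slug, query string preserved.
add_filter( 'site_url', function ( $url, $path, $scheme ) {
    if ( is_string( $path ) && false !== strpos( $path, 'wp-login.php' ) ) {
        $query = false !== strpos( $path, '?' ) ? substr( $path, strpos( $path, '?' ) ) : '';
        return home_url( HIDDEN_LOGIN_SLUG . '/' . $query, $scheme );
    }
    return $url;
}, 10, 3 );

// 2. wp-login.php sometimes redirects to itself with a relative path (the
//    lost-password flow does); rewrite the path part of such redirects too.
add_filter( 'wp_redirect', function ( $location ) {
    return preg_replace( '#^(https?://[^/]+)?/[^?]*wp-login\.php#', '$1' . hidden_login_path() . '/', $location );
} );

// 3. Visitors who are not logged in get a plain 404 on the default paths, so
//    neither wp-login.php nor the wp-admin auth redirect reveals the slug.
//    admin-ajax.php and admin-post.php stay open: front-end forms rely on them.
add_action( 'init', function () {
    global $pagenow;
    $exempt = in_array( $pagenow, [ 'admin-ajax.php', 'admin-post.php' ], true );
    if ( ! is_user_logged_in() && ! $exempt && ( 'wp-login.php' === $pagenow || is_admin() ) ) {
        status_header( 404 );
        nocache_headers();
        wp_die( 'Not found.', 'Not found', [ 'response' => 404 ] );
    }
} );

// 4. When the slug itself is requested, run the real login script in place
//    once all plugins are loaded; the browser never sees wp-login.php.
add_action( 'wp_loaded', function () {
    $request = untrailingslashit( (string) wp_parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ) );
    if ( $request === hidden_login_path() ) {
        global $pagenow;
        $pagenow = 'wp-login.php';      // let core treat this request as the login page
        require_once ABSPATH . 'wp-login.php';
        exit;
    }
} );
```

Test it on a staging copy first: the slug must be reachable while /wp-login.php and /wp-admin/ return 404 for a logged-out browser, and the logout and lost-password links on the login form must all stay on the slug.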

WordPress Login Security Best Practices

Hiding the login page is an important piece of the security puzzle, but it's not a complete strategy on its own. Here are some other login hardening best practices to implement:

  • Strong passwords: The longer, more complex, and more unique, the better. Passphrases with 14+ characters are ideal. Use a password manager.

  • 2-Factor Authentication: Require a second credential beyond a password, like a TOTP code or hardware security key. Wordfence and many others offer free 2FA plugins.

  • Login attempt limiting: Lock out IPs after a certain number of failed login attempts. Plugins like Login Lockdown or services like Cloudflare can help.

  • Automatic logouts: Idle user sessions pose a security risk. Consider automatically logging out inactive users after a set time period or when the browser closes.

  • Log monitoring: Keep an eye on user logins for any suspicious activity so you can respond quickly to potential breaches. Many security plugins include this feature.

Of course, login security is just one aspect of WordPress site hardening. Other important steps include regular updates, security plugins, malware scanning, spam protection, and robust backups.

Potential Drawbacks of Hiding the WordPress Login

While the security benefits are significant, there are a few potential downsides to hiding the WordPress login page to be aware of:

  • Confusion for users: If not communicated clearly, changing the login URL may confuse users and lead to failed login attempts or even getting locked out. Make sure admins know the custom URL.

  • Compatibility issues: Some plugins, services, and customizations may expect the default login URLs. Hiding the login could potentially break this functionality unless specifically supported.

  • Inconvenience: It's an extra step to remember and use a custom URL vs the default. Using a browser bookmark and password manager can help mitigate this.

  • False sense of security: Hiding the login doesn't make you immune to all attacks. It's still critical to implement other security best practices and not let your guard down.

Depending on your specific setup and risk factors, these potential drawbacks may be outweighed by the security benefits. Like any technical decision, it's important to understand the tradeoffs.

Conclusion

As the most popular CMS on the web, WordPress is a constant target for malicious hackers and bots. Brute force attacks on the default wp-login.php are prevalent, with billions of attempts blocked by security plugins each year.

While not a silver bullet, hiding the WordPress login page by changing the URL is a simple yet effective way to prevent the vast majority of these automated attacks. This can be done easily using a plugin like WPS Hide Login, or via more advanced methods like .htaccess redirects for developers.

When combined with other login hardening best practices like strong passwords, 2FA, attempt limiting, and log monitoring, hiding the WordPress login can significantly improve your site's security posture and reduce the risk of damaging breaches.

Though there are minor potential drawbacks like user confusion or compatibility issues, overall the benefits of hiding the WordPress login page are clear for security-conscious site owners.

Ultimately, the security of your WordPress site is only as strong as its weakest link. Don't let an easily guessable login URL be that weak point. Hide your login, stay vigilant, and keep your site and users' data safe.
