Several WordPress blogs and security professionals recommend that WordPress administrators change the WordPress login URL. There is also a good number of WordPress security plugins that change the WordPress login URL for you with a click of a button.
Does changing the WordPress login URL (the default being /wp-admin/ or wp-login.php) really improve the security of your WordPress blogs and websites? Or is this another WordPress security myth? This article looks into this recommended security measure to see whether it really improves the security of your WordPress blogs and websites.
Why Change the WordPress Login URL?
The main reasons why WordPress administrators would want to change the URL of the WordPress login page are:
- Hide the fact that you are using WordPress
- If visitors know you are using WordPress, they can easily find out your Login page, thus making your site an easier target
- Protect your WordPress from brute force attacks
- Malicious hackers waste your WordPress resources and bandwidth when you use the default login URL because it is frequently attacked
- Protect WordPress from Zero Day Vulnerability Attacks
To be frank, none of the above are security issues per se; or, better, none of them poses a security risk to your WordPress site, as explained below.
Hide Your WordPress
In a previous blog post we have seen that hiding WordPress does not improve the security of your WordPress site: concealing the fact that you are using WordPress does not make your site less of a target, or more secure. Malicious hackers use automated scanners to identify targets and do not single out your WordPress site, hence hiding the fact that you are running WordPress does not really help.
And even if your WordPress installation is targeted, there are many free security tools that attackers can use to identify the backend of your website.
Malicious Hackers Can Easily Find Your WordPress Login Page
If you use strong WordPress credentials, meaning both a strong username and a strong password, you should not worry about someone knowing where your WordPress login page is. For example, by renaming the default WordPress administrator account you are already one step ahead of malicious hackers, because the automated tools typically used only try to brute force accounts with common usernames such as admin, administrator, root, etc. You should also use the Password Policies for WordPress plugin to enforce strong WordPress password policies.
Also, automated tools that enumerate WordPress usernames use low user ID ranges by default, hence by changing the WordPress administrator account ID the chances of someone guessing your WordPress administrator username are quite remote, or the attack will take so long that you and your provider have enough time to identify it.
Protect WordPress from Brute Force Attacks
There are just a few things you can do to protect your WordPress site from brute force attacks, and they are quite simple and straightforward. The easiest and most effective solution is to implement another layer of authentication (HTTP authentication) in front of the WordPress login page.
Malicious Hackers will Waste Server Resources Attacking the WordPress Login Page
Since the WordPress login page URL is known, malicious hackers will waste a lot of your bandwidth and server resources launching brute force attacks, even if you changed the default admin username and your login page runs on HTTPS. But, similar to the suggestion above, you can simply add a second level of authentication by modifying the .htaccess file or via cPanel.
Protect WordPress from Zero Day Vulnerability Attacks
Although vulnerabilities in the WordPress core code are quite rare, there is still a chance that someone discovers a zero day vulnerability that bypasses the WordPress login page. In this case, as in the cases above, enable HTTP authentication.
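The HTTP authentication layer recommended in the three sections above can be added to an Apache-hosted site with a few lines in the site's .htaccess file. The following is an added example, not code from the original article; it assumes Apache 2.4 with mod_auth_basic loaded and AllowOverride enabled for the site, and it assumes a password file created beforehand with Apache's htpasswd utility (the file path, the site root and the user name are placeholders):

```shell
#!/bin/sh
# Added example (not from the original article): put a second HTTP Basic
# authentication layer in front of the WordPress login page by appending the
# Apache directives to the site's .htaccess.
# Assumptions: Apache 2.4 with mod_auth_basic and AllowOverride enabled for
# the site, and an .htpasswd file created separately, for example with
#   htpasswd -B -c /etc/apache2/wp-login.htpasswd <username>
# (the path and user name are placeholders, not values from the article).

# write_login_protection <htaccess-path> <htpasswd-path>
# Appends a <Files> block that requires a valid .htpasswd user for
# wp-login.php only, so the rest of the site keeps serving without a prompt.
write_login_protection() {
  htaccess="$1"
  htpasswd="$2"
  cat >> "$htaccess" <<EOF
# Second authentication layer in front of the WordPress login page
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted login"
    AuthUserFile "$htpasswd"
    Require valid-user
</Files>
EOF
}

# Usage (placeholder paths for a real site root and password file):
# write_login_protection /var/www/html/.htaccess /etc/apache2/wp-login.htpasswd
```

The block protects wp-login.php alone rather than the whole /wp-admin/ directory on purpose: /wp-admin/admin-ajax.php is called by many themes and plugins for logged-out visitors, so a directory-wide prompt would break public pages, while every interactive login still has to pass through wp-login.php. Keep the .htpasswd file outside the web root, as in the placeholder path, so it can never be downloaded.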
Should You Move the WordPress Login Page to a Different URL?
If you can, you should. Why not? As such it is only security through obscurity; however, the more security precautions you take on your WordPress site the merrier. Still, don't let such a solution give you a false sense of security: changing the login page does not mean you can use weak credentials, or that there is no need for HTTP authentication or WordPress SSL.
Malicious hackers will continue using automated tools such as fuzzers to guess the new WordPress login page URL. This is why it is of utmost importance to also keep an activity log of all the changes that happen on your WordPress site.
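Logging only helps if someone looks at it. The following added example, which is not part of the original article, shows how the web server's own access log already exposes a password-guessing run against wp-login.php: WordPress answers a failed login POST with HTTP 200 (the form is rendered again with an error), while a successful login redirects with 302, so counting 200-status POSTs per client address separates guessing tools from real users. The log lines are constructed for the demonstration and use documentation IP ranges; a real installation would pipe its actual access log into the function.

```shell
#!/bin/sh
# Added example (not from the original article): flag brute force attempts
# against wp-login.php from combined-format (Apache/nginx) access log lines.

# count_login_posts <threshold>
# Reads combined-format log lines on stdin and prints "ip count" for every
# client address that POSTed to /wp-login.php with a 200 response at least
# <threshold> times. A failed WordPress login re-renders the form with
# status 200; a successful one redirects with 302, so 200-status POSTs are
# the failed guesses.
count_login_posts() {
  awk -v threshold="$1" '
    # Field layout: $1 client IP, $6 quoted method ("POST), $7 request
    # path, $9 response status.
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
    END {
      for (ip in fails)
        if (fails[ip] >= threshold) print ip, fails[ip]
    }' | sort
}

# Constructed sample log: one legitimate login from 203.0.113.5 (a GET of
# the form, then a POST that succeeds with 302) and a burst of failed
# guesses from 198.51.100.7. Both addresses are documentation ranges.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2023:13:56:06 +0000] "GET /index.php HTTP/1.1" 200 5000'

# Report any address with five or more failed login POSTs.
printf '%s\n' "$SAMPLE_LOG" | count_login_posts 5
```

Run against the sample the function reports only 198.51.100.7 with five failed attempts; the legitimate visitor never appears, even at a threshold of one, because its single POST was a 302. On a live server the same one-liner on the real access log, or the same rule in the log monitoring you already have, gives you the early warning the article is asking for, whatever URL the login page sits at.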