WordPress is a popular target because it is used by tens of millions of people. It’s no secret that the default login page can be found by going to wp-admin or wp-login.php. This article shows you how to manually obscure your site’s login page without a plugin.
A brute force attack is a method hackers use to gain access to your website by guessing your login password. One way to prevent attacks is to obscure your login page, especially if your site runs on WordPress.
There is also a compelling performance argument for doing this. If you get too many HTTP requests, for example from a zombie bot army hellbent on getting into your website, your server can run out of memory. This can slow your site down considerably, and make your visitors angry.
Before you start, back up your files. Never trust a directory you can’t wipe out, and never trust a computer you can’t chuck out the window. So let’s do this!
Manually Create a New PHP Login File
By default, the wp-login.php file contains all the code that generates the login page, and handles the login sequence. We can use the code from wp-login.php in our new file.
This is a crude, yet effective way to change the name of your wp-login.php file. This will in turn change your login URL. All you need is access to your site’s files, and a text editor. I am using a free text editor called Notepad++ for this example.
There are only 5 things we need to do:
- Create a new file.
- Copy the code from your wp-login.php, then paste it into your new file.
- Replace each instance of wp-login.php with the new file name. Find and replace is your friend.
- Delete the wp-login.php file.
- Log in through your new URL.
1. Create a New File
Create a new file from the text editor and save it into your root folder. Name this file whatever you want your login URL to be. In this case I named it new-login.php.
2. Copy and Paste the Code
Next open up the wp-login.php file, select all the code, and copy it into your new file. Make sure to save it.
3. Find and Replace the String “wp-login.php”
Now find every instance of “wp-login.php” in the new file and replace it with your new file name. Notepad++ has a find and replace function I can use to hunt down every instance of “wp-login” and replace it quickly.
4. Delete the wp-login.php File
Now you can delete wp-login.php. Don’t worry, you will still have your backup in case something goes horribly wrong.
5. Test Out Your New Login URL
Now you should be able to log in by navigating to your new URL. In my case, it’s localhost/test/wordpress/new-login.php. Any HTTP requests to /wp-login.php or the /wp-admin directory will lead visitors to a 404 not-found page.
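The steps above as a script, with the backup taken first and a check for files elsewhere in the tree that still hard-code wp-login.php. This is an added example, not code from the original article; the helper names rename_login, remaining_refs and make_sample_tree are hypothetical, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: rename_login and remaining_refs are hypothetical helper names;
# new-login.php is the article's example file name.

# rename_login WP_ROOT NEW_NAME BACKUP_DIR  (steps 1-4 of the article)
rename_login() {
    root=$1; new=$2; backup=$3
    [ -f "$root/wp-login.php" ] || { echo "wp-login.php not found" >&2; return 1; }
    # Restrict the name so it is safe as a file name and as a sed replacement.
    printf '%s\n' "$new" | grep -Eq '^[A-Za-z0-9_-]+\.php$' || return 1
    case $new in *wp-login*) return 1 ;; esac
    [ ! -e "$root/$new" ] || { echo "$new already exists" >&2; return 1; }
    # Back up first, outside the web root.
    mkdir -p "$backup" && cp -p "$root/wp-login.php" "$backup/wp-login.php.bak" || return 1
    # Steps 1-3: create the new file with every "wp-login.php" replaced.
    sed "s/wp-login\.php/$new/g" "$root/wp-login.php" > "$root/$new" || return 1
    # Step 4: delete the original.
    rm "$root/wp-login.php"
}

# remaining_refs WP_ROOT: PHP files that still hard-code wp-login.php and will
# therefore keep pointing at the deleted file after the rename.
remaining_refs() {
    grep -rlF --include='*.php' 'wp-login.php' "$1" | sort
}

# Constructed sample tree (not real WordPress code) so the script runs offline.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/site/wp-includes" "$t/site/wp-content/plugins/example"
    printf '%s\n' '<?php' '$action = site_url( "wp-login.php?action=lostpassword" );' \
        'header( "Location: wp-login.php" );' > "$t/site/wp-login.php"
    printf '%s\n' '<?php' '$login_url = site_url( "wp-login.php", "login" );' \
        > "$t/site/wp-includes/general-template.php"
    printf '%s\n' '<?php' '// no login reference here' \
        > "$t/site/wp-content/plugins/example/example.php"
    echo "$t"
}

tree=$(make_sample_tree)
rename_login "$tree/site" new-login.php "$tree/backup" && remaining_refs "$tree/site"
rm -rf "$tree"
```

Every path that remaining_refs prints is a file that will still send users to the old URL, which is where the compatibility problems with core and plugins come from.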
Obscure Login Page With URL Forwarding
You can use URL redirection (also known as URL forwarding) to obscure your login page without a plugin. On an Apache server, you use the mod_rewrite module to manipulate URLs. This can get tricky, but it enables you to perform an infinite number of tasks, such as creating an alias for the wp-login.php page.
This method is less about security, and more about the way the URL appears in the address bar. Add the following code to your .htaccess file to change the name of your login URL:
RewriteRule ^mynewlogin$ http://www.yoursite.com/wp-login.php [NC,L]
You can now reach the admin URL from http://www.yoursite.com/mynewlogin. Keep in mind that this will not keep people from being able to access the wp-login.php page. It simply allows people to log in from a different URL.
Why You Should Use a Plugin to Obscure Your Site’s Login Page
When should you use a plugin to obscure your site’s login page? Almost always. There are some darn good reasons why you are better off just using a plugin to obscure your login URL. While manually creating a new login path won’t give you issues with future updates, it’s best practice to NOT hack the core.
You may run into compatibility issues with plugins that contain code with wp-login.php. Even if it is fun, some unpredictable things can happen. Messing around too much with the core can seriously foul things up. Besides, there are lots of trustworthy plugins that can get the job done for you, for free.
As far as using .htaccess, there is a dizzying array of ways that you can use it to obscure your login. Again, this convenience comes at the price of complexity. Additionally, misuse of rewrite rules can eat up memory on your server, effectively slowing down your site. Redirects can also cause problems with AJAX, which WordPress makes heavy use of.
The best way to change your login page would be to use PHP. In WordPress, if you are going to use PHP, best practice dictates that you use a plugin. There are some very well-written plugins you can get for free, or you can write your own.
WPS Hide Login
Remember earlier (last paragraph) when I said that there are plenty of free plugins? This is one of them. WPS Hide Login lets you change the login form with one click. You can set it for a single site or for your network. It’s very lightweight, it doesn’t use redirects, and it doesn’t change core files. This is much cleaner than a redirect, or hacking the core. It simply adds a form field into your dashboard settings. You can download this plugin from the official WordPress plugin repository.
Additional Security Measures
It isn’t wise to use obscurity as your only security measure. If you are obscuring your login page, you will also want to make sure that you have everything else locked down. This includes:
- Using strong passwords. There’s no excuse not to. WordPress automates this for you with a password generator.
- 2-Step authentication. You can create a user database with users or groups that are allowed to access certain pages. See Authentication and Authorization on Apache.org.
- Limit access control. Limit the amount of access to resources on your site.
There are many ways to obscure your login page with WordPress to add an additional layer of security. You can easily hack your WordPress files, or use a plugin to obscure your login page. However, many argue that security through obscurity doesn’t make your site more secure, and that there are better ways to secure your login.
What do you think? Do you have any top obscurity or security tips to share?