WordPress is more popular than ever. It now powers 43% of all sites on the Internet. The flip side of this coin: its celebrity also makes it one of the most targeted CMS by hackers…
It only takes a few minutes for a malicious person to scan a site, using off-the-shelf tools. These scan pages for common vulnerabilities (weak passwords, obsolete software versions, known flaws). The aim of the maneuver: to get hold of your site, steal data or even place Seo links! So it’s important to do everything you can to make their task more difficult, and why not get through the hacking? An increasingly topical subject…
Modifying the URL of your login page is a good first line of defense against these intrusion attempts. Admittedly, this won’t be enough to protect your site from motivated, seasoned hackers, but it will deflect automated attempts. At the very least, you’ll recover some bandwidth. That’s always a plus! It’s not THE ultimate security measure, but it’s simple to implement.
In this article, we’ll show you how to protect your login page quickly and easily!
Why protect my WordPress site’s admin url?
It’s relatively easy to see if your site is powered by WordPress. If a hacker knows that your site uses WordPress, then he’ll also know how to find the WordPress login URL. By default, this address is found by entering your domain name, followed by /wp-login.php or /wp-admin/.
Provided you haven’t changed the administrator name after installing your site ??? By default, this username can be “admin” on some hostings! All that’s left to do is find your password: child’s play for those who have mastered Brute Force attacks, for example!
What is a Brute Force attack?
You may have already heard of brute force attacks. These are the most common attacks on websites, and they’re very simple to carry out: a computer program tries different usernames and passwords over and over again, until it finds the right combination.
If your WordPress site is set up as a standard installation without any security measures in place, it’s likely that brute-force attacks will occur regularly, without you even knowing it. It should be pointed out that websites and web servers are continually “tested” by bots, without this having any further consequences, in the majority of cases.
If hackers launch a brute-force attack on your site, your web server may “overheat” due to the high number of requests, and your site may become inaccessible (you’ll probably hear from your web host).
You can protect your website (partially) against brute force attempts by masking access to your administration area.
The winning combo: strong login + password and hidden login page
Why make life easier for script kiddies (novice hackers) and other malicious robots, when you can easily throw a spanner in their works!
A simple plugin will do the trick to hide your WordPress login page. Again, this tactic isn’t 100% foolproof. It’s called “security in the dark”, but it often doesn’t take much more than that to protect against a significant number of attempts.
That said, statistically, hiding your site’s connection url won’t do much good if you use a default administrator name (admin) and a password that’s too simple. These two measures are complementary.
So be careful when choosing your password too !
Here’s an example (not to be followed!) of the 7 most common passwords in France in 2021 and the time needed to crack them:
In this article we’re going to help you use one of the easiest ways to protect your site against malicious hackers: change your login URL with the WPS Hide Login plugin.
Using the WPS Hide Login plugin: a step-by-step guide
As we said earlier, installing a plugin is the easiest way to hide the admin address by customizing your site’s URL.
The WPS Hide Login plugin is our favorite because it’s lightweight and easy to use. It’s compatible with many extensions that use the login form. This free plugin does just one thing, and it does it well: it modifies both /wp-admin and /wp-login.php URLs with the slugs you choose. The login url becomes harder to find.
Why use WPS Hide Login?
With over a million active installations and an average rating of 5 stars (1951 5-star reviews!) this plugin has more than proved its worth.
- Lightweight: uses very little memory
- Free and reliable
- Easy to use
- Responsive support
- No modification of core files
This plugin doesn’t rename or modify files in the WordPress core, nor does it add rewrite rules. It simply intercepts page requests and works on any WordPress site.
WPserver
Step 1: Install and activate WPS Hide Login
- Log in to your site administration.
- Go to the “Extensions” tab and click on “Add”.
- Now type “WPS Hide Login” in the search bar.
- Click on “Install” and activate the plugin.
Step 2: WPS Hide Login settings
- Go to the “Settings” tab and click on “WPS Hide Login”.
Choose a unique and not too obvious name (avoid using the name of your site, for example 😉) without spaces or accents. You can also use hyphens (dashes 6). Avoid using words and phrases that are too simple and commonplace. Take your time to find the right url, the one you’ll remember easily and that won’t be too easy to deduce.
- Fill in the “Connection URL” field with the name you’ve chosen.
In our example, your connection URL will be changed to: https: //nomdevotresite.fr/page-perso
- “Redirect URL”: this URL corresponds to the page to which anyone attempting to connect to your WordPress site via /wp-login.php or /wp-admin will be redirected. The default setting is page 404 (page not found), but you can choose another page, such as your site’s home page.
Now all you have to do is save your settings and remember your new connection url… No problem!
Step 3: Check your settings (optional)
- Log out of your site.
- Try logging in again with /wp-login.php or /wp-admin.
- Are you back on page 404 or on the redirection page you’ve chosen? All that’s left is to test the connection, this time with your new address.
What happens if I uninstall WPS Hide Login?
Well, you don’t have to worry about that – everything will go back to the way it was before. As indicated in the plugin description, it doesn’t rename or modify files in the WordPress Core, nor does it add any rewrite rules. So, once you’ve deactivated WPS Hide Login, your site will immediately revert to classic WordPress use via /wp-login.php or /wp-admin.
What do I do if I’ve forgotten my new login address?
Don’t panic! It would be a shame to get stuck on the doorstep of your own site, having tried to discourage others from visiting.
If you haven’t saved or don’t remember your WPS Hide Login URL, you’ll need to deactivate the plugin before you can log in again. The steps below can help you access your dashboard again by renaming the plugin folder.
- Connect to your hosting’s dashboard (you can also do this via FTP)
- In the File Manager, open the wp-content folder, then theplugins folder.
- Right-click on the“wps-hide-login” folder and rename it to “wps-hide-login.old”.
- Your plugin is now deactivated, and you can once again access your WordPress admin login page.
Final tips
Although there’s no such thing as 100% protection for a website, the modified URL can be an effective security measure if used in conjunction with other security features.
You can also install a plugin to limit the number of connection attempts to your site. This option is available from many web hosts who have set limits on the number of simultaneous connections to their servers.
If this isn’t your case, you can always install a plugin that takes care of this aspect, such as WPS Limit Login (developed by the same team as WPS Hide Login) or Limit Login Attempts Reloaded, which has over 2 million active installations.
Now you know how to hide the login page on your WordPress site! You’ve added an extra layer of security to your site. We hope you’ve found this article useful, and we’d love to hear about your experiences in the comments section 🙂
