Securing Your WordPress Login Page: You Can Never Be Too Safe

Alex Centeno

Director of Digital at AndiSites Inc.
Alex is AndiSites' Director of Digital. He writes on all things digital, including web design, development, SEO, online marketing, photography, and video.

Last week we helped thwart a hacker who was trying to gain access to a WordPress website using a “brute force attack”. In a brute force attack, the hacker systematically tries commonly used passwords against the login form as quickly as possible. Given enough attempts, a weak password is eventually guessed and the intruder is in. According to TechTarget.com:  “Brute force (also known as brute force cracking) is a trial and error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force) rather than employing intellectual strategies.” 

There are several techniques that can protect a WordPress website from a brute force attack, including (but not limited to):

  • Security and performance solutions like Cloudflare at the DNS level
  • Firewalls at the server level
  • Security tweaks and good housekeeping at the website level

This post will teach you a simple two-step technique that obscures the login URL of WordPress, making life harder for an intruder attempting a brute force attack. It is a complement to, not a substitute for, strong passwords and a limit on failed login attempts: hiding the form raises the attacker's cost, it does not make guessing impossible.

Step #1: Change the URL Path of your Login Form

WordPress by default sets the /wp-admin path as the location of the “Dashboard” if the user is logged in, or as a redirection to the login form if the user is not logged in. The login form is located at /wp-login.php and can be accessed by going to http://yourdomain.com/wp-login.php.

Brute force tools aimed at WordPress rely on its default settings, including the location of the login form, so they can be pointed at thousands of sites without any per-site research.

Since the form’s action URL is the same as the URL for the form itself (see the screenshot above), the hacker has only a single URL to attack, and can hit it repeatedly and rapidly.

If the website already locks out an address after several failed login attempts (a common protection offered by reputable hosts), then the attacker may switch to a subtler approach: keep hitting the form at whatever pace slips under the limit, for as long as it takes. An attacker who is committed to getting into the website has all the time in the world.
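A detector for both patterns, added here as an example and not code from the original post: it reads standard "combined" web server access log lines, keeps the POSTs to the login path (GETs only fetch the form) and flags an address that either bursts (many guesses within a minute) or trickles (many guesses over a day, at a rate a per-minute lockout never notices). The log lines, the addresses (taken from the documentation ranges) and the thresholds are constructed for the example; tune the thresholds to your own traffic.

```python
"""Spot brute-force activity against the WordPress login form in access logs.

Added example, not code from the original post. Reads web-server
"combined" log lines, keeps POST requests to the login path, and flags an
address that either bursts (many attempts in a short window) or trickles
(many attempts spread over a long window, the slow approach that slips
under a per-minute lockout). The log lines below are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOGIN_PATH = "/wp-login.php"   # use the renamed path if you moved the form
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop ?redirect_to=... and friends
        "status": int(m["status"]),
    }


def login_posts(lines, login_path=LOGIN_PATH):
    """Yield (ip, timestamp) for every credential submission to the login form.

    Every POST to the path counts as one guess. The status is parsed as well
    (WordPress re-renders the form with 200 on a failed login and answers a
    successful one with a 302 redirect) for callers that want failures only.
    """
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            yield rec["ip"], rec["ts"]


def max_in_window(times, window_seconds):
    """Largest number of sorted timestamps inside any span of window_seconds."""
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_attackers(lines, burst_n=5, burst_window=60,
                   slow_n=20, slow_window=86400, login_path=LOGIN_PATH):
    """Map each suspicious address to "burst" or "slow".

    burst: at least burst_n login POSTs within burst_window seconds.
    slow:  at least slow_n login POSTs within slow_window seconds without
           ever reaching the burst threshold, i.e. paced to evade a lockout.
    """
    by_ip = defaultdict(list)
    for ip, ts in login_posts(lines, login_path):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        if max_in_window(times, burst_window) >= burst_n:
            flagged[ip] = "burst"
        elif max_in_window(times, slow_window) >= slow_n:
            flagged[ip] = "slow"
    return flagged


# ---- constructed sample log (documentation IP ranges, not real traffic) ----
def make_line(ip, when, method="POST", path=LOGIN_PATH, status=200):
    return (f'{ip} - - [{when.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


T0 = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # 203.0.113.7: six guesses in 25 seconds, a classic burst
    [make_line("203.0.113.7", T0 + timedelta(seconds=5 * i)) for i in range(6)]
    # 198.51.100.23: one guess per hour for a day, under any per-minute limit
    + [make_line("198.51.100.23", T0 + timedelta(hours=i)) for i in range(24)]
    # 192.0.2.10: a real user, one form load and one successful login
    + [make_line("192.0.2.10", T0, method="GET"),
       make_line("192.0.2.10", T0 + timedelta(seconds=20), status=302)]
    # 192.0.2.77: a scanner that fetches the form repeatedly but never posts
    + [make_line("192.0.2.77", T0 + timedelta(minutes=i), method="GET")
       for i in range(10)]
)

if __name__ == "__main__":
    for ip, reason in sorted(find_attackers(SAMPLE_LOG).items()):
        print(f"{ip:16} {reason}")
```

Run against a real log by replacing SAMPLE_LOG with the lines of your access log; the sliding-window count is what lets the one-guess-per-hour address show up even though it never trips a per-minute rule.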

If we move the form to a unique location that is not linked from anywhere on the site, we at least slow the hacker down: the tool's built-in target no longer exists. Note that this hides only the form; the same username and password are also accepted by WordPress' XML-RPC endpoint (xmlrpc.php), which needs its own protection if it is enabled.

It is important to note, however, that a “hidden” URL is only hidden until it leaks. It can end up in shared links, browser history, and referrer logs, and there are recurring reports of Google discovering and indexing pages that are not linked from anywhere. Good for search rankings, bad for a secret login page. Still, it costs nothing and it does slow hackers down.

You can change your login URL with a plugin called Rename WP-login. This plugin helps you change the location of your login form to whatever URL you prefer.

Step #2: Create a PHP function that Will Stop Rendering of the Markup

This step is more complex. Once the form has been moved, a request to the old wp-login.php path gets a 404 (“page not found”) response, but WordPress still boots completely and renders the theme's 404 template, with its CSS files, JS files, images, and markup, for every single attempt the hacker's tool sends. At the rate a brute force tool hammers the page, all of that rendering can slow your site to a crawl or halt it entirely.

To fix this, add a piece of code to your theme's functions.php file that answers the old path with a bare 404 and stops before the template is rendered, saving resources and making the load manageable for the server. Only add it after Step #1 is done and working: while wp-login.php is still your real login page, this code would lock you out. (A rule in the web server configuration that refuses the old path before PHP even starts is cheaper still, if you have that level of access.)

Here is the code:


// Answer hits on the old login path with a bare 404 instead of the theme's 404 page.
function as_early_exit() {
	// Compare only the path: REQUEST_URI may carry a query string such as
	// ?action=lostpassword or ?redirect_to=... that a plain == would miss.
	// /wp-login.php is the default; if your plugin moved the form, the old
	// path is the one bots keep hitting, so that is the one to match here.
	$path = parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH );
	if ( $path === '/wp-login.php' ) {
		status_header( 404 );
		exit;
	}
}
add_action( 'init', 'as_early_exit' );

That’s it! With these two steps in place, anyone attacking the site first has to discover your new login URL. If and when someone does (which takes real effort), you can simply change it again.

We know that there is no foolproof way to deal with committed hackers, and brute force attacks in particular need nothing but time. But the techniques described here raise the attacker's cost, and most will move on to lower-hanging fruit elsewhere.