Do you know about securing your WordPress login page? Here’s what you need to know.
Recently we helped thwart a hacker who was trying to gain access to a WordPress website using a “brute force attack”. In a brute force attack, the hacker systematically tries all kinds of commonly used passwords as quickly as possible.
With enough iterations, easy passwords can be cracked, giving the intruder access. According to TechTarget.com:
“Brute force (also known as brute force cracking) is a trial and error method. It is used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force) rather than employing intellectual strategies.”
How to Secure Your WordPress Login Page
There are several techniques that can protect a WordPress site from a brute force attack, including (but not limited to):
- Security and performance solutions like Cloudflare at the DNS level
- Firewalls at the server level
- Security tweaks and good housekeeping at the website level
This post will teach you a simple two-step technique that obscures the WordPress login URL. This makes life more difficult for an intruder attempting a brute force attack.
Step #1: Change the URL Path of your WordPress Login Form
WordPress by default sets the /wp-admin path as the location of the “Dashboard” of the admin area if the user is logged in, or as a redirection to the login screen if the user is not logged in. The login form is located at /wp-login.php and can be accessed by going to http://yourdomain.com/wp-login.php.
In order to perform a brute force attack on a WordPress website, the hacker uses WordPress’ default settings, including the location of the login form.

Since the form’s action URL is the same as the URL for the form itself (see above screenshot), the hacker has only a single URL to attack. This can be done repeatedly and rapidly.
If the website is already protected against multiple failed login attempts (a common security measure offered by reputable hosts), the attacker may try a more subtle approach, repeatedly attacking the form at whatever pace the limit allows. If the hacker is committed to getting into the website, he or she has all the time in the world.
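The "protection against multiple failed login attempts" mentioned above can be built directly into WordPress with two hooks. The following is an added example, not code from the original post: it counts failed logins per client address in a transient and refuses further authentication once a limit is reached. The `as_` function names and the limits are assumptions chosen for illustration.

```php
<?php
// Added example (not code from the original post): throttle repeated failed
// logins per client address with WordPress transients. Drop it into
// functions.php or a small mu-plugin. The "as_"-prefixed function names and
// the limits below are assumptions for illustration.

define( 'AS_LOGIN_MAX_FAILURES', 5 );     // failures tolerated per window
define( 'AS_LOGIN_WINDOW_SECONDS', 900 ); // counter lifetime: 15 minutes

// Client address used for the counter. Behind a reverse proxy or CDN,
// REMOTE_ADDR is the proxy's address; only trust a forwarded header if the
// web server itself already rewrites REMOTE_ADDR from it.
function as_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

// Transient key derived from the address (hashed so it is a safe option name).
function as_login_failure_key() {
    return 'as_login_fail_' . md5( as_client_ip() );
}

// Count each failed attempt. The transient expires on its own, so a client
// that goes quiet is forgiven after the window without any cleanup job.
function as_record_login_failure( $username ) {
    $key   = as_login_failure_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, AS_LOGIN_WINDOW_SECONDS );
    // One line per failure gives the server log something to alert on.
    error_log( sprintf( 'wp-login failure %d/%d from %s for user "%s"',
        $count, AS_LOGIN_MAX_FAILURES, as_client_ip(), $username ) );
}
add_action( 'wp_login_failed', 'as_record_login_failure' );

// Refuse authentication once the counter reaches the limit. Priority 30 runs
// after core's username/password check (priority 20), so the refusal
// overrides a correct password instead of being overwritten by it.
function as_block_when_throttled( $user, $username, $password ) {
    if ( (int) get_transient( as_login_failure_key() ) >= AS_LOGIN_MAX_FAILURES ) {
        return new WP_Error(
            'as_too_many_failures',
            'Too many failed login attempts from your address. Try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'as_block_when_throttled', 30, 3 );
```

Because a refused attempt also fires `wp_login_failed`, a client that keeps hammering the form keeps its own counter alive; the window only starts counting down once it stops. The `error_log` line is there for detection: a burst of these lines from one address is exactly the pattern the post describes.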
However, the location of the form can be changed to something unique and not linked to from anywhere on the site. This will at least slow down the hacker’s progress.
It is important to note, however, that Google may index URLs based on visits made from the Chrome browser. It may also index web pages that aren’t linked anywhere but have Google Analytics installed on them. This is good for your search engine rankings, but could also make your “hidden” URL visible in a list of search results. Still, it’s worth a shot to slow hackers down.
You can change your WordPress login URL with a security plugin called Hide My WP Ghost. This plugin helps you change the location of your login form to whatever URL you prefer.
Step #2: Create a PHP function that Will Stop Rendering of the Markup
This step is more complex. Once the login form has moved, every request a hacker sends to the old wp-login.php path gets the 404 (“page not found”) response, and WordPress still renders the full 404 page for it: CSS files, JS files, images, HTML, and all sorts of markup. All of that rendering can slow your site to a crawl or halt it entirely.
To fix this, add a piece of code to your functions.php file that will stop the rendering of the markup. This will save resources and make the load more manageable for the server.
Here is the code:
// Stop WordPress from rendering a full page for requests to the old login path.
function as_early_exit() {
    // Using /wp-login.php as an example; if your plugin moved the login form,
    // match the URL that no longer serves it.
    if ($_SERVER['REQUEST_URI'] === '/wp-login.php') {
        exit();
    }
}
// 'init' fires early enough that no theme markup has been sent yet.
add_action('init', 'as_early_exit');
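A more complete variant of the early exit, added here as an example rather than taken from the original post: it still matches the path when a query string such as `?action=lostpassword` is appended, sends a bare 404 instead of the rendered theme page, and writes one log line per probe so repeated hits on the retired path can be spotted. The `as_` function names are assumptions.

```php
<?php
// Added example (not code from the original post): an early exit that ignores
// the query string, answers with a minimal 404, and logs the probe. Function
// names with the "as_" prefix are assumptions for illustration.

// Paths that should die early. /wp-login.php is the post's example; add any
// other retired login path here.
function as_hidden_login_paths() {
    return array( '/wp-login.php' );
}

// Path component of the request, without the query string, so
// /wp-login.php?action=lostpassword is matched as well.
function as_request_path() {
    $uri  = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/';
    $path = parse_url( $uri, PHP_URL_PATH );
    return is_string( $path ) ? $path : '/';
}

function as_early_exit_404() {
    $path = as_request_path();
    if ( ! in_array( $path, as_hidden_login_paths(), true ) ) {
        return; // normal request: let WordPress carry on
    }
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'probe of retired login path %s from %s', $path, $ip ) );

    // Correct status and no-cache headers, then a plain-text body: no theme
    // templates, stylesheets or scripts are loaded for this request.
    status_header( 404 );
    nocache_headers();
    header( 'Content-Type: text/plain; charset=utf-8' );
    echo 'Not found';
    exit;
}
add_action( 'init', 'as_early_exit_404' );
```

Only enable this after the login form has actually been moved and you have confirmed the new URL works; with the default location still in use, the function would lock everyone, including you, out of the site.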
That’s it! By taking these two steps you force hackers to try and figure out your new WordPress login form’s URL. If and when he or she does (which will be difficult), you’ll be ready to change it again.
We know that there isn’t a foolproof way to deal with committed hackers, especially when they’re using brute force attacks. But the techniques described here can slow them down and encourage them to look for lower-hanging fruit elsewhere.
Check out all our blog posts about WordPress security issues – you might especially like How to Secure a WordPress Website.
Need help? We offer website support and maintenance packages that can include analyzing and upgrading your site’s security.