Prevent "drive-by" hackers from trying their luck
I recently discussed how to make your WordPress site harder to break into. Those are solid options, but they are the basics. Now it’s time to do something which ratchets up the security by more than a notch.
Change your website’s login page link.
WordPress is a great system but one of its weaknesses is that every potential hacker knows where the front door is. The link never changes and WordPress gives you no built-in option to change it. Just add /wp-login.php onto the end of any WordPress-powered website and there’s the login page (and /wp-admin/ bounces logged-out visitors straight to it).
Once a hacker knows where your login page is, they can point a brute-force tool at it and churn through username and password combinations until one works.
But what if they didn’t know where the login page is? What if wp-login.php didn’t work?
Enter the WordPress plugin WPS Hide Login.
Changing The Location Of Your Front Door
There are a few plugins which do this job, and you can also custom-code it into your site’s backend yourself if you have the know-how. But WPS Hide Login is the one I have always used and it has never let me down.
The first thing to stress is that it doesn’t edit WordPress core files, your theme or .htaccess. It hooks into the request at runtime: when someone asks for wp-login.php it redirects them to a page of your choosing, and the real login screen is served only under your new slug. Because nothing on disk is rewritten, deactivating or deleting the plugin puts everything back exactly as it was.
So instead of your login page being yoursite.com/wp-login.php, you can instead make it, for example, yoursite.com/mysecreturl. As long as the slug is long and random, there is no practical way for anyone to guess it (unless you tell them, or it leaks because you linked to it somewhere public).
But that cuts both ways. If you forget the URL, you will be locked out of your own website. In that case, delete or rename the plugin’s folder under wp-content/plugins using an FTP or SFTP program; WordPress deactivates a plugin whose files are missing, and wp-login.php works again.
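For the "custom-code it yourself" route mentioned above, here is a minimal must-use plugin that implements the same mechanism: it rewrites every login link WordPress generates to point at a secret slug, serves the real login screen when that slug is requested, and sends direct visits to wp-login.php elsewhere. This is an added example, not the WPS Hide Login plugin’s code; the slug `mysecreturl`, the `/404/` redirect target and the `hl_` function names are assumptions you should replace. It also covers the catch a practitioner would check first: an anonymous request to /wp-admin/ would normally be redirected by WordPress to the login URL, which would hand the secret slug to anyone who asks, so those requests are sent to the 404 page too.

```php
<?php
/**
 * Plugin Name: Hidden Login Slug (added example, not the WPS Hide Login plugin)
 * Description: Serves wp-login.php under a custom slug and hides the real path.
 *
 * Save as wp-content/mu-plugins/hidden-login-slug.php; mu-plugins load automatically.
 * Forgot the slug? Delete this one file over FTP/SFTP and the default login returns.
 */

// Assumed values: choose your own slug and treat it like a password.
const HL_LOGIN_SLUG    = 'mysecreturl';   // new login page: yoursite.com/mysecreturl/
const HL_REDIRECT_PATH = '/404/';         // where uninvited visitors to wp-login.php go

/** Path of the current request without a trailing slash, e.g. "/wp-login.php". */
function hl_request_path() {
    $path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    return '/' . trim((string) $path, '/');
}

/** Path prefix of the site: "" for a root install, "/blog" for a subdirectory install. */
function hl_home_path() {
    return rtrim((string) parse_url(home_url('/'), PHP_URL_PATH), '/');
}

/**
 * Rewrite any wp-login.php URL WordPress generates (login, logout, lost password,
 * the login form's own action attribute, post-logout redirects) to the slug.
 * The query string is kept because wp-login.php dispatches on ?action=...
 */
function hl_rewrite_login_url($url) {
    if (strpos($url, 'wp-login.php') === false) {
        return $url;
    }
    $query = parse_url($url, PHP_URL_QUERY);
    $slug  = home_url('/' . HL_LOGIN_SLUG . '/');
    return $query ? $slug . '?' . $query : $slug;
}
add_filter('site_url', 'hl_rewrite_login_url');
add_filter('network_site_url', 'hl_rewrite_login_url');
add_filter('wp_redirect', 'hl_rewrite_login_url');

/**
 * wp_loaded fires after plugins and the user session are set up but before
 * wp-login.php or wp-admin/admin.php has sent any output, so it is safe to
 * decide here who sees what.
 */
function hl_route_request() {
    $path = hl_request_path();
    $home = hl_home_path();

    // 1. The secret slug: serve the real login screen in place.
    if ($path === $home . '/' . HL_LOGIN_SLUG) {
        global $pagenow;
        $pagenow = 'wp-login.php';               // code that inspects $pagenow sees a normal login
        require_once ABSPATH . 'wp-login.php';   // its own wp-load.php include is a no-op by now
        exit;
    }

    // 2. The front door everybody knows: send it to the redirect page.
    if ($path === $home . '/wp-login.php') {
        wp_safe_redirect(home_url(HL_REDIRECT_PATH), 302);
        exit;
    }

    // 3. Stop wp-admin from leaking the slug: a logged-out visitor would otherwise be
    //    bounced by auth_redirect() to the rewritten login URL. admin-ajax.php and
    //    admin-post.php stay reachable because front-end code calls them while logged out.
    $is_admin  = strpos($path, $home . '/wp-admin') === 0;
    $is_public = in_array(basename($path), array('admin-ajax.php', 'admin-post.php'), true);
    if ($is_admin && !$is_public && !is_user_logged_in()) {
        wp_safe_redirect(home_url(HL_REDIRECT_PATH), 302);
        exit;
    }
}
add_action('wp_loaded', 'hl_route_request');
```

Because the slug is compared against the request path before WordPress runs its query, it works with or without pretty permalinks, and because only generated links are rewritten (nothing on disk changes), removing the file reverts the site completely.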
Installing The Plugin
I think most people with a WordPress website know how to install a plugin, so I won’t dwell on that part. Suffice to say you can search for it under Plugins > Add New in your WordPress backend and install it directly, or download the zip from the plugin page and upload it through the backend.
Configuring The Settings
When the plugin has been installed and activated, click on the settings link. You will then get this very small section.
As you can see, there are just two things to decide: the new login URL (the slug) and the page people should be redirected to if they try to reach wp-login.php.
So choose your own unique login URL. Like a password, make it hard to guess: no names of spouses, children or pets, and nothing obvious like "login" or "admin". Then choose the redirection page. If you have a 404 error page (and you should), I recommend leaving the default as it is. If not, redirect people to the website’s homepage.
Now save everything.
Time To Test It!
My login page used to be markoneill.org/wp-login.php. But if you now go there, you are taken to my 404 error page. Say hi to Charlie!
Nothing is going to stop a really determined hacker with lots of knowledge and resources, and hiding the URL is obscurity rather than a lock: it does not make a weak password any stronger, and once the slug leaks it has done all it can, so keep the basics from the earlier post in place too. The good thing about a plugin like this is that it deters and stops a lot of what I call “drive-by hacks” – opportunistic idiots who think they can just give your site’s login page a quick try and chance their luck.
Like the front door to your house, having a lock is better than not having one.