Hackers are getting smarter and smarter with the methods they use to try to break into your WordPress admin pages.
The most common way is to use a script that tries to log in through the wp-login page.
It's no secret that all login pages for WordPress users look like this:
http://yourdomain.com/wp-login.php, so hackers know exactly which URL to point the script at.
Consider this: What would happen if someone hacked your site and deleted all your content or injected a malicious program to ruin your databases?
The solution to this security issue is to change the default login address to a custom login link so only you know what it is.
Caution: always create a full backup of your WordPress files and databases before making changes.
Create a Custom Login URL Using Code
One way to change your login address is to add some code to your .htaccess file.
If you want to change your login link from http://yourdomain.com/wp-login.php to http://yourdomain.com/login, add this line to your .htaccess file just above the WordPress rewrite rules. Write the flags as [NC,L] with no space after the comma; mod_rewrite can reject [NC, L] with a "bad flag delimiters" error, which takes the whole site down:
RewriteRule ^login$ http://yourdomain.com/wp-login.php [NC,L]
Login URL example: your login URL will now be http://yourdomain.com/login.
You can customize your URL to anything you want by changing login in the code above to another word. Place the line at the top of your .htaccess file, before the WordPress rewrite rules start. For example, this rule makes your login URL http://yourdomain.com/secret:
RewriteRule ^secret$ http://yourdomain.com/wp-login.php [NC,L]
This solution doesn't hide the default login URL. It only adds an easier-to-remember URL which redirects to the default, wp-admin. The next section of this post deals with creating a secret URL and disabling the default.
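To show what the alias rule above does not do, and how .htaccess alone can close that gap, here is an added example that is not the post's own code. It assumes yourdomain.com is your host name, /secret is the alias you chose, and wp_login_gate is an arbitrary cookie name picked for this example. Visiting the alias sets a session cookie (mod_rewrite's CO flag) and redirects to the real login page; any request for wp-login.php without that cookie is answered with a 404, so a script that only knows the default URL never reaches the login form.

```apache
# Added example (not the post's .htaccess). Replace yourdomain.com with your real host,
# and put this block above the WordPress rewrite rules.
RewriteEngine On

# 1. /secret sets a session cookie (lifetime 0 = browser session, path /) and sends the
#    browser on to the real login page. Cookie name and value are chosen for this example.
RewriteRule ^secret$ /wp-login.php [R=302,L,CO=wp_login_gate:1:yourdomain.com:0:/]

# 2. A request for wp-login.php that does not carry the cookie gets a 404.
#    "-" means "leave the URL alone"; R=404 sets the response status instead of redirecting.
RewriteCond %{HTTP_COOKIE} !wp_login_gate=1
RewriteRule ^wp-login\.php$ - [R=404,L]
```

Because the browser keeps the cookie for the whole session, the login form's own POST back to wp-login.php still works. Visitors who go straight to wp-admin without the cookie are bounced to wp-login.php and see the 404, which is the intended effect. Test it from a second browser before relying on it, and keep the backup mentioned earlier: a typo in .htaccess produces a 500 error for the entire site.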
Change Login URL Using a Plugin
Without any coding you can easily install a free plugin that fixes this weakness, and the chances are the hacker will move on to another site whose owner hasn't.
You can set up this plugin so that anyone who needs to log in to your admin page can do so only if you give them the secret URL.
Once you’ve installed the plugin, go to Settings > Permalinks and enter a secret name for your custom login page address URL and save the changes.
Caution: I have tested this plugin on a new installation of WordPress and it worked fine. However, most free plugins are unsupported, which means they sometimes conflict with other plugins depending on what you have installed. If you have any issues, log in to cPanel or FTP and delete the plugin, or contact your web hosting provider.
If a hacker does work out your password using a script, they won’t be able to use it unless they also know the secret link to your admin panel.
If you have any conflicts with the custom login URL plugin, try this one.
This plugin creates a Rewrite Rule that will allow users to log in from the custom URL – yoursite.com/login as well as /wp-login.php.
The only problem is that /wp-login.php will still be available for login, so while the plugin creates a custom login URL it doesn't stop hackers from accessing the default login URL, /wp-login.php.
Better solution: if you create a full backup of your WordPress site and store it in a secure location like your local PC, Dropbox or Amazon, you'll always be able to restore your content if a hacker does break in and ruin your website.
Another security plugin for WordPress which you may want to take a look at is named Better WP Security. This WordPress plugin offers security settings for the WordPress login, registration and admin pages as well as many other anti-hacking features to protect your site.
This security measure is one of many that make it harder and harder for hackers to break into your site.
I’ll be writing more about how to protect your WordPress installation using different security solutions in the near future.