Over the past few months we have been seeing a huge spike in the number of brute force attacks. These attacks can not only break into a site’s admin section, but can also cause such an increase in traffic that the site’s load times slow to a crawl – think 1990s dial-up internet kind of slow. To help prevent this, one thing we have been doing on the sites we build and host is hiding the wp-admin login screen.
One of the security concerns with WordPress is that everyone, legitimate users and hackers alike, knows that going to domainname.com/wp-admin lands them on the site’s default login page. Once a hacker or brute force script is on that page, it can start guessing username and password combinations at rates of up to 350 billion per second. While programs like WordFence do a great job of stopping repeated logins from the same IP address, they won’t completely prevent brute force attacks. The various malware scans and security options WordFence provides still make it an essential plugin, but going one step further and hiding the wp-admin link takes security to another level.
To hide the wp-admin link, we use another plugin to rename that link to whatever we want. With this plugin, instead of going to domainname.com/wp-admin to log in, a user would go to domainname.com/abc123 or domainname.com/secret-login. Since at Full Scope Creative we don’t use any formula or set pattern for those names, each client login is 100% unique to that site and that site only. Hiding the admin login page creates another layer of security that a hacker or brute force attack must get through.
You’ve likely heard me say before that there is no foolproof computer system, but WordPress is a great system with great built-in security. With plugins like WordFence and hiding the admin login, we can take that security to a whole new level.