Website Security That Never Ends
Do you remember singing “The Song That Never Ends” as a child or singing it with your children? It’s a simple song that goes on and on and never ends. Website and WordPress security are much the same. The need for continual security on your WordPress sites goes on and on my friend. One of the ways that some developers and businesses look to implement additional security is by changing the WordPress login URL. Changing this URL can be a good idea from a security focus as it can add in extra security protection against bots and spammers.
Changing the login URL can make it more difficult for unauthorized users, such as bots and spammers, to find the login page and therefore reduce the risk of brute-force attacks and login attempts. If you’re going to implement a URL change like this on your site, there are a few best practices to follow.
Use A Plugin
When designing a website, using a WordPress plugins like “WPS Hide Login,” “Loginizer,” or “Protect Your Admin” can help you change the login URL easily and securely. These plugins also provide additional security features like IP blocking, login attempt monitoring, and CAPTCHA integration.
While it is possible to manually make the change via the .htaccess file, doing so is not the best solution. Manually making that change can lead to several errors and site conflicts. Adding in new plugins and themes can be problematic with this approach at times.
Remember the New URL
After changing the WordPress login URL, be sure to remember or write down where the new login is. If you utilize a program like 1password.com to store sensitive information, add a link to the new WordPress login URL there. Once the URL is changed, it can be difficult to find the new URL if you don’t remember it. You may need to either contact your developer or hosting company to help find that URL.
If the URL is updated with a plugin, it is possible to disable that plugin to get the correct URL figured out and then re-enable that plugin. If you manually update files to change the URL, it will be that much more difficult for you to find it if it is forgotten.
Keep Plugins Updated
As with any and all plugins, be sure to keep any plugins used to change the login URL updated. Regularly updating the plugins to the most recent and stable version of the plugin will help to ensure that it is compatible with WordPress and has any known bugs or issues fixed. Adding in the security benefits of changing the login URL WordPress is undercut if the plugin used to do so isn’t kept updated and secure.
All plugins on your WordPress website should be regularly monitored. At Full Scope Creative, we recommend Running updates no less than once a week. On our Security Essentials hosting plan, we run all plugin updates 3 times per week to keep sites as secure as possible.
Implement Other Security Measures
Changing the URL of the login link on a WordPress site is only one of the multitude of things that should be done for security. Implementing other standard security measures such as utilizing strong passwords, two-factor authentication, routine backups, secure hosting, and more are just a few of the things that should be done on a website.
There are several great security plugins that can be added to WordPress as well. All In One Security and WordFence provide great (and free) plugin options that can do bot and brute force attack prevention and more. If you have a website that might store or interact with personal information at all, an Astra security license and plugin would be ideal to help with malware scans and firewall protection as well.
Is it worth doing?
While we do always offer the option to change the URL login for clients, it isn’t a practice we regularly use. There are potential issues, primarily forgetting the link or plugins failing, that can lead to issues with this approach. Instead we focus our efforts on other security measures mentioned earlier. When hosting sites, security is always our number one priority and effort and we have other measures in place that more than provide the security that hiding a login URL would. That said, if you are hosting your website on your own, it isn’t a horrible option to explore. If you do go the route of hiding the login URL, just be sure to follow the steps outlined in this article, and don’t let your website security measures stop there. Just like the song, website security goes on and on my friends, this web developer started singing it not knowing what it was, and you’ll continue singing it forever just because…