I recently discussed how to make your WordPress site harder to hack. But while these are reliable options, they are basic. It’s time to do something that will improve safety by more than just a notch.
Change the link to your site’s login page.
WordPress is a great system, but one of its weaknesses is that every potential hacker knows where the front door is. The link never changes and WordPress doesn’t give you the option to change it. So just add /wp-login/ to the end of the address of any WordPress-powered website and the login page will appear.
Once a hacker knows where your login page is, he can keep hammering at it until he gets the correct username and password combination.
But what if they didn’t know where the login page was? What if wp-login didn’t work?
Enter the WordPress WPS Hide Login plugin.
Change the location of your front door
There are several plugins that do the job, and you can also build the change into the back end of your site yourself if you have the know-how. But I have always used WPS Hide Login and it has never let me down.
First of all, it should be emphasized that it does not change your website’s code or files. So you don’t have to worry about a rogue plugin tampering with your site. WPS Hide Login simply intercepts any attempt to go to the wp-login page and redirects it to the page of your choice.
So instead of the login page yoursite.com/wp-login.php you can, for example, make it yoursite.com/mysecreturl.php. No one can figure out the URL of the new login page (unless you tell them).
But it is double-edged. If you forget the URL, you will not be able to get into your site. In this case, you will need to uninstall the plugin using an FTP program and everything will be reset to the default settings.
I think most people with a WordPress website know how to install a plugin, so I will not dwell on this too much. Suffice it to say that you can find it through the WordPress backend and install it directly.
Or download it from the webpage and upload it via the WordPress backend.
Once the plugin is installed and activated, click on the settings link. Then you get this very small section.
As you can see, you need to decide on two things: the new login URL, and the URL users should be redirected to if they try to visit your wp-login page.
So choose your own unique login URL. As with a password, make it non-obvious (no names of spouses, children, pets, etc.). Then select the redirect page. If you have a 404 error page (which you should), I recommend leaving it as it is. If not, maybe redirect people to the home page of the site?
Now save everything.
It’s time to test it!
My login page used to be markoneill.org/wp-login.php. But if you go there now, you will be taken to my 404 error page. Say hello to Charlie!
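A follow-up to this test, as an added example that is not part of the original post or the plugin's code: once the old URL is hidden, requests for wp-login.php in the web server's access log are worth reviewing. The sketch assumes Combined Log Format, the example login URL from above, that no legitimate visitor still requests wp-login.php, and constructed log lines.

```python
import re
from collections import Counter

HIDDEN_SLUG = "/mysecreturl.php"   # assumption: the example login URL used above
OLD_LOGIN = "/wp-login.php"        # the default WordPress login path

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "-"
198.51.100.23 - - [10/Mar/2024:10:05:00 +0000] "GET /wp-login.php?action=register HTTP/1.1" 404 512 "-" "-"
192.0.2.10 - - [10/Mar/2024:11:00:00 +0000] "GET /mysecreturl.php HTTP/1.1" 200 4096 "-" "-"
198.51.100.99 - - [10/Mar/2024:12:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "-"
192.0.2.10 - - [10/Mar/2024:12:30:00 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "-"
"""


def review_login_traffic(log_text, threshold=3):
    """Summarise requests to the old and new login URLs in an access log."""
    probes = Counter()      # requests per IP to the old login path
    still_served = []       # IPs that got a 200 from the old path (hiding not active)
    slug_ips = set()        # IPs that reached the hidden login URL
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue        # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]   # ignore the query string
        if path == OLD_LOGIN:
            probes[m["ip"]] += 1
            if m["status"] == "200":
                still_served.append(m["ip"])
        elif path == HIDDEN_SLUG:
            slug_ips.add(m["ip"])
    repeat = {ip: n for ip, n in probes.items() if n >= threshold}
    return {"probes": dict(probes), "repeat_offenders": repeat,
            "old_login_still_served": still_served, "slug_ips": slug_ips}


if __name__ == "__main__":
    for key, value in review_login_traffic(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Any entry under old_login_still_served means the old page answered normally, for example because the plugin was deactivated; slug_ips can be compared against the addresses you actually log in from.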
Nothing will stop a truly determined hacker with a lot of knowledge and resources. The good thing about a plugin like this is that it holds back and stops many of what I call “drive-by” opportunistic idiots who think they can just give your login page a quick try.
Like the front door to your home, having a lock is better than not having one.