WordPress is a great system, but one of its weaknesses is that every potential hacker knows where the front door is. The link never changes and, out of the box, WordPress doesn’t give you the option to change it. So just add /wp-login.php onto the end of any WordPress-powered website’s address and there’s the login page.
Once a hacker knows where your login page is, they can brute-force their way in: keep trying username and password combos until one works. Core WordPress doesn’t limit how many attempts they get, so nothing slows them down.
But what if they didn’t know where the login page is? What if /wp-login.php didn’t work?
Enter the WordPress plugin WPS Hide Login.
Hiding the WordPress Login Page With a Plugin
The quick and dirty way to hide your login page is to use a plugin. And for this purpose, WPS Hide Login is the gold standard.
It lets you specify a new custom login URL and makes the default wp-admin and wp-login.php URLs inaccessible to anyone who isn’t already logged in (by default they return a 404).
It’s the quick and dirty way because setup pretty much takes two seconds. All you need to do is specify your new login URL by going to Settings —> WPS Hide Login and the plugin takes care of the rest.
If you’re using a caching plugin, you’ll also need to add your new login page to the list of pages excluded from caching. Other than that, you’re all set, with one thing to keep in mind: the new URL is a lesser-known address, not a password. It stays secret only as long as nobody links to it, shares it, or reads it out of a browser history.
So is WPS Hide Login all you need to protect your login page?
Well…maybe not. It will stop the majority of automated brute-force attacks, because those go straight for the default URL and give up when it isn’t there. But if a singularly focused attacker wanted to brute-force your login page, the support threads at wordpress.org have turned up a few bypasses by which someone could still reach the original login page. Those are:
- Using an encoded URL (only in Firefox)
- Trying to access …/wp-admin/customize.php
Now, most brute-force attackers are going after low-hanging fruit, so this is unlikely to ever become a serious issue. But unlikely is not never. To go one step further, you can restrict access to your login page yourself using .htaccess.
Using .htaccess To Hide the WordPress Login Page
To add additional security, you can hide your WordPress login page using your site’s .htaccess file. The two common ways to hide your login page with .htaccess are:
- Using .htpasswd to require a separate username and password (HTTP Basic authentication) before the login page is even served.
- Restricting access to wp-login by IP address.
Both methods come straight from the WordPress codex entry on brute-force attacks, so you can rest easy knowing that they’re WordPress approved!
How to Hide WordPress Login With .htpasswd
With this method, anyone trying to reach your login page gets smacked with the browser’s own username/password prompt before WordPress even loads:
No username/password, no login page!
It’s super easy to set up. Just follow these three steps:
Step 1: Create your .htpasswd entry. The quick way is an online Htpasswd Generator: enter your desired username and password, click Create .htpasswd file, and the tool hashes your password and gives you a line of text (username:hash) to add to your .htpasswd file. Bear in mind that an online generator sees the password you type. If you have shell access, Apache’s own htpasswd tool produces the same line locally (htpasswd -n yourusername prompts for the password and prints the entry).
Step 2: Add that text to a file named “.htpasswd” and upload it to the root directory of your WordPress site. You can use something like Notepad to create the file. Just make sure to save it using the All Files option. The rules in Step 3 stop Apache from ever serving the file, but if your host lets you put it outside the public web directory altogether, do that instead and point AuthUserFile at it:
Step 3: Add the following code to the top of your existing .htaccess file (also located in the root directory of your site):

# Stop Apache from serving .ht* files
# (Apache 2.4 without mod_access_compat: replace the two lines below with: Require all denied)
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

# Protect wp-login
<Files wp-login.php>
AuthType Basic
AuthName "Private access"
AuthUserFile /absolute/path/to/.htpasswd
require user yourusername
</Files>

Just make sure to replace “yourusername” with the actual username you used in your .htpasswd file, and /absolute/path/to/.htpasswd with the real full path to the file you uploaded (Apache treats a relative path here as relative to its ServerRoot, not your site, so it must be absolute). Two more things worth knowing: this username and password are separate from your WordPress login, so you now enter two sets of credentials; and Basic authentication only base64-encodes them on the wire, so make sure your site is served over HTTPS or the second password is readable to anyone on the path.
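The steps above hand the password-hashing part to an online generator. As an added example (not from the original article, WPS Hide Login, or the WordPress Codex), here is a Python 3 script that generates and verifies .htpasswd entries locally, so the password never leaves your machine. It is a port of Apache’s apr_md5_encode() routine, which produces the $apr1$ format that htpasswd emits by default; the usernames, passwords and salts in it are made up for illustration. Cross-check one generated line against the real tool (htpasswd -nbm user pass) before relying on it.

```python
import hashlib
import secrets

# Apache's base64 alphabet for the $apr1$ (and $1$) MD5-crypt encoding.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$apr1$"


def _to64(value: int, count: int) -> str:
    """Emit `count` characters, least-significant 6 bits first, like Apache's to64()."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: str) -> str:
    """Compute the $apr1$<salt>$<digest> string, following apr_md5_encode() step by step."""
    pw = password.encode()
    salt = salt[:8]  # Apache uses at most 8 salt characters
    sb = salt.encode()

    ctx = hashlib.md5(pw + MAGIC.encode() + sb)
    # "alternate" digest of pw+salt+pw, fed in once per 16 bytes of password
    alt = hashlib.md5(pw + sb + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    # one byte per bit of the password length: NUL for set bits, pw[0] otherwise
    bits = len(pw)
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 stretching rounds with Apache's fixed mixing schedule
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"{MAGIC}{salt}${encoded}"


def make_htpasswd_line(username: str, password: str) -> str:
    """Build a 'user:$apr1$salt$hash' line with a fresh random 8-character salt."""
    if ":" in username:
        raise ValueError("username may not contain ':'")
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{username}:{apr1_hash(password, salt)}"


def verify_htpasswd_line(line: str, username: str, password: str) -> bool:
    """Check a username/password pair against one .htpasswd line ($apr1$ entries only)."""
    user, sep, stored = line.strip().partition(":")
    if not sep or user != username or not stored.startswith(MAGIC):
        return False
    salt = stored[len(MAGIC):].split("$", 1)[0]  # layout: $apr1$<salt>$<22 chars>
    return secrets.compare_digest(apr1_hash(password, salt), stored)


if __name__ == "__main__":
    # Constructed sample credentials; paste the printed line into your .htpasswd.
    line = make_htpasswd_line("yourusername", "correct horse battery staple")
    print(line)
    print(verify_htpasswd_line(line, "yourusername", "correct horse battery staple"))
```

The verify function is also handy for checking that the line you pasted into .htpasswd really matches the password you think it does, before you lock yourself out of wp-login.php. If your Apache is 2.4 or newer, htpasswd -B gives you bcrypt entries, which are a better choice than apr1 for a password that will face brute force; the script above only handles the apr1 format.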