Almost everyone knows how to access the login barrier to the admin area on WordPress by default. Since more than 34 percent of all websites run on WordPress, it is easy for hackers to find and attack the login areas of these websites. This is exactly why corresponding attacks, such as brute force attacks, are among the most common attacks on WordPress websites ever. A simple protection measure seems to be the hiding of the WP admin area. Today I'll show you how useful this technique is and how you can implement it with plugins like WPS Hide Login.
Brute force attacks are probably the most common type of attack on WordPress websites. The security provider Wordfence alone measured almost 1 billion such attacks in 2017 in some months of this year - not counting the number of unreported cases. To reduce the security risk of brute force attacks, it makes sense to limit login attempts after too many failed attempts. In addition, many WordPress webmasters use another method: They move the WP admin area so that it is no longer found under the suffix wp-admin.
Many security plugins also offer a corresponding function. Who can, also dares to the .htaccess file. Hiding the WP admin area alone is not a really good security measure, but it can be a useful addition.
Behind the idea of hiding the WP admin area is the principle of security through obscurity - the idea that the security of a system is stronger as long as its functionality remains secret. Or in other words, if the attacker doesn't know where your front door is, he can sneak around your house, but he can't break in.
Security through obscurity - a toothless tiger in practice
This approach is controversial among experts - and not without reason. In this case, the fact that information is secure does not mean that it can no longer be accessed at all. It is there - but it is hidden. With the right tools, hackers can still find your login page if they want to.
And this is where the real problem with security through obscurity comes into play: Often the approach is used to hide problems that should be eliminated altogether instead. If your admin name is admin and your password is password123!, the hacker will be in your backend in no time once he has found your hidden login page.
In short, a hidden admin area does not stop attackers from attacking, but only extends the working time that needs to be spent to carry out the attack. Unfortunately, however, it is impossible to completely hide the fact that your projects are WordPress websites. So hiding the WP admin should definitely not be your only security measure. Whoever is targeting you will not be able to escape.
The concept of security through obscurity is therefore ideally one of many layers of your security concept. Limit Login Attempts (LLA), a strong password including two-factor authentication and - should you eventually use one - a cleanly configured security plugin are a sensible mix. Hiding the admin area is just the icing on the cake.
In some cases, hiding the WP admin still makes sense
Now there are actually some situations where it can make perfect sense to hide the WP admin:
- Hiding the WP-Admin has a strong impact on the perceived security of a WordPress website. Especially if you are working on behalf of a client, a hidden WP-Admin makes sense to maximize the security feeling of your client.
- If hackers launch a brute force attack on your website, your web server may "overheat" simply due to the high number of requests. If you move the admin area, you take the wind out of the sails of primitive brute force attacks right from the start.
- You can positively surprise some customers by hiding the admin area, for example, by moving it to /NameofCompany. This way you can create a small but nice branding effect.
As you can see, these measures are more of a cosmetic nature. But sometimes even a higher perceived safety can help. Therefore I will show you in the following how you can secure your WP-Admin with and without plugins.
Great security plugins also allow you to hide the admin area and the exact nature of your website, among numerous other features. As I said before, I take a critical view on this: installing a bulky plugin just to change a URL won't solve all your problems in one fell swoop. Only after a thorough examination of the topic you can decide which security measures make sense for your project at all.
In terms of plugins, however, you basically have two options:
- lean plugins designed only for hiding the login area
- plugins that include the hiding of the login area, but can do much more
Comprehensive security plugins are more bulky due to their extended functionality. Therefore, they only make sense if you know what you want to achieve with them: for example, blocking specific IPs, using the Web Application Firewall (WAF) or benefiting from the plugins' reporting.
Installing a large plugin just to hide the admin area is overkill. Your loading speed suffers and you have little added value. And it's no substitute for dealing with security features.
Hiding the admin area with plugin is only advisable if you can use it without major performance or functional losses - as a nice to have. Installing a big plugin like iThemes Security or Wordfence just for that I wouldn't recommend.
Instead, here are two sleeker alternatives to hide your admin area:
The free plugin WPS Hide Login does exactly one thing: It changes the two URLs /wp-admin and /wp-login.php to addresses you specify. This adds a hurdle for hackers and makes your website a bit more secure. With over a million active installations and an average rating of 4.9 stars (with over 2,000 reviews!), plugin has proven itself in practice.
This free plugin hides the fact that your website runs on WordPress. Whether or not this makes sense in principle remains to be seen (with a tool like BuiltWith, this can be quickly brought to light), but at the same time changes the URLs /wp-admin and /wp-login.php to any other URL. Over 80,000 webmasters currently use plugin , the average rating is 4.3 stars.
Don't be afraid of bad code: Secure with the .htaccess
If you want to hide the fact that your website is a WordPress installation, you can do that via plugins like WPS Hide Login. Or you can directly tamper with the .htaccess file. It is one of the most important files for WordPress installations running on Apache servers. The .htaccess defines for example which files and directories of your website are visible and who has access to what.
.htaccess and Raidboxes
With small changes in this file you can give your website an extra layer of security. Specifically, you add individual code snippets that restrict access to wp-config.php or block certain IPs. I recommend that you always make a backup of this file before making any changes - if something goes wrong, you can then quickly and easily revert to the original state. And with .htaccess, even a small error in the code can be enough to cripple your site.
With a .htaccess you can protect any directory - in this case you want to protect the admin area. Therefore you upload a new .htaccess in the directory wp-admin. If you instead specify in the main directory of WordPress that only certain IPs have access, you exclude all others from your entire website instead of only from the admin area.
In the .htaccess of the admin directory you now have the possibility to block specific IPs from accessing this directory. If you use a static IP yourself, it is recommended to exclude all IPs except your own. This way only you will have access to the admin area.
You can do the same to exclude IPs from the wp-login.php website. Unauthorized IPs can be redirected to a 404-site (or another site of your choice) and will not get to the login screen at all. This can be done by inserting the appropriate code.
- In the WordPress Codex is described how you can protect individual directories of your WordPress installation
- The colleagues from WP-Beginner show in detail how to protect the WP-Admin via .htaccess
- Plugin maker wpmudev shows how to use .htaccess to protect your sites in a comprehensive guide
Another and very often used possibility to protect the admin area with the .htaccess is to create an additional HTTP authentication. The server then already requires appropriate credentials to even get to your WordPress login page.
This means a little more effort for you when logging in, but many attackers throw in the towel at this point. Brute force attacks are blocked before they even start. However, even this protection is not completely foolproof, since many attacks run through the XMLrpc interface. Hackers can run DDoS and brute force attacks through this interface, which is implemented by default. The attacks are similar to those on the wp-admin site, however, hundreds of combinations of logins and passwords can be requested here simultaneously. Therefore, it must be said at this point that the more useful protection is not an additional login, but two-factor authentication
However, to add additional password protection, you need another file besides the .htaccess, called .htpasswd. It contains the access data you need for authentication. To create it, you can use appropriate online tools. They encrypt your desired password (for example Günterdergroße86) according to the MD5 format (Günterdergroße86 looks like this: $apr1$R71r9bVr$6S99bG1Z9R9yYHXcOCG6m/). MD5 is one of the five password formats that the Apache server can work with. In the end, you only need to remember the unencrypted password - the server takes care of the rest automatically.
The .htpasswd created this way is placed on the same level as the .htaccess, usually the top directory level of the WordPress directory.
In the .htaccess you now define that HTTP authentication should take place when accessing wp-login.php and create a link to .htpasswd via a code snippet. This way the server can access the previously specified credentials in the other file. How this works is explained here, for example.
The .htaccess then specifies that authorization is required to access /wp-login.php, and where the server will find the appropriate credentials (namely in the .htpasswd). In addition, you prohibit access to the .htaccess, the .htpasswd and wp-config.php to ensure that no one but you can reconfigure your installation.
Does it all seem rather cumbersome? It is. Moreover, this additional password protection may affect the compatibility of plugins. That's why I would always recommend two-factor authentication. This is quickly set up via a plugin and also provides even more protection against unauthorized intrusion. This is because the authentication codes are transmitted via an external system.
"*" indicates required fields
Ideally, you should protect your WP admin area in the most streamlined way possible. You should only install a large security plugin if you also configure and use its other functions in a sensible way. So if you are only interested in hiding the WP admin, we advise you to use a lightweight plugin like WPS Hide Login. Anything else would be overkill.
As a security measure of its own, hiding the WP admin is negligible anyway. In principle, it is also true: No plugin replaces a strong password and the knowledge of the most important WordPress security vulnerabilities. And every new plugin carries the risk of bringing security holes in the code. It is therefore important to carefully consider which and how many you install.
There is no one hundred percent protection for any website. In our opinion, hiding the wp-admin section does not bring any real increase in security. But it can contribute enormously to the perceived security. Especially if you're working on behalf of a client, you shouldn't underestimate the power of client perception. However, it is definitely not enough as the only or central security measure. Nevertheless, if the modified URL is designed as one of many layers of your security system, it can be a useful addition to your security concept.