Hiding WP-Admin: Popular, Complicated and Not Very Effective

Tobias Schüring Last updated on 20.10.2020
9 Min.
hide wp admin
Last updated on 20.10.2020

Almost everyone knows how to reach the login barrier to the admin area by WordPress default. Since more than 34 percent of all websites it WordPress is easy for hackers to find and attack their sites login areas. This is exactly why hacks such as Brute Force attacks belong to the most common attacks on WordPress sites at all. Hiding the WP admin area seems to be a simple protective measure. Today I will show you how useful this technique is and how you can implement it.

Brute Force Attacks are probably the most common type of attack on WordPress sites at all. In 2017, the security provider alone Wordfencemeasured almost 1 billion such attacks in a few months of this year - not counting the number of unreported attacks. In order to limit the security risk of Brute Force attacks, it makes sense to restrict login attempts after too many failed attempts. Furthermore, many WordPress webmasters use another method: they postpone the WP admin area, so that it is no longer found under the suffix wp-admin.

Many security plugins therefore offer a corresponding function. Who can also dare to access the .htaccess file. But hiding the WP admin area is not a really good security measure in itself. But it can be a useful addition.

Hide WP Admin: What's the point of all this?

Behind the idea to hide the WP admin area is the principle security through obscurity ("security through obscurity/uncertainty") - the idea that the security of a system is stronger as long as its operation remains secret. Or in other words: If the attacker does not know where your front door is, he can sneak around your house, but he cannot break in.

Security through obscurity - in practice a toothless tiger

This approach is controversially discussed among experts - and not without reason. In this case, the fact that information is secure does not mean that it can no longer be accessed at all. It is available - but hidden. But with the right tools, hackers can still find your loginsite if they want to.

And here comes the real problem with security through obscurity into the game: Often the approach is used to hide problems that should instead be completely eliminated. Is your admin name admin and your password Password 123!the hacker is in your backend in no time at all if he has found your hidden loginsite .

In short, a hidden admin area does not stop attackers from attacking, but only prolongs the amount of work time needed to carry out the attack. Unfortunately, it is impossible to completely hide the fact that your WordPress -projects around WordPress sites ...is trading. Hiding the WP-Admin should not be your only security measure. Whoever is targeting you will not be able to flee.

The concept security through obscurity is therefore ideally one of many layers of your security concept. Limit Login Attempts (LLA), a strong password with two-factor authentication and - if you finally use one - a well-configured securityPlugin is a sensible mix. Hiding the admin area is just the icing on the cake.

In some cases hiding the WP-Admin makes sense nevertheless

But there are actually some situations in which it can make sense to hide the WP-Admin:

  • Hiding the WP-Admin has a strong influence on the perceived security of a WordPress site . Especially if you are working on behalf of a customer, a hidden WP admin makes sense to maximize the security perception of your customer.
  • If hackers launch a Brute Force attack on your site, your web server may "overheat" just because of the high number of requests. If you move the admin area, you will take the wind out of your sails, at least for primitive Brute Force attacks right from the start.
  • You can surprise some customers positively by hiding the admin area, e.g. if you move it under /name of company. Thus you can create a small but fine branding effect.

As you can see, these measures are more of a cosmetic nature. But sometimes even a higher perceived safety can help. Therefore I will show you in the following how you can secure your WP-Admin with and without plugins.

Plugins just to hide the admin, does that make sense?

Great security plugins features include the ability to hide the admin area and the exact nature of your site among many other features. As I said before, I take a critical viewInstalling a bulky Pluginone just to change a URL does not solve all your problems at once. Only after a thorough examination of the topic can you decide which security measures make sense for your project.

But you basically plugins have two options in matters:

  • slim plugins, which were developed only for hiding the login area
  • Plugins which include the hiding of the login area, but can do much more

Comprehensive security plugins are more bulky due to their extended functionality. Therefore, they only make sense in principle if you know what you want to achieve with them: for example, blocking very specific IPs, using the Web Application Firewall (WAF) or being excluded from the reporting of plugins profit. The question of how sensible security plugins are real, we also answer in this article.

Installing a big plugin just to hide the admin area is overkill. Your loading speed suffers and you have little added value at the end of the day. Nor is it a substitute for dealing with security features.

Hiding the admin area with one Pluginis only advisable if you can use it without major performance or functionality losses - as a nice to have. Extra for this a big one Pluginlike iThemes Security or Wordfenceto install, I would not recommend.

Here instead are some slimmer alternatives to hide your admin area:

WPS Hide Login

wps hide login
The WP-Admin can be hidden with the WPS Hide LoginPlugin, for example.

This free one Plugindoes exactly a Thing: It changes the two URLs /wp-admin and /wp-login.php to addresses you specify. This adds a hurdle for hackers and makes yours site a little more secure. With over 400,000 active installations and an average rating of 4.9 stars (with over 1,100 ratings!), this Pluginhas been proven in practice.

Protect Your Admin

protect your admin
Optionally this also works with the PluginProtect Your Admin.

The Plugin is, despite some additional features, one of the leaner ones on the market and allows you to specify a custom URL for /wp-admin and /wp-login.php. If you try to sites call them both, you will end up on your home page instead. 40,000 users have this Plugin currently installed, the average ranking is 3.8 stars. A paid upgrade activates some additional features like a login attempt counter.

Cerber Security, Antispam & Malware Scan

cerber security antispam malware scan
The Cerber Security also Pluginguards the WP-Admin.

This Plugin hides /wp-login.php among others and displays a 404 error message instead. But it can do a lot more - that's why it's worth a thorough examination of the tool. The rating is currently 4.9 stars and there are about 100,000 active users. The Plugin is free.

WP Hide & Security Enhancer

wp hide security enhancer
Another alternative is the somewhat bulkier PluginWP Hide Security Enhancer.

This free one plugin hides the fact that your website is WordPress running. Whether this makes sense in principle, remains to be seen (with a tool like BuiltWith can be brought to light quickly), but at the same time changes the URLs /wp-admin and /wp-login.php to any other URL. Over 50,000 webmasters Plugincurrently use this, the average rating is 4.3 stars.

No fear of the evil code: Securing with the .htaccess

If you want to hide the fact that your site is WordPress installation, then you can do this via some of the ones just listed plugins. Or you can go directly to the .htaccess file. It is one of the most important files of WordPress installations that run on Apache servers (Attention: RAIDBOXES- do notsites run on Apache servers, so the .htaccess has no influence on the web server) In the .htaccess is defined, for example, which files and directories are site visible to you and who has access to what.

With small changes in this file you can give your website an extra layer of security. Specifically, you add individual code snippets that restrict access to wp-config.php or block certain IPs. I recommend that before any changes are made, you make sure you have a Backup of this file - should something go wrong, you can then quickly and easily return to the original state. And with .htaccess, even a small bug in the code can be enough to paralyze yourssite .

Variant 1: Allow only certain IPs

With a .htaccess you can protect every directory - in this case you want to protect the admin area. Therefore you upload a new .htaccess in the directory wp-admin. If you instead specify in the root directory of WordPress that directory that only certain IPs have access, you will exclude all others from your whole site directory instead of just the admin area.

In the .htaccess of the admin directory you now have the possibility to block specific IPs from accessing this directory. If you are using a static IP yourself, it is recommended to exclude all IPs except your own. So only you have access to the admin area.

By the way, you can do the same to exclude IPs from the site wp-login.php. Unauthorized IPs can be redirected to a 404site (or another one of site your choice) and won't be able to access the login screen. This can be done by inserting the appropriate code.

  • At WordPress Codex is described how you can protect individual directories of your WordPress installation
  • The colleagues of WP-Beginner Show in detail how to protect the WP-Admin via the .htaccess
  • The plugin producer wpmudev shows in a comprehensive guidehow you can use the .htaccess to protect your sites

Variant 2: Configure password protection (or two-factor authentication)

Another and very often used possibility to protect the admin area with .htaccess is to create an additional HTTP authentication. The server then already requires appropriate access data to get to your WordPress login page.

This means a little more effort for you to log in, but many attackers will throw in the towel at this point. Brute Force attacks are thus blocked before they have even begun. However, even this protection is not completely foolproof, since many attacks are carried out via the XMLrpc interface run. This interface, implemented by default, allows hackers to perform DDoS and Brute Force attacks run. The attacks are similar to those on the wp-admin-site , but here hundreds of combinations of logins and passwords can be requested simultaneously. Therefore it must be said at this point that the more sensible protection is not an additional login, but a two-factor authentication

But to add an additional password protection you need another file besides the .htaccess, the so called .htpasswd. It contains the access data you need for authentication. To create them, you can appropriate online tools use. They encrypt your desired password (for example Günterdergrosse86) according to the MD5 format (Günterdergrosse86 looks like this: $apr1$R71r9bVr$6S99bG1Z9R9yYHXcOCG6m/). MD5 is one of the five password formats the Apache server can work with. But in the end you only have to remember the unencrypted password - the server will do the rest automatically.

The .htpasswd created in this way is put on the same level as the .htaccess, usually the top level of the WordPress directory.

In the .htaccess you now define that the HTTP authentication should take place when accessing wp-login.php and create a link to the .htpasswd via a code snippet. This allows the server to access the previously defined access data in the other file. How this is done, for example here .

The .htaccess then specifies that authorization is required to access /wp-login.php and where the server can find the corresponding access data (namely in the .htpasswd). In addition, you're blocking access to the .htaccess, .htpasswd and wp-config.php files to ensure that no one but you can reconfigure your installation.

Does everything seem rather complicated? It is. Furthermore, it can happen that this additional password protection will Compatibility of plugins impaired. That's why I would always recommend a two-factor authentication. This is quickly set Pluginup via a and also offers even more protection against unauthorized intrusion. Because the authentication codes are transmitted via an external system.

Conclusion: Hiding the WP-Admin can be a lot of work - and brings more cosmetic benefits

Ideally, you should protect your WP admin area in the slimmest possible way. You should only install a large security plugin if you configure and use its other functions sensibly. If you only want to hide the WP-Admin, we recommend a slim versionPlugin. Everything else would be overkill.

As a separate security measure, hiding the WP-Admin is negligible anyway. In principle, the following also applies: No pugin replaces a strong password and the knowledge of the most important security WordPress holes. And every new plugin carries the risk of introducing security flaws in the code. It is therefore important to carefully consider which and how many you install.

There is never a 100% protection for any website. In our opinion, hiding the wp-admin section does not really bring more security. But it can contribute enormously to the feeling of security. Especially if you work on behalf of a customer, you should not underestimate the power of customer perception. However, it is by no means sufficient as a single or central security measure. However, if the changed URL is designed as one of many layers of your security system, it may well complement your security concept.

Related articles

Comments on this article

Write a comment

Your email address will not be published. Required fields are marked with * .