Hiding WP-Admin: Popular, Complicated and Not Very Effective

Tobias Schüring Last updated 20.10.2020
9 Min.
wp admin hide
Last updated 20.10.2020

Almost everyone knows how to access the login barrier to the admin area at WordPress by default. Since more than 34 percent of all websites run on WordPress , it's easy for hackers to find and attack the login areas of these sites . This is exactly why corresponding hacks, such as Brute Force attacks, belong to the most frequent attacks on WordPress sites at all. A simple protective measure seems to be hiding the WP admin area. Today I'll show you how useful this technique is and how you can implement it.

Brute Force attacks are probably the most common type of attack on WordPress sites ever. The security provider Wordfence alone measured almost 1 billion such attacks in 2017 in some months of this year - not counting the number of unreported cases. In order to limit the security risk from Brute Force attacks, it makes sense in principle to restrict login attempts after too many failed attempts. In addition, many WordPress webmasters use another method: they move theWP admin area, so that it can no longer be found under the suffix wp-admin.

Many security plugins therefore offer a corresponding function. Who can also dare to the .htaccess file. But hiding the WP admin area by itself is not a really good security measure. But it can be a useful addition.

Hide WP Admin: What's the point?

Behind the idea of hiding the WP admin area is the principle of security through obscurity ("security through obscurity") - the idea that the security of a system is stronger as long as its functionality remains secret. Or, in other words, if the attacker doesn't know where your front door is, he can sneak around your house, but he can't break in.

Security through obscurity - a toothless tiger in practice

This approach is controversially discussed among experts - and not without reason. In this case, the fact that information is secure does not mean that it can no longer be accessed at all. It's there - but it's hidden. But with the right tools, hackers can still find your loginsite if they want to.

And here comes the real problem with security through obscurity often used to hide problems that should instead be eliminated altogether. If your admin name is admin and your password is password123!the hacker will be in your backend in no time if he found your hidden loginsite .

In short, a hidden admin area does not keep attackers from attacking, it only increases the amount of time that must be spent to perform the attack. Unfortunately, it is impossible to completely disguise the fact that your WordPress projects are WordPress sites . So hiding the WP admin should definitely not be your only security measure. Whoever is targeting you will not be able to escape.

The concept security through obscurity is therefore ideally one of many layers of your security concept. Limit Login Attempts (LLA), a strong password including two-factor authentication and - if you ultimately use one - a cleanly configured securityPlugin are a sensible mix. Hiding the admin area is just the icing on the cake.

In some cases, hiding the WP admin still makes sense

Now there are actually some situations where it can make perfect sense to hide the WP admin:

  • Hiding the WP admin has a strong impact on the perceived security of an WordPress site . Especially if you are working on behalf of a client, a hidden WP-Admin makes sense to maximize your client's perception of security.
  • If hackers launch a Brute Force attack on your site, your web server may "overheat" just because of the high number of requests. If you move the admin area, you will take the wind out of your sails, at least for primitive Brute Force attacks right from the start.
  • You can positively surprise some customers by hiding the admin area, e.g. if you move it under /name-of-the-company. This way you can create a small but nice branding effect.

As you can see, these measures are more of a cosmetic nature. But sometimes even a higher perceived safety can help. Therefore I will show you in the following how you can secure your WP-Admin with and without plugins.

UsePlugins for admin hiding only, does that make sense?

Great securityPlugins also offers the possibility to hide the admin area and the exact nature of your site , among many other features. As I said before, I'm critical of this: installing a bulky Plugin just to change a URL won't solve all your problems in one fell swoop. Only after a thorough examination of the topic can you decide which security measures make sense for your project.

But you basically plugins have two options in matters:

  • slim plugins, which were developed only for hiding the login area
  • Plugins which include the hiding of the login area, but can do much more

Comprehensive securityPlugins is more bulky due to its extended functionality. Therefore, they only make sense if you know what you want to achieve with them: for example, blocking specific IPs, using the Web Application Firewall (WAF) or benefiting from the reporting of Plugins . The question of how useful securityPlugins really is is also answered in this article.

Installing a big plugin just to hide the admin area is overkill. Your loading speed suffers and you have little added value at the end of the day. Nor is it a substitute for dealing with security features.

Hiding the admin area with a Plugin is therefore only advisable if you can use it without major performance or functional losses - as a kind of nice to have. To install a big Plugin like iThemes Security or Wordfence just for that, I wouldn't recommend.

Instead, here are a few sleeker alternatives to hide your admin area:

WPS Hide Login

wps hide login
For example, the WP admin can be hidden with the WPS Hide Login Plugin .

This free Plugin does exactly one thing: It changes the two URLs /wp-admin and /wp-login.php to addresses you specify. This adds a hurdle for hackers and makes your site a bit more secure. With over 400,000 active installations and an average rating of 4.9 stars (with over 1,100 reviews!), Plugin has proven itself in practice.

Protect Your Admin

protect your admin
Optionally, this also works with the Plugin Protect Your Admin.

The Plugin is, despite some additional features, one of the slimmer ones on the market and allows you to specify a custom URL for /wp-admin and /wp-login.php. Anyone trying to access either sites will land on your home page instead. 40,000 users currently have this Plugin installed, and the average ranking is 3.8 stars. A paid upgrade unlocks some additional features like a login attempt counter.

Cerber Security, Antispam & Malware Scan

cerber security antispam malware scan
Cerber Security Plugin also guards the WP admin.

Among other things, this Plugin hides /wp-login.php and displays a 404 error message instead. However, it can do much more - so it's worth taking a detailed look at the tool. The rating is currently 4.9 stars and there are around 100,000 active users. The Plugin is free of charge.

WP Hide & Security Enhancer

wp hide security enhancer
Another alternative is the slightly bulkier Plugin WP Hide Security Enhancer.
 

This free Plugin hides the fact that your website runs with WordPress . Whether or not this makes sense in principle remains to be seen (with a tool like BuiltWith, this can be quickly brought to light again), but at the same time changes the URLs /wp-admin and /wp-login.php to any other URL. Over 50,000 webmasters currently use Plugin , the average rating is 4.3 stars.

Don't be afraid of bad code: Secure with the .htaccess

If you want to hide the fact that your site is a WordPress installation, then you can do this via some of the Plugins files just listed. Or you can directly tamper with the .htaccess file. It is one of the most important files of WordPress installations running on Apache servers (note: RAIDBOXES-sites do not run on Apache servers, so the .htaccess has no influence on the web server). The .htaccess defines, for example, which files and directories of your site are visible and who has access to what.

With small changes in this file, you can give your website an extra layer of security. Specifically, you add individual code snippets that restrict access to wp-config.php or block certain IPs. I recommend that you always make a backup of this file before making any changes - if something goes wrong, you can then quickly and easily revert to the original state. And with .htaccess, even a small error in the code can be enough to cripple your site .

Variant 1: Allow only certain IPs

With a .htaccess you can protect every directory - in this case you want to protect the admin area. Therefore you upload a new .htaccess in the directory wp-admin. If you instead specify in the root directory of WordPress that directory that only certain IPs have access, you will exclude all others from your whole site directory instead of just the admin area.

In the .htaccess of the admin directory you now have the possibility to block specific IPs from accessing this directory. If you use a static IP yourself, it is recommended to exclude all IPs except your own. This way only you will have access to the admin area.

By the way, you can do the same to exclude IPs from site wp-login.php. Unauthorized IPs can, for example, be redirected to a 404-site (or another site of your choice) and no longer reach the login screen. This can be done by inserting the appropriate code.

  • The WordPress codex describes how you can protect individual directories of your WordPress installation.
  • The colleagues of WP-Beginner show you in detail how to protect the WP-Admin via .htaccess
  • The plugin maker wpmudev shows in a comprehensive guide how you can use the .htaccess to protect your sites

Variant 2: Configure password protection (or two-factor authentication)

Another and very often used possibility to protect the admin area with .htaccess is to create an additional HTTP authentication. The server then already requires appropriate access data to get to your WordPress login page.

This means a little more effort for you when logging in, but many attackers throw in the towel at this point. Brute Force Attacks are blocked before they have even begun. However, even this protection is not completely foolproof, as many attacks run through the XMLrpc interface. Hackers can run DDoS and Brute Force attacks through this interface, which is implemented by default. The attacks are similar to those on the wp-admin-site , but here hundreds of combinations of logins and passwords can be requested simultaneously. Therefore, it must be said at this point that the more sensible protection is not an additional login, but a two-factor authentication.

However, in order to implement additional password protection, you need another file in addition to the .htaccess, namely the so-called .htpasswd. It contains the access data you need for authentication. To create it, you can use appropriate online tools. They encrypt your desired password (for example Günterdergroße86) according to the MD5 format (Günterdergroße86 then looks like this: $apr1$R71r9bVr$6S99bG1Z9R9yYHXcOCG6m/). MD5 is one of the five password formats that the Apache server can work with. In the end, however, you only need to remember the unencrypted password - the server takes care of the rest automatically.

The .htpasswd created in this way is put on the same level as the .htaccess, usually the top level of the WordPress directory.

In the .htaccess you now define that HTTP authentication should take place when accessing wp-login.php and create a link to the .htpasswd via a code snippet. This way the server can access the previously specified credentials in the other file. How this works is explained here, for example.

The .htaccess then specifies that authorization is required to access /wp-login.php, and where the server will find the appropriate credentials (namely in the .htpasswd). In addition, you prohibit access to the .htaccess, the .htpasswd and wp-config.php to ensure that no one but you can reconfigure your installation.

Does it all seem rather cumbersome? It is. Moreover, this additional password protection may compromise the compatibility of Plugins . That's why I would always recommend two-factor authentication. This is quickly set up via Plugin and also provides even more protection against unauthorized intrusion. This is because the authentication codes are transmitted via an external system.

Conclusion: Hiding the WP-Admin can be a lot of work - and brings rather cosmetic benefit

Ideally, you should protect your WP admin area in the most streamlined way possible. You should only install a large security plugin if you also configure and use its other functions sensibly. So if you're only concerned with hiding the WP admin, our advice is to go as lean as possible Plugin. Anything else would be overkill.

As a security measure of its own, hiding the WP admin is negligibly effective anyway. In principle, the following also applies: No Plugin replaces a strong password and the knowledge of the most important WordPress security vulnerabilities. And every new Plugin carries the risk of bringing security vulnerabilities in the code. It is therefore important to carefully consider which and how many you install.

There is never a 100% protection for any website. In our opinion, hiding the wp-admin section does not really bring more security. But it can contribute enormously to the feeling of security. Especially if you work on behalf of a customer, you should not underestimate the power of customer perception. However, it is by no means sufficient as a single or central security measure. However, if the changed URL is designed as one of many layers of your security system, it may well complement your security concept.

As a system administrator, Tobias watches over our infrastructure and finds every possible way to optimize the performance of our servers. His tireless efforts mean he can often be found on Slack in the early hours.

Related articles

Comments on this article

Post a comment

Your email address will not be published. Required fields are marked with *.