The developers at WordPress pride themselves on the ease with which their software can be set up to get a site running, going as far as to call it the “Famous 5-Minute Install”. This is hardly bravado, as the process really is that quick and simple. To be honest, in all of the installations I’ve done thus far, I don’t think I’ve ever spent more than an odd three minutes going from the “Language Select” screen to the initial barebones homepage.
The downside to this ease of installation is that a lot of defaults are set in the underpinnings of your site that you will hardly notice, and you could go through the entire life-cycle of a website without giving them so much as a first thought, let alone a second. The one we’re going to talk about today is your admin login screen:
Let’s say that you have a WordPress site connected to a fictional domain, ‘mywidgetsite.com’, with all of the defaults created by the setup process. The site address that grants you access to that page, and ultimately your backend, would be the following:
The problem lies in the ‘wp-admin’ part of it. This is the default admin address initially set up for all WordPress sites, and anyone who comes across a website that loads a login screen at this address will know right away that they’re dealing with some version of that software. From there, a malicious individual, or even an automated program, could begin a targeted process of discovery for known WordPress exploits in an attempt to gain control of your page. Now, if you make a regular habit of keeping your site and all of its underlying plugins up to date, this process should ideally fail at some point. However, as an old martial arts instructor of mine used to say: “The best defense for any attack is ‘Absence’” (i.e.: not to be there when it arrives).
With that, the first thing you should do with any new WordPress site is to see that this address is changed as soon as possible.
If you go to the backend of your WordPress site, under “Plugins – Add New”, and search for the term “wp-admin”, you will quickly find a plethora of offerings that will help you make this change. At the moment, my go-to of choice is “All In One WP Security & Firewall”:
This is a free plugin that is actually very robust and can go a long way toward helping you harden the overall security of your website in a plain-English manner, but for the purposes of this discussion we’re going to stick to its “Login Lockdown” functionality.
Once you install and activate the plugin, under its entry on the left there will be a “Brute Force” section. The opening tab there is the one you want, “Rename Login Page”:
All you have to do here is check the box to turn the functionality on and then fill in the textbox below with the string of characters you want to use to reach your site’s login window.
Following the example above, if you decided that you wanted to use the word ‘w1dg3tm4st3r’, then your wp-login address would become ‘mywidgetsite.com/w1dg3tm4st3r’. After this, any person or script that attempted to use the original default, ‘mywidgetsite.com/wp-admin’, would be greeted with a “404” page. Granted, this isn’t the be-all-end-all of your site security, nor should it be, but this alone will put you in a much stronger position than you would have been in without it. Once you’re done with this, you can go back into the plugin itself and review its other security suggestions and offerings.
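A side benefit of the rename worth checking for: once the default address only answers with a 404 to logged-out clients, every 404 on it comes from a scanner or a script rather than from you, so the dead path becomes a clean detection signal in your access log. The script below is an added example (not part of the original post and not the plugin’s own code) that counts such hits per client; it assumes an Apache/nginx combined-format log, and the log lines, client addresses and the ‘w1dg3tm4st3r’ slug are constructed sample data.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log format, matched loosely (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Drop the query string so /wp-login.php?action=lostpassword still counts.
    entry["path"] = entry["path"].split("?", 1)[0]
    return entry

def is_default_login_probe(entry):
    """A 404 on a stock WordPress login path. After the rename these paths only
    404 for logged-out clients, so a signed-in admin (200 on /wp-admin/) is skipped."""
    path = entry["path"]
    on_default = path in ("/wp-login.php", "/wp-admin") or path.startswith("/wp-admin/")
    return on_default and entry["status"] == 404

def find_probing_ips(lines, threshold=3):
    """Return {ip: hits} for clients that hit the dead default login paths at
    least `threshold` times: scanners or brute-force scripts, not real visitors."""
    hits = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and is_default_login_probe(entry):
            hits[entry["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample log: one scanner, one admin using the renamed slug, one single probe.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:12:01 +0000] "GET /wp-login.php HTTP/1.1" 404 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:12:02 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 404 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:12:03 +0000] "GET /wp-admin/ HTTP/1.1" 404 1523 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:09:15:10 +0000] "GET /w1dg3tm4st3r HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:09:15:14 +0000] "POST /w1dg3tm4st3r HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:09:15:15 +0000] "GET /wp-admin/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:09:20:00 +0000] "GET /wp-login.php HTTP/1.1" 404 1523 "-" "curl/8.0"
""".splitlines()

if __name__ == "__main__":
    for ip, n in find_probing_ips(SAMPLE_LOG).items():
        print(f"{ip}: {n} hits on the dead default login paths")  # 203.0.113.7: 3 hits
```

Point the script at your real log (for example by reading lines from the file instead of SAMPLE_LOG) and feed the flagged addresses to whatever blocking or alerting you already run.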
I hope you found this helpful. If you know of any other similar plugins that you think do this job just as well, or better, or perhaps worse, leave a comment. Thanks for reading.
P.S.: For the record, I have not been compensated in any shape, manner or form by the authors of the mentioned plugin to discuss it here. I just find it to be a solid piece of code that, for now, I am happy to suggest to you, the reader, and anyone else seeking similar functionality for their WordPress sites.