Hackers are getting smarter and smarter with the methods they use to try to break into your WordPress admin pages.
The most common way is to use a script that tries to log in through the wp-login page.
It’s no secret that all login pages for WordPress users look like this:
http://yourdomain.com/wp-login.php, so hackers know exactly which URL to use to run the script.
Consider this: What would happen if someone hacked your site and deleted all your content or injected a malicious program to ruin your databases?
Read more about how 4800 hacked websites were lost with no chance of recovery
The solution to this security issue is to change the default login address to a custom login link so only you know what it is.
Another method is to limit login attempts.
Caution. Always create a full backup of your WordPress files & Databases before making changes.
Create a Custom Login URL Using Code
One way to change your login address is to add some code to your .htaccess file
If you wanted to change your login link from http://yourdomain.com/wp-login.php
to
http://yourdomain.com/login
Add this code to your .htaccess file just above the WordPress rewrite rule
RewriteRule ^login$ http://yourdomain.com/wp-login.php [NC,L]
Login URL Example: Your login url will now be http://yourdomain.com/login
You can customize your URL to anything you want by changing login in the code above in your .htaccess file.
Place the code on line 1 of your .htaccess file before the rewrite rules start.
This solution doesn’t hide the default login URL. It only adds an easier-to-remember URL which redirects to the default being wp-admin. The next section of this post deals with creating the secret URL and disabling the default.
Change Login URL Using a Plugin
Without the need for coding, you can easily install a free plugin that fixes this weakness, and the chances are the hacker will move on to another user who doesn’t.
You can set up this plugin so that anyone who needs to log in to your admin page can do so only if you give them the secret URL.
Once you’ve installed the plugin, go to Settings > Permalinks and enter a secret name for your custom login page address URL and save the changes.
Caution: I have tested this plugin on a new installation of WordPress and it worked fine. However, most free plugins are unsupported, which means they sometimes conflict with other plugins depending on what you have installed. If you have any issues, log in to cPanel or FTP and delete the plugin, or contact your web hosting provider.
If a hacker does work out your password using a script, they won’t be able to use it unless they also know the secret link to your admin panel.
Another plugin which creates a custom login URL is named Ozh’ Simpler Login URL.
If you have any conflicts with custom login and URL’s plugin try this one.
This plugin creates a Rewrite Rule that will allow users to log in from the custom URL – yoursite.com/login as well as /wp-login.php.
The only problem is that /wp-login.php will still be available for login, so while the plugin creates a custom login URL, it doesn’t stop hackers from accessing the default login URL, /wp-login.php.
Better Solution: If you create a full backup of your WordPress site and store it in a secure location like your local PC, Dropbox or Amazon, you’ll always be able to restore your content if a hacker does break in and ruin your website.
Another security plugin for WordPress which you may want to take a look at is named Better WP Security. This WordPress plugin offers security settings for WordPress login, registration and admin pages as well as many other anti-hacking features to protect your site.
This security measure is one of many that make it harder for hackers to break into your site.
I’ll be writing more about how to protect your WordPress installation using different security solutions in the near future.
Hi, will that also affect the email that is sent if you create a new user through WordPress?
I am asking because this is something I have been trying to achieve for a long time, and it seems you may know the answer.
Not sure, Levi. It's an old post that probably needs updating.
Adding RewriteRule before checking if mod_rewrite is loaded is nonsense.
It's in reality a nice and useful piece of information. I'm glad that you just shared this useful info with us. Please keep us informed like this. Thank you for sharing.