One of the most common attacks against WordPress sites is also one of the simplest: attackers hammer wp-login.php as fast as possible with semi-random usernames and passwords until they find one that works. This brute force attack is rarely successful, especially if you have a username other than “admin” and use a strong password. But the attack itself can wreak havoc on your site. Because WordPress processes every login attempt separately, the attack bypasses caching and runs many PHP processes to service the attack. This places your users’ requests at the end of the line.
As simple as the brute force attack against wp-login.php is, the solution is just as simple: install a plugin that moves wp-login.php to a different, hard-to-guess URL. We use the Move Login plugin to do that.
NOTE: If you have a membership site with a login page that’s separate from your WordPress login page, this option won’t work.
Installing the Move Login plugin
In its simplest form, the plugin requires no further configuration after installation. Once installed, it renames the login URL from /wp-login.php to /login.1
Configuring your URLs
For further security, you may wish to rename the default /login to something less obvious. Whether you choose something completely random or related to your blog, a personalized login page will always be more secure than the default.
To change the default, navigate to Settings → Move Login, where you’ll see the following options:
In this example, I’ve changed “login” to “LetMeInMarvin” (begging our robot friend, Marvin, to grant me access!). However, I’ve left the default settings for the other “Links” fields.
Customizing your access settings
At the bottom of the screen are two further settings. These determine what happens when a user tries to access the old login page and the administration area. We recommend the default option for the first setting. When someone tries to access the old login page, they should be presented with an immediate and fatal error page. This will stop attackers in their tracks while minimizing load on your server.
The second setting requires a little more attention. By default, WordPress redirects users who try to access your dashboard to the login page. On installation, Move Login mimic’s this behavior and redirect users to the new login page as well. This is slightly more convenient, but slightly less secure; just as your admins can load /wp-admin on your site to be redirected to the new (secret) login page, so can attackers! The second option, “display an error message,” presents the same immediate and fatal error page mentioned above. This second option is slightly more secure than the first, and as such, we recommend that you use it.
Security is multi-faceted. Installing this plugin alone won’t protect you from every type of attack, but Move Login solves a small problem simply and completely to prevent a rather large nuisance!
What other steps do you take to protect your site?
Download our free printable security audit to see how secure your site really is!
Peter is responsible for designing and building the infrastructure that holds all of our hosting, providing client support across all of our products, and participating in partner meetings as well as general management tasks.