If you have done some research into securing your WordPress website, you might have seen some articles or guides on changing wp-login.php to something obscure so that hackers can’t find it to brute force their way in. It makes sense: if they can’t find it, they can’t crack it, right? Unfortunately, doing this really doesn’t offer much in the way of protection, and can actually cause more problems than it’s worth.
The idea isn’t a bad one. Much like hiding your valuables in a safe place, hiding your login away from malicious actors is intrinsically a good idea. The problem is that in the case of hacker protection, it’s only really offering surface-level security when you need to really fortify at the core. Many hackers use things like web crawlers and bots to search for login pages, so your login form being obfuscated won’t help you in this specific instance, as it can still be found. Many security firms call this tactic “security through obscurity”, and while it may make things slightly more inconvenient, it still won’t solve the problem.
Changing wp-login can also cause a myriad of issues on your site, including breaking themes, interfering with plugins, 500 errors, and displaying a white page. Not to mention that it’s hard for users to remember the URL to log in, and it’s confusing for a lot of people. One of the biggest issues is that when a hacker does inevitably reach your login page, they are still able to continuously spam the form with attempts. This puts incredible stress on the server and can lead to excessive load times, or even disable your site altogether.
All in all, a much better strategy is to implement measures to protect your site at the core while retaining ease of use and functionality of all parts of your site. Consider adding things like Two-Factor Authentication, where administrators need to use a different device or email address to approve the login. Make sure to use secure passwords so that guessing them is no easy feat. Make sure the username “admin” is not in use on your site so that potential infiltrators can’t go after low-hanging fruit. Maybe most importantly, consider IP blocking. Surf Your Name can get you set up with IP blocking software that will lock people out after a certain number of invalid attempts so that if a hacker does try to brute force their way into your site, they will get a very limited number of tries, and then they’re gone.
Last but not least, most website hacks actually happen through vulnerabilities in themes, plugins, or even the WordPress core. This is why it’s extremely important to have a maintenance plan so that you can continue getting updates and be secured immediately when any of these issues are made known. A maintenance plan in conjunction with the above security measures will have your site in the best shape it can be!
Here at Surf Your Name, we prioritize security measures and work hard to make sure all of our clients’ websites are secure and issue-free. Are you looking for a free security audit of your website? Please give us a call today and let’s get started!