Who doesn’t love WordPress? It’s easy to install and -- thanks to a plentiful supply of free and premium plugins -- ready to grow with your business. If the world’s most popular content management system (CMS) has a downside, it might be login security. Fortunately, it’s easy to change the WordPress login URL and protect your site from hackers, bots, and brute force attacks.
In this article, we go beyond general security checks. We talk about why you need to change your WordPress login URL and what you can do to protect your site.
We all know about data breaches at big companies. They include Canva, Zynga, and First American Financial Corp, just to mention three. Hackers were able to bust through security systems and then view or steal user information, records of financial transactions, or personal data.
Are WordPress sites at risk? Oh yes.
Here’s one example. In early 2020, over 900,000 WordPress sites running vulnerable plugins and themes were attacked. Experts say the aim was to insert harmful code. Experts also say the campaign was created by one bad actor. The hack attack started small and grew to 20 million attacks in a single day.
What’s to be gained -- you might ask -- by hacking a WordPress site? Plenty.
To be sure, a tiny percentage of WordPress sites collect or store valuable business information like credit card numbers. Data is not always the aim. Hijacked website pages can be used to:
- launch spam campaigns
- redirect traffic to advertising sites
- enhance SEO with black-hat tricks
- have fun and improve hacking skills
WordPress login URL security
If you spend time reading about WordPress security, you know that out-of-date plugins and themes are a security threat.
The WordPress login URL is also a threat, though it receives less attention.
The standard login page asks for a username and password. After a successful login, the user can access the dashboard. What happens if a hacker gets access to Admin privileges? It’s like giving your car keys to a thief. The bad guys can do whatever they want - including driving your website into a digital ditch.
The login page is an easy target for hackers because of the WordPress default setting. Typically, you can find the login page of a WordPress site by entering any of these extensions into the search bar:
There are some variations -- it depends on your file structure. For example, if WordPress sits inside a subdirectory, the WordPress login URL might look like this:
Here’s the security problem.
Few website owners change the login page URL. That gives hackers a headstart in the race to crack your site. Even worse, a shocking number of people don’t change the username. They use the default Admin.
Consider the consequences of these two actions. There is a good number of sites with easy to find login pages and known usernames. The next step is to crack the password.
It’s worth remembering that hackers don’t sit at their computers with a sixpack of energy drinks and a bag of Doritos trying endless combinations of usernames and passwords. Most attacks on the login page -- called brute force attacks -- are done by bots, a piece of code that strolls the internet like a car thief at a Walmart parking lot.
Bot attacks sometimes work like this. A bot parks itself at your login page URL and enters thousands of username and password combinations. Sometimes, the bot generates ideas from a random word list. Other times it works from a list of common terms (e.g. admin123) or stolen login data.
Think your site is safe? Think again.
It’s a brave new world, and hackers are a bright bunch one step ahead of the good guys. Bottom line -- there’s a good chance your login data is on a bot list.
How to change the WordPress login page URL
Changing the URL of the login page can improve security. But let’s be clear; this measure by itself is not enough to hold back the bad guys. It’s one of several steps you should take.
The easiest URL solution is to install a free plugin called WPS Hide Login. This plugin provides two security features. First, you can set a custom URL for the login page. Second, it displays an error page for anyone -- or anything -- that tries to access the old login page URL. There is no redirect, which means bots cannot easily find your login page.
Plugin installation is simple.
- Open your WordPress dashboard and click Add New Plugin on the menu.
- Type WPS Hide Login into the search bar.
- Click the Install Now button.
- Open the Plugins page and then click Activate.
- On the Dashboard menu, click Settings and then select WPS Hide Login.
- On the Settings page, change the Login url to a custom address.
- Click the Save button.
Now your login page is hidden from bots that look for standard URLs. Anyone who tries to access the standard URL gets a 404 error.
WordPress login security
When thinking about digital security, the best approach is to create layers, like an onion. One security measure, like a shield carried by a knight during the times of King Arthur, is not enough to hold off a galloping army of bots.
You can change the WordPress login URL. That's a good start. Here are three more steps you can take to reduce the risk.
Better usernames and passwords
Yup, we love short names because they’re easy to remember. If you are serious about security, it’s time to stop using Admin and change your apple123 password.
Although it’s a bit of a hassle, this tool adds a powerful layer of security. It works like this. Somebody tries to log in to your site, but they can’t finish the job until a piece of code is sent from another device, like a smartphone. There are several plugins you can install to add this security service.
Deter bots by adding a captcha -- a puzzle or test -- that only humans can complete. Sometimes, you have to click on images that contain a given object or check a box. There are many variations, but the aim is the same -- to prevent bots from logging in.
WPBlazer and WordPress login security
If you manage multiple sites, WPBlazer can add security, streamline tasks, and save time. Here’s how.
From a single dashboard, you can access any site with one click. That’s an exciting feature but here’s the best part. There’s no need to cut corners on security with easy to remember login data. WPBlazer lets you level up your site security with complex usernames, passwords, and login page URLs.
When you decide to install a new security plugin, WPBlazer’s bulk tools save time. Install plugins across your platform from one dashboard with a simple install tool. Out of date plugins will soon become a thing of the past thanks to WPBlazer’s handy update tool. You can set plugins and themes to auto-update on some or all of your sites.
If you manage multiple sites, get WPBlazer. We simplify WordPress security.