Almost everyone knows where the login page of a WordPress site can be found by default. Since more than 34 percent of all websites run on WordPress, it is easy for attackers to find and attack the login pages of these websites. This is precisely why attacks on the login page, brute force attacks in particular, are among the most common attacks on WordPress websites. Hiding the WP admin area seems like a simple protective measure. Today, I'll show you how useful this technique really is and how you can implement it with plugins such as WPS Hide Login.
Brute force attacks are probably the most common type of attack on WordPress websites. The security provider Wordfence alone measured almost 1 billion such attacks in a few months of 2017 - not including unreported cases. To reduce the risk posed by brute force attacks, it makes sense to lock out further login attempts after too many failed ones. In addition, many WordPress webmasters use another method: they move the WP admin area so that it can no longer be found under the default path /wp-admin.
Many security plugins offer a corresponding function. If your server supports it, you can also use the .htaccess file. Hiding the WP admin area alone is not a really good security measure, but it can be a useful addition.
Hide WP-Admin: What's the point?
Behind the idea of hiding the WP admin area is the principle of security through obscurity - the idea that a system is safer as long as its inner workings remain secret. In other words: if the attacker doesn't know where your front door is, they can sneak around your house, but they can't break in.
Security through obscurity - a toothless tiger in practice
This approach is the subject of controversial debate among experts - and not without reason. In this case, "securing" information does not mean that it can no longer be accessed at all. It is still there - just hidden. With the right tools, hackers can still find your login page if they want to.
And this is where the real problem with security through obscurity comes into play: the approach is often used to conceal problems that should be eliminated instead. If your admin name is admin and your password is password123!, the hacker will be in your backend in no time once they have found your hidden login page.
In short, a hidden admin area does not prevent attackers from carrying out an attack; it only delays it. Unfortunately, it is impossible to completely conceal the fact that your projects are WordPress websites. Hiding the WP admin should therefore by no means be your only security measure. After all, it won't stop someone who is specifically targeting you.
Security through obscurity is therefore ideally just one of many layers of your security concept. Limit Login Attempts (LLA), a strong password combined with two-factor authentication and - if you end up using one - a properly configured security plugin are a sensible mix. Hiding the admin area is just the icing on the cake.
In some cases, however, hiding the WP admin makes sense
However, there are some situations in which it can make sense to hide the WP admin:
- Hiding the WP admin has a strong influence on the perceived security of a WordPress website. Especially if you are working on behalf of a customer, a hidden WP admin makes sense in order to maximize your customer's sense of security.
- If hackers launch a brute force attack on your website, your web server may "overheat" simply because of the high number of requests. If you move the admin area, you at least take the wind out of the sails of primitive brute force attacks right from the start.
- You can positively surprise some customers by hiding the admin area, for example by moving it to /CompanyName. In this way, you can create a small but subtle branding effect.
As you can see, these benefits are mostly cosmetic. But even a higher level of perceived security can sometimes help. That's why I'll show you below how you can secure your WP admin with and without plugins.
Hide WP admin with plugins
Large security plugins also allow you to hide the admin area and the fact that your site runs on WordPress, among many other functions. As I said, I take a critical view of this: installing a bulky plugin just to change a URL won't solve all your problems in one fell swoop. Only after a thorough examination of the topic can you decide which security measures make sense for your project.
However, you basically have two options when it comes to plugins:
- slim plugins that were developed solely to hide the login area
- plugins that include hiding the login area, but can do much more
Comprehensive security plugins are bulkier because of their extended functionality. They are therefore only useful if you know what you want to achieve with them: for example, blocking specific IPs, using the web application firewall (WAF) or benefiting from the plugin's reporting.
Installing a large plugin just to hide the admin area, on the other hand, is overkill. Your loading speed suffers and, on balance, you gain hardly any added value. And it's no substitute for engaging with the security features themselves.
Hiding the admin area with a plugin is therefore only advisable if you can use it without any major loss of performance or functionality - as a nice to have, so to speak. I wouldn't recommend installing a large plugin like iThemes Security or Wordfence just for this purpose.
Instead, here are two slimmer alternatives to hide your admin area:
WPS Hide Login
The free WPS Hide Login plugin does exactly one thing: it changes the two URLs /wp-admin and /wp-login.php to addresses you specify. This adds a hurdle for hackers and makes your website a little more secure. With over a million active installations and an average rating of 4.9 stars (with over 2,000 reviews!), the plugin has proven itself in practice.
WP Hide & Security Enhancer
This free plugin hides the fact that your website runs on WordPress. Whether this makes sense in principle is debatable (with a tool like BuiltWith, it can quickly be brought to light again), but the plugin also changes the URLs /wp-admin and /wp-login.php to any other URL you choose. Over 80,000 webmasters are currently using the plugin, with an average rating of 4.3 stars.
Don't be afraid of bad code: Securing with .htaccess
If you want to hide the fact that your website is a WordPress installation, you can do this with plugins such as WPS Hide Login. Or you can work directly on the .htaccess file. It is one of the most important files for WordPress installations that run on Apache servers. The .htaccess defines, for example, which files and directories on your website are visible and who has access to what.
.htaccess and Raidboxes
Raidboxes websites do not run on Apache servers, so the .htaccess has no influence on the web server. If you have your WordPress hosting with Raidboxes, you can use our Login Protection.
With small changes to this file, you can give your website an extra layer of security. Specifically, you can add individual code snippets that restrict access to wp-config.php or block certain IPs, for example. I recommend that you make a backup of this file before making any changes - if something goes wrong, you can then quickly and easily revert to the original state. With .htaccess, even a small syntax error can be enough to take your whole website offline.
Variant 1: Only allow certain IPs
In principle, any directory can be protected with an .htaccess - in this case, you want to protect the admin area specifically. Therefore, you upload a new .htaccess to the wp-admin directory. If you instead specify in the main WordPress directory that only certain IPs have access, you lock everyone else out of your entire website instead of just the admin area.
In the .htaccess of the admin directory, you can now block specific IPs from accessing this directory. If you use a static IP yourself, it is advisable to exclude all IPs except your own. This way, only you have access to the admin area.
You can do the same to exclude IPs from wp-login.php. Unauthorized IPs can, for example, be redirected to a 404 page (or another page of your choice) and never reach the login screen. This can be achieved by inserting the corresponding code.
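The two .htaccess files for this variant, written out as an added example (this is not code from the original post). It assumes Apache 2.4 authorization syntax (`Require ip`, mod_authz_core) and mod_rewrite, and that WordPress lives in the document root; `203.0.113.10` is a documentation address standing in for your own static IP.

```apache
# --- /wp-admin/.htaccess (new file inside the admin directory) ---
# Only the listed address(es) may open the admin area; everyone else gets 403.
# Assumption: your own IP is static. If it changes (typical DSL line), you
# lock yourself out and have to edit this file via FTP/SSH.
<RequireAny>
    Require ip 203.0.113.10
    # Require ip 203.0.113.0/24
</RequireAny>

# admin-ajax.php is called from the public front end by many themes and
# plugins, so it must stay reachable for anonymous visitors. With the default
# AuthMerging Off, this Require replaces the one above for this single file.
<Files admin-ajax.php>
    Require all granted
</Files>

# --- .htaccess in the WordPress root (place above the "# BEGIN WordPress" block) ---
# Same idea for the login form, but answer with 404 instead of 403 so an
# unauthorised visitor never learns that a login page exists here at all.
# Adjust the REQUEST_URI pattern if WordPress runs in a subdirectory.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-login\.php$
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule ^ - [R=404,L]
```

A status code outside the 3xx range in `R=` makes mod_rewrite drop the substitution and answer with that status directly, which is what produces the 404 page instead of a redirect.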
- The WordPress Codex describes how you can protect individual directories of your WordPress installation
- The colleagues from WP-Beginner show in detail how to protect the WP admin via .htaccess
- The plugin vendor wpmudev shows in a comprehensive guide how you can use .htaccess to protect your websites
Variant 2: Configure password protection (or two-factor authentication)
Another frequently used option for protecting the admin area with .htaccess is to add HTTP authentication in front of it. The server then requires the corresponding credentials before your WordPress login page can be accessed at all.
This means a little more effort for you when logging in, but many attackers throw in the towel at this point. Brute force attacks are blocked before they have even started. However, even this protection is not completely foolproof, as many attacks are carried out via the XML-RPC interface. Hackers can launch DDoS and brute force attacks via this interface, which is enabled by default. The attacks are similar to those on the wp-admin page, but here hundreds of login and password combinations can be requested at once. It must therefore be said at this point that the more sensible protection is not an additional login, but two-factor authentication.
However, to add password protection, you need another file in addition to .htaccess, the so-called .htpasswd. It contains the credentials needed for authentication. You can use appropriate online tools to create it. They hash your chosen password (for example Günterdergroße86) in the MD5-based format (Günterdergroße86 then looks like this: $apr1$R71r9bVr$6S99bG1Z9R9yYHXcOCG6m/). MD5 is one of the five password formats that the Apache server can work with. In the end, you only have to remember the plaintext password - the server takes care of the rest automatically.
The .htpasswd created in this way is placed on the same level as the .htaccess, usually the top directory level of the WordPress directory.
In .htaccess, you now define that HTTP authentication should take place when wp-login.php is accessed and link to .htpasswd via a code snippet. This allows the server to look up the previously defined credentials in the other file. How to do this is explained here, for example.
The .htaccess then specifies that authorization is required for access to /wp-login.php and where the server can find the corresponding credentials (namely in the .htpasswd). In addition, you deny access to .htaccess, .htpasswd and wp-config.php to ensure that nobody but you can reconfigure your installation.
Does it all seem rather complicated? It is. What's more, this additional password protection may affect the compatibility of plugins. That's why I would always recommend two-factor authentication instead. It can be set up quickly with a plugin and offers even more protection against unauthorized access, because the authentication codes are transmitted via an external system.
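The root .htaccess for this variant, as an added example (not the post's own code). It assumes Apache 2.4; the absolute path to .htpasswd is a placeholder for your document root, and the `htpasswd` command in the comment is the one shipped with Apache (apache2-utils on Debian/Ubuntu).

```apache
# Create the credentials file first, e.g. on the server:
#   htpasswd -c -B /var/www/example/.htpasswd guenter
# -B stores a bcrypt hash; the $apr1$ (MD5-based) format from the post is
# also accepted, but bcrypt is the stronger of the formats Apache supports.

# 1) Extra HTTP Basic login in front of the WordPress login form only.
#    AuthUserFile needs an absolute path; /var/www/example is a placeholder.
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /var/www/example/.htpasswd
    Require valid-user
</Files>

# 2) Nobody may read the configuration or credential files over HTTP.
<FilesMatch "^(\.htaccess|\.htpasswd|wp-config\.php)$">
    Require all denied
</FilesMatch>

# 3) The prompt above does not cover xmlrpc.php, which accepts the same
#    username/password over XML-RPC. If you do not rely on it (Jetpack and
#    the WordPress mobile apps do), close that door as well.
<Files xmlrpc.php>
    Require all denied
</Files>
```

After saving, request wp-config.php and .htpasswd in a browser once: both must return 403, and wp-login.php must show the browser's credential prompt before the WordPress form.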
Conclusion: Hiding the WP admin can be a lot of work - and is more of a cosmetic benefit
Ideally, you should protect your WP admin area in the most streamlined way possible. Only install a large security plugin if you also configure and use its other functions sensibly. So if you only want to hide the WP admin, we recommend using a plugin like WPS Hide Login. Anything else would be overkill.
As a security measure in itself, hiding the WP admin is negligible anyway. In principle, no plugin can replace a strong password and knowledge of the most important WordPress security vulnerabilities. And every new plugin carries the risk of introducing security vulnerabilities into the code. It is therefore important to carefully consider which and how many you install.
There is no such thing as one hundred percent protection for any website. In our opinion, hiding the wp-admin area does not really increase security, but it can contribute enormously to perceived security. Especially if you are working on behalf of a customer, you should not underestimate the power of customer perception. It is by no means sufficient as the only or central security measure. If the modified URL is designed as one of many layers of your security system, however, it can be a useful addition to your security concept.