Locking Down Your Login Page
Approximately 28% of websites on the internet run on the WordPress platform. From small and mid-sized businesses to schools, hospitals, and even police departments, the range of WordPress sites has never been larger. Whenever I load a new site, I can’t help but guess whether it does, in fact, run on the platform. There are visual cues on the front end and indicators in the source code that make it fairly easy to find out. Rather than scrutinize every section of a website, I tend to first add /wp-login.php to the end of the domain and see whether the login page appears. I expect to get some results from smaller businesses and companies but am always surprised when I see government and larger-business sites show the login page instead of a 404 error page.
It’s not that I think developers aren’t using strong usernames and passwords. WordPress does a great job of generating random password strings that would take even a supercomputer ages to guess. More often than not, too many failed login attempts will result in that user’s IP address being banned, preventing further attempts.
So, what is the problem? The problem is that there are a lot of these so-called hackers and spammers, most of them from overseas. They are the pests of the internet and are relentless in their attacks. While it is unlikely they will gain access through a brute-force attack, the possibility of exploits will always exist. All it takes is a vulnerable plugin or theme to let an intruder collect information that helps attack a site. Knowing where the login page is makes it too easy should an exploit succeed. Even if it doesn’t, repeated attempts from many sources put stress on the server and degrade its performance, which makes legitimate visitors suffer.
Moving the login page
You’ve heard the saying, “the best defense is a good offense”. In this case, don’t give an attacker the advantage of knowing where your login page is. You have the option of renaming it from wp-login.php to whatever you’d like. Unfortunately, WordPress does not directly offer an option to rename the page, but there are several methods you could apply to do so. Writing rules in your .htaccess file is one way, but it can be confusing to developers and designers who aren’t familiar or comfortable with that file. There are also plugins you can install that simplify the process. However, you want to make sure the plugin is widely adopted and updated reasonably frequently. There is one such plugin which is widely used for security and has an option to rename the login page.
Active Installations: 600,000+ | Last Updated: 2 Months Ago | As of 10/30/17
Setting up the plugin
Step by Step instructions
- Navigate to Plugins / Add New in your WordPress dashboard
- In the Search plugins… box enter “All in One WP Security & Firewall”
- Install and activate the plugin
- Scroll down to WP Security in the sidebar and choose Brute Force in the sub menu
- This will take you to the Rename Login Page tab where you can select the checkbox to enable the feature
- Enter whatever page name you would like in the blank box and hit the Save Settings button and you’re done!
The next time you want to log in, you will use that URL to access the backend of your website. There is a warning message on the page which I advise you to read if you’re worried about breaking something. However, we’ve used this feature across many websites and hosting environments and never had an issue. If for some reason there is a problem, simply rename the plugin folder all-in-one-wp-security-and-firewall in your site’s “plugins” directory to something else through FTP or File Manager. This will restore the default wp-login.php page.
Still not convinced?
Below is a screenshot of attackers trying to gain access to just a few domains that have their default login page unaltered. I have blurred the domains and file paths for obvious security reasons. You can see from the frequency and the number of different IP addresses just how determined these people are.
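The activity in a screenshot like that can be picked out of the access log automatically rather than by eye. The following is an added example, not code from this post or from the plugin it recommends: a small Python script that parses Apache combined-format access log lines and flags client IPs with repeated failed wp-login.php POSTs inside a sliding time window. It relies on WordPress re-rendering the login form with HTTP 200 when a login fails and redirecting (302) when it succeeds; the sample log lines are constructed (RFC 5737 documentation addresses), and the five-attempt threshold and five-minute window are assumptions you would tune for your own sites.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in Apache "combined" format (documentation IPs only;
# nothing here comes from the post's screenshot).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Oct/2017:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Oct/2017:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Oct/2017:10:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Oct/2017:10:15:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Oct/2017:10:15:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Oct/2017:10:15:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.20 - - [30/Oct/2017:10:16:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2911 "-" "curl/7.55"
198.51.100.20 - - [30/Oct/2017:10:16:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/7.55"
198.51.100.20 - - [30/Oct/2017:10:16:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/7.55"
192.0.2.44 - - [30/Oct/2017:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.invalid/wp-login.php" "Mozilla/5.0"
192.0.2.44 - - [30/Oct/2017:10:20:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 18220 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Oct/2017:11:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method,
# path and status. The rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

LOGIN_PATH = "/wp-login.php"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def failed_login_attempts(log_text):
    """Yield (ip, timestamp) for requests that look like failed logins.

    WordPress answers a failed wp-login.php POST by re-rendering the form
    (HTTP 200); a successful one redirects to wp-admin (HTTP 302).
    """
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"] == LOGIN_PATH and rec["status"] == 200):
            yield rec["ip"], rec["ts"]


def login_page_visitors(log_text):
    """Distinct client IPs that touched wp-login.php with any method."""
    ips = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == LOGIN_PATH:
            ips.add(rec["ip"])
    return sorted(ips)


def find_brute_force_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: max_attempts_in_window} for IPs whose failed attempts
    reach `threshold` inside any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for ip, ts in failed_login_attempts(log_text):
        by_ip[ip].append(ts)

    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans <= `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print("IPs touching the login page:", login_page_visitors(SAMPLE_LOG))
    print("Total failed attempts:", sum(1 for _ in failed_login_attempts(SAMPLE_LOG)))
    print("Likely brute-force sources:", find_brute_force_sources(SAMPLE_LOG))
```

The status-code heuristic is what makes this useful: counting every hit to wp-login.php would also count a legitimate administrator, whereas a burst of POSTs that all come back 200 is almost always a password guesser. Once the login page has been renamed, any request to /wp-login.php at all is noise from scanners, so the same parser can be pointed at the renamed slug instead.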
Now imagine you are responsible for maintaining dozens or even hundreds of WordPress sites. Unless you are looking at the log files, you would have no idea just how aggressive these attacks can be. I really hope that awareness of this problem increases in the community. It is an easy fix that anyone can apply. Of course, at Precise Online Management, our policy has always been to rename our customers’ login page, whether or not they are hosted by us.