Change WordPress login URL: There are 60 million WordPress websites on the internet. It’s no wonder that WordPress is the most popular CMS. Being popular draws both good and bad attention. And speaking of bad attention, WordPress websites tend to experience 90000 hack attempts per minute every day. Hence, hack attempts on your website are imminent regardless of whether the site is big or small.
Hackers resort to various techniques to hack a WordPress website, and the brute force attack is one of them. In this type of attack, the hackers repeatedly send HTTP requests to wp-login.php until access is gained or the server crashes. The repeated requests overload the hosting server’s memory. Even if the attacker does not succeed in gaining access to the website, the attack often pushes the server to its limit, which can result in a crash.
A successful brute force attack gives hackers access to the WordPress admin dashboard. The admin area is the administrative centre of a WordPress-powered website. Anyone who has full access to the admin area has full control over the site. Hence, protecting your admin area from external hack attempts is important.
There are many things you can do to protect your WordPress admin login page, from enforcing unique usernames and using strong passwords to implementing two-factor authentication (2FA). One of the most recommended solutions for preventing attacks on the login page is to change the default WordPress login URL to a new, customized admin URL. How exactly does that help? Let’s find out!
- Change WordPress Login URL: Advantages
- Change WordPress login URL: Disadvantages
Change WordPress Login URL: Advantages
1. Protection Against Brute Force Attacks
Brute force attacks are one of the most common types of hack attempts made on WordPress websites. They involve guessing combinations of login credentials until the correct combination is found. To pull off a successful brute force attack, the hackers need to know three things: the username, the password, and the login page URL.
Username and Password
It’s easy to see why it’s good practice to use strong passwords and unique usernames. If your username is easy to guess, the hacker only needs to focus on cracking the password. A unique username makes the hacker's job a lot more difficult. (Tip: Here’s an exhaustive list of commonly used usernames that you need to avoid.) Likewise, using strong passwords can defend against brute force attacks. The characteristics of a strong password are as follows: it has to be really long and should be made of a combination of uppercase, lowercase, and special characters. Many security professionals recommend using passphrases that are 15 characters long. The catch is, login pages don’t normally allow usage of passphrases.
When generating a new password, avoid common words and publicly known details. Common words are some of the first guesses tried during brute force attacks. And if you happen to be targeted specifically, the hackers will go to great lengths to work out your username and password from the details available on your website.
Login Page URL
The structure of WordPress files is common knowledge. This means even an outside user has some knowledge of the internal workings of your site. Case in point: all WordPress websites come with a default login page which looks something like this: “www.example.com/wp-login.php”. This makes the job of a hacker easier because they know how to find your login page and can easily launch an automated attack. Hence, if you change the WordPress login URL, it’ll be difficult to find your login page. Most brute force attacks are carried out by automated bots. After being unable to find your site's login page, they’ll move on to a different target.
2. Hides WordPress Vulnerabilities
WordPress powers over 60 million websites, which makes it the most popular platform to build your website on. Despite its popularity (and also because of its popularity), WordPress is not completely safe. Hackers target WordPress more than any other CMS.
Given the popularity and open-source nature of WordPress, news about a vulnerability spreads like wildfire, and malicious hackers take advantage of the vulnerability to launch attacks on hundreds of thousands of WordPress websites. Your login page serves as an identity card that tells hackers that you’ve built your site on WordPress. If you change the default admin URL, you essentially distance yourself from known WordPress core problems.
3. Rebrands the Login Page
If you own a membership website, you have to agree that the login page that offers members access to your site is a bit underwhelming, considering they pay good money to access it. From a business and customer satisfaction perspective, rebranding the login page would be a good idea. You can change the default login screen to make it somewhat more aesthetically pleasing.
These are the reasons why almost all WordPress plugins advocate changing the default login URL. It is a good security measure.
Despite these perceived advantages, your site is not necessarily safe after you change the WordPress login URL. To illustrate this point, let’s take a look at some of the disadvantages associated with this particular security measure.
Change WordPress login URL: Disadvantages
1. Does Not Reduce Server Load on Site Server
When your WordPress login page is under attack, the page is being loaded over and over again. This drains your server resources. When you change the WordPress login URL (where you essentially rename wp-login.php), your default login page is not found and the website throws a 404 error. This is generally perceived as a lightweight reply, meaning a response that does not consume server resources. However, the truth is that even if a page is not found, WordPress still executes most of its code for that request.
That’s just how WordPress works. Hence it does end up draining your resources. Therefore, contrary to what some people may believe, customizing the WordPress login page URL does not reduce the load on your site’s server.
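The following is an added example, not part of the original post: a small access-log check that flags clients sending repeated login POSTs (the brute force pattern described earlier) and counts the 404s on the default login path, each of which still reached the server. It assumes combined-format access logs; the custom slug /my-login/, the threshold, and the window are hypothetical values chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    """Return (ip, time, method, path, status) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])

def flag_bruteforce(lines, login_paths=("/wp-login.php", "/my-login/"),
                    threshold=5, window=timedelta(seconds=60)):
    """Map each IP to its peak count of login POSTs inside one window, if >= threshold."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec[2] == "POST" and rec[3] in login_paths:
            hits[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

def default_path_404s(lines):
    """Count 404s on the default login path: each one still reached the server."""
    recs = filter(None, map(parse, lines))
    return sum(1 for r in recs if r[3] == "/wp-login.php" and r[4] == 404)

def _line(ip, sec, method, path, status):  # builds one constructed log line
    return (f'{ip} - - [10/Mar/2024:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')
# Constructed sample traffic (documentation IPs), not real logs.
SAMPLE = [_line("203.0.113.7", s, "POST", "/wp-login.php", 404) for s in range(0, 12, 2)]
SAMPLE += [_line("198.51.100.4", 5, "GET", "/wp-login.php", 404),
           _line("192.0.2.10", 30, "POST", "/my-login/", 302)]
if __name__ == "__main__":
    print(flag_bruteforce(SAMPLE), default_path_404s(SAMPLE))
```

Flagged addresses are candidates for rate limiting or blocking at the web server or firewall, where the request is rejected before WordPress runs.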
2. New URL is Not Very Hard to Find
The idea is that when you change the WordPress admin URL, it prevents a hacker from accessing your login page. There are several WordPress plugins like WPS Hide Login that help you do that. It offers an auto-generated login page URL. Chances are, every website using the same tool is using the same URL. There are chances that the hacker knows the URL format suggested by this tool. This means that even after you hide your site's login page, the hacker can find it. Hence, even after you change the WordPress login URL, it does not necessarily protect your WordPress site in any way.
3. Other Possible Repercussions
Another issue that crops up from moving the default login URL to a custom URL is users not being notified properly. Sudden changes to your login URL without prior notice can prove to be very inconvenient. With several users locked out, things can lead to chaos. It may even cost you a few days’ work. You are responsible for sharing information regarding the new URL of the WordPress login page. If you still decide to go ahead and change the WordPress login URL, send an email notifying users about the new custom login URL. On the flip side of the same scenario, sending email notifications can prove to be a disaster if the hacker already happens to have a credible WordPress user account on your site. In this case, changing your WordPress login URL becomes futile.
We hope this post helped you decide whether or not you want to change the WordPress login URL of your website. Having a custom WordPress login URL can definitely add to your security.
If you decide to change your WordPress login page URL, we have a guide ready.
How to Change WordPress Login Page URL?
We are using the WPS Hide Login plugin to change the login page URL. At the time of writing, the plugin has over 30,000 active installs and over 700 five-star reviews.
Step 1: Install and activate WPS Hide Login plugin on your WordPress website.
Step 2: After having activated the plugin, go to the WordPress dashboard. Scroll down. From the WordPress Settings, select WPS Hide Login.
Step 3: Type your new login URL in the ‘Login URL’ option, and then click ‘Save Changes.’
That’s it. Now your WordPress login URL is different.
That said, changing the WordPress login page is one of the many ways to achieve WordPress secure login and protect your WordPress website.
Other security measures that you can take include using an SSL certificate, implementing two-factor authentication and HTTP authentication, changing the database prefix, disabling editing of WordPress themes and plugins, preventing users from installing and updating themes and plugins, enforcing the use of FTP, changing security keys, hiding the ‘wp-config.php’ file, banning IP addresses, disabling XML-RPC, disabling PHP execution and directory browsing, setting up the right file permissions, using a firewall, etc. But before implementing any of these methods, you must back up your site. If something goes wrong, you can simply restore a backup and get your site up and running in no time. Stay tuned for more WordPress guides on our blog.