
WordPress websites are commonly targeted by brute-force attacks, SQL injection, and unauthorized logins. A question that comes up often is whether changing the WordPress login URL (the default /wp-admin/ or wp-login.php) genuinely improves the security of a WordPress site. The usual reason administrators want to change the login URL is to hide the fact that the site runs WordPress, and thereby to keep it out of the reach of brute-force tools and of the automated attacks that follow a newly disclosed (zero-day) WordPress vulnerability. Keep in mind that hiding the login page only hides the login page: the rest of the WordPress footprint (core, theme and plugin paths) still identifies the platform unless it is hidden as well.
The Hide My WP plugin relies on the premise that an automated tool can only target a site when it recognises the site's structure. It works by removing the visible evidence that a site is powered by WordPress: it lets the site owner rename the public paths of core files and pages, theme files and plugin files, so that generic WordPress attack tooling no longer recognises the site. There are two ways to hide the login page. The easy way is to use such a plugin; the harder but more dependable way is to do it in .htaccess, which keeps the rule in the web server configuration rather than in a plugin that itself has to be kept up to date.
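The .htaccess route, as an added example that is not code from the original post or from the Hide My WP plugin. It assumes Apache 2.4 with mod_rewrite, WordPress installed at the document root and served over HTTPS, and four placeholders to replace: an administrator address of 203.0.113.10, a secret unlock path /unlock-s3cr3t, a cookie domain of .example.com, and an htpasswd file at /var/www/private/.htpasswd. The first part is the hiding measure the text describes (wp-login.php answers 404 until the visitor has opened the secret path once in the current browser session); the second part is the stronger control, a second web-server password in front of the same file, which still holds once the path is known.

```apache
# Added example, not part of the original post. Assumed placeholders:
# 203.0.113.10 (admin IP), /unlock-s3cr3t (secret path), .example.com
# (cookie domain), /var/www/private/.htpasswd (htpasswd file).
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# Part 1 - obscurity. Opening the secret path sets a session cookie and
# redirects to the real login page.
# CO flag fields: name:value:domain:lifetime(0 = browser session):path:secure:httponly
RewriteRule ^unlock-s3cr3t$ /wp-login.php [CO=wp_unlock:1:.example.com:0:/:1:1,R=302,L]

# Any request for wp-login.php (GET or the login POST) is answered with a
# 404 unless that cookie is present or the request comes from the assumed
# admin address. A 404, rather than 403, avoids confirming the file exists.
RewriteCond %{HTTP_COOKIE} !(^|;\s*)wp_unlock=1(;|$)
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule ^wp-login\.php$ - [R=404,L]
</IfModule>

# Part 2 - a real control: a second, web-server-level credential on the
# same file. Unlike the rules above, this holds after the path is known.
# Create the file with: htpasswd -c /var/www/private/.htpasswd <name>
<Files "wp-login.php">
    AuthType Basic
    AuthName "Login"
    AuthUserFile /var/www/private/.htpasswd
    Require valid-user
</Files>
```

Because an unauthenticated visit to /wp-admin/ redirects to wp-login.php, the 404 rule covers the dashboard entry point as well. Two caveats: the unlock cookie is a session cookie, so after restarting the browser you must open the secret path again before wp-login.php (including its logout action) responds; and behind a CDN or reverse proxy REMOTE_ADDR is the proxy's address, so the IP exception then needs the proxy's client-address header instead. Neither part hides that the site runs WordPress; the theme, plugin and core paths still do that.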
Others point out that attackers rarely single out one WordPress site: they run automated scanners that pick targets by fingerprint, so hiding the fact that your site runs WordPress does little once those fingerprints are in place. And even when a site is deliberately targeted, freely available tools will identify the backend anyway. Most "hide backend" features are security through obscurity, which is not a sound security strategy on its own. Hiding the wp-admin URL certainly cuts the volume of automated login attempts, but it does not stop all of them. If you take this view, put the effort into measures that hold even when the attacker knows the URL: two-factor authentication for WordPress logins and rejecting passwords that appear in known breach lists.
All in all, if every WordPress user has a strong, unique credential that is not reused on other sites, and you change credentials promptly whenever there is any chance they have been exposed, you need not lose sleep over someone knowing where your login page is. For instance, renaming the default administrator account already puts you ahead of most attackers, because the automated tools in common use only try typical usernames such as admin, administrator, root and so on. You can also use the Password Policies for WordPress plugin to enforce strong password policies.
Furthermore, tools that enumerate WordPress usernames by walking author IDs (/?author=1, /?author=2 and so on, each of which redirects to the author's archive and so reveals the login slug) use low ID ranges by default. Giving the administrator account a high user ID therefore makes that route much slower: the tool has to walk far more IDs before it reaches the account, which buys you and your hosting provider time to notice the attack. It does nothing for password guessing, and be aware that the WordPress REST API (/wp-json/wp/v2/users) returns the login slugs of every user who has published a public post whatever their numeric ID, so the ID change only hinders the author walk and should be paired with restricting that endpoint.
In short, if you can take an additional security measure, why not: the more precautions on a WordPress site, the better. But changing or hiding the wp-admin and login URL never means that weak credentials become acceptable or that the login page can be served without HTTPS. Security professionals will tell you that security by obscurity is not security at all; it is at best a thin extra layer on top of strong credentials, two-factor authentication and the rejection of compromised passwords.
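The enumeration routes above can be closed at the web server, as an added example that is not code from the original post. It assumes Apache 2.4 with mod_rewrite, WordPress at the document root, and that public author archive pages are not wanted (they reveal the same slugs). The rules answer 404 to the /?author=N lookup, to the author archive path, and to the REST users listing in both its path and rest_route forms, for visitors that do not carry a WordPress login cookie.

```apache
# Added example, not part of the original post. Assumes Apache 2.4 with
# mod_rewrite, WordPress at the document root, and no public author archives.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# /?author=N normally 301-redirects to /author/<login-slug>/, which is
# what enumeration tools rely on when they walk N = 1, 2, 3, ...
# The login-cookie exception keeps the dashboard working for staff.
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
RewriteCond %{QUERY_STRING} (^|&)author=\d+(&|$) [NC]
RewriteRule ^ - [R=404,L]

# Pretty-permalink form of the same archive.
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
RewriteRule ^author/ - [R=404,L]

# REST users listing: returns the login slug of every user with a published
# post, regardless of numeric ID. The block editor calls this endpoint for
# logged-in users, hence the same exception.
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
RewriteRule ^wp-json/wp/v2/users - [R=404,L]

# The same endpoint reached through the query-string route (slashes may
# arrive literal or percent-encoded).
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
RewriteCond %{QUERY_STRING} rest_route=(/|%2F)wp(/|%2F)v2(/|%2F)users [NC]
RewriteRule ^ - [R=404,L]
</IfModule>
```

The wordpress_logged_in_ check only looks for a cookie name, not a valid session, so a scanner that sends a cookie with that name by hand gets past it. Treat these rules as a way to cut scanner noise and slow down the author walk, in the same spirit as hiding the login URL; a hard restriction on the REST endpoint belongs in PHP, where the session can actually be verified.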