Should you hide the WordPress Login Page?
Several of our customers have asked whether it is necessary to hide the default WordPress login page. No, it is not necessary, and we'll explain why. Early security plugins included this as a feature alongside things like changing the database table prefix, and in the security industry this is called security through obscurity. It hides something from attackers without putting a wall or a barrier between them and the data. The login page is not even well hidden: WordPress also accepts a username and password through xmlrpc.php, so an attacker who cannot find wp-login.php can still guess passwords against the XML-RPC endpoint. Hiding the page therefore provides no real protection; at best it makes attacking the site slightly more awkward, and it provides no tangible security.
The problem with hiding the default WordPress login page is that it breaks things, or potentially breaks WordPress, when you install or activate the feature. It is known to cause instability and can be risky: anything that hard-codes the wp-login.php path, such as customized themes or plugins with their own login and password-reset forms, can stop working. It also confuses users, and since there is no tangible gain, we don't advise doing it.
Most WordPress security plugins, Wordfence included, deliberately leave this feature out because of the risk and because it is ineffective. Most WordPress sites are actually hacked through vulnerable plugins or themes, or through exploits targeting WordPress core. Brute force attacks, while there are many, many of them targeting WordPress sites on the web, are relatively ineffective.
WordFence Security Plugin For WordPress
But you can defeat brute force attacks very easily using a wide range of techniques. One of the things you can do is install Wordfence and just leave it. Wordfence by default protects against brute force attacks: if an attacker exceeds a certain number of failed login attempts they are locked out and get no more tries, so that's one way to protect against brute force attacks. Another way is to install Wordfence premium, which includes their blacklist. Wordfence monitors attacks across all of the sites they protect, and as soon as they see an IP address misbehaving they add it to the blacklist so it doesn't get to attack any more websites. It's highly likely that someone who is going to attack your site with a brute force attack has already been blocked by the Wordfence blacklist, so they won't even get the opportunity to make one attempt at guessing your username and password. The blacklist is an extremely effective way to protect against brute force attacks.
Another way to protect against these kinds of attacks is two-factor authentication, which is also included in Wordfence premium, or via the Google Authenticator app. You should also use strong passwords, and Wordfence premium includes the ability to audit your users' passwords to see if anyone has a weak password, and then gives you a way to mitigate that by ensuring those passwords get changed into strong passwords by the users or the account owner.
Another thing you can do is use non-default usernames. For example, change your admin username to something non-obvious, which makes it harder for attackers to guess your username and your password. Treat this as a minor hurdle rather than a control, though: WordPress reveals usernames in several places, such as author archive URLs (/?author=1 redirects to the author's archive) and the REST API's users endpoint, and the login form's error messages say whether it was the username or the password that was wrong. Really the most effective thing you can do is just install Wordfence with basic brute force protection: attackers get a couple of guesses and then they're locked out. And if you have premium installed, the blacklist has probably already locked out anyone who is going to try and attack your site, because they have already attacked a bunch of other sites, or even just one or two, Wordfence has seen them do it, and their IP has been added to the blacklist. So Wordfence premium does an amazing job of protecting against brute force attacks.
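To make the lockout and blacklist behaviour described above concrete, here is an added example in Python that is not Wordfence's code and not part of the original post. It reads web-server lines in the standard combined log format, counts failed login attempts per IP inside a sliding time window, locks an IP out once it crosses a threshold, and drops requests from IPs on a pre-existing blocklist before they ever reach the login form. The log lines, the blocklist, the threshold (5 failures in 5 minutes) and the status-code heuristic (a POST to wp-login.php that answers 200 re-rendered the form, i.e. failed; a successful login answers 302) are all constructed assumptions for the demo, not Wordfence's defaults.

```python
"""Brute-force login detection over web-server access logs (illustrative, not Wordfence's code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx combined log format; captures only the fields needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Endpoints that accept WordPress credentials. Renaming wp-login.php leaves
# xmlrpc.php in place, which is one reason hiding the login page buys nothing.
AUTH_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample traffic (RFC 5737 documentation addresses, not real data).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:11:59:50 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.50 - - [10/Mar/2024:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/8.0"
203.0.113.50 - - [10/Mar/2024:12:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/8.0"
203.0.113.50 - - [10/Mar/2024:12:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/8.0"
192.0.2.99 - - [10/Mar/2024:12:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
192.0.2.99 - - [10/Mar/2024:12:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
192.0.2.99 - - [10/Mar/2024:12:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.50 - - [10/Mar/2024:12:30:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/8.0"
203.0.113.50 - - [10/Mar/2024:12:30:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/8.0"
203.0.113.50 - - [10/Mar/2024:12:30:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/8.0"
"""

# Stand-in for a shared blocklist built from attacks seen on other sites (constructed).
KNOWN_BAD = frozenset({"192.0.2.99"})


def parse_line(line):
    """Return the fields we care about, or None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    """Heuristic: a POST to wp-login.php answered with 200 re-rendered the form
    (failed); a successful login answers 302. xmlrpc.php answers 200 either
    way, so every POST there counts as an attempt (assumption for the demo)."""
    if rec["method"] != "POST" or rec["path"] not in AUTH_ENDPOINTS:
        return False
    if rec["path"] == "/wp-login.php":
        return rec["status"] == 200
    return True


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=5), blocklist=frozenset()):
    """Sliding-window lockout per IP. Returns the lockout time of each locked IP
    and the set of IPs the blocklist stopped before they reached the form."""
    attempts = defaultdict(deque)
    lockouts, preblocked = {}, set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        ip = rec["ip"]
        if ip in blocklist:
            preblocked.add(ip)  # never gets a single guess at the login form
            continue
        if ip in lockouts:
            continue  # already locked out; further tries are not counted
        q = attempts[ip]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # expire attempts outside the window
        if len(q) >= threshold:
            lockouts[ip] = rec["ts"]
    return {"lockouts": lockouts, "preblocked": preblocked}


if __name__ == "__main__":
    result = detect_brute_force(SAMPLE_LOG, blocklist=KNOWN_BAD)
    for ip, when in result["lockouts"].items():
        print(f"lockout {ip} at {when.isoformat()}")
    print("stopped by blocklist:", sorted(result["preblocked"]))
```

Running it locks out 203.0.113.7 at its fifth failure, leaves 198.51.100.23 alone (two typos, then a successful 302), never locks 203.0.113.50 because its two bursts of three fall in different windows, and reports 192.0.2.99 as stopped by the blocklist before any attempt counted. On a real site the same logic belongs in the application (Wordfence hooks WordPress's login itself) rather than in after-the-fact log parsing, but the decision rule is the same.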
But again, brute force attacks are not the most common way that WordPress sites are compromised. It's through exploits that target plugins, themes, and core, and the way you protect against that is to install a firewall. The free version of Wordfence comes with what we consider the best firewall in the business. It protects against a range of complex attacks including SQL injection, with a sophisticated SQL injection detection engine built into the firewall. It can also block zero-day attacks, exploits that nobody knows about yet, because it recognizes malicious input patterns rather than only specific known vulnerabilities. So you really want to focus your energy on the area of your site that is most likely to get compromised: use the techniques mentioned above to lock down your login system, and then turn to the firewall.
Don't bother changing the location of your login page; it will just confuse your users. Use those techniques to get real security for your login system, and then focus most of your energy on making sure your firewall is correctly configured, because that's the most likely way your site might get hacked. What happens is that a vulnerability appears in a plugin or theme you use, the author might not know about it yet, or you might not have updated to the fixed version, and you get hacked. With a good firewall in place you are protected during that gap, and so that's the area you really want to focus your energy on.
Wordfence.com/learn has a really great article on how to harden your WordPress site, so if you want to learn more about hardening your WordPress site we recommend you go through it. There are also a number of other resources in their learning center which are incredibly helpful if you want to learn more about WordPress security and the Wordfence plugin.
Thanks very much to the customers who wrote in and asked whether they should hide the WordPress login page. Don't forget to subscribe to our newsletter, and we'll see you next time.