WordPress is a great CMS, but unfortunately it has some weaknesses. One of them is the potential risk of unauthorized login to your website. In this article I will provide you with some security tips & tools so that you can avoid such undesired events or at least reduce the risk to the minimum.
Before I proceed with them, I have to explain something about the WordPress login process for beginners.
The file that handles logging in is called wp-login.php, and every freshly installed copy of WordPress exposes it at the same URL: http://your-wp-site.com/wp-login.php
When you type this in your browser you are going to see the familiar login screen where you have to type your username and password.
Why is there a risk of this file being attacked?
Because the URL is the same on every site and attackers know exactly where to aim – WordPress after all is a community project and its source is publicly available. What is even worse is that if you use a trivial username for your administrator account like “Admin”, you are making it easier for them to break into your site.
So in order to protect your WordPress site from unauthorized login attempts you have to use a unique admin username, an extremely strong password, and you also have to “hide” wp-login.php or rename it. That is what we are going to focus on in this article. Also, if possible, use a separate author account for day-to-day work and apply the same precautions to it. Log in to your admin account only to update WordPress or to install a new plugin or theme, i.e. use it purely for administrative purposes and do not stay logged in to it constantly.
How can you rename or hide the wp-login.php file? Simple – by using one of these popular tools:
1. Rename wp-login.php
This is a personal favorite of mine. I actually use it on the majority of websites that are under my control and I always recommend this plugin. Unfortunately its author has decided not to maintain it anymore, so (as she warns you) you should use it at your own risk. Currently there is nothing to worry about, as the plugin works correctly – just take a look at its ratings and reviews and you will be convinced. But there is no way to predict how its functionality will hold up over time.
So if you want to give Rename wp-login.php a try here is what you have to do:
- Install and activate the plugin;
- You should be redirected to its settings page. Enter the new name of wp-login.php. Choose a unique string and keep it to yourself.
- The next time you log in, type http://your-wp-site.com/*your-string* instead of http://your-wp-site.com/wp-login.php
- If you want, you can change this string from Settings -> Permalinks -> Rename wp-login.php at any time.
- If for some reason you cannot remember the string or you cannot log in, simply remove the rename-wp-login folder from your plugins folder. Then type the original URL with wp-login.php in it and log in. Then reinstall the plugin and set it up once again. That’s it.
The charm of Rename wp-login.php is that it doesn’t actually change the name of wp-login.php on disk, and therefore it is risk-free. The plugin simply intercepts page requests. This is quite efficient, as it blocks unauthorized logins without revealing the new login URL. It also protects the wp-admin directory.
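To make the "intercepts page requests" idea concrete, here is a minimal must-use plugin that does the same job in a few dozen lines. It is an added example written for this article, not the code of Rename wp-login.php or of any other plugin mentioned here. It assumes the secret slug is defined in wp-config.php as the constant HLS_LOGIN_SLUG and that the slug does not collide with an existing page or post; every hls_* name is hypothetical. The file itself is never renamed: direct requests to wp-login.php (and to wp-admin while logged out) get a 404, while the same login screen is served under the secret slug, and the URLs WordPress generates are rewritten so the site never advertises wp-login.php.

```php
<?php
/**
 * Plugin Name: Hidden Login Slug (added example)
 * Description: Minimal illustration of the "intercept the request" technique.
 *              Copy into wp-content/mu-plugins/ on a staging site to try it.
 *
 * Assumptions: the secret slug is defined in wp-config.php, e.g.
 *   define( 'HLS_LOGIN_SLUG', 'my-private-door' );
 * and that slug is not already used by a page or post. Every hls_* name
 * is hypothetical and chosen for this example only.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}
if ( ! defined( 'HLS_LOGIN_SLUG' ) ) {
    define( 'HLS_LOGIN_SLUG', 'change-this-slug' );
}

/** Path component of the current request, without surrounding slashes. */
function hls_request_path() {
    $uri  = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/';
    $path = (string) parse_url( $uri, PHP_URL_PATH );
    return trim( $path, '/' );
}

/** Path the secret login slug lives at (also works for subdirectory installs). */
function hls_slug_path() {
    $base = trim( (string) parse_url( site_url(), PHP_URL_PATH ), '/' );
    return ltrim( $base . '/' . HLS_LOGIN_SLUG, '/' );
}

/** Swap wp-login.php for the slug in any URL WordPress builds. */
function hls_rewrite_login_url( $url ) {
    if ( is_string( $url ) && false !== strpos( $url, 'wp-login.php' ) ) {
        $url = str_replace( 'wp-login.php', HLS_LOGIN_SLUG, $url );
    }
    return $url;
}
// Login/logout/lost-password links, the form's action attribute (built via
// site_url()) and server-side redirects all flow through these filters, so
// the site never advertises wp-login.php even though the file is untouched.
foreach ( array( 'login_url', 'logout_url', 'lostpassword_url', 'register_url',
                 'site_url', 'network_site_url', 'wp_redirect' ) as $hls_filter ) {
    add_filter( $hls_filter, 'hls_rewrite_login_url', 10, 1 );
}

/** Decide, once WordPress is loaded but before it routes, what this request gets. */
function hls_route_request() {
    global $pagenow;

    if ( hls_request_path() === hls_slug_path() ) {
        // Serve the real login screen under the secret slug. wp-login.php
        // expects these variables at global scope, so declare them before
        // pulling the file in from inside a function.
        global $error, $interim_login, $action, $user_login;
        $pagenow = 'wp-login.php';
        require_once ABSPATH . 'wp-login.php';
        exit;
    }

    // Direct hits on wp-login.php get a plain 404 instead of the form.
    $hit_login_file = ( 'wp-login.php' === $pagenow );

    // wp-admin is also a 404 for anonymous visitors, except for the two entry
    // points that legitimately serve logged-out users.
    $hit_admin_area = is_admin()
        && ! is_user_logged_in()
        && ! in_array( $pagenow, array( 'admin-ajax.php', 'admin-post.php' ), true );

    if ( $hit_login_file || $hit_admin_area ) {
        nocache_headers();
        wp_die( 'Not found.', 'Not found', array( 'response' => 404 ) );
    }
}
add_action( 'wp_loaded', 'hls_route_request', 1 );
```

Two things worth keeping in mind when you rely on this technique, whichever plugin implements it: a theme or plugin that hard-codes wp-login.php into its own HTML bypasses the URL filters and will leak the original path, and hiding the form does nothing for other endpoints that accept credentials, such as xmlrpc.php. The unique username and strong password recommended above are therefore still the control that actually stops a guessed login; the hidden slug just takes your site off the list of targets that can be hit blindly.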
2. WordPress Simple Firewall
This is a great plugin indeed. It can protect your website in different ways:
- blocks malicious URLs;
- deals with spambot comments;
- prevents brute-force attacks, and more.
But for the purpose of this post we are going to focus on the ability of WordPress Simple Firewall to hide your wp-login.php file. Actually this plugin does the same as the previous one – it prevents the direct access to wp-login.php and changes the default WordPress login URL. Again you have to choose a unique string that you have to enter within the plugin’s settings. Also, please make a full backup of your website files and database before you proceed with this plugin. It is better to be safe than sorry, after all. 🙂
3. iThemes Security
This plugin is actually the former Better WP Security. It is a great plugin with loads of documentation, but there is a reason why I am placing it third and last in this post. As the creators of iThemes Security state, it makes significant changes to the database of your WordPress site as well as to its files. So you can imagine why making a complete backup is absolutely imperative if you want to use this plugin. Problems with it are not common, but the risk is there, so make sure everything is backed up and then proceed with the installation.
What is absolutely great about iThemes Security is that it is a full protection suite for your website. Yes, it will do what it is meant to do! And it can also help you change the URL of your login screen, which is why I am mentioning it in this post. If you need assistance with this plugin, there are official video tutorials on its usage as well as the vast documentation I mentioned above.
And if the free features are not enough, the paid version will certainly help.
So this is it friends! You have 3 options to hide or rename wp-login.php and thus protect your website. Choose wisely and share your opinion in the comments. I hope that this article was useful!
See you next time!