Sometimes the simplest method of keeping people from trying to hack your website is to hide the entry points. It’s very similar to thinking about how to keep people out of a building. If you have a back door with a lock, that’s good, but people might be able to pick the lock or jimmy the door with enough effort and determination. But what if people didn’t even know where the door was? They wouldn’t even get to the point of trying to pick the lock or compromise the door itself.
What do we mean when we talk about entry points for a website? Mostly the login pages for the back-end management system or CMS. Many hackers will try to force their way into your website by going in through these typical login pages.
For example, with WordPress, the login page for every website is, by default, at yourdomain.com/wp-admin. Hackers know that. If they know you are running a WordPress site, they can type /wp-admin after your domain name and find your login page. From there they can try to brute force (repeated login attempts) their way into your site.
Other widely used content management systems have the same issue: many sites out there with easily found login pages.
Luckily, it’s easy to change the login URL for WordPress sites, and the same can be said for almost any content management system. So just do it. Hide the back door. Only you, as the website administrator or owner, should know where the back door is.
Our Observations with WordPress Login Obfuscation
We have noticed that it doesn’t take very long for any new WordPress site, after going live, to start receiving brute force login attempts on the admin login page, as seen in the security logs.
The good thing is that after we change the admin login URL to something other than /wp-admin, the brute force attempts drop off completely. If search engine robots are also kept from crawling and indexing your login page, it will be very hard for hackers to find that entry point again.
If brute force login attempts do start to pop up in the security logs again after some time, that means the login URL is out in the wild again and should be changed again. It can be a repeating cycle, but we’ve had good success with a changed login URL staying hidden for a long time, if not indefinitely.
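The observations above depend on actually reading the security logs: a burst of password submissions to the login page is the signal that the entry point has been found, and any traffic to the old default paths after the URL has been moved means someone is still probing for it. The following script is an added example, not code from the original post or from any WordPress plugin. It parses standard Apache/nginx "combined" access log lines (the sample lines are constructed, using documentation IP ranges), counts failed login submissions per client IP inside a sliding time window, and separately tallies hits on the default WordPress login paths. The window size and threshold are assumptions to tune for your own traffic.

```python
"""Spot brute force login attempts in web server access logs.

Added example (not part of the original post). Reads Apache/nginx
'combined' format lines, counts failed POSTs to the WordPress login
endpoint per client IP inside a time window, and reports IPs over a
threshold. Also tallies any request to the default login paths, which
after a login URL change should normally see no traffic at all.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip - user [time] "method path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Default WordPress entry points attackers probe; /wp-admin redirects to wp-login.php.
DEFAULT_LOGIN_PATHS = {"/wp-login.php", "/wp-admin", "/wp-admin/"}

# Constructed sample log: one scripted attacker, one legitimate admin, one visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /wp-admin HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4312 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4410 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4410 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4410 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4410 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4410 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4410 "-" "python-requests/2.31"
198.51.100.20 - - [10/Oct/2023:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:14:02:12 +0000] "GET /wp-admin/ HTTP/1.1" 200 22310 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:10:00 +0000] "GET /index.php HTTP/1.1" 200 9901 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Return ip, time, method, path (query string stripped) and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], TIME_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def is_failed_login(rec):
    """WordPress re-renders the login form with HTTP 200 after a bad password
    and answers a successful login with a 302 redirect, so a 200 POST is a miss."""
    return rec["method"] == "POST" and rec["path"] == "/wp-login.php" and rec["status"] == 200


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: max_failures_in_window} for IPs with at least `threshold`
    failed logins inside any span of length `window` (sliding window per IP)."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            failures[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def hits_on_default_paths(lines):
    """Count every request per IP to the default login paths. Once the login
    URL has been moved, any entry here is a probe worth looking at."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in DEFAULT_LOGIN_PATHS:
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("brute force candidates:", find_bruteforce(SAMPLE_LOG))
    print("hits on default login paths:", hits_on_default_paths(SAMPLE_LOG))
```

Run it against a real log with `find_bruteforce(open("access.log"))`; lines that do not match the combined format are skipped rather than raising. Once the login URL has been changed, `hits_on_default_paths` should stay empty apart from your own occasional typo, so a non-empty result is the cue the post describes: the address is circulating again and it is time to rotate it.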
If you need help securing your WordPress site, or any site for that matter, contact us.