Are you looking for a simple, yet effective way to protect your admin page? If so, you can use the WPS Hide Login plugin to change the location of the login page.
The most popular method to break into a website is brute force (continually entering login information until it is right).
However, you can’t brute force your way into a website if you do not know where to input the login information. Thus, this method is quite effective.
Today, I will demonstrate how to protect your admin page with the WPS Hide Login plugin.
Why Does This Work?
So, you are probably wondering why is changing the location of the WP login an effective strategy.
By default, the WordPress admin login is located with the same subdirectory(the last part of the URL). Thus, regardless of how well your website’s security is, anyone can type in your website and add the “/login” at the end of the URL.
Now, with proper security protection like choosing a strong password, reCaptcha, limited attempts before the lockout, and more, you can rest easy that a brute force won’t get through.
However, what happens if the hacker was able to obtain the correct login through other means?
Well, they would get into your website, but if you were to hide admin login in WordPress, that information won’t do them any good, or at the very least it will stall them.
Only Protects Against Amateurs
Hiding your WordPress blog login area sounds great on paper, but I do need to make something very clear.
This will only stop amateurs.
Someone who is experienced in WordPress and actively tries to break into websites will undoubtedly be able to locate the login page on your website. I will not explain how since that undermines the plugin, but it is possible.
Thus, even if you do add this feature, you should still incorporate other security elements to protect your website.
Installing WPS Hide Login
The WPS Hide Login plugin allows you to change the location of your WP login without rewriting any files. Instead, the plugin simply intercepts the page requests and sends you to the location of your choosing.
If you are running other plugins that also utilize this login like BuddyPress, Jetpack, etc., you don’t need to worry, this plugin is compatible. However, note that some plugins are hardcoded to wp-login.php. In those instances, the plugins will not work correctly or interfere with this one.
Let’s start by clicking on Plugins and selecting the Add New option on the left-hand admin panel.
Search for WPS Hide Login in the available search box. This will pull up additional plugins that you may find helpful.
Scroll down until you find the WPS Hide Login plugin and click on the “Install Now” button and activate the plugin for use.
Hiding Your Login Area
The plugin is really simple to use and doesn’t require you to do anything fancy. In fact, all you really need to do is change one thing in the settings.
Click on Settings and select the WPS Hide Login option.
While you do only need to change one thing, there is an entire page for this area. Most of the sections are auto-filled and include your website’s URL, admin email, timezone, language, date format, and more.
And that is because this is just the General settings of WordPress.
All of these should already be set up for your website and should not require you to change anything. Thus, you can scroll down to the WPS Hide Login section.
There are two options here, Login URL and Redirection URL.
The Login URL is what you must type into your web browser to find the login area.
So for example, you could change the default “login” to “taco” which would mean you would visit:[ht_message mstyle=”info” title=”” show_icon=”” id=”” class=”” style=”” ]www.yourwebsite.com/taco[/ht_message]
That would now pull up the login screen of WordPress.
Note: You must remember this URL. If you forget it, you will have to do a lot of work to find it. I highly recommend writing down the URL for safekeeping and bookmarking the page in your browser.
Change the Login URL of your website.
The Redirection URL is where users will go if they type in the default login URL.
By default, this will send anyone to a 404 error screen when they type in the default login URL. This can be left alone or you can go the extra mile and create a page for this specific redirect, but that is completely up to you.
Change the Redirection URL to whatever you want.
View It Live
Again, I want to stress writing down the URL to your login area. If you lose it, it is not a simple thing to find. Once you have done this, click on the “Save Changes” button.
Go to the login URL you just created to see it in action. If you visit the default login URL, you will be redirected to what you chose.
Congratulations on setting up the WPS Hide Login plugin to protect your login area. You can change the login URL at any time, just make sure to remember what it is.
What If I Forget my Login URL?
You have two options.
The first and by far the easiest way is to log into your cPanel, the login information is provided to you by your web host, and delete the WPS Hide Login plugin. This will revert your login URL to the default page.
You can then reinstall the plugin if you desire.
The second option is to go to your MySQL database and look for the value of whl_page. If you do not have much experience using the MySQL database, you are better off by removing the plugin file.
Add More Defense to Your Site
While this is a useful technique to prevent amateurs from trying to brute force their way into your website, you can better protect it by other means.
One way to do this is to limit the number of login attempts. This makes it so instead of having an infinite number of chances to guess a password, you only get a handful of them before a lockout occurs.
And wouldn’t you know it, there is a WPS Limit Login plugin from the same makers that get the job done. It’s just as simple to use as the one detailed above, and they can work in conjunction with each other.
You may also want to consider more robust security plugins that offer features like this among other things.
Take Security Seriously
Unfortunately, new website owners don’t take security as seriously as they should.
This stems from the misconception that their website has nothing on it to steal. And while that may be true when starting out, it doesn’t stop a hacker from getting in and leaving a backdoor.
They can use that backdoor to come back when you do have something to steal. You could also just be dealing with someone who just wants to take your website offline for some reason.
Some hackers will simply add fake pages to your site to steal information from unsuspecting visitors.
In any case, strong security needs to be established from the get-go.
Do you think WordPress should allow developers to change their login URL by default? What other security measures are you considering to use?