This blog runs on WordPress, and, despite the hours I’ve invested in generating this great content, the nearly one thousand ‘visitors’ to my website each day seem to really like my sign-in page: https://SITE/wp-admin. And they like to experiment with random username and password combinations… I didn’t contribute at all to that page, and so many other blogs use the same thing…that’s a bit disappointing. But maybe I can hide or rename the login page?
Yes, there is! There are a number of plugins which support this, and let’s walk through one simple example of how to better obscure the address.
For the last time, visit https://SITE/wp-admin (for the very last time) and login to your administrator dashboard. Within admin dashboard, go to Plugins > Add new.
In the top right, run a keyword search for ‘Hide Login’ (or you might also try a search for rename wp-admin, or rename wp-login.
Choose WPS Hide Login (or whatever top-rated plugin is available when you’re solving these problems…).
Checkout the reviews, etc., and whatever due diligence you feel important. Then, Choose Install Now, then Activate.
Activate WPS Hide Login plugin after installing.The button at the top right should show ‘Active’ (rather than Install or Activate — click the option if it appears).
On the right-hand menu bar, find Settings > General, located the ‘WPS Hide Login’ settings toward the bottom.
Change this to something arbitrary (don’t use ‘login’ or ‘admin’…pick something unique), and make sure to write it down until you have it memorized and/or add it as a browser bookmark. Why not ‘say-open-sesame-123’? Or `drb37r_p`? Or picking something fun and append with the current year? (You could even update it each year…) The result will be lowercase, and ensure that any special characters will be allowed in a URL (the plugin should clean these out, so check what the new login page is after updating the settings).
If you look at the top of the page, you’ll see an INFO message say ‘Your login page is now here: XXX. Bookmark this page!’
We can see the results of this effort by navigating to https://SITE/wp-admin (logout first or open a new private/incognito browser session), which directs (per our directions in the redirection url setting option) into a very pleasant 404 page.
Security Through Obscurity?
Is this just security through obscurity, as various web standards recommend against? No, I still have a strong username/password combination as well as 2FA (via an authenticator app) so that when this new page gets discovered, all the layers of security are still in place. The obscurity is adding one more layer.
Hmm, I’m noticing a lot of ‘visitors’ are now enjoying the 404 page…