With more than 75 million WordPress websites out there (25% of the entire web), it’s no surprise this is the first name that comes to mind when we think of templates, themes, and CMS.
That’s a testament to everything WordPress has achieved since 2003, but it also presents a genuine security threat. Hackers know one in four websites is probably running WordPress. That’s not the end of the world in itself, but hackers also know the login address for the vast majority of those WordPress sites will be the same.
The common weakness with WordPress sites
If you own a WordPress site it will come with two default login URLs, wp-login.php and wp-admin, and they are the same on every install.
That means, unless you change those URLs, everyone who discovers your site has unrestricted access to your login page. WordPress doesn’t come with a default limit on the number of login attempts you or anyone else can make either.
Now, at this point I want to point out that WordPress is a pretty damn secure system, but there have been breaches before and it’s likely there will be more to come in the future. If that does happen, the first in line will be those that do nothing to protect their websites. You don’t want to be included on that list and you certainly don’t want your clients to be in the firing line.
How risky is it using the default login URL?
I don’t want to go overboard here and make it sound like you’re going to get hacked if you stick with the default login URLs. As I say, WordPress is pretty secure and it’s learned from previous breaches that changes had to be made. The risk still remains, though, and that’s not something you want associated with your design projects.
How do hackers get into your WordPress site?
Of course, hackers could try to get into the backend of any WordPress site by hand, but that’s a time-consuming hobby. More dangerous is the risk of brute-force attacks, which blast sites with a rapid-fire stream of guesses at the vital credentials. To get into your WordPress site there are three of them: the login URL, a username and a password.
So here’s the deal: all you have to do to get a username is visit a WordPress blog and pick anyone that published an article. Done. And if I know the URL for your login page, that just leaves the password between me and accessing your site.
That tells you the importance of having a strong password. But that’s not enough. In 2012, Ars Technica reported on a computer that could process 350 billion password guesses every second. That was enough to crack every possible password on Windows of 8 characters or less, including uppercase, lowercase, numbers and symbols.
That was four years ago and computers are getting faster at processing these calculations all the time.
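As an added example (not from the original post), here is the kind of access-log check a site owner can run to spot the two steps just described: username harvesting from a blog and rapid guesses at the default login URL. The log lines are constructed, and the thresholds and window size are assumptions you would tune for your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample (not real traffic): author-ID probing, then rapid POSTs to wp-login.php; one normal login.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.47.0"
203.0.113.7 - - [10/Mar/2016:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.47.0"
203.0.113.7 - - [10/Mar/2016:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 1200 "-" "curl/7.47.0"
203.0.113.7 - - [10/Mar/2016:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3011 "-" "python-requests/2.9.1"
203.0.113.7 - - [10/Mar/2016:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3011 "-" "python-requests/2.9.1"
203.0.113.7 - - [10/Mar/2016:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3011 "-" "python-requests/2.9.1"
203.0.113.7 - - [10/Mar/2016:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3011 "-" "python-requests/2.9.1"
198.51.100.20 - - [10/Mar/2016:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse(log_text):
    """Yield (ip, timestamp, method, path, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"])

def login_bursts(log_text, threshold=4, window_s=60):
    """IPs that fail `threshold`+ logins within `window_s` seconds. A POST to wp-login.php
    answered with 200 re-renders the form (a failure); a successful login redirects with 302."""
    recent, flagged = defaultdict(deque), set()
    for ip, ts, method, path, status in parse(log_text):
        if method != "POST" or not path.startswith("/wp-login.php") or status != 200:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged

def author_enumeration(log_text, threshold=3):
    """IPs requesting /?author=N for `threshold`+ distinct N (the redirect exposes each username)."""
    ids = defaultdict(set)
    for ip, _, method, path, _ in parse(log_text):
        m = re.search(r"[?&]author=(\d+)", path)
        if method == "GET" and m:
            ids[ip].add(m.group(1))
    return {ip for ip, seen in ids.items() if len(seen) >= threshold}
```

Either set of flagged addresses is what you would feed to a firewall block list or an alert; the normal user at 198.51.100.20 is not flagged because its single POST was answered with a 302.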
Making it harder to hack a WordPress website
The key to making it more difficult for brute-force attacks to compromise your websites is to combine strong passwords with custom login URLs. By simply changing the URL you’re making it at least twice as difficult to compromise your site. Custom URLs stop the vast majority of attackers even seeing your login page and getting the chance to take a guess at your password.
So how do you go about creating custom login URLs? Well, I hate to fall back on plugins for this kind of thing, but wp-login.php and wp-admin.php aren’t files you want to be playing around with. I’ve tried creating custom URLs myself, but each attempt caused more problems than it solved. So, if anyone has managed to make it work without any nasty side effects, let me know.
Choosing a plugin for custom login URLs
I’ve tried a few plugins to create custom login URLs for various different sites, but I would have to say WPS Hide Login has been my favorite. It’s regularly updated, which is important, and it’s also compatible with plugins that hook into the login form.
I also like the fact it’s a very light plugin, because I’d rather not have to use one at all for this kind of thing. I’m actually hoping WordPress makes this an option within the website settings, but no luck so far.
How to change your login URL with WPS Hide Login
Before you start using WPS Hide Login, you’ll want to make sure you’re running WordPress 4.1 or higher. Once that applies, you can download the plugin from here or choose whichever plugin you prefer.
Whichever plugin you go for, you’ll want to hit the settings link after activating it, although some plugins will redirect you automatically.
With WPS, you’ll land on the General Settings page after clicking settings—the same page where you can edit the title of the site, URLs, and other key settings.
The difference now is that once you scroll to the bottom of the page, you’ll see that a new login URL option has been added.
Simply add your custom login URL, click save and your WordPress site has just been cranked up a serious notch on the security front.
As I say, WordPress is pretty secure out of the box, but breaches have happened and they probably will again. Whatever risks you choose to take with your own websites is up to you. But when it comes to your clients, you have a responsibility to hand over a secure website to them.
The only downside to what we’ve covered today is the fact you have to use a plugin to make it happen. I’m never a fan of using plugins to achieve a single small task, but I haven’t figured out a way to make the coding work myself on this one. So, if anyone has managed to make that happen I’d love to hear from you.