Changing your WordPress login URL – Does it really improve security?


WordPress has a standard login page, wp-login.php, through which a user can access the dashboard. Given the growing number of brute force attacks on WordPress sites in recent times, users are often advised to change the default login URL (i.e. wp-login.php). So instead of logging into your site using /wp-login.php, you'll have a new page, say mylogin.php. Almost all security plugins also promote this as a good security measure. But does it really help in boosting your site's security? Or is it just another obscurity measure that doesn't do much to keep the evil-doers away? Let us look at the main reasons why we are asked to change the login URL and whether it really benefits users in any way.

Protect Against Brute Force Attacks

The main intent of a brute force attack is to gain admin access to your site. So the first thing attackers are going to look for is the login URL. The bots will try relentlessly to crack your password once they land on your login URL. One of the side effects of these repeated attempts is that they use up a lot of your server resources. Hence sites under brute force attacks often try to hide their login page. This way they hope to kill two birds with one stone: protect their passwords and also reduce the load on the servers.

Does not reduce server load

However, this does not really work. As you might have occasionally seen, if a page is not found, the server serves a 404 page. This should ideally be a very lightweight reply. However, because of the way WordPress works, even if a page is not found, it will still execute most of the WordPress code. This functionality is what lets a WordPress site support SEO-friendly URLs similar to the one of this post. Hence, by changing the login page URL, we have not reduced the load on the servers in the case of a brute force attack.
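You can check this against your own access log. The script below is an added example, not code from the original post: it counts the requests that still arrive at the old /wp-login.php after a rename and flags the noisy clients. The log lines are constructed, and the combined log format, the threshold of 3 and the function name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/Nginx "combined" format (not real traffic).
# Assumption: the site has already moved its login page away from /wp-login.php.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 404 5120 "-" "bot"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 404 5120 "-" "bot"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 404 5120 "-" "bot"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 404 5120 "-" "bot"
198.51.100.4 - - [10/Mar/2024:10:01:00 +0000] "GET /about/ HTTP/1.1" 200 8300 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 404 5120 "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def login_probe_report(log_text, login_path="/wp-login.php", threshold=3):
    """Summarise requests to login_path per client IP.

    Returns {ip: {"hits": n, "not_found": n, "bytes": n, "flagged": bool}}.
    A high "not_found" count means bots keep hitting the old URL, and each
    of those 404 responses was still generated by the site.
    """
    report = defaultdict(lambda: {"hits": 0, "not_found": 0, "bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path != login_path:
            continue
        entry = report[m["ip"]]
        entry["hits"] += 1
        entry["not_found"] += int(m["status"] == "404")
        entry["bytes"] += 0 if m["size"] == "-" else int(m["size"])
    for entry in report.values():
        entry["flagged"] = entry["hits"] >= threshold
    return dict(report)

if __name__ == "__main__":
    for ip, stats in login_probe_report(SAMPLE_LOG).items():
        print(ip, stats)
```

Flagged addresses are candidates for rate limiting or blocking in front of WordPress (web server or firewall), which is where the load is actually removed.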

Not that hard to guess

We often use security plugins to change the login URL and leave it at that. One of the popular security plugins sets the login URL to a default name such as wplogin. The same default is used for all sites. Unless we change this to something unique, hackers will easily guess the preset login URL. Most users are unaware of this fact and hence this step fails miserably as an added security measure.

Side effects

Besides being ineffective in providing additional security, changing your login URL can pose usability issues. One such case we encountered recently on a WordPress forum is that of a user whose login URL was changed using the iThemes Security plugin. Whoever was responsible for this move didn't share the new login URL with others. Hence the rest of the users were locked out of the site, not knowing what to do. The only way to fix this would be to access the WordPress dashboard. Hence it can also turn out to be dangerous to change the login URL.

Having strong passwords and changing your default admin username are the real steps to strengthen security and protect your site against brute force attacks. Changing the login URL isn’t of much relevance even in this case.

In summary, changing your login URL doesn’t make much of a difference to your security. It only creates a false sense of security for the users. We don’t recommend using this as a security measure on your site.
