Changing your WordPress login URL – Does it really improve security?
WordPress has a standard login page, wp-login.php, through which a user can access the dashboard. Given the growing number of brute force attacks on WordPress sites in recent times, users are often advised to change the default login URL (i.e. wp-login.php). So instead of logging into your site using /wp-login.php, you’ll have a new page, say mylogin.php. Almost all security plugins also advocate this as a good security measure. But does it really help in boosting your site’s security? Or is it just another obscurity measure that doesn’t do much to keep away the evil-doers? Let us look at the main reasons why we are asked to change the login URL and whether it really benefits users in any way.
Protect Against Brute Force Attacks
The main intent of a brute force attack is to gain admin access to your site, so the first thing attackers look for is the login URL. Once bots land on your login URL, they will try relentlessly to crack your password. A side effect of these repeated attempts is that they use up a lot of your server resources. Hence sites under brute force attack often try to hide their login page. This way they hope to kill two birds with one stone: protect their passwords and also reduce the load on the servers.
Does not reduce server load
This does not really work, though. As you might have occasionally seen, if a page is not found, the server serves a 404 page. This should ideally be a very lightweight reply. However, the way WordPress works, even if a page is not found, it will still execute most of the WordPress code. This functionality is what lets a WordPress site support SEO-friendly URLs similar to the one of this post. Hence, by changing the login page URL, we have not reduced the load on the servers in the case of a brute force attack.
Not that hard to guess
We often use security plugins to change the login URL and leave it at that. One of the popular security plugins sets the login URL to a default name such as wplogin, and the same default is used for all sites. Unless we change this to something unique, hackers will easily guess the preset login URL. Most users are unaware of this fact, and hence this step fails miserably as an added security measure.
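To check both points on your own site (requests to the old URL still being answered, and the renamed URL still being found), you can tally login traffic from the web server's access log. The Python sketch below is an added example, not part of the original article; the log lines are constructed, and the combined log format, the /mylogin.php path and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 404 18342 "-" "bot"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 404 18342 "-" "bot"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 404 18342 "-" "bot"
198.51.100.23 - - [10/Mar/2024:10:01:00 +0000] "POST /mylogin.php HTTP/1.1" 200 5120 "-" "bot"
198.51.100.23 - - [10/Mar/2024:10:01:01 +0000] "POST /mylogin.php HTTP/1.1" 200 5120 "-" "bot"
198.51.100.23 - - [10/Mar/2024:10:01:02 +0000] "POST /mylogin.php HTTP/1.1" 200 5120 "-" "bot"
198.51.100.23 - - [10/Mar/2024:10:01:03 +0000] "POST /mylogin.php HTTP/1.1" 200 5120 "-" "bot"
192.0.2.10 - - [10/Mar/2024:10:02:00 +0000] "GET / HTTP/1.1" 200 20480 "-" "browser"
192.0.2.10 - - [10/Mar/2024:10:02:05 +0000] "POST /mylogin.php HTTP/1.1" 302 0 "-" "browser"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

OLD_LOGIN = "/wp-login.php"
NEW_LOGIN = "/mylogin.php"  # assumed renamed URL, taken from the article's example


def summarize(log_text, threshold=3):
    """Tally login-related requests per client IP.

    Returns (stats, flagged): per-IP counters, and the sorted list of IPs
    whose login-related request count reaches the threshold.
    """
    stats = defaultdict(lambda: {"old_404": 0, "old_404_bytes": 0, "new_posts": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]
        size = 0 if m["size"] == "-" else int(m["size"])
        if path == OLD_LOGIN and m["status"] == "404":
            # The old URL is gone, but the server still built and sent a 404 page.
            stats[m["ip"]]["old_404"] += 1
            stats[m["ip"]]["old_404_bytes"] += size
        elif path == NEW_LOGIN and m["method"] == "POST":
            # Login submissions against the renamed page.
            stats[m["ip"]]["new_posts"] += 1
    flagged = sorted(ip for ip, s in stats.items()
                     if s["old_404"] + s["new_posts"] >= threshold)
    return dict(stats), flagged
```

In this constructed sample, one client keeps receiving full 404 pages for the old URL and another submits repeatedly to the renamed page; both are flagged, while the single legitimate login is not.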
Side effects
Besides being ineffective in providing additional security, changing your login URL can pose usability issues. One such case we encountered recently on a WordPress forum is that of a user whose login URL was changed using the iThemes Security plugin. Whoever was responsible for this move didn’t share the new login URL with others. Hence the rest of the users were locked out of the site, not knowing what to do. The only way to fix this would be to access the WordPress dashboard. Hence changing the login URL can also turn out to be dangerous.
Having strong passwords and changing your default admin username are the real steps to strengthen security and protect your site against brute force attacks. Changing the login URL isn’t of much relevance even in this case.
In summary, changing your login URL doesn’t make much of a difference to your security. It only creates a false sense of security for the users. We don’t recommend using this as a security measure on your site.