WordPress has a standard login page, wp-login.php, through which a user reaches the dashboard. Given the growing number of brute force attacks on WordPress sites in recent times, users are often advised to change the default login URL (i.e. wp-login.php). So instead of logging into your site via /wp-login.php, you would have a new page, say mylogin.php. Almost all security plugins advocate this as a good security measure. But does it really improve your site's security, or is it just another obscurity measure that does little to keep attackers out? Let us look at the main reasons we are asked to change the login URL and whether it really benefits users in any way.
Protect Against Brute Force Attacks
The main intent of a brute force attack is to gain admin access to your site, so the first thing the attacker looks for is the login URL. Once the bots land on it, they will try relentlessly to guess your password. One side effect of these repeated attempts is that they use up a lot of your server resources. Hence sites under brute force attack often try to hide their login page, hoping to kill two birds with one stone: protect their passwords and reduce the load on the server.
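Whatever the login page is called, a brute force run leaves the same trace in the web server's access log: a burst of POST requests to the login path from a handful of source addresses. The following script is an added example, not code from the original post. It parses Apache/nginx "combined" log lines and reports addresses that posted to the login path more than a threshold number of times within a sliding window. The log lines are constructed for the example (the IPs are documentation ranges), and the login path is a parameter, so it works unchanged for a renamed login page.

```python
"""Flag brute-force login activity in a web server access log.

Added example, not code from the original post. Parses Apache/nginx
"combined" format lines and reports source addresses that posted to the
login path more than `threshold` times inside any `window`-long period.
The sample log below is constructed; the IPs are documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# combined format: ip - - [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], TIME_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }


def find_bruteforce(lines, login_path="/wp-login.php", threshold=10,
                    window=timedelta(minutes=5)):
    """Return {ip: attempts} for IPs with more than `threshold` failed login
    POSTs inside some `window`-long period.

    wp-login.php answers a failed login with HTTP 200 (the form is shown
    again with an error) and a successful one with a 302 redirect, so only
    200s are counted. If the login URL was renamed, pass the new path.
    """
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and rec["path"] == login_path
                and rec["status"] == 200):
            attempts[rec["ip"]].append(rec["time"])

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            flagged[ip] = best
    return flagged


# --- constructed sample log ------------------------------------------------
def _line(ip, ts, method, path, status):
    return (f'{ip} - - [{ts.strftime(TIME_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


_T0 = datetime(2024, 1, 15, 3, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # a bot: 25 failed logins, one every 5 seconds
    [_line("198.51.100.7", _T0 + timedelta(seconds=5 * i), "POST",
           "/wp-login.php", 200) for i in range(25)]
    # a legitimate user: one successful login, then the dashboard
    + [_line("203.0.113.9", _T0 + timedelta(minutes=1), "POST", "/wp-login.php", 302),
       _line("203.0.113.9", _T0 + timedelta(minutes=1, seconds=2), "GET", "/wp-admin/", 200)]
)

if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed login attempts within 5 minutes")
```

On the constructed log this flags 198.51.100.7 with 25 attempts and ignores the legitimate user. The threshold and window are deliberately loose defaults; tune them to your own traffic before acting on the result.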
Does not reduce server load
This does not really work, though. As you might have seen, when a page is not found the server serves a 404 page. Ideally this would be a very lightweight reply. However, because of the way WordPress works, even when a page is not found it still executes most of the WordPress code: the request is rewritten to index.php, WordPress loads its plugins and theme and runs the query, and only then decides that nothing matched and renders the 404 template. This is the same machinery that lets a WordPress site support SEO-friendly URLs like the one of this post. Hence, by changing the login page URL, we have not reduced the load on the server in the case of a brute force attack; a bot hammering the old URL still costs a full PHP request each time. To actually cut that cost, the requests have to be rejected before PHP runs, at the web server or in a firewall in front of it.
Not that hard to guess
We often use security plugins to change the login URL and leave it at that. One of the popular security plugins sets the login URL to a default name such as wplogin, and the same default is used on every site. Unless we change this to something unique, anyone who knows the plugin's default knows exactly where to look, and the preset login URL is guessed on the first try. Most users are unaware of this fact, and hence this step fails miserably as an added security measure.
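This is what "guessing" the renamed login page amounts to in practice. The script below is an added example, not code from the original post: it requests each candidate slug under the site and checks whether the reply carries the stock WordPress login form (the `loginform` id and the `log`/`pwd` field names, which are the real wp-login.php field names). The candidate list is constructed for the example; "wplogin" is the plugin default named above, the rest are assumed common choices rather than a real attacker wordlist. The `fetch` function is injected so the logic runs offline here against a constructed site; `http_fetch` is a minimal live client using only the standard library.

```python
"""Rediscover a renamed WordPress login page by guessing its slug.

Added example, not code from the original post. Requests each candidate
path and checks the reply for the stock WordPress login form. `fetch` is
injected so the logic can run offline against the constructed site below;
`http_fetch` is a minimal live client.
"""
import urllib.error
import urllib.request

# Field names of the stock wp-login.php form. All three together is a
# reliable signature; a 200 status alone is not, because a WordPress 404
# is also a fully rendered page.
LOGIN_FORM_MARKERS = ('id="loginform"', 'name="log"', 'name="pwd"')

# Constructed wordlist: "wplogin" is the plugin default named in the post,
# the others are assumed common choices, not a real attacker wordlist.
CANDIDATE_SLUGS = ["login", "admin", "wplogin", "secure-login", "dashboard"]


def looks_like_wp_login(body: str) -> bool:
    """True if the HTML body contains every marker of the WordPress login form."""
    return all(marker in body for marker in LOGIN_FORM_MARKERS)


def probe_login_slugs(base_url, candidates, fetch):
    """Return the first slug under base_url that serves a WordPress login
    form, or None. fetch(url) -> (status, body)."""
    base = base_url.rstrip("/")
    for slug in candidates:
        status, body = fetch(f"{base}/{slug}")
        if status == 200 and looks_like_wp_login(body):
            return slug
    return None


def http_fetch(url, timeout=5):
    """Live fetch with the standard library; returns (status, body).
    HTTPError carries the status and body of 4xx/5xx replies."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# --- constructed site: login moved to /wplogin, everything else is a 404 ---
_LOGIN_PAGE = ('<form name="loginform" id="loginform" action="/wplogin" method="post">'
               '<input type="text" name="log"><input type="password" name="pwd"></form>')
_NOT_FOUND = "<html><body><h1>Oops! That page can't be found.</h1></body></html>"
_FAKE_SITE = {"https://example.com/wplogin": (200, _LOGIN_PAGE)}


def fake_fetch(url):
    """Constructed stand-in for http_fetch so the example runs offline."""
    return _FAKE_SITE.get(url, (404, _NOT_FOUND))


if __name__ == "__main__":
    found = probe_login_slugs("https://example.com", CANDIDATE_SLUGS, fake_fetch)
    print("login page found at:", found)
```

Against a site you are authorised to test, pass `http_fetch` instead of `fake_fetch`. Any slug that sits on a list like this offers no more protection than the original wp-login.php.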
Besides being ineffective as additional security, changing your login URL can cause usability problems. One such case we encountered recently on a WordPress forum is that of a user whose login URL had been changed using the iThemes Security plugin. Whoever made the change didn't share the new login URL with the other users, so the rest of them were locked out of the site, not knowing what to do. Fixing this from within WordPress requires the dashboard, which is exactly what they could no longer reach. Hence changing the login URL can also turn out to be dangerous.
Using strong passwords and changing the default admin username are the real steps that strengthen security and protect your site against brute force attacks. Changing the login URL adds little on top of these.
In summary, changing your login URL does not make much of a difference to your security; it only creates a false sense of security for users. We do not recommend relying on it as a security measure for your site.