Change wp-admin access URL in WordPress


Although WordPress itself is very secure, it is third-party plugins and themes that usually end up compromising that security and leaving an installation vulnerable.

Let’s talk about how to change the wp-admin access URL in WordPress to reduce attack attempts against the login form.

These attacks on WordPress are automated attempts to force their way into the dashboard login form: “brute force” attacks, with or without a dictionary, and almost always scripted. They must be stopped.

It is well known that access to this CMS goes through wp-admin or wp-login.php, which puts the login form on a tray for automated scripts or users with a lot of free time. With weak or non-existent countermeasures on the servers hosting the WordPress sites, it is only a matter of time before these attacks bear fruit.

Why change the login URL in WordPress


One cause of server resource consumption by hosting accounts with WordPress installations is the volume of requests for “admin-ajax.php” made against the wp-admin login form. These reveal that most of the attempts are “automated dictionary attacks” trying to “brute force” the access credentials; depending on the mitigation and hardening measures applied in mod_sec on the server, these attacks may or may not succeed.

If your hosting provider cares about the security of its servers and its clients’ hosting accounts, you should not worry too much: these protection measures should already be in place on the server where your site is hosted, and attempts of this kind will most likely come to nothing.

How to change the login URL in WordPress

There are several ways to modify and “obscure” the classic login URL, the one that everyone who uses WordPress knows, the bad guys included, so that it is no longer one of these two usual ones:

  • https://your-domain.com/wp-admin/
  • https://your-domain.com/wp-login.php/

and becomes “something else”, less guessable and therefore unknown to the rest of the world except you, your hosting provider and the people who have credentials for your website.

You can do this, for example, with a plugin like WPS Hide Login, which lets you change the URL of the page that shows the login form to another word of your choice.

If what you want is to modify the url of the page that loads the access form of your WordPress, this plugin allows you to do it quickly and very easily.

The plugin does not rename the wp-login.php file or change that file’s permissions, nor does it add rewrite rules to the files of your installation involved in logging in.

What it does is act as a “man in the middle”: it intercepts requests to that form and to wp-admin and makes them inaccessible.

If for any reason you deactivate the plugin or remove it, your site will work again with the usual URL to access the login form.

How to change the access URL to WordPress without Plugin

If this kind of URL obfuscation can be done without resorting to plugins, all the better, and healthier for your WordPress, since you save one plugin and avoid one more headache with updates and other collateral issues.

One of these ways is a directive in the .htaccess file that prevents wp-login.php from being accessible, provided you do not manage users in WordPress and do not need a login form for them (highly recommended), because services such as comments can be outsourced so as not to depend on the native WordPress comment form (Facebook comment boxes, DISQUS, etc.), or you can choose not to require a login to comment.

You add this directive to that file, before the “# BEGIN WordPress” marker that usually precedes the mod_rewrite.c block, with the following code:

<Files wp-login.php>
	ErrorDocument 401 default
	AuthUserFile /home/<user>/.htpasswds/.htpasswd_user
	AuthName "Acceso restringido"
	AuthType Basic
	Require valid-user
</Files>
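As an added example (not code from the original post), a small Python helper that places the block above before the “# BEGIN WordPress” marker of a stock WordPress .htaccess and checks that it landed there. The .htpasswd path is a placeholder, and that file must already exist (create it with Apache’s htpasswd tool).

```python
MARKER = "# BEGIN WordPress"
GUARD_OPEN = "<Files wp-login.php>"


def login_guard_block(htpasswd_path: str) -> str:
    """The post's <Files wp-login.php> block, one directive per line
    (Apache rejects two directives fused on a single line)."""
    return "\n".join([
        GUARD_OPEN,
        "\tErrorDocument 401 default",
        f"\tAuthUserFile {htpasswd_path}",
        '\tAuthName "Acceso restringido"',
        "\tAuthType Basic",
        "\tRequire valid-user",
        "</Files>",
        "",
    ])


def add_login_guard(htaccess: str, htpasswd_path: str) -> str:
    """Return the .htaccess text with the guard placed before the
    WordPress marker. Idempotent: an existing guard is left untouched."""
    if GUARD_OPEN in htaccess:
        return htaccess
    block = login_guard_block(htpasswd_path)
    if MARKER in htaccess:
        return htaccess.replace(MARKER, block + MARKER, 1)
    # No marker yet (permalinks never saved): append at the end instead.
    return htaccess.rstrip("\n") + "\n" + block


def guard_precedes_marker(htaccess: str) -> bool:
    """Check that the guard sits before the rewrite block, as the post asks."""
    g, m = htaccess.find(GUARD_OPEN), htaccess.find(MARKER)
    return g != -1 and (m == -1 or g < m)


# Constructed sample of the stock .htaccess WordPress writes for permalinks.
SAMPLE_HTACCESS = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^index\\.php$ - [L]
</IfModule>
# END WordPress
"""

if __name__ == "__main__":
    # <user> is a placeholder, as in the post's own fragment.
    print(add_login_guard(SAMPLE_HTACCESS, "/home/<user>/.htpasswds/.htpasswd_user"))
```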

Implementing the .htaccess protection on the /wp-admin directory from the hosting panel, where this functionality is usually available to password-protect certain directories (cPanel), would always be the recommended option:

# .htaccess placed inside /wp-admin/: one directive per line
ErrorDocument 401 default
AuthUserFile /home/<user>/.htpasswds/.htpasswd_user
AuthName "Acceso restringido"
AuthType Basic
Require valid-user
# admin-ajax.php stays reachable without a password, because themes and
# plugins call it from the public front end
<Files admin-ajax.php>
	Order allow,deny
	Allow from all
	Satisfy any
</Files>

This method does not always work the first time and depends a lot on which directives your hosting provider allows in your website’s .htaccess file and on your expertise with them.

Conclusions

With the implementation of the Move Login plugin we manage, through obscurity, to evade automated or manual brute-force attempts against the WordPress dashboard login form and improve the security of this CMS.
