By default, the WordPress login page is found on the “admin” page. That’s with every standard WordPress website worldwide. Every hacker and hackbot knows that … they can easily make attempts to log in through your login page that way.
It’s important to hide the default login page
Why you should hide the login page:
- Even if you have a great password that makes logging in “impossible” you will suffer if attempts are made to log in through that well-known login page. This is because mainly scripts use that page to fire thousands of attempts at it. They call it brute force attacks.
Brute force attacks make your website slower! These are requests that are processed by your website, and behind it by the server, at the expense of loading speed for real visitors.
- Not everyone needs to know that your website is made with WordPress right?
(I know, in the source code you can see it too but not everyone looks there)
- It says something about your website, for example I quickly know if a website is well secured or not when I visit the default login page. And hackers know that too.
And if I find admin as a username there too… sigh! – But that’s something for another article ;)So the key is to make the login page inaccessible to the world!
[press-server]There are websites where the login page gets 5,000 “visitors” every day, spread over 24 hours… the IP addresses change constantly so the server will not block all the attacks. Even if it comes at the cost of server capacity. Hiding the login page is an important step against unwanted “visitors” (bots & scripts)[close-press-server].
iThemes Security has the ability to hide your login page
Ironically, that feature is also kind of hidden! In fact, you won’t encounter it during the default installation.
You can find this setting at Advanced > Hide backend.
There you can move the login page to a page with a unique name.
Remember that new page name well! That way you can always login to your website.
Also keep in mind that the regular login page is inaccessible from now on (until you are logged in), if you keep looking for it anyway the security plug-in may temporarily block your account.
Therefore, please also give the new admin address to administrators who regularly login to your website.