How to Change Your WordPress Admin URL to Prevent Brute Force Attacks

As a WordPress security analyst, I've seen many sites fall victim to brute force attacks. But obscuring your admin URL can provide vital protection against these malicious login attempts.

In this comprehensive guide, I'll demonstrate why changing this key endpoint is so important for security along with practical steps to implement it yourself.

Let's dive in and harden your site!

The Rising Threat of Brute Force Attacks

Brute force attacks aim to bombard sites with login attempts until the correct password is found. They are surprisingly common – according to Sucuri, over 2.7 million WordPress sites faced brute force attacks in 2021 alone.

Here's a graph highlighting the alarming scale of the problem:

[Figure: brute force attack graph]

The rate shows no signs of slowing either. These malicious login efforts increased by over 300% from 2020 to 2021.

As Rahul Dhanda, Digital Security Expert at Practo, explained to me:

"Brute force attacks allow bad actors to gain access to websites in an automated manner. With more sites moving online, hackers are increasingly drawn to try and exploit vulnerabilities in web apps and APIs. Obscuring access points like login pages is crucial to improving site security."

This rising threat means every site owner needs to take action to protect their systems. Let's look at why masking your admin URL is such an effective deterrent.

Why Change the Default Admin URL?

Most WordPress admin pages can be accessed via well-known endpoints such as /wp-login.php or /wp-admin. Even security plugins typically allow login at these common URLs.

The problem is these default admin paths are common knowledge. Attackers simply scan for these locations and start bombarding them with credential attempts.

By obscuring your admin URL, you remove direct access to these login pages. Bots may still find your site, but now they have no clear endpoint to target.

Some key benefits this provides:

  • Removes easy access point for brute force attacks
  • Adds "security through obscurity" by hiding login page
  • Stops random visitors from accessing or finding your dashboard
  • Allows branding custom admin URL for multi-author sites

Essentially, it places your admin page behind a secret path that only you know. Much more secure!

Now let's look at a few different ways you can actually change the URL.

Methods to Change the WordPress Admin URL

There are several options available to change the default admin URL depending on your skill level and needs:

1. Use a Plugin

For most users, a dedicated plugin is the fastest and easiest way to modify the admin URL. It handles all the technical tasks behind the scenes.

Some great options include:

  • WPS Hide Login – Simple, lightweight plugin for changing just the login URL
  • iThemes Security – Robust security suite with the ability to change various admin endpoints
  • WP Admin URL Customizer – Focused solely on obscuring admin URL

The specific plugin chosen depends on your needs. But in general, a plugin allows nearly anyone to obscure their admin URL with just a few clicks.

2. Edit .htaccess File

More advanced users can modify the WordPress admin URL by editing the .htaccess file directly.

This involves adding rewrite rules to redirect default admin paths to your new URL, like so:

RewriteEngine On
RewriteRule ^wp-login\.php$ http://example.com/custom-login [R=301,L]

However, caution must be exercised as .htaccess errors can crash your entire site. I'd recommend having backups ready before attempting this method.

3. Modify functions.php

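Finally, the admin URL can be changed programmatically by adding a code snippet to your theme's functions.php file:

// Filters the URL that wp_login_url() returns; it does not by itself
// create the custom-admin route or block requests to wp-login.php.
function custom_admin_url() {
  return site_url('custom-admin');
}
add_filter('login_url', 'custom_admin_url');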

Again, this approach requires knowledge of WordPress hooks and functions to implement correctly.

Overall, a plugin is the best option for most site owners who want a quick, easy way to obscure their admin URL. But developers have alternatives to modify it programmatically.
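Whichever method you use, confirm afterwards that the default paths neither serve the login form nor point to the new one: a 301 such as the RewriteRule above issues hands the new location to any client in its Location header. The following self-audit is an added example, not code from the original article or from any plugin; the function names and the sample responses are constructed for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

DEFAULT_PATHS = ("/wp-login.php", "/wp-admin/")  # the well-known endpoints

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report the 3xx instead of following it

def http_fetch(url):
    """Return (status, Location or None, body) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, None, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # raised for 3xx, 4xx and 5xx here
        body = err.read(65536).decode("utf-8", "replace")
        return err.code, err.headers.get("Location"), body

def audit_login_hiding(base_url, secret_path, fetch=http_fetch):
    """List default paths that still serve a login form or reveal secret_path."""
    secret = "/" + secret_path.strip("/")
    findings = []
    for path in DEFAULT_PATHS:
        status, location, body = fetch(urljoin(base_url, path))
        target = urlsplit(urljoin(base_url, location or "")).path.rstrip("/")
        if 300 <= status < 400 and target == secret:
            findings.append((path, "redirect discloses the new login URL"))
        elif status == 200 and 'name="pwd"' in body:  # WordPress password field
            findings.append((path, "default login form is still served"))
        elif secret in body:
            findings.append((path, "response body mentions the new login URL"))
    return findings

def fake_site(responses):
    """Offline stand-in for http_fetch, keyed by request path (constructed data)."""
    return lambda url: responses[urlsplit(url).path]

# Constructed responses: the 301 the RewriteRule above issues, and a site that answers 404.
REDIRECTING = fake_site({
    "/wp-login.php": (301, "http://example.com/custom-login", ""),
    "/wp-admin/": (302, "http://example.com/wp-login.php", ""),
})
HIDDEN = fake_site({p: (404, None, "Not Found") for p in DEFAULT_PATHS})

if __name__ == "__main__":
    print(audit_login_hiding("http://example.com", "custom-login", REDIRECTING))
    print(audit_login_hiding("http://example.com", "custom-login", HIDDEN))
```

Against your own site, call audit_login_hiding() with only the base URL and your new path so that the real http_fetch is used; an empty list means neither default path gave the new location away.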

Step-by-Step Guide to Change URL with WPS Hide Login

Let's walk through the simple plugin approach using WPS Hide Login, one of my favorite free plugins for obscuring the admin URL.

Here's how to do it in just a few minutes:

  1. Log in to your WordPress dashboard and navigate to Plugins > Add New
  2. Search for "WPS Hide Login" and click Install Now
  3. Once installed, click Activate to enable the plugin
  4. Go to Settings > Permalinks in your left-hand WP dashboard menu
  5. Scroll down until you see the "Login URL" section added by WPS Hide Login
  6. Enter your new preferred admin URL, like yourdomain.com/custom-login
  7. Click Save Changes and your new obscured URL is live!

That's all it takes with WPS Hide Login to change the admin URL. Super simple but effective.

Be sure to record your new URL somewhere safe. I recommend using a password manager or writing it down offline.

You may need to re-bookmark or update any hardcoded navigation links pointing to the old URL. Otherwise, the change is seamless and you can log in via your new obscured endpoint.

Additional Tips to Further Secure WordPress Sites

While obscuring the admin URL is highly effective against brute force login attempts, it's just one piece of an overall security strategy.

Here are some other best practices I recommend to all my clients and friends to further lock down WordPress:

  • Use extremely strong passwords – Always opt for randomly generated, lengthy passwords for all user accounts. Consider a password manager.

  • Change default "admin" username – Don't leave this predictable username intact. Change to something random.

  • Limit login attempts – Use a plugin like Loginizer to block IPs after a certain number of failed logins.

  • Add CAPTCHAs – Bot detection on login pages adds an extra obstacle to automated attacks.

  • Disable file editing – Hackers can deface sites by editing themes/plugins. Disable this ability.

  • Leverage two-factor authentication – Adding 2FA provides important secondary login protection.

Following the admin URL change with additional hardening techniques will help keep your site locked down tight.
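To see what the "limit login attempts" tip keys on, the sketch below finds client IPs that exceed a failed-login threshold in a web server access log. It is an added example, not code from the original article or from Loginizer; the thresholds, function names and log lines are constructed, and login_path should be set to your new path once you have changed it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/Nginx "combined" format: client IP, timestamp, request line, status.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def failed_logins(lines, login_path="/wp-login.php"):
    """Yield (ip, time) for each POST to login_path that was answered with 200.

    WordPress re-renders the form (200) after a failed login and redirects
    (302) after a successful one, so a 200 on POST is treated as a failure.
    """
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?", 1)[0] == login_path:
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def brute_force_sources(lines, max_failures=5, window=timedelta(minutes=5),
                        login_path="/wp-login.php"):
    """Return {ip: time the ip first exceeded max_failures within window}."""
    recent = defaultdict(deque)  # per-IP failure times inside the window
    flagged = {}
    for ip, when in failed_logins(lines, login_path):
        times = recent[ip]
        times.append(when)
        while when - times[0] > window:
            times.popleft()
        if len(times) > max_failures:
            flagged.setdefault(ip, when)
    return flagged

# Constructed sample log using documentation IP ranges; not real traffic.
ENTRY = '%s - - [12/Mar/2024:%s +0000] "%s /wp-login.php HTTP/1.1" %d 4521 "-" "-"'
SAMPLE_LOG = (
    [ENTRY % ("203.0.113.7", "10:00:%02d" % s, "POST", 200) for s in range(7)]
    + [ENTRY % ("198.51.100.20", "10:%02d:00" % m, "POST", 200) for m in range(0, 60, 10)]
    + [ENTRY % ("198.51.100.20", "11:00:00", "POST", 302),
       ENTRY % ("192.0.2.15", "10:00:01", "GET", 200)]
)

if __name__ == "__main__":
    for ip, when in brute_force_sources(SAMPLE_LOG).items():
        print(ip, "exceeded the limit at", when.isoformat())
```

In the sample, only the client that sends rapid failures is flagged; the one that fails once every ten minutes stays under a five-minute window, which is why rate limits are paired with the strong passwords and 2FA listed above.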

Take Control of Your Admin URL Before Attackers Do

In closing, I hope this guide has shed light on the vital security benefits of obscuring your WordPress admin URL. Leveraging a simple plugin like WPS Hide Login makes the process quick and easy.

Combined with strong passwords and other best practices, changing this access point can drastically bolster your site's resilience to brute force hack attempts.

While attacks will always be evolving, taking proactive steps like these will ensure you stay many steps ahead of the bad guys. Your site and visitors will thank you!

Now get out there, obscure that admin URL, and breathe easier knowing your site is far more secure. You've got this! Let me know if any questions come up along the way.

Written by Alexis Kestler