Have you ever heard of brute force attacks? Do you know how to prevent them? If one of your answers is no, congratulations: you are in the right place! In my newest, and also the last, article of the Understanding WordPress series, you will find the answers. WordPress is an amazing place to start a website, that much is true. However, your website can be put in danger if you do not protect it properly. So what is the proper way? There are many, and one of them is hiding your WordPress login page from the public. This practice cuts down on the automated login attempts that brute force bots aim at the default wp-login.php, and so reduces the chances that someone guesses your credentials. But first, let's make sure you understand what a brute force attack is.
Simply put, a brute force attack is a hacker (or, far more often, a script) trying password after password against your login form until one of them works. If it does, your website is invaded! That is why hiding your WordPress login page behind a new login URL is worthwhile: it keeps your site off the automated scans that target wp-login.php and adds another layer on top of strong passwords. Keep in mind that it is a thin layer, because it does not stop an attacker who already knows the new URL. What is more, you will not need any plugin to carry out the task!
How to do it? Let’s find out through this step-by-step guide!
This is a fundamental step that you must not skip! Because you will be changing your .htaccess file, which can take your whole site down with a single typo, backing up is essential. If backing up the whole site sounds like more than you want to do, then at least back up the .htaccess file and the theme folder you are using. I personally think you should be extremely careful here: if I were you, I would try the code in a testing environment first. At the end of the day, seeing a test site go down is much less heartbreaking than watching your main site suffer the same fate.
For how to back up, you can find some ideas in previous posts of mine, for example: WordPress Guide: How to Secure Your WordPress Website.
Ok then! Now we get into the meat of this article. In short, there are two options for hiding your WordPress login page. In the first, you edit both your theme's functions.php and your .htaccess file; in the second, you only need to edit the .htaccess file.
This option calls for a child theme first. Well, not strictly "requires", but you should create one so that the changes you make to functions.php are not lost when the theme gets updated! Once that is done, the next step is to add this code:
https://gist.github.com/jennimckinnon/3f742fe69febda33a2f5afad7fc36de0
to the top of your .htaccess file for single installs of WordPress or, for Multisite installs, right after this line:
https://gist.github.com/jennimckinnon/edf6b1d667ab49d0ecf265179d34054a
After that, replace "myprivatelogin" with the slug you wish to use instead of wp-login.php. Once you do, your new login URL will be www.your-site.com/myprivatelogin, with your own slug in place of myprivatelogin. Save the file and check that your website still works. If it does not, restore the backup, check the rule for typos and try again.
At this point, stage one is complete. To make WordPress itself use the new URL, open your theme's functions.php file, located under /wp-content/themes/your-theme/ (in your child theme, if you created one as suggested), then add the following code wherever you like (the bottom of the file is the best choice):
https://gist.github.com/jennimckinnon/5a1131d5b8e31cf65b26fcda588369ec
One more thing that matters: do not forget to change "myprivatelogin" on line five of that snippet to the slug you chose in .htaccess. The two must match exactly, or WordPress will send visitors to a URL that the rewrite rule does not recognise.
Tada! Congratulations on your good job! Now hit the save button and give it a check. Test while logged out: the new slug should show the login form, and the login, logout and lost-password links WordPress generates should all point at the slug. Also try the old address: unless the rewrite rule itself refuses the old path, a request typed directly to /wp-login.php still reaches the login form, and a bot that targets that file name will not care what your menu links say. If that is the case, block direct requests to wp-login.php as well.
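As an added example (my own code, not the contents of the gists linked above), here is a functions.php version of stage two that covers the logout and lost-password links as well as the login link, and adds a check worth having: it refuses requests that reach wp-login.php by its real name. It assumes the .htaccess rule from stage one is in place on Apache, rewriting /myprivatelogin to wp-login.php with the query string passed through (the QSA flag), and the slug myprivatelogin, the constant MY_LOGIN_SLUG and the function names are placeholders of mine.

```php
<?php
// Added example for a child theme's functions.php. This is my own snippet, not
// the code behind the gists linked in the article. It assumes the .htaccess
// rule from stage one already rewrites /myprivatelogin to wp-login.php on
// Apache and passes the query string through (the QSA flag). The slug and the
// MY_LOGIN_SLUG constant are assumptions for the example; use your own slug.

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

define( 'MY_LOGIN_SLUG', 'myprivatelogin' );

/**
 * Point every URL WordPress generates for wp-login.php at the hidden slug,
 * keeping the query string intact (action=logout, redirect_to=..., the
 * lost-password action and so on all ride along in it). site_url() is what
 * wp_login_url(), wp_logout_url() and the login form's own action attribute
 * go through, and wp_redirect covers the redirects WordPress issues after
 * logout or when an anonymous visitor opens /wp-admin/.
 */
function myprivatelogin_replace_login_url( $url ) {
    if ( false === strpos( $url, 'wp-login.php' ) ) {
        return $url;
    }
    return str_replace( 'wp-login.php', MY_LOGIN_SLUG, $url );
}
add_filter( 'site_url', 'myprivatelogin_replace_login_url' );
add_filter( 'network_site_url', 'myprivatelogin_replace_login_url' );
add_filter( 'wp_redirect', 'myprivatelogin_replace_login_url' );

/**
 * Refuse requests that reach wp-login.php by its real name. When Apache
 * rewrites /myprivatelogin internally, PHP still sees the original path in
 * REQUEST_URI, so a REQUEST_URI whose path ends in wp-login.php means the
 * visitor (or a scanner) typed the real file name. Answer 404 so the old URL
 * looks like it does not exist. Already logged-in users are exempt, so an
 * open admin session cannot be locked out by this check.
 */
function myprivatelogin_block_direct_wp_login() {
    if ( 'wp-login.php' !== $GLOBALS['pagenow'] ) {
        return; // Not the login script at all.
    }
    if ( is_user_logged_in() ) {
        return;
    }
    $path = (string) wp_parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH );
    if ( 'wp-login.php' === basename( $path ) ) {
        status_header( 404 );
        nocache_headers();
        wp_die( 'Not Found', 'Not Found', array( 'response' => 404 ) );
    }
}
add_action( 'init', 'myprivatelogin_block_direct_wp_login' );
```

Drop it into the child theme's functions.php and then test three URLs while logged out: /myprivatelogin should show the form, /wp-login.php should return 404, and the logout link from the admin bar should lead back to the slug. Because the filter rewrites every generated login URL, keep the slug identical to the one in .htaccess; a mismatch breaks login for everyone, so do it on the test site first.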
The second option in this Understanding WordPress article bears some resemblance to the first, so if you understood the first one you should not run into any difficulty. Let's get right to the point. This is the code you need to add:
https://gist.github.com/jennimckinnon/e3cf9cacd310657035c903d22ef531a8
Where to add it? Again, the ideal place is the very top of your .htaccess file for single installs of WordPress. For Multisite installs, it should go right after these lines:
https://gist.github.com/jennimckinnon/edf6b1d667ab49d0ecf265179d34054a
Furthermore, make sure to change "mylogin" on line two to your own slug. If you leave it as it is, your login page will be at www.your-site.com/mylogin; otherwise the URL structure stays the same, with your slug in place of "mylogin". Why should you change it? Because everyone can read this post, including the people scanning for your login URL, so a slug copied from a public tutorial is the first thing they will try. Changing it to something of your own means they have to guess your URL rather than look it up. Believe me, this is for the best!
Similarly, change the 123 on line two and line seven to a different series of numbers or letters. This series plays the role of a secret key that hackers are not supposed to know, so do not pick something obvious (i.e. your website's title!). Use a long random string instead, say 20 or more characters, and treat it like a password: anyone who sees a URL carrying it can use it, so keep it out of links you share. Note that only letters and numbers should appear in this secret key, which also keeps it free of characters that have a special meaning in the rewrite rules.
We're almost done! The last step is to save your .htaccess file. Then check that your website is still safe and sound: load the front page and the new login URL and confirm that both work. I hope you will not see a 500 Internal Server Error screen, but if you do, you have made a mistake somewhere, even a tiny one, most likely a typo in a rewrite rule.
If that is the case, restore the file from your backup and try again!
Having an alternative to the predictable wp-login.php definitely deserves a thumbs-up, right?! Once your login URL is no longer the one every bot knows, it is far less exposed to automated attacks. And what does that mean? A higher level of security for your beloved website, provided you also keep strong, unique passwords, because obscurity alone will not stop someone who finds the new URL, and the login page is not the only place WordPress accepts credentials (xmlrpc.php, for example, still takes a username and password). Another benefit I have not mentioned yet: this keeps your website lighter than a plugin would. Understanding WordPress to this level, I believe you know the exact advantage of a lightweight website, yes?
So what do you think? I think you should give it a try and come back to tell us how it went in the comment section!