Hide wp-admin. How to secure your WordPress admin login? Primitive measures and WPS Hide Login

Reading time: 4 min

Just a year ago my server load very often exceeded the limit allowed by my hosting plan. The problem was not the sites themselves but a plain attack by bots on the admin panel, trying to gain access for purposes of their own.

Today I will describe how I dealt with the problem; I advise you to do the same on your own site, just in case.

In the end I decided to change the address of the admin login form and to close the admin panel to everyone who does not come from my IP.

Note that some hosting companies automatically create a new admin address for all of their customers. If you use such a host, you can skip the rest of this article and save yourself the time.

How to change WordPress admin address

I previously published an article on this topic. The result looks similar, but the effect and the purpose here are different.

Don't forget to make backup copies of the files you work with.

  • First, copy the wp-login.php file from the site root (the folder where wp-config.php is) to your computer via FTP.
  • Rename it as you like, for example vhod.php.
  • Open this file in the free Notepad++ editor (or any editor you prefer) and replace every occurrence of wp-login.php with vhod.php.

You can do this quickly by pressing CTRL+F in Notepad++ and, in the dialog that appears, putting wp-login.php in the Find field and vhod.php in the Replace field, then choosing Replace All.

In a second every occurrence of the phrase in the file was replaced; there were 12 of them.

Upload the new file to the site root via FTP.

The same needs to be done in the general-template.php file, which you will find in the wp-includes folder on the same FTP: change the occurrences of wp-login.php to vhod.php, but do not rename that file itself! This is the file that defines wp_login_url(), wp_logout_url() and wp_lostpassword_url(), so it is where the login links WordPress generates come from. Bear in mind that plugins and themes that hard-code wp-login.php will still point at the old, soon-to-be-blocked, address.

Now there is also a .htaccess file in the site root. Copy it to your computer as well and open it for editing (plain Windows Notepad will do). Insert the following block, which denies everyone access to the wp-login.php file:

    <Files wp-login.php>
    Order Deny,Allow
    Deny from all
    </Files>

It was this step that both lifted the load and hid the login form. With this block in .htaccess, a request to http://site.ru/wp-login.php is refused by Apache with a 403 (not a 404) before PHP ever runs, so the bots hammering the old address no longer cost any CPU. The Order/Deny syntax is the Apache 2.2 form; on Apache 2.4 it works only while mod_access_compat is loaded, and the native equivalent is Require all denied.

Let us briefly repeat the operating algorithm:

  • Rename the wp-login.php file to an arbitrary name and replace the occurrences of the old name inside it with the new one.
  • Do the same in the general-template.php file: replace the old name wp-login.php with the new one.
  • Add to the .htaccess file a rule that denies everyone access to wp-login.php

After a WordPress update you will have to redo the general-template.php edit, and the update also puts a fresh wp-login.php back into the site root: .htaccess keeps that one blocked, but your renamed copy is now an older version of the file, so copy and re-edit it as well. Since the engine is not updated very often, this is a small price compared to the effect.

We set a restriction on logging in via IP via .htaccess

As an additional protective measure I restricted access to the admin panel by IP. It is solved very simply: create a new, empty .htaccess file and put the following code in it

    order deny,allow
    allow from 192.168.0.1
    deny from all

Save the file and upload it into the wp-admin folder, which sits in the site root. Bear in mind that this also blocks wp-admin/admin-ajax.php for everyone outside the list, and many themes and plugins call that file for logged-out visitors (search suggestions, contact forms, lazy loading), so if something on the front end stops working, add a Files exception for admin-ajax.php.

Put your real IP in place of the one in the example. You can also allow several IPs, one per line:

    order deny,allow
    allow from 126.142.40.16
    allow from 195.234.69.6
    deny from all

If your IP address is dynamic, you can write only its leading octets (up to the first, second or third dot): Apache treats a partial address in allow from as a prefix, so writing only 126.142 admits every address that begins with 126.142. The shorter the prefix, the more strangers share it, so keep it as narrow as your provider's address range allows.
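The .htaccess allow-list above can only express whole addresses or dotted prefixes. As an added example that is not from the original article, here is the same restriction written as a WordPress must-use plugin in PHP, with proper CIDR matching (so a dynamic address that moves inside a /24 or /16 can be allowed precisely) and an exception for admin-ajax.php and admin-post.php, which front-end features of themes and plugins call even for logged-out visitors and which a blanket rule in wp-admin/.htaccess breaks. The addresses and ranges in LOGIN_ALLOW_LIST are placeholders; replace them with your own.

```php
<?php
/**
 * Plugin Name: Login IP allow-list (added example, not the article's code)
 * Save as wp-content/mu-plugins/login-ip-allowlist.php; must-use plugins load
 * automatically and cannot be switched off from the admin panel.
 * Assumes 64-bit PHP (so 32-bit IPv4 masks fit in an int).
 */

// Placeholder ranges: replace with your own. A /24 or /16 covers a dynamic
// address that changes only in its last octets, the situation the article's
// "numbers up to the first, second or third dot" trick is meant for.
const LOGIN_ALLOW_LIST = array(
    '192.168.0.1/32',
    '126.142.40.0/24',
    '195.234.0.0/16',
);

/** True if the IPv4 address $ip falls inside any of the CIDR ranges. */
function login_ip_allowed( string $ip, array $cidrs ): bool {
    $ip_long = ip2long( $ip );
    if ( false === $ip_long ) {
        return false; // not IPv4 (IPv6 or garbage): deny by default
    }
    foreach ( $cidrs as $cidr ) {
        list( $net, $bits ) = array_pad( explode( '/', $cidr, 2 ), 2, '32' );
        $net_long = ip2long( $net );
        $bits     = (int) $bits;
        if ( false === $net_long || $bits < 0 || $bits > 32 ) {
            continue; // malformed entry: skip it rather than accidentally allow everyone
        }
        $mask = 0 === $bits ? 0 : ( ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF );
        if ( ( $ip_long & $mask ) === ( $net_long & $mask ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Only REMOTE_ADDR is trusted. Behind a reverse proxy or CDN, have the web
 * server restore the real client address; do not read X-Forwarded-For here,
 * because any client can set that header to an allowed value.
 */
function login_client_ip(): string {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '';
}

function login_ip_gate(): void {
    // admin-ajax.php and admin-post.php also fire admin_init but serve
    // logged-out visitors (theme/plugin front-end features), so they stay
    // open; everything else under wp-admin, and wp-login.php, is gated.
    $script = basename( (string) ( $_SERVER['SCRIPT_NAME'] ?? '' ) );
    if ( wp_doing_ajax() || 'admin-post.php' === $script ) {
        return;
    }
    if ( login_ip_allowed( login_client_ip(), LOGIN_ALLOW_LIST ) ) {
        return;
    }
    wp_die( 'Access denied.', 'Forbidden', array( 'response' => 403 ) );
}

// login_init runs at the top of wp-login.php and admin_init at the top of
// every wp-admin page, both before any output, so wp_die() can still send 403.
add_action( 'login_init', 'login_ip_gate' );
add_action( 'admin_init', 'login_ip_gate' );
```

Test it from an address outside the list before relying on it. If you lock yourself out, delete the file over FTP, the same recovery the article describes for a plugin.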

Hi all! In an article about the massive brute-force attacks that became especially active at the beginning of this summer, I described several simple ways of defending against them. One of the points mentioned the wSecure Authentication plugin, which lets you change the WordPress admin address and make the task harder for hackers. Today I decided to write about it in more detail, especially since the brute-force attacks continue.

How to log into WordPress admin?

Many novice bloggers (and not only novices), so as not to forget the admin panel address, put a "Meta" widget with a direct "Log in" link in the sidebar. Remember once and for all: this widget is not needed on your blog unless you use user registration. To reach the WordPress admin area it is enough to open your-site.ru/wp-login.php or your-site.ru/wp-admin.

I hope everyone knows this very well? In any case, hackers certainly know these addresses and use them to attack the WordPress admin area, so there is no need to help them by showing once more where the "Entrance" is. Better to hide the admin panel by changing the standard links.

How to hide WordPress admin area using wSecure Authentication plugin

There are several ways to solve this problem. For example, using a script, as implemented on Makhost hosting, or some complex plugins, such as Better WP Security. But I will show you the simplest method that will not cause any difficulties for anyone.

To do this we install the wSecure Authentication plugin, whose only task is to hide the /wp-admin and /wp-login.php pages and close the admin area to strangers. In exchange we get our own unique URL for logging into the WordPress admin panel.

Go to the “Settings” menu – “wSecure Configuration”. We configure the plugin by filling out three lines:

  • 1. Enable – switch the plugin on by setting it to “Yes”.
  • 2. Key – enter the secret key, made of Latin letters in either case and digits. For example, with the key wpMgSkz the WordPress admin address becomes /wp-admin/?wpMgSkz. Be sure to put the question mark in front of the key.
  • 3. Redirect Options – specify where a visitor is sent if he requests the standard login URL.

By default, “Redirect Options” is set to redirect to the main page, but you can set “ Custom path“. To do this, select “Custom Path” in the drop-down list and enter any address or leave the one specified in the plugin. In this case, everyone will see a page like this:

You can even redirect the hacker to a specially created page and write him a few kind words there :-).

To check how the plugin works, visit the blog from a different browser or clear your cookies. And sometimes it happens that the blog’s admin panel first opens at both the new and old addresses.

This is how easy it is to change the WordPress admin URL and hide the default one. If, in addition, you choose a strong password, do not use the login "admin", and install a plugin that blocks an IP after repeated wrong passwords, brute-force attacks on the login form become far less of a threat. Keep in mind that hiding wp-login.php does not close other paths that accept credentials, such as xmlrpc.php, so the strong password and the lockout plugin still matter.

What to do if it is impossible to log into the admin area?

If for some reason you cannot get into your blog's admin panel after installing wSecure Authentication, do not panic. I had no such problem myself, but I did run into a related situation.

The fact is that some hosting companies, for example, Makhost and Sprinthost, taking care of the security of their clients’ sites, themselves changed the standard addresses and provided alternative links for logging into the WordPress admin area. I already had the plugin installed, and these links redirected me to a non-existent page. What to do?

In fact, there are many reasons today to close the login page of a WordPress-powered site from prying eyes. One of the most important is that by closing the login page to everyone who is not supposed to use it, you protect the site from unauthorized access, that is, from being hacked.

After all, the Internet is full of fraudsters who, with special programs that brute-force passwords or look for vulnerabilities, can gain access to your administrator account. Of course, nothing will protect you 100% from an expert at hacking WordPress sites, but this will spare your nerves where amateurs are concerned.

Some also probe your site by automatically appending /wp-admin to the URL; if that works, the attacker knows exactly where to "dig" and which CMS vulnerabilities deserve his attention.

Fraudsters often use such programs to find out which version of WordPress (or any other CMS) is installed, since older builds contain known bugs and vulnerabilities through which an attacker can obtain not only your admin-panel credentials but also deeper and wider access.

For example, a fraudster will be able to fill your site with malware or intrusive advertising, or even copy confidential data about your clients: take the database with orders and the e-mails of registered users, and learn their logins and passwords.

We install plugins that improve site security immediately after uploading the engine to the hosting (https://s-host.com.ua). First of all, we change and hide the login page of the site's admin area by changing the standard path to it (domain/wp-admin).

Installing the plugin

In order to give the page a new address, we will use WPS Hide Login - a simple but very functional plugin. Its advantage is that there are no additional settings.

Basically, you only need to go to Dashboard / Plugins / Add New and use the search. Find WPS Hide Login, install and activate it.

Changing the WordPress Admin Login Page

After installation and activation the plugin appears in the list of extensions on the Dashboard / Plugins page (note that the plugin does not add an item to the main menu).
Now click the Settings link under the plugin:

Once on the “Settings”/”General” page, all you have to do is find the WPS Hide Login block and make adjustments.

So the Login url setting consists of two fields: the first, your domain, is static and cannot be changed; the second is the one to fill in (the default value is login).
Enter the admin address you want and save the changes:

Now, if you open your-site/wp-admin, you will see nothing but an error page:

You probably already know how to get into the WordPress admin area?

You can do this in at least four ways by adding the following to your site address:

  1. /admin, i.e. like this: http://yoursite/admin
  2. /wp-admin
  3. /login
  4. /wp-login.php

In fact the first three are redirects that all end up at the same page: http://your_site/wp-login.php

It turns out that anyone can append any of the four suffixes above to your site address and will see the admin login form:

Of course, this does not at all mean that anyone can easily get into the admin panel, because he also needs to know the username or e-mail and the password.

If your administrator user's login is the one shown above, that is not prudent at all: the attacker only has to guess or brute-force your password.

In addition, you saw the prompt "Username or e-mail". Yes, WordPress accepts an e-mail address as the username. If you have published somewhere on the site the same e-mail address that belongs to the administrator user, the first thing an attacker will try is that e-mail, and WordPress helps him again: if the e-mail is unknown, the form says so:

and if the e-mail is correct, WordPress reports that the password for it is wrong:

As a result, a potential attacker who wants into your admin panel only has to guess or brute-force your password. (The login form is not the only place that leaks usernames: the author archive reached via ?author=1 and the REST API users endpoint /wp-json/wp/v2/users reveal them too.)
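WordPress tells the attacker whether a username or e-mail exists through the different error messages shown above, and also through the author archive (a request for ?author=1 redirects to /author/login-name/) and the REST API users endpoint (/wp-json/wp/v2/users lists each author's login name as the slug). As an added example, not from the article, this must-use plugin closes those three leaks: one generic login error for every failure, the users endpoints hidden from anyone without the list_users capability, and author-ID queries answered with 404.

```php
<?php
/**
 * Plugin Name: Stop username enumeration (added example, not the article's code)
 * Save as wp-content/mu-plugins/no-user-enum.php.
 */

// 1. One message for every login failure. Core otherwise distinguishes
//    "unknown username" / "unknown email address" from "incorrect password",
//    which is exactly the oracle described in the article. The same filter
//    covers the lost-password form's "no account with that username" text.
add_filter( 'login_errors', 'no_user_enum_generic_error' );
function no_user_enum_generic_error( $error ): string {
    return 'The credentials you entered are not valid.';
}

// 2. Hide the REST users endpoints from anyone who may not list users.
//    Logged-out requests to /wp-json/wp/v2/users otherwise return every
//    author's login name in the "slug" field. By the time rest_endpoints
//    runs, cookie authentication has happened, so current_user_can() works.
add_filter( 'rest_endpoints', 'no_user_enum_rest' );
function no_user_enum_rest( array $endpoints ): array {
    if ( current_user_can( 'list_users' ) ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
}

// 3. Refuse /?author=N on the front end. Its canonical redirect to
//    /author/<login>/ would reveal the login name for each numeric user ID.
//    Hooked on init, which runs before redirect_canonical() at template_redirect.
add_action( 'init', 'no_user_enum_author_query' );
function no_user_enum_author_query(): void {
    if ( is_admin() ) {
        return; // the admin posts list legitimately filters by ?author=
    }
    if ( isset( $_GET['author'] ) ) {
        wp_die( 'Not found.', 'Not Found', array( 'response' => 404 ) );
    }
}
```

The generic message also replaces the "empty field" notices, which is a small usability cost for removing the oracle. Response timing still differs slightly (core only checks the password hash when the user exists), so this removes the easy oracle, not every oracle; an unguessable username and the custom login URL remain worthwhile.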

How to protect the admin login from a potential threat? The answer is simple - try to increase the number of unknowns required to enter.

Now let's take a closer look:

  • 1. If possible, make sure the administrator's e-mail is not mentioned anywhere on the site; use a different, public address for contact.
  • 2. Your password should not be simple. During installation WordPress generates a strong password for you; if you do not want to use it, come up with a reasonably complex one of your own, with lower- and upper-case letters, digits and a few symbols such as -, ? or _.
  • 3. Your username should not be simple either: admin, manager, root, administrator, user and similar words are the first things a brute-force tool tries.
  • 4. And finally, add the third unknown: change the admin login URL. To do this, install a simple plugin, WPS Hide Login.

WPS Hide Login

A simple, free and quite popular plugin that allows you to change the admin login URL.

After installing and activating the plugin, you need to go to the admin section: Settings / General, then scroll to the very bottom of the page and see just one parameter added by this plugin:

By default the plugin suggests the login address http://yoursite/login, but that is by no means the best option, because it is the plugin's well-known default. Come up with something of your own, for example: yyy12_go

After changing this parameter, do not forget to click Save Changes; otherwise, with the plugin active, the login will be at http://yoursite/login

Be sure to try logging out and logging back into the admin area, but using a new login address that you came up with yourself, and most importantly, don’t forget it!

After changing the admin entry point, when trying to access standard URLs, the user will receive a 404 error page.

Attention! If you suddenly forget the new admin login address, you will need to disable this plugin. This can be done without going to the admin panel if you have access to the site’s folders and files. You just need to rename or delete the plugin folder wps-hide-login, which will be in the folder plugins(the plugins folder is located in the wp-content folder).

As a result, after applying all of the above measures, the admin login is protected by three unknowns: e-mail/username, a strong password and our own unique login URL, and that significantly complicates the work of novice hackers.

To change the login page you need to edit the .htaccess file. A mistake in a single character can take the entire site down, so back up .htaccess and the theme folder first.

Backups can be made on the hosting side or with a plugin. Make a full backup, or check that the last automatic backup was taken after the most recent changes to the site.

If your site already has visitors, test the login URL change on a local or staging copy first.

In the first method you will change only .htaccess; in the second you will change .htaccess and functions.php. After that you will need to disable access to the old admin login page, .../wp-login.php.

The .htaccess file is in the root folder of the site; functions.php is in the active theme's folder.

How to change the login page in WordPress

Method 1: Editing the file .htaccess

Add the code at the beginning .htaccess in a single installation of WordPress and after these lines in a Multisite installation:

Add this code:

Change myloginpage11 in line 2 to the address at which you want the site's login page. If you change nothing, the login page will be my-site.ru/myloginpage11.

Change 123456qwerty in lines 2 and 7 to something of your own. This is a secret key and may contain only Latin letters and digits.

Save the file and check the site. If you receive a 500 server error, then you have made a mistake somewhere. Review your changes again or start over.

If the site works but the change has no effect, clear your browser cache and try again.

Method 2: Editing .htaccess and functions.php

Paste the code at the very beginning of the file .htaccess in a single installation or after these lines in a Multisite installation:

Add this code:

Replace myloginpage22 with your address. If you leave it as is, the new site login address will be my-site.ru/myloginpage22.

Save the file and check how the site works. If you get a 500 error, try to find the error or start over.

After this you can already use the new login address, but if you want WordPress to use it everywhere as the site's login address, add a snippet to functions.php (or add it through a code-snippets plugin that injects code into the current theme).

Add this code to functions.php:

The snippet comes from the WordPress support forum. Change myloginpage22 to the address you put in .htaccess.
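The forum snippet the text refers to is not reproduced on this page. As an added example of my own (not the forum's code and not the author's), the must-use plugin below does what Method 2 needs: it assumes the .htaccess rule already rewrites /myloginpage22 internally to wp-login.php, makes every URL WordPress generates (login, logout, lost password, registration, and the login form's own action) use the slug, and answers a direct request for /wp-login.php with 404. Because it hooks WordPress instead of editing core files, it also replaces the general-template.php edits of the rename method described at the start of this page, which a core update would otherwise undo. myloginpage22 is the placeholder value used in the article.

```php
<?php
/**
 * Plugin Name: Custom login slug (added example, not the article's code)
 * Save as wp-content/mu-plugins/custom-login-slug.php.
 *
 * Assumes an .htaccess rule such as the one the article describes already
 * rewrites /myloginpage22 internally to wp-login.php. An Apache internal
 * rewrite leaves REQUEST_URI as the browser sent it while SCRIPT_NAME still
 * names wp-login.php; the 404 check below relies on that difference.
 */
const CUSTOM_LOGIN_SLUG = 'myloginpage22'; // placeholder value from the article

// 1. wp_login_url(), wp_logout_url(), wp_lostpassword_url(),
//    wp_registration_url() and the <form action> inside wp-login.php all
//    build their address with site_url( 'wp-login.php...' ), so filtering
//    site_url once makes all of them point at the slug. On multisite, hook
//    network_site_url the same way.
add_filter( 'site_url', 'custom_login_slug_site_url', 10, 3 );
function custom_login_slug_site_url( string $url, string $path, $scheme ): string {
    if ( false !== strpos( $path, 'wp-login.php' ) ) {
        // Only the path segment changes; any ?action=logout&_wpnonce=... query survives.
        $url = str_replace( 'wp-login.php', CUSTOM_LOGIN_SLUG, $url );
    }
    return $url;
}

// 2. A request that reached wp-login.php by its real name, not through the
//    rewritten slug, gets the same 404 a visitor sees for a missing page.
add_action( 'login_init', 'custom_login_slug_block_direct' );
function custom_login_slug_block_direct(): void {
    $request_path = (string) parse_url( (string) ( $_SERVER['REQUEST_URI'] ?? '' ), PHP_URL_PATH );
    if ( 'wp-login.php' === basename( $request_path ) ) {
        wp_die( 'Not found.', 'Not Found', array( 'response' => 404 ) );
    }
}
```

After enabling it, walk through login, logout and the lost-password flow. Anything in core or in a plugin that still builds a link from a literal "wp-login.php" string will run into the 404 and tell you what remains to be fixed; if that list is long, the WPS Hide Login plugin described above handles those cases for you.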

Everything is ready, you can check it. Add a widget with meta information to the sidebar and click on the site login link. If you did everything correctly, you should be taken to a new site login page.

How to hide the old login page on the website wp-login.php

The new login page is an extra security measure, but it makes no sense without also blocking access to the standard wp-login.php page.

How to hide the wp-login.php page from visitors is described in a separate article.