Please Stop Hiding wp-admin

Once upon a time the security of a WordPress site could be improved by simply moving the login page.

Those were simpler days. The REST API wasn’t part of WordPress core and WordPress itself was a much smaller part of the internet and, as a result, a much smaller target for attackers than it is now.

I even wrote one of the better implementations to hide the WordPress login page as part of, first, Better WP Security and later iThemes Security. It made sense at the time when I could see the brute force login attempts drop off considerably on my sites when I employed the feature.

Today things are not so simple. Today such a feature is more likely to bring your site down than keep it up. Why?

First, there are many more ways to log in to WordPress. There is still the dashboard login page, which is what we were hiding, and XML-RPC, which many sites simply disabled, but there is also the REST API, GraphQL and any number of other interfaces to WordPress that accept credentials. Moving one of them does nothing for the others, and moving all of them will almost certainly break any site that relies on them.

Second, login security is better than it used to be. We can require two-factor authentication and lock an attacker out after their first few failed attempts. We even have managed hosts like WP Engine that can do all of this for us and stop an attacker before the request ever reaches our site. Hiding the login page can't hold a candle to these newer techniques.
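One way to do the blocking the two paragraphs above describe without touching the login URL, as an added example for this post (not code from the original article, Better WP Security or iThemes Security): a must-use plugin that counts failed logins per client IP on every surface WordPress core exposes, the wp-login.php form, xmlrpc.php and REST Application Passwords, and refuses further attempts from that IP for a while. The hook names are WordPress core's; the thresholds, the transient key prefix and the assumption that REMOTE_ADDR is the real client address are choices made for the example. It goes slightly beyond the text in covering Application Passwords separately, because REST requests authenticated that way do not pass through wp_authenticate() and need their own hooks.

```php
<?php
/**
 * Plugin Name: Surface-agnostic login throttle (added example)
 *
 * Added example, not code from the original post or from iThemes Security.
 * Copy into wp-content/mu-plugins/. Counts failed logins per client IP on
 * wp-login.php, xmlrpc.php and REST Application Passwords, and refuses that
 * IP for EX_LOCKOUT seconds once EX_MAX_FAILURES is reached within EX_WINDOW.
 * Hook names are WordPress core's; the constants and the REMOTE_ADDR
 * assumption are choices made for this example.
 */

defined( 'ABSPATH' ) || exit;

const EX_MAX_FAILURES = 5;                      // assumption: failures allowed per window
const EX_WINDOW       = 15 * MINUTE_IN_SECONDS; // assumption: counting window
const EX_LOCKOUT      = HOUR_IN_SECONDS;        // assumption: lockout length

// Assumes REMOTE_ADDR is the real client. Behind a CDN or reverse proxy,
// derive this from the trusted forwarded-for header instead, otherwise every
// visitor shares one counter and one lockout.
function ex_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '0.0.0.0';
}

function ex_key( $kind ) {
    return 'ex_login_' . $kind . '_' . md5( ex_client_ip() );
}

function ex_is_locked() {
    return (bool) get_transient( ex_key( 'locked' ) );
}

function ex_record_failure( $surface ) {
    if ( ex_is_locked() ) {
        return; // already locked: do not double count or extend the lockout
    }
    $failures = (int) get_transient( ex_key( 'fails' ) ) + 1;
    set_transient( ex_key( 'fails' ), $failures, EX_WINDOW );
    if ( $failures >= EX_MAX_FAILURES ) {
        set_transient( ex_key( 'locked' ), time(), EX_LOCKOUT );
        delete_transient( ex_key( 'fails' ) );
        error_log( sprintf( 'ex_login: locked %s after %d failures via %s', ex_client_ip(), $failures, $surface ) );
    }
}

function ex_clear_failures() {
    delete_transient( ex_key( 'fails' ) );
}

// Which core entry point handled the request; used only for the log line.
function ex_surface() {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) { return 'xmlrpc'; }
    if ( defined( 'REST_REQUEST' ) && REST_REQUEST )     { return 'rest'; }
    return 'wp-login';
}

// wp-login.php and xmlrpc.php both end up in wp_authenticate(), which runs the
// 'authenticate' filter and fires 'wp_login_failed' on failure. Priority
// matters: core's password handlers (priority 20) ignore a WP_Error passed in
// from an earlier priority when credentials are present, so the refusal must
// run last. 'wp_authenticate_user' runs inside those handlers before the
// password hash check and does honour a WP_Error, so we refuse there too to
// skip the hash work for locked IPs.
add_filter( 'wp_authenticate_user', function ( $user ) {
    return ex_is_locked() ? new WP_Error( 'ex_locked', 'Too many failed logins; try again later.' ) : $user;
}, 1 );

add_filter( 'authenticate', function ( $user ) {
    if ( ex_is_locked() ) {
        return new WP_Error( 'ex_locked', 'Too many failed logins; try again later.' );
    }
    if ( $user instanceof WP_User ) {
        ex_clear_failures(); // successful form or XML-RPC login resets the counter
    }
    return $user;
}, PHP_INT_MAX );

add_action( 'wp_login_failed', function () {
    ex_record_failure( ex_surface() );
} );

// REST requests carrying an Application Password are checked from
// 'determine_current_user', not wp_authenticate(), and fire their own actions.
// Returning false from 'application_password_is_api_request' while locked makes
// core skip the password check and treat the request as anonymous.
add_filter( 'application_password_is_api_request', function ( $is_api ) {
    return ex_is_locked() ? false : $is_api;
} );

add_action( 'application_password_failed_authentication', function () {
    ex_record_failure( 'application-password' );
} );

add_action( 'application_password_did_authenticate', function () {
    ex_clear_failures();
} );
```

Because the counting happens inside wp_authenticate() rather than on a URL, an XML-RPC system.multicall that packs many credential pairs into one HTTP request still counts each pair as a failure. If nothing on the site needs XML-RPC, `add_filter( 'xmlrpc_enabled', '__return_false' );` in the same file removes that surface outright instead of hiding it.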

Next, moving wp-admin can break your site. One of the strengths of WordPress today is its integration with other software and services. Much of that integration depends on core WordPress behaviour, including the location of the login page, and changing it breaks them. Even when I was working on Better WP Security this was one of the biggest causes of support requests, as I was constantly telling people to disable the feature to get the integration they needed working.

Finally, most WordPress attacks don't succeed because someone guesses a user's password. Most attacks succeed because a vulnerable plugin or theme was left on the site. There is little point in spending computing power on brute-forcing a login when there are so many countermeasures for that attack. Instead, bots look directly for known insecure plugins and exploit the site through them when they are found. That is a far more effective strategy for attackers than trying logins until one works.

There's a concept in computer security called "security by obscurity." In essence this is simply hiding an access point or other information in the hope that an attacker won't notice. This isn't real security, any more than moving the door from the front of your house to the side of it would stop a burglar.

So, stop hiding wp-admin. Keep your site updated and use a solid host instead. Not only will your security be much improved, you will also avoid the breakage that comes when gimmick features like this go wrong.

4 Comments

  1. “It’s a far more effective strategy for hackers than trying logins until they get one right.”

    Except that trying logins is still by far the most used approach (98% of all bad actor hits) on all my sites. So I still frequently use WPS Hide Login as well as disabling REST for non-authenticated users (and always completely disabling XMLRPC because it accounts for the other 2%). This combination works a treat.

    • These are two completely different things.

      Brute-force attacks are still popular, so yes – you should protect your site against them.

      But you can easily perform a brute-force attack even when the address of wp-login.php is masked. Just use XML-RPC or the REST API.

      And that’s what the article is about.

      So if you’re using WPS Hide Login, you should really change your approach to security…

      PS. And no – brute-force attacks are not 98% of all attacks.

  2. To be honest and precise – it never was a solution. XML-RPC has been available for a long, long time now and it can easily be used for brute-force attacks even when the URL of wp-login is changed. And it was very often used like that, because it's much quicker than the login form.

    On the other hand – changing the address of wp-login makes it a lot easier to DDoS your site. wp-login is rendered in about 0.5s on most servers. The 404 page (or any other custom page) is based on your theme and it takes much more time to render... So bad brute-force scripts can easily send too many requests to your site, so that it can't cope with them...

    So no – hiding wp-login was never a good security practice. Especially since security by obscurity is always a bit of a silly idea.

    PS. Yes – of course many bloggers were saying that it's a perfect solution and there are many plugins to do it. But come on – there are many plugins for other stupid things as well 😉
