A while back, we published a post explaining how you could implement an authentication protocol that would help to prevent brute force attacks against your WordPress website. A robust authentication system does a great job of blocking access, but it does not necessarily prevent hackers from trying to get into your site. To do that, you can change your login URL.
Out of the box, your login URL is relatively easy to find. It is simply a combination of your domain name and the default file name assigned to your site by WordPress. It always follows the format below:
It should be obvious how easy it is for hackers to launch brute force attacks. They simply feed a list of domain names into software that adds the WordPress file name to the end of each one before looking up the resulting URLs. If they get a hit, their software can then set about attempting to force entry. But you can cut hackers off at the pass by changing your login URL to effectively hide it from them.
Changing the URL Manually
Experienced WordPress users who are comfortable doing things manually can use several different methods to modify the login URL. The two most common involve editing the wp-config.php and functions.php files.
Editing the wp-config.php file is pretty simple. Just open the file in the WordPress editor and add the following two lines:
define('WP_HOME','http://your new login URL');
define('WP_SITEURL','http://your new login URL');
If you choose to edit the functions.php file instead, open it in the WordPress editor and scroll down until you find the line that says ‘<?php’. Add the following code directly under that line:
update_option( 'siteurl', 'http://your new login URL' );
update_option( 'home', 'http://your new login URL' );
Be aware that neither of these options actually moves your database. You will have to manually move the root directory of your installation into the new folder corresponding with your new login URL. You will also have to access your database through phpMyAdmin and change the site URL in the ‘option_name’ field of your WordPress database.
As with just about everything else in WordPress, there are plugins available if you are not comfortable with changing your login URL manually. Just go to the WordPress plugin site and use the search function to find them.
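Once the login URL has been changed, your access log tells you whether the old address still answers and who keeps knocking on it. The script below is an added example, not code from the original post; it assumes the stock WordPress login file name wp-login.php, the Apache/nginx "combined" log format, and constructed sample log lines covering traffic from before and after the change.

```python
import re
from collections import Counter

# Assumptions: the stock WordPress login file name, and the common
# Apache/nginx "combined" access-log layout.
DEFAULT_LOGIN = "/wp-login.php"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
198.51.100.4 - - [09/Mar/2024:18:01:00 +0000] "GET /wp-login.php?redirect_to=%2F HTTP/1.1" 200 2310 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 404 153 "-" "-"
192.0.2.15 - - [10/Mar/2024:10:02:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 5120 "-" "-"
malformed line that the parser must skip
"""

def default_login_hits(log_text):
    """Yield (ip, method, status) for every request to the default login path."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if path.lower().endswith(DEFAULT_LOGIN):
            yield m["ip"], m["method"], int(m["status"])

def summarize(log_text, threshold=3):
    """Return IPs hammering the default path and IPs it still answered."""
    posts = Counter()
    still_served = set()
    for ip, method, status in default_login_hits(log_text):
        if method == "POST":
            posts[ip] += 1  # login attempts are submitted as POSTs
        if status != 404:
            still_served.add(ip)  # the default URL was still reachable
    noisy = sorted(ip for ip, n in posts.items() if n >= threshold)
    return {"noisy": noisy, "still_served": sorted(still_served)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

An empty `still_served` list on logs written after the change means the default address no longer responds; any IP in `noisy` is a candidate for rate limiting or blocking.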
Reasons to Change Your URL
Should you go through the trouble of changing your login URL if you’ve never been victimized by a brute force attack? Perhaps. You already know that changing the URL will essentially hide your login page from hackers who use automated means to hack WordPress sites. But there are other reasons for doing so:
- Hiding the fact that you are using WordPress
- Making it harder for hackers to steal sensitive information
- Preventing former employees who once had access from trying to get back in
There are good reasons behind choosing to change the WordPress login URL. Fortunately, it can be done either manually or with the use of a plugin.