One of the most common attacks against WordPress sites is also one of the simplest: hammer wp-login.php as fast as possible with semi-random usernames and passwords until you find one that works. This brute force attack is rarely successful, especially if you have a username other than “admin” and if you choose a strong password, but the attack itself can wreak havoc on your site. The attack bypasses caching (since WordPress needs to process every login attempt separately) and keeps many PHP processes running to service the attack, placing your users at the end of the line to get their requests serviced.
As simple as the brute force attack against wp-login.php is, the solution is just as simple: install a plugin that moves wp-login.php to a different, hard-to-guess URL. The plugin we use to do that is called Move Login.
In its simplest form, the plugin requires no further configuration after installation. Once installed, it renames the login URL from /wp-login.php to simply /login.[1] For further security, you may wish to rename the default /login to something less obvious; whether you choose something completely random or related to your blog, a personalized login page will always be more secure than the default.
To change the default, simply navigate to Settings -> Move Login, where you’ll see the following simple configuration screen:
In the example, I’ve changed “login” to “LetMeInMarvin” (begging our robot friend, Marvin, to grant me access!) and left all of the default settings for the other “Links” fields. At the bottom of the screen are two further settings: what to do when a user tries to access the old login page, and what to do when a user tries to access the administration area. We recommend the default option for the first setting: when a user tries to access the old login page, they should be presented with an immediate and fatal error page. This will stop attackers in their tracks while minimizing load on your server.
The second setting requires a little more attention. When not using the Move Login plugin, a user that tries to access the administration area gets redirected to the login page. The default behavior of Move Login is to mimic this behavior and redirect users to the new login page as well. In our opinion, this is slightly more convenient, but slightly less secure; just as your admins can load /wp-admin on your site to immediately remind themselves of the new (secret) login page, so can attackers! The second option, to “display an error message”, presents the same immediate and fatal error page as accesses to the old login page. This second option is slightly more secure than the first, and as such, we recommend that you use it.
Security is always multi-faceted, and there are plenty of other security plugins you should consider using in conjunction with Move Login. After all, Move Login solves only one small problem… even though that small problem can be a rather large nuisance! Given that Move Login solves that problem completely and simply, we’re proud to recommend it as an AG Plugin Pick!