When you hide the WP Admin from the public, you immediately remove the bots that attack your site through brute force attacks. You also appear informed and professional in how you deal with security.
Brute Force Attacks, and Why Hide WP Admin
A brute force attack means trying to log in again and again in the hope of cracking the password, starting with e.g. AAAA and going through all possible sequences until reaching ZZZZ. You can see how this can take millions of years even with supercomputers, but that is the method of last resort.
The first method of brute force attacks would be to go through a list of the most common passwords a user would have, let’s say ‘password123’, and see if that goes through. If not, then try ‘qwerty123’, and so on.
However, there are dark sides of the web where hackers obtain passwords that people have shared insecurely, and these end up leaked in a database with millions of other affected accounts.
Check if your account has been compromised on Have I Been Pwned (haveibeenpwned.com).
This is why websites with a large userbase need to be extremely secure since many people use the same passwords for other websites!
You might have a Google account, and you might also have a Facebook account. Maybe you have a group of websites you normally visit for which you use the same password? If so, this is a major flag for insecurity should any one of those websites be compromised. But what if your WordPress website also uses the same password? What if hacking your simple WordPress website puts your Google and Facebook accounts in great danger as well?
This is why blocking users from attempting brute force attacks is so important. It’s still uncommon for a bot to be redirected out of wp-admin. Bots know they might have to get through CAPTCHA codes or similar checks, but they do not expect to be redirected out of the login page.
What Does It Mean to ‘Hide WP Admin’?
What you would normally type to log in to a WordPress website is example.com/login/, and from there you can enter your username and password. That is the admin URL of most WordPress websites, since it is the default URL.
However, if you hide the WP Admin, you have to go through another address that you set up, such as a rather obscure example.com/rdjequ, which isn’t an actual page but allows you to bypass the security. Of course, you can treat this like a password if you’d like. It is a unique secret URL known only to you and your other users, through which you access your WordPress dashboard.
Anyway, if a bot ever did find that secret URL, it would still have to brute force its way through. That is where you can now set your CAPTCHA or anything else.
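Once the login is hidden, the web server's access log separates two kinds of traffic: bots still probing the default addresses, and repeated login POSTs to the secret URL, which mean the secret URL is known. The script below is an added example, not part of the original article or of any plugin; the default paths, the thresholds and the log lines are assumptions constructed for illustration, and /rdjequ is the article's sample slug.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed for this example: paths bots probe by default, and the article's sample slug.
DEFAULT_LOGIN_PATHS = {"/wp-login.php", "/wp-admin", "/login"}
SECRET_SLUG = "/rdjequ"
WINDOW = timedelta(minutes=5)   # assumed detection window
MAX_POSTS = 3                   # login POSTs tolerated per IP inside WINDOW

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)

# Constructed access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "GET /login/ HTTP/1.1" 302 0
198.51.100.20 - - [12/Mar/2024:10:05:00 +0000] "GET /rdjequ HTTP/1.1" 200 4211
198.51.100.20 - - [12/Mar/2024:10:05:20 +0000] "POST /rdjequ HTTP/1.1" 302 0
192.0.2.55 - - [12/Mar/2024:11:00:00 +0000] "POST /rdjequ HTTP/1.1" 200 4300
192.0.2.55 - - [12/Mar/2024:11:00:05 +0000] "POST /rdjequ HTTP/1.1" 200 4300
192.0.2.55 - - [12/Mar/2024:11:00:10 +0000] "POST /rdjequ HTTP/1.1" 200 4300
192.0.2.55 - - [12/Mar/2024:11:00:15 +0000] "POST /rdjequ HTTP/1.1" 200 4300
"""

def classify(log_text):
    """Return (probes per IP on default paths, IPs brute forcing the secret URL)."""
    probes = defaultdict(int)   # redirected noise: the bot never saw a login form
    posts = defaultdict(list)   # timestamps of login POSTs to the secret URL
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Drop the query string and trailing slash before comparing paths.
        path = m["path"].split("?", 1)[0].rstrip("/") or "/"
        if path == SECRET_SLUG and m["method"] == "POST":
            posts[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
        elif path in DEFAULT_LOGIN_PATHS:
            probes[m["ip"]] += 1
    brute = set()
    for ip, stamps in posts.items():
        stamps.sort()
        # Flag an IP when more than MAX_POSTS submissions fall inside one WINDOW.
        for i in range(len(stamps) - MAX_POSTS):
            if stamps[i + MAX_POSTS] - stamps[i] <= WINDOW:
                brute.add(ip)
    return dict(probes), sorted(brute)

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

An IP in the second list is the case described above: the secret URL has been found, so it is time to change it and rely on the CAPTCHA or lockout behind it.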
This also makes you stand out as professionally securing your website, since you use a login URL that is obscure. I was impressed when I saw a couple clients send this rather than mentioning to login via
Popular Plugins to Choose to Secure WP Admin
Now that we have seen it’s a good idea to hide the WP Admin page rather than keep a last line of defense on the actual page itself, we can have a look at the plugins that can hide WP Admin.
View the top recommended plugins below:
1. iThemes Security
iThemes Security provides the Hide Admin feature through its ‘Obscure modules’. It also detects bots that attempt to search for WordPress vulnerabilities, and bans them if they do so.
2. Loginizer
Loginizer is a common plugin that you may see pre-installed by cPanel software installers. It is a good plugin for blacklisting or whitelisting the IP addresses of brute force attackers, and for adding other bits like a reCAPTCHA code from Google.
WordFence, its most popular rival, is more of a real-time vulnerability scanner that also reports insights on potential hackers. If you need to find out what’s trying to hack your WordPress site, then WordFence is a good tool to use. What it lacks is the ‘Hide Admin’ feature which iThemes Security has.
3. WPS Hide Login
The WPS Hide Login plugin is a slimmed-down version of iThemes Security’s Hide Admin feature. It does the job simply, but you might want the full security package that comes with iThemes Security instead.
Nevertheless, this plugin has a good number of reviews and seems to be regularly maintained by its developer, although I am concerned with the number of unresolved support tickets.
Best Choices for Securing WP Admin (Conclusion)
In short, it would be best to go for the iThemes Security plugin, as it provides the Hide WP Admin feature without the risk of plugin conflicts (something which stand-alone plugins have to deal with).
A stand-alone plugin to do this job is okay, but I am concerned with the overall compatibility between the stand-alone plugin and my other plugins. Since iThemes is a well-supported plugin and provides this Hide Admin feature, this is at the top of my list for plugins with the Hide Admin feature.
Also, iThemes Security has more reviews than WordFence at the current writing of this article, so I would place my bets on iThemes Security.
Thank you for reading! If you liked this article related to plugins you might also want to find out How to Install a Collection of your own plugins.
If you know of any other plugins that hide WP Admin, please share them in the comments and I’ll include them in the comparisons.