Whenever I look at the raw server log files for sites I manage, I always end up feeling that ignorance is bliss, because inevitably, in addition to finding the information I’m looking for, I see all kinds of activity that points to devious things going on.
Recently I noticed a bunch of brute force attacks going on against a WordPress site, and looking at others, I saw the same thing. So the first thing I did was install Login Security Solution on all my WordPress sites. This helped monitor the attacks and slow them down. It also showed that most attacks were against the user admin, which I always delete as a first step when setting up a new WordPress installation.
But a few of the smarter hackers were able to figure out the names of the actual admins for the site. The information on how to do that is out there on the web. So then I started adding denies for all those IP addresses to the site’s .htaccess file, but that quickly became a maintenance headache, since I was getting about 10-15 warning emails every day.
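As an added example (not code from this post, nor from either plugin it mentions), here is the log check and the deny-list step done in shell: it counts POSTs to wp-login.php per client IP in an Apache combined-format access log, flags the IPs that reach a threshold, and prints the .htaccess block that would deny them. A separate function lists IPs whose login POST was answered with a redirect, which is what a successful WordPress login looks like in the log, so you can see whether a flagged IP actually got in. The log lines and addresses are constructed for the example, the 5-attempt threshold is an arbitrary choice, and the output assumes Apache 2.4 `Require` syntax.

```shell
#!/bin/sh
# Added example, not code from the original post or from the plugins it mentions.
# Finds wp-login.php brute forcing in an Apache "combined" access log and turns the
# offending IPs into the kind of .htaccess denies the post describes.
# Assumptions: Apache 2.4 "Require" syntax; combined log format; a threshold of 5
# POSTs is an arbitrary example value. The log lines below are constructed for this
# example using RFC 5737 documentation addresses, not real traffic.

# 203.0.113.9 hammers the login form (a failed login re-renders the form with 200,
# and the ?action=lostpassword variant counts too); 198.51.100.4 is a real user who
# mistypes once and then succeeds (302 redirect); 192.0.2.7 only reads public pages.
SAMPLE_LOG='203.0.113.9 - - [10/Mar/2013:02:14:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2013:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2013:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2013:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2013:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2013:02:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2013:02:14:07 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 2810 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2013:08:30:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2013:08:30:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "http://www.mydomain.com/wp-login.php" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2013:08:30:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://www.mydomain.com/wp-login.php" "Mozilla/5.0"
192.0.2.7 - - [10/Mar/2013:09:01:00 +0000] "GET / HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
192.0.2.7 - - [10/Mar/2013:09:01:03 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"'

# Count POST requests to wp-login.php per client IP, read from stdin, highest first.
# In combined format $1 is the client IP, $6 is the quoted method ("POST), $7 the path.
login_post_counts() {
    awk '$6 == "\"POST" && index($7, "/wp-login.php") == 1 { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -k1,1rn -k2,2
}

# Print the IPs whose POST count to wp-login.php reaches the threshold (default 5).
brute_force_ips() {
    threshold=${1:-5}
    login_post_counts | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# IPs whose wp-login.php POST was answered with a 302: WordPress redirects to the
# dashboard on success, so cross-check these against brute_force_ips to see
# whether an offender got in rather than just trying.
successful_login_ips() {
    awk '$6 == "\"POST" && index($7, "/wp-login.php") == 1 && $9 == 302 { print $1 }' | sort -u
}

# Emit an Apache 2.4 .htaccess block denying the flagged IPs site-wide, which is
# what the post did by hand. Prints nothing if no IP reaches the threshold.
htaccess_deny_block() {
    ips=$(brute_force_ips "${1:-5}")
    [ -n "$ips" ] || return 0
    echo "<RequireAll>"
    echo "    Require all granted"
    printf '%s\n' "$ips" | while read -r ip; do
        echo "    Require not ip $ip"
    done
    echo "</RequireAll>"
}

# Stand-alone run over the constructed log. On a real server feed the access log:
#   htaccess_deny_block 5 < /var/log/apache2/access.log >> /path/to/site/.htaccess
printf '%s\n' "$SAMPLE_LOG" | htaccess_deny_block 5
```

Against the constructed log this prints one `Require not ip 203.0.113.9` entry; the legitimate user with two POSTs stays under the threshold and shows up only in `successful_login_ips`. The maintenance headache the post describes is built into this approach: attackers rotate addresses, so a generated list grows without bound unless old entries are pruned, and a site-wide deny will also lock out anyone who later inherits one of those dynamic addresses.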
I thought about implementing two other solutions: password-protecting the admin directory, or using .htaccess to allow only certain IP addresses to reach the admin directory.
The problem with the former is that while my computers would remember the directory password, if I ever needed to access the site from somewhere else, it would be one more password I would need to remember. The problem with the latter solution is that most people, including myself and my clients, have dynamic IP addresses, and it also assumes I’ll never need access from some different IP address when I’m traveling. That was the deal killer for that solution.
So I investigated further. It seemed the best thing to do would be to hide the wp-login.php file by putting it in a different directory, much as Zen Cart allows you to rename its admin directory. WordPress sadly doesn’t have such an ability built in, and it really should, seeing as it has become the new favorite target of hackers due to its immense popularity.
I did find a plugin though called Rename wp-login.php which does what I wanted. It allows you to change the login URL from www.mydomain.com/wp-login.php to www.mydomain.com/whatever. Not only does it hide the login URL, it also gives you an easier-to-type URL for the admin page.
After spending the day installing that plugin on all of the WordPress sites I maintain, I was dismayed to find that three sites were still being attacked. Checking those sites, I found that I had missed installing the plugin. Whew! So now, with those three sites also protected, I haven’t received any more warnings from Login Security Solution.
I would recommend installing both plugins on every WordPress site you maintain. There were other security plugins I came across, but these two were the easiest to install and configure.