
Why cybercriminals target the default WordPress login page, /wp-login.php

Rian Ouwendijk - October 3, 2023

WordPress login page

The default login page of a WordPress website is familiar to many and easy to find. Typically, it is accessed via routes such as yoursite.com/wp-login.php, yoursite.com/wp-login or yoursite.com/wp-admin, where "yoursite.com" of course stands for your site's actual web address. This predictability provides malicious actors with an ideal starting point for their attacks.

Every WordPress expert knows that on a default WordPress installation the login page is a favorite target: it is one of the most vulnerable points of any WordPress site. But what makes this page so attractive to cybercriminals? The answer lies largely in the technique of brute force attacks.

In a brute force attack, attackers use automated scripts to try numerous combinations of usernames and passwords to gain access. The predictability and familiarity of the /wp-login.php page make it an ideal place for them to carry out these attacks. By trying different combinations at lightning speed, they hope to eventually find the right login credentials. In this light, it is crucial to properly secure the WordPress login page, and in this article you will learn how to do that yourself.

Change the WP admin login URL with the plugin WPS Hide Login

The lightweight and free plugin WPS Hide Login allows you to easily and securely change the URL of the login page to an address of your choice. It does not change or rename any files in the WordPress core, nor does it add rewrite rules. Instead, it simply intercepts page requests and works on any WordPress website. The default wp-admin folder and wp-login.php page become inaccessible, so it is advisable to memorize the new URL or save it somewhere. If you deactivate this plugin, your site will return to its original state.

WPS Hide Login

To use WPS Hide Login:

  • Within the WordPress admin (the /wp-admin/ environment), go to Plugins › Add New.
  • Search for "WPS Hide Login".
  • Find the plugin, install it and activate it.
  • The page will redirect you to its settings. Here you can change your login URL.
  • You can always change this option later under Settings › WPS Hide Login.

It is important to understand that hiding your login page is only one step in securing your WordPress website. It is always a good idea to regularly evaluate your site's security and update as needed.

WPS Hide Login Settings

Shielding the WordPress login page from specific IP addresses via .htaccess

An alternative or complementary strategy for securing your login page is to allow access only from certain IP addresses. This is particularly useful if you and your team always connect from a fixed IP address. Here's how to set this up:

  • Back up your website and .htaccess file first. Before making any changes, it is always a good idea to make a backup of your website and of your current .htaccess file.
  • Open the .htaccess file. This file is located in the root folder of your WordPress installation. You can access this file via FTP or through your hosting account's cPanel.
  • Add the following code to your .htaccess file:

# Only the listed addresses may request wp-login.php; everyone else gets 403.
# This is the Apache 2.2 access-control syntax; on Apache 2.4 it needs
# mod_access_compat to be loaded (otherwise use the "Require ip" directive).
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
</Files>

  • Replace xxx.xxx.xxx.xxx with the IP address you want to allow. If you want to allow multiple IP addresses, add additional Allow from rules, such as:

Allow from xxx.xxx.xxx.xxx
Allow from yyy.yyy.yyy.yyy

  • Save the changes and upload the .htaccess file back to your server.
  • Test access. Try accessing your login page from a permitted IP address and from a non-permitted IP address to confirm that the restrictions are working correctly.

Notice: If you accidentally lock yourself out of your website, you can always open the .htaccess file via FTP or cPanel and delete the added lines.
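To avoid that lockout, the following script (added here, not code from the article or from WPS Hide Login) evaluates an Order/Deny/Allow block offline with Apache 2.2 semantics, so you can confirm which client addresses will get through before uploading the file. The sample addresses and the lockout variant are constructed; parsing is simplified to the "from all", single-address and CIDR forms.

```python
"""Offline check of an Apache IP allowlist for wp-login.php.

Added example, not from the article. Models Apache 2.2 'Order' / 'Deny' /
'Allow' evaluation so an allowlist can be verified before upload.
Rule parsing is simplified; all addresses below are constructed.
"""
import ipaddress

SAMPLE_HTACCESS = """\
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 203.0.113.10
Allow from 198.51.100.0/24
</Files>
"""
# Classic lockout mistake (constructed): Allow,Deny plus 'Deny from all' denies everyone.
LOCKOUT_HTACCESS = SAMPLE_HTACCESS.replace("Order Deny,Allow", "Order Allow,Deny")


def parse_rules(htaccess_text):
    """Collect Order/Deny/Allow directives inside the <Files wp-login.php> block."""
    order, deny, allow, in_block = "Deny,Allow", [], [], False
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("<files wp-login.php>"):
            in_block = True
        elif line.lower().startswith("</files>"):
            in_block = False
        elif in_block and line and not line.startswith("#"):
            parts = line.split(None, 2)          # e.g. ['Allow', 'from', '203.0.113.10']
            directive = parts[0].lower()
            if directive == "order":
                order = parts[1]
            elif directive in ("deny", "allow"):
                # several hosts may follow one 'from'
                (deny if directive == "deny" else allow).extend(parts[2].split())
    return order, deny, allow


def _matches(ip, targets):
    return any(t == "all" or ip in ipaddress.ip_network(t, strict=False) for t in targets)


def is_allowed(client_ip, htaccess_text):
    """Deny,Allow: Allow wins when both match, and an unmatched address is allowed.
    Allow,Deny: the address must match Allow and must not match Deny."""
    order, deny, allow = parse_rules(htaccess_text)
    ip = ipaddress.ip_address(client_ip)
    in_deny, in_allow = _matches(ip, deny), _matches(ip, allow)
    if order.replace(" ", "").lower() == "deny,allow":
        return in_allow or not in_deny
    return in_allow and not in_deny
```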

Bonus: The role of account enumeration and username guessing

Before cybercriminals turn to brute force attacks, they often use techniques such as account enumeration and username guessing. In account enumeration, attackers try to figure out which usernames are valid on a website. They do this by paying attention to specific error messages or system responses when entering different usernames. When guessing usernames, on the other hand, attackers rely on popular or common names, or use information obtained from other sources. By combining these techniques, cybercriminals can conduct their brute force attacks in a much more targeted and efficient manner, increasing their chances of success. It is therefore essential not only to secure your login page, but also to be alert for signs of these preparatory activities.
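As an added example of being alert to this kind of activity (not code from the article), the script below scans Apache access-log lines and flags addresses that post to wp-login.php many times within a short window, which is what the automated guessing described here and in the brute force section above looks like server-side. It assumes that a failed WordPress login re-renders the form with HTTP 200 while a successful one redirects with 302; the log lines are constructed.

```python
"""Flag brute-force bursts against wp-login.php in Apache access logs.

Added example, not from the article. Assumption: a failed WordPress login
answers 200 (form re-rendered) and a successful one 302, so many 200s on
POST /wp-login.php from one address in a short window is the automated
guessing the article describes. The log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
203.0.113.7 - - [03/Oct/2023:10:00:01 +0200] "POST /wp-login.php HTTP/1.1" 200 4210
203.0.113.7 - - [03/Oct/2023:10:00:01 +0200] "POST /wp-login.php HTTP/1.1" 200 4210
203.0.113.7 - - [03/Oct/2023:10:00:02 +0200] "POST /wp-login.php HTTP/1.1" 200 4210
203.0.113.7 - - [03/Oct/2023:10:00:02 +0200] "POST /wp-login.php HTTP/1.1" 200 4210
203.0.113.7 - - [03/Oct/2023:10:00:03 +0200] "POST /wp-login.php HTTP/1.1" 200 4210
203.0.113.7 - - [03/Oct/2023:10:00:03 +0200] "POST /wp-login.php HTTP/1.1" 200 4210
198.51.100.4 - - [03/Oct/2023:10:00:20 +0200] "POST /wp-login.php HTTP/1.1" 302 0
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]           # drop a query string such as ?redirect_to=
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], path, int(m["status"])


def find_bursts(log_text, threshold=5, window_seconds=60):
    """Return {ip: failed_posts} for addresses with >= threshold failures in any window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php" and rec[4] == 200:
            failures[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0                               # sliding window over sorted timestamps
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```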

Are you unsure about the security of your WordPress website? Then consider a WordPress pen test to get a clear picture of your site's current security status.

Discuss the possibilities

Are you looking for a partner to realize your ambitions? Do not hesitate and contact Systego.

  • Free Advice. Get acquainted without any obligation.
  • Response within 48 hours. You can expect a response soon.
  • No hidden fees. We are clear and honest about prices and what to expect.
