Why you shouldn’t hide your “wp-admin” or “wp-login” URL?

Security may be divided into three basic categories:

  • Security by design
  • Security by openness
  • Security by obscurity

Since WordPress is founded on the Open Design idea (it is licensed under the GPL), all of its components ought to be built in the same spirit. The first two categories have proven effective. Security by obscurity, on the other hand, is ineffective for protecting websites (or anything else).

Here's an analogy: the entry door of your house has a poor lock. Do you believe that putting a sticker over the lock every time you leave the house will keep anyone out?

Here's why hiding the login URL doesn't work:

  1. Automated attacks and attackers don't check for a login page before attacking; they go straight for a specific vulnerability.
  2. Even if wp-login.php is hidden, WordPress has other login paths, such as XML-RPC and the REST API (you cannot block the REST API because Gutenberg requires it, but you can disable XML-RPC).
  3. Attacks are designed to happen quickly. When login concealment makes the page load slowly, a brute-force attack turns into a DDoS attack.
  4. Other plugins have been known to clash with a customized login URL.
  5. Using one of the well-known (but pointless) login-hiding plugins shows that you don't understand WordPress or security.

What should you do instead of hiding it?

  1. Keep WordPress updated.
  2. Use SSL (HTTPS).
  3. Use strong passwords.
  4. Use two-factor authentication (2FA).
  5. Limit or block access to wp-admin (by IP address, if you can).

Two-factor authentication (2FA) is the safe and effective way to improve your website's security.
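Two of the points above, disabling XML-RPC and restricting wp-login.php and wp-admin to known IP addresses, can be done with a small must-use plugin. The code below is an added example written for this post, not code from WordPress or from any plugin; the allowed addresses are placeholders from the documentation range and the CIDR matcher handles IPv4 only.

```php
<?php
/**
 * Plugin Name: Harden Login (added example, not part of the original post)
 * Drop this file into wp-content/mu-plugins/ and WordPress loads it automatically.
 */

// 1. Turn off XML-RPC entirely. Gutenberg uses the REST API, not XML-RPC,
//    so the REST API is deliberately left untouched.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Addresses allowed to reach the login page and the admin area.
//    Placeholder values (RFC 5737 documentation range); replace with your own.
const HARDEN_LOGIN_ALLOWED_IPS = array( '203.0.113.10', '198.51.100.0/24' );

// Match a single IPv4 address against an exact address or an IPv4 CIDR rule.
function harden_login_ip_matches( string $ip, string $rule ): bool {
	if ( strpos( $rule, '/' ) === false ) {
		return $ip === $rule;
	}
	list( $subnet, $bits ) = explode( '/', $rule, 2 );
	$ip_long     = ip2long( $ip );
	$subnet_long = ip2long( $subnet );
	if ( false === $ip_long || false === $subnet_long ) {
		return false; // not a valid IPv4 address
	}
	$bits = (int) $bits;
	$mask = ( 0 === $bits ) ? 0 : ( ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF );
	return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

// Refuse the request unless the client address is on the allow list.
function harden_login_restrict(): void {
	// admin-ajax.php is called by the public front end; leave it reachable.
	if ( wp_doing_ajax() ) {
		return;
	}
	// Behind a reverse proxy REMOTE_ADDR is the proxy; configure the proxy to
	// set the real client address before relying on this check.
	$client_ip = isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '';
	foreach ( HARDEN_LOGIN_ALLOWED_IPS as $rule ) {
		if ( harden_login_ip_matches( $client_ip, $rule ) ) {
			return;
		}
	}
	wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}

// login_init fires in wp-login.php, admin_init on every wp-admin request.
add_action( 'login_init', 'harden_login_restrict' );
add_action( 'admin_init', 'harden_login_restrict' );
```

Restricting at the web server (Apache or nginx) achieves the same result earlier in the request path; the plugin form is shown here because it needs no server access and keeps the REST API available for the block editor.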

Post your questions in the comments section if you have any.


DesignThat Cloud