Protecting your WordPress Login Page


It comes as no surprise that WordPress powers nearly 20 percent of the websites on the internet. (That number does become surprising if you consider that over 70 percent of websites don’t use any content management system at all.) It’s the most ubiquitous CMS online. But along with this spotlight comes multiple security attacks on the well-known wp-admin folder used to access the backend of site.

Robots crawl WordPress sites looking for the wp-admin login page. Once internet robots find it, they attack the site in the simplest way possible – by continually hammering at the login page until they get in.

The bot cycles through common passwords, obscure passwords and everything in between. It takes longer for the bot to gain access depending on the complexity of the username and password. So, the first step in website security is arming yourself with secure login information.

No matter how long it takes, these brute-force attacks eat up server memory and cause problems with performance. One solution to this widespread problem is to hide the important WordPress directory by concealing it and making it un-readable to internet bots.

At Zenman, we’ve recently included WordPress login page obfuscation to our standard security package. We’re giving our clients another tool to fight against internet bots and giving internet bots a harder time hacking into sites.

To make this happen, we’ve taken advantage of cookie setting and the URL rewriting powers of the .htaccess file.

First, we block all access going directly to the wp-admin folder. When the server gets a request at www.example.com/wp-admin, it’ll throw back a 403 Forbidden error. Internet bots can’t even attempt to login at this point. The next step is enabling the wp-admin folder through another channel for human users of the site.

In a separate folder at the root of the site, named a random string of characters, a few lines of php code tells the server to set a cookie whenever you visit this separate folder in the site. It’ll look something like this: www.example.com/the-same-random-string-of-characters-here

Then we write a couple rules in the site’s .htaccess folder based around the cookie value set in the separate folder. The rules say, “If the cookie is set, rewrite the URL when you visit that random string of characters folder to visit the wp-admin folder.”

This way, we’re accessing the wp-admin login page through a side, more concealed, door rather than going to the login page directly.


Rewriting the URL disconnects the site files and the already created map the server uses to connect pages and site files. But it’s a clever way to serve up a page through an alternate URL. It’s often used in SEO practices so Google sees the “prettier version” of the URL. It would see www.example.com/about/ rather than www.example.com/site-file-name.php. This helps with usability, as well.


Various WordPress security plugins offer similar results but our solution eliminates excess files and functionality often found in plugins that aren’t needed for this extra layer of security. Other plugins can also be unnecessarily invasive to your site.

WordPress admin obfuscation is just one of many steps we take to ensure your site is protected from hackers in our standard package for clients. Here at Zenman, we’re also always open to upgrading clients to our premium security packages, especially if a site has sensitive information.

Calendar October 26, 2015 | User Corinne | Tag ,