One of the most common method of "hacking" WordPress, is the brute force attack. Hiding your login URL can help prevent this type of attack, and adds an extra layer of security to your website.
Brute force attacks are generally performed by scripts or "bots" automatically, and their sole purpose is to attempt to log in to a website or other service using as many different username and password combinations as possible, until it finds one that works.
It's one of the simplest forms of "hacking" and relies on you, the website owner, using a weak or commonly used password and/or username.
We strongly recommend using a username and password combination that you don't use on any other website, other than your own, and that you use a password that contains uppercase and lowercase letters, as well as numbers and special characters, and we also recommend that you do not use the username "admin" or "administrator" or anything else that would be commonly used as an administrator account.
Well, banks have a lock on their front door, but valuables are still kept in a vault, right? Simply put, your website can never be too secure, but it can be too insecure - if you can add an extra layer of security and don't have a good reason why you shouldn't, or can't, then you really should consider it, and as you'll see below, it's quick and easy too!
Hiding your WordPress login URL is quick and easy, if you're familiar with WordPress, you're most likely familiar with plugins, and that's what we'll be using. Even if you're not familiar, our simple steps outlined below will talk you through each step and hide your login URL for you.
Log in to your WordPress admin area and navigate to Plugins->Add New
We'll then use the search box to find our plugin, before installing it.
In the search box, search for WPS Hide Login you should then see a screen like this:
Click on install, then click on activate.
Once you've had the installation confirmation message, we need to go to Settings->WPS Hide Login where we'll be able to choose a new login URL, and where people should be directed if they attempt to use the original login URL
Once you've changed the URL and clicked on the save changes button, you'll need to use the new login URL for any new logins, if you visit the old URL you should be redirected to the page you selected (usually a 404/page not found error!). You now have a much greater level of protection against brute force style attacks.
If you've followed our instructions and have now forgotten the custom URL you set, and are unable to log in, you'll need to access the files on your webhosting server. Once you've logged in (either via SSH, file manager, or FTP) you'll need to navigate to the wp-content/plugins/ folder and remove the wps-hide-login folder. Once that's done, you'll be able to log in again via the standard /wp-admin/ or /wp-login.php link and set the plugin up again.