New WordPress Security Options - Pentestmag

New WordPress Security Options

New WordPress Security Options

by Bob Weiss

I have developed some expertise around the area of WordPress security. One of my clients has a WordPress site under development, and recently the web designer changed the name of the login URL from to  Basically, the wp-admin page name had been replaced with random characters.  I found out when I tried to log in using the usual URL.  I wondered if this was really an effective way to secure your login page from brute-force password attacks, so I looked through the WordPress codex and forums for other people’s opinions and experience.  In the course of my research, some other new ideas showed up as well.  I will discuss them in today’s post.

  • Changing Your Login URL – This can be accomplished through certain WordPress security plug-ins, such as iThemes Security, or using other plugins such as WPS Hide Login.  My take on this is that this is another “security by obscurity” idea, that really isn’t all that secure.  Eventually the URL will show up in Google search and be revealed with some simple Google dorking.  The big problem that I see is what happens if you forget your secret login URL?  What happens is your site is irretrievably broken, and can no longer be updated or developed.
    The thing is, if you have a decent security plug-in installed, and have done some rate throttling and login blocking on a series of password errors, as well as geo blocking, this is largely unnecessary.  Also, using two-factor authentication pretty much eliminates brute forcing from working, ever, even if they get the right password!  My recommendation – skip this.
  • Renaming the wp-admin folder – According to my research, this cannot be done without breaking a bunch of other stuff in WordPress.  In the forum queue I followed, there were some coders who had solutions, but nothing is supported in the Codex, and some future update could mess with your custom code and break your site. My recommendation – skip this.
  • Replace your user ID with your email address – The theory here is that your user ID on WordPress, especially your admin ID is too easily guessed.  True to a point.  But you should have changed your admin ID when you created your site, or created a new admin user and disabled the default admin account.  Email addresses, unfortunately, are not at all secret, yours has probably turned up in a  breach somewhere.  You can check it out on Have I Been PwnedIn reality, a well chosen user ID that is not based on your actual name is the best solution. 

You may run across these ideas online or at a seminar somewhere.  In my opinion, these steps are unnecessary because these either duplicate work done elsewhere, or they simply are dangerous to the long term health of your site.

About the author

Bob Weiss is Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Pratitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speakers at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.

The note was originally published at:


March 20, 2019
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013