New WordPress Security Options

I have developed some expertise in the area of WordPress security. One of my clients has a WordPress site under development, and recently the web designer changed the login URL from https://clientsite.com/wp-admin to https://clientsite.com/A9u3ycGH37. In other words, the wp-admin page name had been replaced with random characters. I found out when I tried to log in using the usual URL. I wondered whether this is really an effective way to protect a login page from brute-force password attacks, so I looked through the WordPress Codex and forums for other people’s opinions and experience. In the course of that research, some other new ideas showed up as well. I will discuss them in today’s post.

  • Changing Your Login URL – This can be accomplished through certain WordPress security plug-ins, such as iThemes Security, or through other plug-ins such as WPS Hide Login. My take is that this is another “security by obscurity” idea that really isn’t all that secure. Eventually the URL will show up in Google search results and be revealed with some simple Google dorking. The bigger problem I see is what happens if you forget your secret login URL: your site is irretrievably broken, and can no longer be updated or developed.
    The thing is, if you have a decent security plug-in installed and have set up rate throttling, login blocking after a series of password errors, and geo blocking, this is largely unnecessary. Also, using two-factor authentication pretty much eliminates brute forcing from ever working, even if the attacker gets the right password! My recommendation – skip this.
  • Renaming the wp-admin folder – According to my research, this cannot be done without breaking a bunch of other things in WordPress. In the forum discussion I followed, some coders had solutions, but nothing is supported in the Codex, and some future update could interfere with your custom code and break your site. My recommendation – skip this.
  • Replace your user ID with your email address – The theory here is that your WordPress user ID, especially your admin ID, is too easily guessed. True, to a point. But you should have changed your admin ID when you created your site, or created a new admin user and disabled the default admin account. Email addresses, unfortunately, are not at all secret; yours has probably turned up in a breach somewhere. You can check on Have I Been Pwned. In reality, a well-chosen user ID that is not based on your actual name is the best solution.
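The first bullet above argues that rate throttling and blocking logins after a series of password errors make a hidden login URL unnecessary. The block below is an added example, not code from the post or from any plug-in it names, that models that lockout policy and replays it over a few constructed login-log lines: an IP address is locked after 5 failures within a 15-minute window, a username after 10, each lock lasting 30 minutes, and a locked source is refused before the password is even checked. The thresholds, the log format and the addresses (RFC 5737 documentation ranges) are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginThrottle:
    """Sliding-window failed-login counter with temporary lockouts.

    Hypothetical policy values: 5 failures per IP or 10 per username
    inside `window` trigger a lockout of `lockout` duration.
    """

    def __init__(self, max_ip_failures=5, max_user_failures=10,
                 window=timedelta(minutes=15), lockout=timedelta(minutes=30)):
        self.max_ip_failures = max_ip_failures
        self.max_user_failures = max_user_failures
        self.window = window
        self.lockout = lockout
        self._ip_failures = defaultdict(deque)    # ip -> timestamps of failures
        self._user_failures = defaultdict(deque)  # username -> timestamps of failures
        self._locked_until = {}                   # ("ip", addr) / ("user", name) -> datetime

    def _prune(self, timestamps, now):
        # Drop failures that fell out of the sliding window.
        while timestamps and now - timestamps[0] > self.window:
            timestamps.popleft()

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        return until is not None and now < until

    def attempt(self, ip, username, success, now):
        """Decide one login attempt.

        Returns 'blocked'  (source locked; refused before the password check),
                'allowed'  (password was correct and nothing is locked),
                'failed'   (wrong password, counted but no lock yet), or
                'locked'   (this failure pushed a counter over its limit).
        """
        for key in (("ip", ip), ("user", username)):
            if self.is_locked(key, now):
                return "blocked"
        if success:
            # A successful login clears the counters for that IP and user.
            self._ip_failures.pop(ip, None)
            self._user_failures.pop(username, None)
            return "allowed"
        decision = "failed"
        for store, key, limit in ((self._ip_failures, ("ip", ip), self.max_ip_failures),
                                  (self._user_failures, ("user", username), self.max_user_failures)):
            timestamps = store[key[1]]
            timestamps.append(now)
            self._prune(timestamps, now)
            if len(timestamps) >= limit:
                self._locked_until[key] = now + self.lockout
                decision = "locked"
        return decision


# Constructed log format for the example (not a real WordPress log format).
LOG_LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def replay(lines, throttle=None):
    """Feed log lines through the throttle and return one decision per parsable line."""
    throttle = throttle or LoginThrottle()
    decisions = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # ignore malformed lines rather than failing the whole replay
        now = datetime.fromisoformat(match["ts"])
        decisions.append(throttle.attempt(match["ip"], match["user"], match["result"] == "ok", now))
    return decisions


# Constructed sample: one source brute-forcing "admin", then guessing right once locked.
SAMPLE_LOG = [
    "2024-05-01T10:00:01 ip=203.0.113.7 user=admin result=fail",
    "2024-05-01T10:00:02 ip=203.0.113.7 user=admin result=fail",
    "2024-05-01T10:00:03 ip=203.0.113.7 user=admin result=fail",
    "2024-05-01T10:00:04 ip=203.0.113.7 user=admin result=fail",
    "2024-05-01T10:00:05 ip=203.0.113.7 user=admin result=fail",   # 5th failure -> IP locked
    "2024-05-01T10:00:06 ip=203.0.113.7 user=admin result=ok",     # right password, still refused
    "2024-05-01T10:00:07 ip=198.51.100.9 user=admin result=fail",  # new IP, user counter at 6
    "2024-05-01T10:00:08 ip=192.0.2.5 user=editor result=ok",      # unrelated user logs in fine
    "2024-05-01T10:31:00 ip=203.0.113.7 user=admin result=fail",   # lock expired, window empty
]

if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG, replay(SAMPLE_LOG)):
        print(f"{decision:8} {line}")
```

The point the sixth line makes is the one the post relies on: once the source is locked, even a correct password gets "blocked", so the secrecy of the login URL buys nothing the lockout does not already provide. The per-username counter is what catches a distributed attempt that spreads guesses over many addresses.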

You may run across these ideas online or at a seminar somewhere. In my opinion, these steps are unnecessary because they either duplicate work done elsewhere, or they are simply dangerous to the long-term health of your site.

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
