iThemes Security Hide Backend

Hides the login page (wp-login.php, wp-admin, admin and login), making it harder for automated attacks to find and easier to use for people unfamiliar with the WordPress platform. If you forget your new login slug, the article below can help you find it.

I forgot my Hide Backend URL

Enable Hide Backend

You can enable this setting in Security > Settings > Advanced / Hide Backend.

Hide Backend Options

Login Slug

The login URL slug cannot be "login," "admin," "dashboard," or "wp-login.php" as these are used by default in WordPress. Note: The output is limited to alphanumeric characters, underscore (_) and dash (-). Special characters such as "." and "/" are not allowed and will be converted in the same manner as a post title. Please review your selection before logging out.

Register Slug

The URL/slug you want to use for site registration.

Enable Redirection

Instead of displaying a "403" error, you can choose to redirect to any page or post - your 404 page, or another page with on-screen instructions for your users.

Custom Login Action

WordPress uses the "action" variable to handle many login and logout functions. By default, this plugin can handle the normal ones, but some plugins and themes may use a custom action (such as logging out of a private post). If you need a custom action, please enter it here.

The idea behind hiding the wp-admin is that hackers can’t hack what they can’t find. If your login URL isn’t the standard WordPress /wp-admin/ URL, aren’t you protected from brute force attacks?

The truth is that most Hide Backend features are simply security through obscurity, which isn’t a bullet-proof security strategy.

While hiding your backend wp-admin URL can help to mitigate some of the attacks on your login, this approach won’t stop all of them.

We frequently receive support tickets from people who are perplexed at how iThemes Security Pro is reporting invalid login attempts when they have hidden their login.

That’s because there are other ways to log into your WordPress sites besides using a browser, like using XML-RPC or the REST API. After you change the login URL, another plugin or theme could still link to the new URL.
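As an added example (not part of the iThemes documentation or the plugin's code), this Python script sorts web access-log lines by the login path they touch, which shows why invalid-login reports continue after the slug is changed. The log lines, the slug my-team-login, the function names and the status-code conventions (403 for a refused direct hit, 401 for a failed REST authentication) are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/8.0"
198.51.100.4 - - [10/Mar/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 403 162 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:01:05 +0000] "GET /wp-json/wp/v2/users/me HTTP/1.1" 401 98 "-" "python-requests/2.31"
192.0.2.10 - - [10/Mar/2024:10:02:00 +0000] "GET /my-team-login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:10:02:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:10:03:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(method, path, status, login_slug):
    """Map one request to the authentication vector it touches, or None."""
    path = path.split("?", 1)[0].rstrip("/")
    if path == "/xmlrpc.php" and method == "POST":
        return "xmlrpc"                 # never passes through the login slug
    if path.startswith("/wp-json") and status == "401":
        return "rest_api_401"           # failed REST authentication (assumed 401)
    if path == "/" + login_slug:
        return "custom_slug"
    if path == "/wp-login.php":
        # Assumed: 403 is a refused direct hit; other codes followed the slug redirect.
        return "default_login_blocked" if status == "403" else "default_login"
    return None

def auth_vectors(log_text, login_slug):
    """Count (vector, client_ip) pairs for every auth-related request."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, method, path, status = m.groups()
            vector = classify(method, path, status, login_slug)
            if vector:
                counts[(vector, ip)] += 1
    return counts

def bypassing_sources(counts, threshold=3):
    """IPs at or above threshold on vectors that Hide Backend does not cover."""
    return sorted(ip for (v, ip), n in counts.items()
                  if v in ("xmlrpc", "rest_api_401") and n >= threshold)

if __name__ == "__main__":
    for (vector, ip), n in sorted(auth_vectors(SAMPLE_LOG, "my-team-login").items()):
        print(f"{vector:22} {ip:15} {n}")
```
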

In fact, the Hide Backend feature doesn’t really change anything. Yes, it does prevent most users from directly accessing the default login URL. But after someone enters the custom login URL, they are redirected back to the default WordPress login URL.

The truth is that you can’t completely hide the backend login page of your WordPress website.

If you were to change the wp-admin URL, you would break your site. Everything you install on your site, including WordPress, assumes that /wp-admin will be in the URL. When you do something as basic as creating a post, you have to go through the wp-admin before you get to /wp-admin/post.php.

Customizing the login URL is also known to cause conflicts. Some plugins, themes or third-party apps hard-code wp-login.php into their code base. So when a hard-coded piece of software looks for yoursite.com/wp-login.php, it finds an error instead.

A brute force attack is a trial-and-error method used to obtain information such as a username or password. In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data.
