I’ve been going through a nightmare of trying to secure our blogs now that the internet is a playground for hackers (can you hear them laughing?). Renaming the WordPress login URL is a bit amateurish of a solution, I’ve been told, but it appears to be quite effective as a basic security measure. Problem is, many of the wp-login.php renaming plugins and WordPress mods don’t play well with other plugins. This one worked for me.
I’d give it 5 stars, but was disappointed when I got ready to pay for the deluxe version and found it would be a yearly wallet ding. A paid “subscription” for a small trivial plugin just doesn’t work. Am happy to pay once, then pay every so often for a major upgrade if necessary.
In case anyone is curious, here are the steps we are taking to secure our WordPress admin/login, somewhat listed in order of importance from most to least:
1. Bought SSL and configured so it’s forced for admin.
2. Whitelisted admin IPs, all others blocked; this was implemented by the managed server company, not us, to block what were essentially DDoS attacks due to the number of login brute force attempts.
3. Country blocked the whole world from admin, other than current country we are in.
4. Login attempt limiter plugin, in case other measures fail or are hacked.
5. Got rid of “Admin” user name, but of course.
6. Created special users that never author a post, are only used for admin, so they remain more private and are easily deleted if compromised.
7. Adjusted all user roles to absolute minimum capabilities, on an as-needed basis.
8. Public user display names are not login names.
9. Rename of login URL, using this plugin!
Read it and weep, and pray that the WordPress developers get more aggressive with building security features into the core. Then you might have some time to actually write a blog post (grin).