WordPress.org

Forums

[resolved] FEATURE REQUEST - Custom wp-admin.php naming (5 posts)

  1. jeremyduffy
    Member
    Posted 4 years ago #

    I've hidden the link to my administration page (the login button), but that doesn't matter because the bad guys know to just load http://www.mysite.com/wp-admin. What if we could specify in code somewhere or options a different, custom name for our administration page? Like maybe I call mine florby.php?

    This would require that the code be altered to point to a variable instead of being hard-coded for wp-admin, but it's not a terribly horrible request I figure.

    Am I right in thinking this would make it just a little bit harder for evil-doers?

  2. Yes, but not enough harder. Security through obscurity doesn't help as much as it should, since at some point, you have to access the URL, and it can get scraped.

    See http://codex.wordpress.org/Hardening_WordPress#Securing_wp-admin for better ways to protect your wp-admin section.

  3. jeremyduffy
    Member
    Posted 4 years ago #

    Clearly this isn't a foolproof option, but I believe it would significantly reduce the bad-guy's ability to script their attacks. Either that or make the attacks more noticeable since they'd first have to find the administration page.

    Even better, I could code my page to trap anyone or block them if they try to load wp-admin.

    There are a lot of options so I'd like to see this implemented if possible.

    But I hadn't seen that link before so thanks for that :)

  4. The amount of work that would go into making that doable is not-insignificant, and the number of attacks it would prevent would be so small as to make the effort basically wasted.

    http://codex.wordpress.org/Hardening_WordPress#Security_through_obscurity explains what you CAN do that way to make it a bit safer, but if I could find the link, I'd toss you to the one which explains why your theory, while sound, simply doesn't work in the long run and is wasted effort. It IS a great idea, but it doesn't consider the fact that most attacks are via bots, who know very well how to scan :/

    I'd suggest, instead of putting in that effort, to make sure of the following:

    1) My SERVER has good security - That if someone logs in as me, they can only screw up ME and not anyone else on the server.
    2) My server has a good firewall.
    3) That I'm using good file/folder permissions
    4) I have a good password
    5) I'm not doing something stupid (like the ONE time my server was hacked, I was on a non-virus protected Windows XP box, and I saw a weird pop-up. I KNEW I should use ssh/sftp but I didn't. I was an idiot).

    For plugins, try things like Login Lockdown and Bad Behavior to stop hack attempts. Also consider these: http://www.wptavern.com/top-5-wordpress-security-tips-you-most-likely-dont-follow

    There's a LOT you can do to make things safer, but moving wp-admin won't help in the long run, since that's generally NOT the point of attack anyway.

  5. jeremyduffy
    Member
    Posted 4 years ago #

    Ipstenu: if you what you say is true that it would be difficult and not very useful, then nevermind.

    I'll check out the plugins too, but I sure wish I could SSL to my admin page :(

    My server charges extra for SSL certificates (but luckily not for secure FTP)

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags