Hi @mountainguy2,
This is indeed an interesting remark and we ought to clarify.
A URL and a username are quite distinct; a URL is an address to a resource. A username is a factor in your set of credentials.
One important difference is that the login URL is a part of your system that many other parts of the system may depend on, which means you risk breaking functionality if you modify it in some way; that is not the case for your username.
Nothing in the system depends on the username being “admin”.
There are several ways of logging in other than wp-login.php: xmlrpc.php and, to some extent, the REST API (authenticated requests).
If you are the only person using the site, you can go ahead and block all of these if you so choose.
However, if you want other people to be able to use it (co-admins, subscribers, etc.), then the system will have to work in an expected way.
Also, if you want to be able to use plugins like Jetpack, you can’t block all the aforementioned login methods because the plugin won’t work.
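The three entry points named in the reply above (wp-login.php, xmlrpc.php and the REST API) can each be restricted from inside WordPress rather than by deleting core files, which a core update would simply restore. The following must-use plugin is an added example written for this page; it is not Wordfence's code and not part of WordPress core. The allow-list addresses, the file location under wp-content/mu-plugins/ and the function names are assumptions for illustration. Every hook it uses (`xmlrpc_enabled`, `wp_headers`, `rest_authentication_errors`, `login_init`) is a real WordPress filter or action.

```php
<?php
/**
 * Plugin Name: Lock down alternate login paths (added example, not Wordfence code)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads before ordinary
 * plugins. The allow-list below and the function names are assumptions
 * made for this example; adjust them for your own site.
 */

// Hypothetical admin source addresses (IPv4, single host or CIDR). Behind a
// CDN or reverse proxy REMOTE_ADDR is the proxy, so resolve the real client
// address first or this allow-list will either block everyone or no one.
const LOCKDOWN_ALLOWED_IPS = array( '203.0.113.10', '198.51.100.0/24' );

/** True when $ip lies inside $cidr ("a.b.c.d" or "a.b.c.d/n"), IPv4 only. */
function lockdown_ip_in_cidr( $ip, $cidr ) {
    list( $net, $bits ) = array_pad( explode( '/', $cidr, 2 ), 2, 32 );
    $ip_n  = ip2long( $ip );
    $net_n = ip2long( $net );
    if ( false === $ip_n || false === $net_n ) {
        return false; // malformed input never matches
    }
    $mask = ( 0 === (int) $bits ) ? 0 : ( ( ~0 << ( 32 - (int) $bits ) ) & 0xFFFFFFFF );
    return ( $ip_n & $mask ) === ( $net_n & $mask );
}

/** True when the current request comes from an allow-listed address. */
function lockdown_request_allowed() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach ( LOCKDOWN_ALLOWED_IPS as $cidr ) {
        if ( lockdown_ip_in_cidr( $ip, $cidr ) ) {
            return true;
        }
    }
    return false;
}

// 1. XML-RPC: disable it outright. Jetpack and the WordPress mobile apps
//    authenticate through xmlrpc.php, so leave this out if you rely on them.
add_filter( 'xmlrpc_enabled', '__return_false' );
// Stop advertising the endpoint: the RSD <link> in <head> and X-Pingback header.
remove_action( 'wp_head', 'rsd_link' );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 2. REST API: refuse every request that has no logged-in user. wp-admin's
//    own cookie-and-nonce requests still pass because the user is already
//    set by the time this filter runs. Anything that needs anonymous REST
//    reads (some themes, blocks and plugins) will break, so test first.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( true === $result || is_wp_error( $result ) ) {
        return $result; // another handler already decided
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_login_required',
            'Authentication required.',
            array( 'status' => 401 )
        );
    }
    return $result;
} );

// 3. wp-login.php: an IP allow-list rather than a renamed URL. Nothing else
//    in WordPress depends on who may reach the form, so this does not break
//    the redirects and plugins that hard-code the path.
add_action( 'login_init', function () {
    if ( ! lockdown_request_allowed() ) {
        status_header( 403 );
        nocache_headers();
        exit( 'Forbidden' );
    }
} );
```

Because this is a must-use plugin it cannot be deactivated from the dashboard; if the allow-list is wrong you will need file or shell access to remove it, so keep a second way in before enabling step 3. Each step is independent: a site that depends on Jetpack keeps XML-RPC and applies only steps 2 and 3, which is the trade-off the reply above describes.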
Thanks for the clarifications, in our case we only have a couple of admins for each website, and they rarely change, so obscuring standard login as well as simply deleting things such as xmlrpc is working nicely for us. I’m not sure deleting a file or otherwise causing a file to disappear is “security through obscurity,” it’s more like “security through deletion.” In any case, too bad you guys won’t give us a built-in login obfuscation, but your reasons are clear.
As for keeping systems working in the expected way, noble sentiment, but install any one of thousands of plugins, and chances are a new admin will see something quite unfamiliar anyway.
MTN
I’d add one other thing: there is a social contract (or so we hope). An enormous amount of money and time is being spent on bandwidth and other issues created by bots. Much of this bot traffic is based on standardized WordPress components that are incredibly easy to attack programmatically. If these components had more of a tendency to be obscured, and if developers would pay more attention to the social contract and help with “obscurity,” bot traffic would diminish to at least some degree. I’m an example. By doing country blocking and other obscurity measures, I’ve kept my bandwidth under a threshold that would cost me upwards of $600/year to increase to the next ISP level. Clearly, security through obscurity is saving me thousands of dollars. I’d encourage everyone to try it, despite what Wordfence says.
MTN
Hi @mountainguy2,
Thanks for sharing this. It’s a very good point.
I passed it on to the team so we can include it in our discussions about hiding the WordPress login page.
This reply was modified 8 years, 6 months ago by wfyann. Reason: Fixed spelling
Perhaps we should call it “efficiency through obscurity” so we get away from your forbidden concept of “security through obscurity.”