Title: Hide WordPress Login Last modified: October 29, 2017 --- # Hide WordPress Login * Resolved [mountainguy2](https://wordpress.org/support/users/mountainguy2/) * (@mountainguy2) * [8 years, 6 months ago](https://wordpress.org/support/topic/hide-wordpress-login/) * Interesting, Wordfence has come out against hiding WordPress login, due to their aversion to “security through obscurity.” On the other hand, they recommend using a unique admin name rather than the default “admin” that WordPress installs with. In my mind, changing the default admin user name is also “security through obscurity.” Following the Wordfence logic trail, should we now not bother changing the WordPress default admin name? * [https://www.wordfence.com/blog/2017/10/should-you-hide-wordpress-login-page/](https://www.wordfence.com/blog/2017/10/should-you-hide-wordpress-login-page/) * Me, I’ll continue to hide my WordPress login page as well as use a hidden and unique login user name. I’ll also change the name of any default WordPress components as is humanly possible (for example, renaming all readme files). Security through obscurity works, in my opinion. * Come to think of it, doesn’t Wordfence rename at least one readme file? Security through obscurity? * But what say you Wordfence, obscure the WordPress login name but leave the login page for all to see? What’s the difference? * MTN Viewing 5 replies - 1 through 5 (of 5 total) * [wfyann](https://wordpress.org/support/users/wfyann/) * (@wfyann) * [8 years, 6 months ago](https://wordpress.org/support/topic/hide-wordpress-login/#post-9637505) * Hi [@mountainguy2](https://wordpress.org/support/users/mountainguy2/), * This is indeed an interesting remark and we ought to clarify. * A URL and a username are quite distinct; a URL is an address to a resource. A username is a factor in your set of credentials. * One important difference is that the login URL is a part of your system that many other parts of the system may depend on, which means you risk breaking functionalities if you modify it in some way; that is not the case for your username. Nothing in the system depends on the username being _“admin”_. * There are several ways of logging in other than the _wp-login.php_: _xmlrpc.php_ and the _REST API_ to some extent (authenticated requests). * In case you are the only person using the site, then you can go ahead and block all of these if you so choose. However, if you want other people to be able to use it (co-admins, subscribers, etc…) then the system will have to work in an expected way. * Also, if you want to be able to use plugins like _Jetpack_, you can’t block all the aforementioned login methods because the plugin won’t work. * Thread Starter [mountainguy2](https://wordpress.org/support/users/mountainguy2/) * (@mountainguy2) * [8 years, 6 months ago](https://wordpress.org/support/topic/hide-wordpress-login/#post-9637991) * Thanks for the clarifications, in our case we only have a couple of admins for each website, and they rarely change, so obscuring standard login as well as simply deleting things such as xmlrpc is working nicely for us. I’m not sure deleting a file or otherwise causing a file to disappear is “security through obscurity,” it’s more like “security through deletion.” In any case, too bad you guys won’t give us a built-in login obfuscation, but your reasons are clear. * As for keeping systems working in the expected way, noble sentiment, but install any one of thousands of plugins, and chances are a new admin will see something quite unfamiliar anyway. * MTN * Thread Starter [mountainguy2](https://wordpress.org/support/users/mountainguy2/) * (@mountainguy2) * [8 years, 6 months ago](https://wordpress.org/support/topic/hide-wordpress-login/#post-9641572) * I’d add one other thing, there is a social contract (or so we hope). An enormous amount of money and time are being spent on bandwidth and other issues created by bots. Much of this bot traffic is based on standardized WordPress components that are incredibly easy to attack programmatically. If these components had more of a tendency to be obscured, if developers would pay more attention to the social contract and helping with “obscurity” bot traffic would diminish to at least some degree. I’m an example. By doing country blocking and other obscurity measures, I’ve kept my bandwidth under a threshold that would cost me upwards of $600/year to increase to next ISP level. Clearly, security through obscurity is saving me thousands of dollars. I’d encourage everyone to try it, despite what Wordfence says. MTN * [wfyann](https://wordpress.org/support/users/wfyann/) * (@wfyann) * [8 years, 6 months ago](https://wordpress.org/support/topic/hide-wordpress-login/#post-9670970) * Hi [@mountainguy2](https://wordpress.org/support/users/mountainguy2/), * Thanks for sharing this. It’s very good point. * I passed it on to the team so we can include it in our discussions about hiding the WordPress login page. - This reply was modified 8 years, 6 months ago by [wfyann](https://wordpress.org/support/users/wfyann/). Reason: Fixed spelling * Thread Starter [mountainguy2](https://wordpress.org/support/users/mountainguy2/) * (@mountainguy2) * [8 years, 6 months ago](https://wordpress.org/support/topic/hide-wordpress-login/#post-9671075) * Perhaps we should call it “efficiency through obscurity” so we get away from your forbidden concept of “security through obscurity.” Viewing 5 replies - 1 through 5 (of 5 total) The topic ‘Hide WordPress Login’ is closed to new replies. * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865) * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/) * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq) * [Support Threads](https://wordpress.org/support/plugin/wordfence/) * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/) ## Tags * [Brute](https://wordpress.org/support/topic-tag/brute/) * [force](https://wordpress.org/support/topic-tag/force/) * [hide](https://wordpress.org/support/topic-tag/hide/) * [login](https://wordpress.org/support/topic-tag/login/) * 5 replies * 2 participants * Last reply from: [mountainguy2](https://wordpress.org/support/users/mountainguy2/) * Last activity: [8 years, 6 months ago](https://wordpress.org/support/topic/hide-wordpress-login/#post-9671075) * Status: resolved