Thanks for reaching out.
We’ve found most attacks aren’t targeted. They follow a shotgun approach. So whatever bot or script that happens on your site will just try hitting known vulnerable URLs, hoping that your site is using one of the affected versions of a vulnerable plugin. They don’t really know if the plugin is there. You’ll likely see vulnerable URLs for CMS’s that you aren’t using too. Exploitable URLs for Joomla, Drupal, etc might be seen too.
If someone wants to see what plugins you have bad enough there are ways to do that. Hiding your login is no longer really considered a security solution. We currently do not offer a feature for changing the wp-admin URL for three primary reasons:
1. Changing WordPress URLs involves a risk of breaking functionality of WordPress themes and plugins. For example, WordPress JavaScript XMLHttpRequest object (AJAX) functions are triggered via admin-ajax.php which is located in wp-admin folder.
2. Changing the URL makes us feel more secure but it does not actually make the site more secure. It is what many security analysts refer to as “security through obscurity”. It’s like boarding up the front door of your home to protect yourself against a burglary. Someone looking for a quick break in may be deterred, but any seasoned thief is just going to go look for another door or windows to get in. Any serious attacker will anticipate this and look for other ways in too.
3. More than half of all login attempts that are made on WordPress sites are made via xmlrpc.php. Those will not be stopped by changing your admin URL. If you want to block this you can in the Wordfence plugin on the Login Security > Settings page. Please see the warning before you do. If you use some features of Jetpack or remote posting with the WordPress app, you cannot block XMLRPC.
Additionally, if you change the wp-admin or wp-login URLs you also lose visibility on who is attempting to log in to your site and when they are doing it since we’re not looking for logins on a random URL that someone made up.
I hope this helps.
Tim
Thank you so much I really appreciate it. All that makes perfect sense!
So stating that hackers “scan” for certain themes and plugins is only true in some cases and hiding themes and plugins dont really help if they are attempting to attack you in the method you mentioned above?
-
This reply was modified 3 years ago by
GoldieGal.
Most aren’t targeted. By targeted I mean someone specifically trying to compromise your particular site. They might try to find the plugins and theme that you use, etc and use that to get in. Most of the time it is random where they try these exploits on hundreds of sites. That’s what usually happens. Hiding the plugins and themes really isn’t a good solution. A much better solution is keeping all of the themes and plugins (and WordPress!) updated. Updating is one of the best ways to make sure you stay safe.
Tim
