It appears that the number of brute-force password attacks has been increasing exponentially lately. Several of my WordPress sites have been getting hammered almost daily without fail.
Previously, we discussed how to secure your WordPress site. But hackers are getting clever, and we must stay in front of the ball to keep from getting knocked out of the game.
After some investigation into what I could do to block would-be hackers from attacking my site, I went through a list of possibilities.
- Add another WordPress plugin for more security. The downside is that this could slow down my websites, it is another plugin to maintain, and it might just not work.
- Create a web-server-level password to block hackers. This sounds good in principle, but the hackers will just run their brute-force password cracker on this password next.
- Just like in most spy movies, the idea is that what people can't see, they won't find.
So number 3 is what I decided on. By default, on practically every WordPress site on the internet, the login page is in the default place (www.yourdomain.com/wp-admin). So why don't we move the "wp-admin" login page to another name? This not only makes your site a non-default installation, but it will also take a hacker considerably more time to find the new name of the login page. Kinda brilliant, huh?
First, I started hacking on my web server and changing things around when a lightbulb went off. "Yeah, hello?" I asked myself. "Stop trying to reinvent the wheel and look to see if someone else has already done the work."
Well, I found the plugin Rename wp-login.php. It works great. I installed it, and almost immediately my web server logs went back to normal event traffic. Wow, what a relief. Since renaming the wp-admin on my sites, I have yet to receive an alert of a brute-force attack.
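To confirm from the access log that login attempts against the default paths have stopped being served, a check like the following can be run before and after the rename. It is an added example, not part of the original post or the plugin. It assumes the web server writes Combined Log Format and that the old path answers 404 once renamed; the log lines, the `summarize` function and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Combined Log Format: ip - user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Default WordPress login locations named in the post.
DEFAULT_LOGIN = re.compile(r'^/(wp-login\.php|wp-admin/?)(\?|$)')

def summarize(lines, threshold=3):
    """Count POSTs to the default login paths per client IP.

    Returns (noisy, still_served):
      noisy        -- {ip: count} for IPs with at least `threshold` attempts
      still_served -- attempts answered with anything other than 404;
                      assumed to be 0 once the login page is renamed
    """
    per_ip = Counter()
    still_served = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line, or not a credential submission
        if not DEFAULT_LOGIN.match(m["path"]):
            continue  # some other URL on the site
        per_ip[m["ip"]] += 1
        if m["status"] != "404":
            still_served += 1
    noisy = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return noisy, still_served

# Constructed sample lines (documentation IP ranges, not real traffic).
T = "[10/Oct/2023:13:55:36 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {T} "POST /wp-login.php HTTP/1.1" 200 3456 "-" "x"',
    f'203.0.113.7 - - {T} "POST /wp-login.php HTTP/1.1" 200 3456 "-" "x"',
    f'203.0.113.7 - - {T} "POST /wp-login.php HTTP/1.1" 404 512 "-" "x"',
    f'198.51.100.4 - - {T} "GET /wp-login.php HTTP/1.1" 200 3456 "-" "x"',
    f'192.0.2.9 - - {T} "POST /wp-admin/ HTTP/1.1" 404 512 "-" "x"',
    f'192.0.2.9 - - {T} "POST /contact HTTP/1.1" 200 120 "-" "x"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A non-zero `still_served` after the rename means the default path is still reachable, and a long `noisy` list shows that bots keep probing the old location even though nothing answers there.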