An easier/built-in way for users to change the login URL/admin path from the default would be nice. I think that if it was a built-in option, it might encourage more people to do it. Purely as an example:
Read-only archive : Issues · ClassicPress/ClassicPress · GitHub
Author : Daniel Hendricks
Vote count : 22
Status : open
Comments
I don’t know how to link an image here. Markdown didn’t work. Attempt #2:
If that didn’t work, here it is: https://snag.gy/gFw4Vo.jpg
~ posted by Daniel Hendricks
I can accept the argument that it won’t protect you from bots, I suppose (I mean, I certainly wouldn’t have recommended it as the only thing that you should do). As far as it breaking 1001 different things - I do it on every site that I create. I have not yet encountered an issue. It should be noted, however, that I am not talking about renaming the actual directory, but aliasing it like many of the security plugins do (which maintains the actual path, greatly reducing the likelihood that it will break poorly-developed plugins/themes).
Regardless, I am willing to concede because @invisinet made a valid point. I wonder, however, why so many articles/security plugins recommend it. False sense of security for purposes of marketing?
A part of me feels like it is a rather easy feature to implement, though perhaps unnecessary. I suppose that testing and support would not be as easy - it’s never pleasant when someone locks themselves out of WP Admin because they did something silly. Further, the type of person using ClassicPress to begin with probably already knows how to do such things if they want to.
~ posted by Daniel Hendricks
I represent the author of the Shield Security plugin and a long time ago we added the ability to “rename WP Login” - this also effectively makes the WP Admin return a 404 if you’re not logged-in. It “works” - there’s no accessing WP Admin (or login) without already being logged in. But frankly I wish I could remove the option as it represents “security” by obscurity and is a major support load as it does “break” some sites but more accurately it breaks the understanding and workflow of sites that users (who themselves have implemented the option) don’t fully appreciate.
It’s a massive headache for many, as it just adds obscurity and offers no true security benefits.
~ posted by Paul G.
There’s another petition very similar to this here
While security thru obscurity is not really security, it is a major problem in WP that every kiddo knows the log in URL of a WP install as well as its admin url.
Allowing to customise that, not only would avoid probably 90% of all brute force, but also actually help branding the tool (whether that be cp-admin or beda-admin).
However, I believe this is not easily possible because of several hardcoded instances of the wp-login and wp-admin inside core code.
Just scan the core code for wp-admin an…
james
October 2, 2021, 8:17pm
3
Setting this to close in a week, it doesn’t provide much real security but does break a lot of things.
The .htaccess tweak mentioned here is a good alternative. Another good security measure is to enforce password strength for all registered users.
1 Like
james
Closed
October 9, 2021, 8:17pm
4
This topic was automatically closed after 7 days. New replies are no longer allowed.