Choose login url instead wp-admin

Will be great to be able to choose the login name instead of just the plain wp-admin. of course some plugin does, but why not implemented?


Read-only archive: Issues · ClassicPress/ClassicPress · GitHub

Author: Joaquim

Vote count: 25

Status: open

Tags:

  • difficulty-moderate
  • request-modify-feature
  • request-add-feature

Comments

While security thru obscurity is not really security, it is a major problem in WP that every kiddo knows the log in URL of a WP install as well as its admin url.

Allowing to customise that, not only would avoid probably 90% of all brute force, but also actually help branding the tool (wether that be cp-admin or beda-admin)

However, I believe this is not easily possible because of several hardcoded instances of the wp-login and wp-admin inside core code.
Just scan the core code for wp-admin and wp-login to see the first has 31375 matches across 569 files, the second has 361 matches across 34 files

Non actionable, IMO, even if I very much would like to see it, it would require a full rewrite to make those hardcoded instances all dynamic using a $var, which is possible, however, I have yet to see the people available to do such monster-job in a proper amount of time.

Not to mention that those are often file names and I am not sure one could even “dynamically” rewrite a filename like wp-login.php to wp-anything.php (and that would be necessary at least to avoid the URL call to wp-login.php), without causing a ton of issues, and conflicts each time WP would update, and so on.

By what I know all plugins that allow to fully rename login and admin, are also all somehow broken or cause huge issues and conflicts with other code and plugins/themes. I have given up on renaming that when I started with WP back in 2012, exactly because there where just always issues with any solution found, or the solution found was working but not complete enough.

5 Likes

There are security plugins doing this. BUT a very big issue is that usually mishaps like being blocked out from your own site or fatal errors arise when using them

There are also better solutions to security by obscurity.

If I am not mistaken @anon71687268 coded htaccess rules to require a secure login to be loaded BEFORE accessing (or even loading) CP.

This IMHO is a better solution to protect admin access, paired with disabling registration for all other people.

Here’s the relevant post.

2 Likes

Is Shield Security among these plugins? I can’t be sure, cause I’m using my phone and can’t check my dev site, but if I remember correctly, it has this option to rename the login link. I’m planning to activate it once I’m done building.

If I use this on CP, where shall I put this on .htaccess? At the very top?

And this code does prevent robots, right, from accessing wp-login and xmlrpc, not just people?

Yes.

Yes, it prevents robots, people, plants, animals, insects, and a variety of microorganisms. :wink:

3 Likes

Setting this to close in a week, it doesn’t provide much real security but does break a lot of things.

The .htaccess tweak mentioned above is a good alternative. Another good security measure is to enforce password strength for all registered users.

1 Like

This topic was automatically closed after 7 days. New replies are no longer allowed.