12 comments

  1. You can disable the wp-login page from your functions by hooking into login_head:

    add_action( 'login_head', 'wp_die');
    

    (that’s obviously a very clumsy way of doing it, but it prevents anyone from being able to login through that page. You could make that a redirect function, or a warning message, rather than just a die.)

    And copy the existing wp-login file to another location, making sure to update the relative path to wp-load.php near the top (and any other relative paths that may be in there, including the links to itself and the form actions).

    (Obviously you’ll have to remove the action that you added to login_head here, otherwise you won’t be able to login from this page either.)

    Then, you should just need to add a filter to login_url that returns the address of your new login page, otherwise people requesting wp-admin files will be redirected to the old login page, which is now disabled.

    This isn’t a great security idea because the wp-login or wp-admin page in and of itself does not pose a security threat. Though it can be argued that if someone had your password/username they might not be able to find where to login, thus security through obscurity.

    As kronus said, you could probably do some fancy redirects; not sure how well that would scale with future releases or if it is even worth the trouble. Personally I don’t think it’s worth it, and I take security seriously.

    I would suggest some better ideas for your login.

    Enable SSL for the login/admin (https).

    Password protect your page using .htaccess (so you will have a double login).

    Use a plugin like Limit Login Attempts, which locks out a user after failed logins.
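
The lockout idea recommended in the comment above, written out as a small must-use plugin. This is an added example, not code from the thread or from the Limit Login Attempts plugin; the policy numbers (5 failures, 15 minutes), the `lla_` function names and the assumption that Apache sees the real client address (no reverse proxy) are all mine.

```php
<?php
/*
 * Plugin Name: Login attempt limiter (added example)
 * Description: Locks out an address after repeated failed logins, the idea behind
 * the "Limit Login Attempts" suggestion above. Drop into wp-content/mu-plugins/.
 */

// Assumed policy (not from the thread): 5 failures inside 15 minutes lock the
// address for 15 minutes. Every new failure restarts the window.
const LLA_MAX_FAILURES = 5;
const LLA_WINDOW       = 15 * MINUTE_IN_SECONDS;

// The client address. Assumption: no reverse proxy in front of Apache, so
// REMOTE_ADDR is the real peer. Behind a proxy, read the forwarded header only
// from that proxy; otherwise X-Forwarded-For is attacker-controlled and the
// lockout is trivially bypassed.
function lla_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient name for an address; hashed so long IPv6 strings stay inside the
// option-name length limit.
function lla_key( $ip ) {
    return 'lla_fail_' . md5( $ip );
}

// wp_login_failed fires for a bad username as well as a bad password.
function lla_record_failure( $username ) {
    $key   = lla_key( lla_client_ip() );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LLA_WINDOW );
}
add_action( 'wp_login_failed', 'lla_record_failure' );

// Priority 30 runs after core's username/password check (priority 20), so a
// locked-out address gets the lockout error even with the right password and
// never learns whether the username exists.
function lla_check_lockout( $user, $username, $password ) {
    $count = (int) get_transient( lla_key( lla_client_ip() ) );
    if ( $count >= LLA_MAX_FAILURES ) {
        return new WP_Error(
            'lla_locked_out',
            'Too many failed login attempts from your address. Try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'lla_check_lockout', 30, 3 );

// A successful login clears the counter for that address.
function lla_clear_on_login( $user_login, $user ) {
    delete_transient( lla_key( lla_client_ip() ) );
}
add_action( 'wp_login', 'lla_clear_on_login', 10, 2 );
```

Because the check sits on the `authenticate` filter rather than on a rewrite rule for wp-login.php, it also covers logins attempted through xmlrpc.php, which go through the same filter; an .htaccess rule that only watches wp-login.php leaves that path open.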

  3. None of these answers were especially useful. I question the motives of the OP, but here is how to do it. Add this to your functions.php, but make sure to replace “$login_page_id”:

    // Redirect plain GET visits to wp-login.php to your new page.
    // login_init fires at the top of wp-login.php; POST requests are left alone so the
    // form produced by wp_login_form() (which posts to wp-login.php) still works.
    add_action( 'login_init', 'custom_login_redirect' );
    function custom_login_redirect()
    {
        // Set your $login_page_id
        $login_page_id = 0; // replace 0 with the ID of your login page
        $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : 'login';
        if ( 'login' === $action && 'POST' !== $_SERVER['REQUEST_METHOD'] )
        {
            wp_safe_redirect( get_permalink( $login_page_id ) );
            exit;
        }
    }

    // This will replace the login URL used by WordPress (wp_login_url() and the
    // redirect that wp-admin sends logged-out users to)
    add_filter( 'login_url', 'custom_login_url', 10, 2 );
    function custom_login_url( $login_url = '', $redirect = '' )
    {
        // Set your $login_page_id
        $login_page_id = 0; // replace 0 with the ID of your login page
        $url = get_permalink( $login_page_id );
        return $redirect ? add_query_arg( 'redirect_to', urlencode( $redirect ), $url ) : $url;
    }
    

    On your new login page, you can simply add this function to show a login form:

    <?php wp_login_form(); ?>
    

    http://codex.wordpress.org/Function_Reference/wp_login_form
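
The same goal as the two PHP-hook answers above (wp-login.php no longer answers on its own URL, every WordPress-generated login link points somewhere else), done so that the login form, logout links and password-reset e-mails keep working. This is an added example and not code from any commenter; the secret path `secret-door`, the cookie name and the `hld_` function names are assumptions, and it is written as a must-use plugin for wp-content/mu-plugins/.

```php
<?php
/*
 * Plugin Name: Hidden login door (added example)
 * Description: Hides wp-login.php behind a secret path and a signed cookie.
 * Drop into wp-content/mu-plugins/.
 */

// Assumed names (not from the thread): the secret path and the cookie name.
const HLD_SLUG   = 'secret-door';
const HLD_COOKIE = 'hld_door';

// wp-login.php actions that stay reachable without the cookie: each carries its
// own nonce or key, and hiding them would break logout links and reset e-mails.
const HLD_OPEN_ACTIONS = array( 'logout', 'postpass', 'rp', 'resetpass', 'confirmaction' );

// Cookie value derived from the site's own auth salt, so a bot cannot simply
// send a cookie named hld_door with any value (the weakness of a bare
// "is there a PHPSESSID cookie" check in .htaccess).
function hld_cookie_value() {
    return hash_hmac( 'sha256', HLD_SLUG, wp_salt( 'auth' ) );
}

function hld_has_cookie() {
    return isset( $_COOKIE[ HLD_COOKIE ] )
        && is_string( $_COOKIE[ HLD_COOKIE ] )
        && hash_equals( hld_cookie_value(), $_COOKIE[ HLD_COOKIE ] );
}

// Step 1: a visit to /secret-door sets the cookie and forwards to wp-login.php,
// keeping any query string such as redirect_to.
function hld_open_door() {
    if ( empty( $_SERVER['REQUEST_URI'] ) ) {
        return;
    }
    $path = trim( (string) parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ), '/' );
    $base = trim( (string) parse_url( home_url(), PHP_URL_PATH ), '/' ); // subdirectory installs
    if ( $path !== trim( $base . '/' . HLD_SLUG, '/' ) ) {
        return;
    }
    setcookie( HLD_COOKIE, hld_cookie_value(), 0, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    $query = (string) parse_url( $_SERVER['REQUEST_URI'], PHP_URL_QUERY );
    wp_safe_redirect( site_url( 'wp-login.php' . ( $query !== '' ? '?' . $query : '' ) ) );
    exit;
}
add_action( 'init', 'hld_open_door' );

// Step 2: wp-login.php itself answers 404 to anyone without the cookie.
// login_init fires at the top of wp-login.php, after WordPress is loaded, for
// GET and POST alike, so bots posting credentials blindly are refused before
// any password is checked.
function hld_guard_login() {
    $action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : 'login';
    if ( in_array( $action, HLD_OPEN_ACTIONS, true ) || hld_has_cookie() ) {
        return;
    }
    status_header( 404 );
    nocache_headers();
    header( 'Content-Type: text/html; charset=utf-8' );
    // Plain page rather than wp_die(), whose markup still looks like WordPress.
    echo '<!DOCTYPE html><html><head><title>Not Found</title></head>'
       . '<body><h1>Not Found</h1></body></html>';
    exit;
}
add_action( 'login_init', 'hld_guard_login' );

// Step 3: every login link WordPress generates, including the redirect that
// wp-admin sends logged-out users to, points at the door instead of wp-login.php.
function hld_login_url( $login_url, $redirect = '' ) {
    $url = home_url( '/' . HLD_SLUG . '/' );
    return $redirect !== '' ? add_query_arg( 'redirect_to', urlencode( $redirect ), $url ) : $url;
}
add_filter( 'login_url', 'hld_login_url', 10, 2 );
```

The secret is the path: anyone who learns it gets the cookie, so this buys the "looks like no WordPress login here" effect against crawlers and blind POST floods, nothing more, and belongs alongside HTTPS and a failed-login limiter rather than in place of them.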

  4. In the five years that this question has been here, nobody has addressed the core issue: Security by obscurity is a valid technique to ward off automated bots and keep the logs clean. The goal of moving/hiding wp-admin is to appear to a bot that this is not a WordPress site.

    The way that I hide (but not move) wp-admin is to present to bots the standard 404 page when they try to access that URL. Only access from my home IP address allows the wp-admin page to return properly. This method looks to an attacker/bot as if wp-admin does not exist, yet it does not break core WP code or plugins that hard-code the wp-admin path. This .htaccess code does the deed:

    RewriteEngine On
    # Everything under /wp-admin returns 404 unless the request comes from your own
    # address (this also matches /wp-admin/admin-ajax.php, which some plugins call
    # from the front end). The dots are escaped because the pattern is a regex.
    RewriteCond %{REMOTE_ADDR} !^12\.34\.56\.78$
    RewriteRule ^/?wp-admin - [R=404,L]
    

    Of course, when using the code replace 12.34.56.78 with your own IP address. Don’t forget to escape the . characters as the IP address is interpreted as a regex.

  5. I came up with a solution for moving the WordPress login from /login/, /wp-admin/ or /wp-login.php to /cms using only .htaccess rewrite rules.

    No plugin needed!

    Paste this into the .htaccess file of the root of the project:

    <IfModule mod_rewrite.c>
        RewriteEngine On
        # Move login to /cms. Keep this block above the standard WordPress rewrite
        # block, otherwise its "RewriteRule . /index.php" catches /cms first.
        # A POST to wp-login.php that did not come from the /cms page is sent back to /cms.
        RewriteCond %{REQUEST_URI} wp-login\.php
        RewriteCond %{HTTP_REFERER} !/cms
        RewriteCond %{REQUEST_METHOD} POST
        RewriteRule ^ /cms?message=wrong_login_path [R=302,L]
        # Any other direct request for wp-login.php goes to /cms, unless it carries the
        # cms=unlocked marker added by the internal rewrite below (that stops a loop).
        RewriteCond %{REQUEST_URI} wp-login\.php
        RewriteCond %{QUERY_STRING} !^cms=unlocked
        RewriteCond %{REQUEST_METHOD} !POST
        RewriteRule ^ /cms?message=redirect_to_custom_login_path [R=302,L]
        # /cms is served by wp-login.php internally; QSA keeps ?action=logout&_wpnonce=... intact.
        RewriteRule ^cms/?$ wp-login.php?cms=unlocked [QSA,L]
    </IfModule>
    

    Cheers!

    Update:
    I improved some rules so even the POST requests to /wp-login.php will trigger a 403 forbidden error. This will help against bots that are trying to login to the dashboard using brute-force methods. Feel free to comment on this post if you have any improvements to these rules.

  6. OP, the best thing you could do for this matter is IP filtering: allow only those networks that are allowed to login to the WP-Admin area (e.g. your office IP, developers’ IP, etc.).

    ## .htaccess inside the wp-admin folder (Apache 2.2 syntax; on Apache 2.4
    ## use one "Require ip xxx.xxx.xxx" line per allowed network instead)
    order deny,allow
    deny from all
    allow from xxx.xxx.xxx
    allow from xxx.xxx.xxx
    allow from xxx.xxx.xxx
    
  7. Just build out new login pages in subdirs. Copy the existing wp-login page into a new directory in your webroot (maybe “/login”), rename it index.php, add a WordPress bootstrap to the top of the page, and do whatever you like with it (theming, etc).

    You do have to adjust the login page’s default code a bit, mostly to find/replace for hardcoded links and redirects to “wp-login.php”. But as long as you leave all the hooks and filters in place, this approach won’t mess up any plugin integration. And WordPress core updates are fine, unless the update includes changes to the wp-login page itself (which rarely happens in minor versions).

    You can also build out user account pages this way (I put them in the dir “/profile”). Once you’ve done that, subscriber-level users should never need to go into wp-admin, so you can protect it with an .htaccess file. This is the part that actually gives you the added security you were looking for. Just be sure to make an exception in your .htaccess for the admin-ajax file, since some plugins use it on the frontend.

    Pretty sure you’re not going to find a plugin-only solution. But if you do, let us know!

  8. You could use this plugin:

    http://wordpress.org/extend/plugins/wp-login/

    You can just create a page and tell the plugin that’s where the login is. But all it basically does is redirect wp-login.php to your “page”. So any bot searching for wp-login.php will just be redirected to your “page”.

    To protect your login page from bots you should use a combination of a cookie and .htaccess, as most bots don’t use cookies. Something like this:

    # Redirect requests for the comment, login and registration endpoints that have
    # no PHP session cookie, OR no referer from this site, OR an empty user agent
    # (the three conditions are chained with [OR]; all three are typical of bots).
    RewriteCond %{HTTP_COOKIE} !(^|;\s*)PHPSESSID=\w+ [OR]
    RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?example\.com/ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule ^wp-(comments-post|login|register)\.php$ http://example.com/ [R=301,L,NS]
    

    In the example above I’m using a PHP Session Cookie, since it’s the easiest to implement.

  9. This answer is an addition to dotancohen’s, because it is incomplete: dotancohen’s answer does not account for wp-login.php, which you should consider if you’re trying to obscure WordPress.

    Here’s how you 404 on both wp-admin and wp-login.php:

    RewriteEngine On
    RewriteCond %{REMOTE_ADDR} !^12\.34\.56\.78$
    # THE_REQUEST is the original request line, so this sees /wp-admin and
    # /wp-login.php as the client asked for them, before any internal rewrite
    RewriteCond %{THE_REQUEST} /+wp-(admin|login)
    RewriteRule ^ - [R=404,L]
    
  10. To modify logout URL (in admin) edit your functions.php:

    // Point the logout link at your own file instead of wp-login.php
    add_filter( 'logout_url', 'custom_logout_url' );
    function custom_logout_url( $logout_url )
    {
       return str_replace( 'wp-login', 'your_logout_file', $logout_url );
    }
    
  11. I solved this problem by deleting three of my blogs and changing the parameters of limit-login to the maximum possible (9999).

    For the one scum spammer at 208.91.199.94 who has hit my login page 750 times in the last two days, I am working on eliminating him other ways.