Hiding, Securing & Changing WP Admin

Estimated Read Time: 3 minutes

Once an open source system becomes as popular as WordPress it inevitably attracts attacks, and the login page is the obvious target: every installation exposes it at /wp-login.php and the admin area at /wp-admin, so scanners and brute-force bots know exactly where to look. I wonder why the folks at WordPress have not done more to harden the admin site by default.

The problem is that if you simply rename the wp-admin directory, your WordPress installation breaks. I looked for a plug-in that would let you move wp-admin somewhere else, or at least conceal it, and could not find one. The only write-up I found on how to do this is by Michi Kono, but the proposed solution has drawbacks, such as some links no longer working. You also have the option of restricting access to selected IP addresses via .htaccess, but if you are like most non-commercial internet subscribers you don’t have a static IP, which makes that impractical.

So here is another approach that makes WordPress harder to attack while keeping all of its functionality. wp-admin stays where it is; instead, the login page is only served after the browser has first visited a secret URL, and everything else that lands on wp-login.php (including the redirect WordPress issues for unauthenticated requests to /wp-admin) is sent back to the site root. The first thing to do is pick the name for that secret entrance. For the purposes of this tutorial we will call it “secure-login”.

Note: you are about to modify crucial files in your WordPress installation. Do this at your own risk, and please, please back up your files before you start.

Now open your .htaccess file and add the following line directly after the “RewriteBase” line, so that it is evaluated before WordPress’s catch-all rule:

RewriteRule ^secure-login$     wp-login.php [L,NC,QSA]

Your .htaccess should then look something like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^secure-login$ wp-login.php [L,NC,QSA]

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

This tells Apache to serve wp-login.php internally whenever “secure-login” is requested. It is a rewrite, not a redirect: the browser’s address bar (and PHP’s $_SERVER['REQUEST_URI']) still shows /secure-login, which the next step relies on. NC makes the match case-insensitive, QSA passes any query string through, and L stops rule processing. The rule must sit above the RewriteCond/RewriteRule pair that sends everything else to index.php; otherwise the catch-all wins and WordPress answers /secure-login with a 404.

Now we need to edit wp-login.php, which is located at the root of your installation. Add the following immediately after the opening <?php tag, before any of WordPress’s own code, so the check runs before anything is output or any cookies are set:

session_start();

// Split the requested path from its query string. The limit and padding make
// sure $arguments is an empty string (not an undefined offset) when the URI
// has no "?".
list($file, $arguments) = array_pad(explode('?', $_SERVER['REQUEST_URI'], 2), 2, '');

// Logout (wp-login.php?action=logout&_wpnonce=...): forget our sentinel but let
// WordPress run, so it actually clears its own auth cookies. WordPress then
// redirects to wp-login.php?loggedout=true, which the next branch handles.
if (substr($arguments, 0, 13) === 'action=logout')
{ $_SESSION = array(); session_destroy(); }

// Post-logout landing page: send the user to the site root instead of the form.
elseif ($file === '/wp-login.php' && strpos($arguments, 'loggedout=true') !== false)
{ session_destroy(); header('Location: /'); exit(); }

// If our sentinel is set and true do nothing, allow normal script execution.
// This is also what lets the login form's POST to /wp-login.php through.
elseif (!empty($_SESSION['valid_entrance'])) { /* As they say, "Silence is golden" */ }

// The right entrance (matched case-insensitively, like the NC rewrite rule):
// set the sentinel and let the login form load.
elseif (strcasecmp($file, '/secure-login') === 0)
{ $_SESSION['valid_entrance'] = true; }

// Anything else reaching wp-login.php without the sentinel is sent to root.
// Always exit after a redirect so the rest of wp-login.php cannot run.
else
{ header('Location: /'); exit(); }

That’s all. Unauthenticated requests to /wp-login.php or /wp-admin now land on the home page instead of the login form, so bots hammering the default URLs get nothing, while anyone who knows /secure-login gets the normal login flow. Don’t forget to upload your updated files to your server. A few caveats: this hides the login page rather than hardening it, so keep using strong passwords (the secret URL is a speed bump for scanners, not a substitute for credentials); the sentinel lives in the PHP session cookie, so once a browser has visited /secure-login it can reach /wp-login.php directly for the rest of that session; WordPress core updates overwrite wp-login.php, so you will need to re-apply the edit after every update; and WordPress regenerates everything between the # BEGIN WordPress and # END WordPress markers when you save the permalink settings, so check that the rewrite rule is still there afterwards (or place it, with its own RewriteEngine On, above the BEGIN marker).

I may do a plug-in whenever I find the time.

I would also recommend using Login Lockdown by Michael VanDeMar.

Let me know if you have any questions or recommendations for this.
