Change login URL

I have been having the same issue. In the last 24 hours, one low traffic site running Wordfence blocked 600+ login attempts. I have the attempts at 2, the logins are coming from tons of IP’s.

Enough is enough, I just completed the moving process of the login URL on site 1 and no emails for the last 30 minutes. Literally, they were coming constantly.

This is the plugin I am trying, which is in active development. It just adds a rule to the .htaccess file, changeing the location. Pretty simple, it seems the plugin shouldn’t be needed with properly written code for .htaccess but I didn’t try that for time concerns.

Just thought I would share an option that is working for me so far. I’m not the author or an affiliate either, just a happy user.

https://www.ads-software.com/plugins/sf-move-login/

Dan

Ugh we’re having this SAME exact issue. Is it possible to BLOCK “/WP-LOGIN.PHP” and then just whitelist yourself ?? I know you can block certain pages but it says in the Wordfence documentation that the page CANNOT exist to do this?

Wordfence is great for preventing them from actually breaking in … but since the bots can access WP-LOGIN.PHP from thousands of bots it still uses bandwidth. My site was just banned by my hosting provider for “abuse of resources” even though I have the most ridiculously tough Wordfence login settings. So now I need a solution instead of (or in addition to) Wordfence.

Are the plugins mentioned above legit ? Can anyone confirm ? Thanks

Update: I downloaded the “WPS Hide Login” plugin as Julie @ Nackery mentioned above (since she said it is actively maintained – not sure of the other plugins). It looks cool and the re-direct appears to be working fine with Wordfence. Time will tell if it keeps the bots/brute force attempts away – Thanks

We have heard of at least a few people using WPS Hide Login and Rename wp-login.php successfully. (See the quoted text from IvanRF above.) Some hosts may have trouble, possibly if the site used a “one-click” installer to install WordPress, but others may be fine.

This feature is also under consideration for a future Wordfence release. Thanks!

-Matt R

Hi again, just to confirm for those wondering that I’ve been using WPS Hide Login since I left my last message, and have had no problems. My install was indeed a one-click install, but that doesn’t seem to have been an issue for me. I also haven’t received any failed login attempt emails since then ??

Quick question for @wfmattr: I followed the instructions and added my new login URL to the list of cache exemptions since I’ve activated the Falcon Engine. I went a step further and also disallowed the new login url in my robots file. Not sure if that matters at all? Does that prevent more hits to the page, or does it make things worse by then providing the link to search engines? Thanks in advance for your insights ??

@julie if your login page is not included as a link in your front pages or in any sitemap, bots will never find it. If you include the login URL in the robots file, you are just telling hackers/bad bots where to find it.

@julie: I’m not sure if adding the URL to robots.txt will help or hurt — I have seen a site where registration by spammers would spike a few days after bad searches on bing spiked (for searches with a product name followed by “comment” or “leave a reply”), so some bots do appear to find sites that way.

Any reputable search engine shouldn’t index files excluded in robots.txt, so that part is good, but some other search engines might ignore it. It’s possible for bad bots to look at robots.txt too, though I’m not sure if any currently do.

IvanRF’s point about the sitemap is good too, if the login page appears there.

-Matt R

Thanks @ivanrf & @wfmattr!! I’ll remove that from the robots file, and change my login url again, just to be sure ?? Cheers!

I agree this should be a feature in Wordfence. Wordfence is so good and offers so much, the fact that this is missing is very surprising. Please take this as a compliment ??