Preventing brute force login programs from guessing your WordPress installation can be a pain, but I started changing the name of the wp-login.php file long ago when I figured that I couldn’t easily change the ‘admin’ username and didn’t want to wrap the wp-login.php file in basic auth (not really secure). Remember there is no silver bullet for security. This is just another layer.
Every time you update WordPress, take these extra steps.
- SSH into your server.
- Navigate to your blogs directory ( eg:
cd /var/www/blog) - Backup your wp-login.php file ( eg:
mv wp-login.php wp-login.pbackup.452012)
Some web scanners will look for every file accessible and change the extension to .backup or php.old or .php.bak, so I include the date to add another layer. - Think what you want to change your wp-login.php file name to. For this example I’m going to use wp-banana.php. I like bananas, there is one on my desk.
- Run this sed command:
sed 's/wp-login/wp-banana/g' <wp-login.pbackup.452012 >wp-banana.php - Open a browser and access your new login page. http://www.yoursite.com/wp-banana.php
You should see the normal login and it should take you to your Dashboard. - If this didn’t work, copy the backup back.( eg:
cp wp-login.pbackup.452012 wp-login.php) - Make sure wp-login.php doens’t exist. http://www.yoursite.com/wp-login.php should return a 404 error.
- Use your blog, don’t forget your new filename and now you can keep attackers from brute forcing your WordPress admin password.
