Protecting WordPress

Keeping brute force login programs from guessing passwords against your WordPress installation can be a pain, but I started changing the name of the wp-login.php file long ago when I figured that I couldn’t easily change the ‘admin’ username and didn’t want to wrap the wp-login.php file in basic auth (not really secure). Remember there is no silver bullet for security. This is just another layer.

Every time you update WordPress (a core update puts the original wp-login.php back), repeat these extra steps.

  1. SSH into your server.
  2. Navigate to your blog’s directory (e.g. cd /var/www/blog).
  3. Back up your wp-login.php file (e.g. mv wp-login.php wp-login.pbackup.452012).
    Some web scanners probe every accessible file with extensions such as .backup, .php.old or .php.bak appended, so I include the date as another layer.
  4. Decide what you want to rename wp-login.php to. For this example I’m going to use wp-banana.php. I like bananas; there is one on my desk.
  5. Run this sed command, which rewrites the file’s references to its own name: sed 's/wp-login/wp-banana/g' <wp-login.pbackup.452012 >wp-banana.php
  6. Open a browser and access your new login page.
    You should see the normal login and it should take you to your Dashboard.
  7. If this didn’t work, copy the backup back (e.g. cp wp-login.pbackup.452012 wp-login.php).
  8. Make sure wp-login.php no longer exists: requesting it in the browser should return a 404 error.
  9. Use your blog, don’t forget your new filename, and now you can keep attackers from brute forcing your WordPress admin password.
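As an added example (not code from the post), the script below wraps steps 3, 5, 7 and 8 in shell functions: rename_wp_login makes the dated backup, runs the sed rewrite and checks the result, restore_wp_login copies the newest backup back, and make_demo_docroot builds a throwaway directory with a constructed stand-in file so the functions can be tried before touching /var/www/blog. The function names, the input check on the new name and the YYYYMMDD date suffix are this example’s assumptions.

```shell
#!/bin/sh
# Added example, not code from the post: wraps steps 3, 5, 7 and 8 in functions.
# Function names and the YYYYMMDD date suffix are this example's assumptions.
set -eu

# Steps 3 and 5: back up wp-login.php under a dated name, then write the renamed copy.
rename_wp_login() {
  docroot=$1        # blog directory, e.g. /var/www/blog
  newname=$2        # new basename without .php, e.g. wp-banana
  # Only plain basenames are accepted; anything else would break the sed script.
  case $newname in *[!A-Za-z0-9_-]*|'') echo "bad name: $newname" >&2; return 1;; esac
  backup="$docroot/wp-login.pbackup.$(date +%Y%m%d)"
  target="$docroot/$newname.php"
  [ -f "$docroot/wp-login.php" ] || { echo "no wp-login.php in $docroot" >&2; return 1; }
  [ ! -e "$target" ] || { echo "$target already exists" >&2; return 1; }
  mv "$docroot/wp-login.php" "$backup"
  sed "s/wp-login/$newname/g" <"$backup" >"$target"
  # Step 8 check: the old name is gone, the new file is PHP, and no
  # self-references to wp-login survived the rewrite.
  [ ! -e "$docroot/wp-login.php" ] || return 1
  grep -q '<?php' "$target" || return 1
  ! grep -q 'wp-login' "$target"
}

# Step 7: copy the newest dated backup back to wp-login.php.
restore_wp_login() {
  docroot=$1
  backup=$(ls "$docroot"/wp-login.pbackup.* 2>/dev/null | sort | tail -n 1)
  [ -n "$backup" ] || { echo "no backup found in $docroot" >&2; return 1; }
  cp "$backup" "$docroot/wp-login.php"
}

# Constructed stand-in for a real wp-login.php in a throwaway directory, so the
# functions can be exercised before running them on a live site. Prints the directory.
make_demo_docroot() {
  d=$(mktemp -d)
  printf '%s\n' '<?php' '// constructed stand-in, not the real WordPress file' \
    '$logout = site_url("wp-login.php?action=logout");' >"$d/wp-login.php"
  echo "$d"
}
```

Run it as `. ./rename.sh; d=$(make_demo_docroot); rename_wp_login "$d" wp-banana` and inspect "$d" before pointing it at the real blog directory.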