A simple way to protect your Wordpress site from being hacked

I'm a long-time Web application developer. My development platform of choice is ColdFusion and has been since it was originally published by Allaire back in 1995.

Wow, has it been almost 15 years now?

Anyhow, despite the fact that CF is a great language and a very rapid development platform, these days I've converted over to using self-hosted Wordpress for many of my sites, especially new ones, because it is such a great CMS and a fantastic way to get sites up and tested and performing very, very quickly. I still use CF for all the heavy lifting, but for many sites Wordpress is the ticket for me.

So that led me to think about the security aspect of WP sites. You guys who are using WP know that by default the way to log into your WP admininstration panel is like this:

Well, if you left it that way then it's only a matter of a hacker executing a brute force attack against your administration login page. In other words, the only thing standing between your WP administration system and some guy who wants to take over your site is a username and a password.

This problem is worsened if you've used a relatively non-complex user name and password. If your site is "Joe's Site" and the admin username is "adminjoe" and the password is "joe123" then it shouldn't take too much time for a hacker to brute force his way in.

So here's a simple way for any non-programmer-types to protect your WP administration system from such an attack: using FTP to log in to your site, rename the "wp-admin" subdirectory to something else, like "wp-admin-x43q178e". Then, any attempts to login to the WP control panel like this:

Will throw a 404 error. Even login attempts like this:

would fail because, by default, WP is looking for components in the "wp-admin" directory (which no longer exists).

Then, when you need to login to your WP administrator, simply FTP in first and rename the directory back to "wp-admin". Then you can login as normal. The best part of this simple technique is that you don't have to remember the new, more complex name of the wp-admin directory, since you only need to FTP in, find the renamed directory and change it back to "wp-admin" in order to administer Wordpress. When you're finished, change it something else more complex again.

Leaving your admin directory named "wp-admin" means that anyone running a discovery script against a list of domains looking for backdoor access will discover that your site is running on WP and that your admin directory is visible to the world. After that, a brute force script may be all that's necessary to take over your WP site.

Is this a foolproof method? No, of course it isn't. But at least it adds another simple layer of security which slows down a hacker enough that he may move on to another, more easy to enter site. Does it add another step to your administration? Yes, it does. However you may feel that the protection you gain is worth the extra 15-30 seconds you need to expend in order to obscure your WP administration panel from the world.

And... it's free.