How to hide your WordPress admin address and prevent your blog from being hacked. Protecting and hiding the admin panel through .htaccess. Make a hidden page in WordPress


A year ago, my server load very often exceeded the limit allowed by my hosting tariff. The problem was not in the sites themselves, but in a banal attack by intruders on the admin panel, aimed at gaining access for their own purposes.

Today I will tell you how I coped with the problem; I advise you to do the same on your own site, just in case.

As a result, it was decided to change the address of the login form in the admin panel, as well as close the admin panel to all outsiders who do not have my IP.

It is worth noting that some hosting companies automatically create a new admin address for all users. If you use such a hosting service, you do not need to read further.

How to Change WordPress Admin Address

I posted this article before. Here it seems to be a similar result, but the effect and purpose are different.

Don't forget to back up the files you work with.

  • First, copy the wp-login.php file from the site root (where wp-config.php is located) to your computer via FTP.
  • Rename it to whatever you like, for example vhod.php.
  • Open this file in the free program Notepad++ (or whatever editor you prefer) and replace all occurrences of the phrase wp-login.php with vhod.php.

You can quickly do this by pressing CTRL+F in Notepad++. Well, in the window that appears, enter:

So in a second I replaced the occurrence of the phrase I needed in the entire file. It came across 12 times.

Upload the new file to ftp.

A similar thing will need to be done in the general-template.php file, which you will find in the wp-includes folder on the same FTP server. I.e., change the occurrences of the phrase wp-login.php to vhod.php, but do not change the file name itself!

There is also a .htaccess file in the same place, at the root of the site. We copy it to our computer as well and open it for editing (you can use the usual Windows Notepad). We insert the following piece of code, which blocks everyone from accessing the wp-login.php file:

    <Files wp-login.php>
    Order Deny,Allow
    Deny from all
    </Files>

It was this step that removed the load, and also hid the authorization form. The load was removed by inserting the presented code into .htaccess: if there was a call to http://site.ru/wp-login.php, then it would return a 403 error, not a 404.

Let us briefly repeat the algorithm of work:

  • Rename the wp-login.php file to an arbitrary name and replace the occurrences of the name in it with a new one.
  • Similarly, we replace the old name wp-login.php in the general-template.php file with the new one.
  • In the .htaccess file, we add a ban on access to wp-login.php for everyone.

After wordpress updates only the general-template.php file remains to be corrected. But since the engine is updated not so often - this is a trifle compared to the effect.
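The three steps above can be scripted so that they are easy to re-apply after a WordPress update. This is an added example, not code from the article: the function name relocate_login and the BEGIN/END marker comments are assumptions, and it rebuilds vhod.php from the current wp-login.php on every run.

```shell
#!/bin/sh
# Added example: re-apply the login rename described in the steps above.
# Usage: relocate_login /path/to/wordpress vhod.php
relocate_login() {
    local root new tpl ht
    root=$1; new=$2
    tpl="$root/wp-includes/general-template.php"; ht="$root/.htaccess"

    # Accept only a plain *.php file name: it is pasted into a sed replacement.
    case $new in
        wp-login.php|*[!A-Za-z0-9_.-]*|.*) echo "bad name: $new" >&2; return 2 ;;
        *.php) ;;
        *) echo "bad name: $new" >&2; return 2 ;;
    esac
    [ -f "$root/wp-login.php" ] && [ -f "$tpl" ] || { echo "no WordPress in $root" >&2; return 2; }

    # Step 1: build the renamed login script from the current wp-login.php,
    # so an update to the original is picked up on every run.
    sed "s/wp-login\.php/$new/g" "$root/wp-login.php" > "$root/$new" || return 1

    # Step 2: patch general-template.php, keeping a backup of the unpatched file.
    if grep -q 'wp-login\.php' "$tpl"; then
        cp -p "$tpl" "$tpl.bak" || return 1
        sed "s/wp-login\.php/$new/g" "$tpl.bak" > "$tpl" || return 1
    fi

    # Step 3: deny the old URL once; the marker (made up here) keeps this idempotent.
    # Directives are the article's Apache 2.2 form; Apache 2.4 needs mod_access_compat.
    if ! grep -qs '# BEGIN deny-wp-login' "$ht"; then
        cat >> "$ht" <<'EOF'
# BEGIN deny-wp-login
<Files "wp-login.php">
    Order Deny,Allow
    Deny from all
</Files>
# END deny-wp-login
EOF
    fi
    return 0
}
```

Run it on a copy of the site first and confirm that the old URL answers 403 while the new one shows the login form.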

We put a restriction on entering by IP through .htaccess

As an additional measure to protect the site, I adopted a restriction on entering the admin panel by IP. The problem was solved very simply: create an empty .htaccess file and add the following code to it

    order deny,allow
    allow from 192.168.0.1
    deny from all

We save the file and upload it to the wp-admin folder in the same place at the root of the site.

Instead of my IP from the example, put your real one. You can also add several IPs, each on a new line:

    order deny,allow
    allow from 126.142.40.16
    allow from 195.234.69.6
    deny from all

If the IP is dynamic, then you can put numbers only up to the first-second-third dot:
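The order/allow/deny directives above are Apache 2.2 syntax; on Apache 2.4 they work only through mod_access_compat, and the native form is Require ip, which also accepts the first one to three octets of an address. The following added example (not the author's code) writes wp-admin/.htaccess in 2.4 syntax from a list of addresses and keeps admin-ajax.php reachable for front-end requests; the function names and any addresses you pass in are assumptions.

```shell
#!/bin/sh
# Added example: build wp-admin/.htaccess in Apache 2.4 syntax.
# Usage: write_admin_allowlist /path/to/wordpress 203.0.113.7 198.51.100

# Accept a full IPv4 address, 1-3 leading octets (the dynamic-IP case), or IPv4/CIDR.
valid_ip_spec() {
    local addr bits n count old_ifs
    addr=${1%%/*}; count=0
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    for n in $addr; do
        count=$((count + 1))
        [ "${#n}" -le 3 ] && [ "$n" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    case $1 in
        */*) bits=${1#*/}
             case $bits in ''|*[!0-9]*|???*) return 1 ;; esac
             [ "$count" -eq 4 ] && [ "$bits" -le 32 ] ;;
        *)   [ "$count" -le 4 ] ;;
    esac
}

write_admin_allowlist() {
    local dir spec list
    dir=$1/wp-admin; shift; list=
    # An empty or mistyped list would lock the administrator out as well,
    # so nothing is written unless every entry validates.
    [ -d "$dir" ] && [ $# -gt 0 ] || { echo "usage: root ip..." >&2; return 2; }
    for spec in "$@"; do
        valid_ip_spec "$spec" || { echo "rejected: $spec" >&2; return 2; }
        list="$list $spec"
    done
    # Overwrites wp-admin/.htaccess, as the article creates that file from scratch.
    cat > "$dir/.htaccess" <<EOF
# Apache 2.4 equivalent of: order deny,allow / allow from ... / deny from all
Require ip$list
# Themes and plugins send front-end AJAX requests to this file in wp-admin/.
<Files "admin-ajax.php">
    Require all granted
</Files>
EOF
}
```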

WordPress site management almost always attracts malicious login attempts. Brute force attempts to connect to WordPress are so common that there is a page in the Codex dedicated to the topic. You can take a look at it.

There are many strategies to deal with this problem and the best strategy is to deploy multiple strategies. In this tutorial, I will explain how to implement one of the simplest strategies: hide the WordPress login page.

I have a specific WordPress site that was set up a few years ago. This is a standard WordPress installation running a typical series of plugins. To access the login page, all you have to do is navigate to "/wp-admin/" or "/wp-login.php".

This site does not see tons of traffic. In one month, it generates about 5,000 page views. However, malicious login attempts occur on the login page surprisingly regularly. This site includes the Jetpack security plugin, which monitors the number of malicious login attempts. Since the module was added last March, more than 11,600 malicious login attempts have been blocked.

If you do a little math, this equates to almost 800 malicious login attempts per month, roughly 25 per day, or a malicious login attempt every 58 minutes.

Connection attempts occur at a constant rate. Weeks can pass without a malicious connection being attempted. Then, all of a sudden, multiple connection attempts are logged in a short amount of time trying to hack your site's login page.

Why should you hide the login page of your site?

A word of warning before I start: if your site asks others to log in, malicious login attempts are inevitable, and this strategy will not work for you. In a situation like this, the login page needs to be easy to find so that users can easily use your site. One of the things you can do to combat malicious attempts is to use a plugin that restricts connection attempts.

However, if your site is not intended for a membership area, then you may want to hide the login page in that case.

Now let's find out how you can hide the login page on your WordPress site.

Step 1: Install WordPress in Your Own Directory

You probably already know when and . It's not too difficult, and you can use WordPress from a subdirectory whether it's a new installation or not.

However, if you want to move an existing WordPress installation, consider creating a backup of your site before doing anything else.

Step 2: Hide login page url and redirect wp-login.php

You probably know that the default behavior of WordPress is as follows: WordPress loads a login page when wp-login.php is accessed (hence http://www.example.com/wp-login.php). If you use "/wp-admin" (after your domain name in the address bar), you will be automatically redirected to "wp-login.php" (so www.exemple.com/wp-login.php).

If you've installed WordPress in a subdirectory, then you've already done some of the things that need to be done to hide the login page. The truth is that now someone can find your login page quite easily.

That holds unless you have taken steps to prevent the default behavior of WordPress: even if WordPress is installed in a subdirectory, someone who tries to access http://example.com/wp-login.php will be redirected to the correct login page, which would be, for example, http://example.com/dwiiw/wp-login.php (with dwiiw as the subdirectory).

The next step is to block access to wp-login.php and redirect to a page or 404 page other than your login page and use a fully customized login URL that will be hard to guess.

You must know what you choose as your name. Don't accept something difficult. Below you will see several plugins that will help you easily hide the login page.

1 - WPS Hide login

The slogan speaks for itself: replace wp-login.php with whatever you want.

This plugin only does one thing: it lets you use a custom URL instead of the standard one. Once this plugin is installed and activated, "/wp-admin" and "/wp-login.php" are no longer available and are replaced with a custom URL of your choice.

With over 50,000 active installs and a brilliant 4.7 out of 5 star rating, WPS Hide Login is a solid solution if you want to quickly change your login URL.

2 - WP Hide & Security Enhancer

The basic premise of this plugin is that it masks the fact that you are using WordPress.

Hiding your site from using WordPress requires creating custom URLs and disabling all standard URLs. This plugin has over 1000 active installs, which isn't overwhelming, but this solution would also be helpful.

Cerber is a fairly popular plugin that limits connection attempts. It is active on over 10,000 sites and has an outstanding rating of 4.9 out of 5 stars.

As you may have guessed, you will probably need to limit the number of login attempts, even for the new login page.

Finally

Security is not something you should take lightly. If your login page isn't secure enough, regrets won't be very helpful because you'll probably have to reinstall your blog.

If you manage a multi-author WordPress blog or have multiple client sites that need to be served not only by you, but also by your editors, then you would be interested in knowing how to limit or even hide some elements of the wordpress admin for your users?

There are many points in which it is better for users not to climb. And in this article I will clearly demonstrate how to hide the wordpress admin panel, or rather elements that are unnecessary for other users.

We will perform actions using the useful Adminimize plugin, which you can download from the official wordpress website.

Install and activate the plugin from the admin panel. After activation, go to Settings -> Adminimize and shamanize there.

The settings page has a Mini menu that divides the page into different sections for wordpress admin screens. Clicking on each will take you to additional options. For each section, you will see a number of items that you can disable or change. You will also notice checkboxes with the choice of roles for your users.

After you have deactivated some items, you need to click on "Update" or Update Option, which will be below, to save the changes.

Please note that the changes will not be visible on the plugin settings page. To see them in action you will need to open new tab in the browser and go to the admin panel in it.

We will show you each item in the Mini Menu and how to change it.

After the "About Plugin" element comes the next element, Admin Bar Option (in other words, administrator options). The admin bar appears whenever you log into your blog. Some of its items can be turned off or assigned to different users of your site, i.e. you can set different roles for your readers.

The first option allows you to hide the user menu and its subcategories that appear in the upper right corner. After that, you will notice that it is highlighted in a pinkish color. Deactivating the main menu also hides its elements. For example, you can turn off the WordPress logo and all links included in it will be hidden along with it.

Among other options, you will see checkboxes where you can hide the comment icon + add a new one.

Remember that you can also hide the submenu. For example, you want to keep the current menu + add a new one to the admin panel, but you also want to hide pages from it, then just add pages and enable the “deactivate” option selectively for users.

Administration option (backend)

Not all plugin settings sections will have checkboxes. The administration option is significantly different from the previous ones. It allows you to make global settings in the admin area for all types of users.

The first option here is the configuration of the info section for users at the very top right of the admin panel, which is located next to the user's avatar. You can choose to either hide it, show or exit, or show only "exit".

The next option is redirects. You can redirect the user when he clicks on the info section. You can either redirect your user to any other page, leave the default behavior for the section, or hide this section. All this is saved by clicking on the Update Options button.

By default, when you are working on a post (article), the publication time is hidden by a link that can be edited. To schedule a release, you must click on the edit link to make the timestamp visible.

In the administration options, you can make the date always visible.

Similarly, by default in WordPress, you can hide some of the categories in the category field on the post edit page. You can control the behavior by selecting "Activate" next to the "Category Height" option. This is how you adjust the height so that all your categories are displayed.

You can put any of your text or link in the footer area so that all users can see it on all pages of the WordPress dashboard. You can do this by clicking on the “Advice in footer” item. This can be used for branding, adding a shortcode, anything.

The last option in the plugin's admin panel is to set redirects to the wordpress admin. To use it, you need to deactivate the panel itself first. We will cover this in a future article.

Global settings

The section with global options allows you to activate/deactivate certain settings for different user roles. The first item here is to hide or show the admin panel. Unlike the option of the Admin bar section, which only changes the top menu of the admin bar, this checkbox will disable the entire bar for some selected user roles.

The WordPress login page is one of the most vulnerable parts of your website. Of course, attackers are well aware of this. Therefore, an important task of any site owner is the maximum protection of the login page.

There are many ways in the network to solve this problem - different in complexity and execution time. However, in this article, we will talk about securing the WordPress login page with plugins.

Why should you secure the WordPress login page?

There are two ways to get to the login page:

  1. Type wp-login.php into your browser's address bar;
  2. Go to http://yoursite.dev/wp-admin/

Why do hackers and bots attack your login page?

Now imagine what a load on the site is created with each such password guess and press of the "Login" button! Regular users may experience difficulties when working with the site, and the reason for this is the robots trying out passwords. This is called a "brute force attack" or "password brute force attack".

The easiest way to protect against brute force attacks is to create a unique address for your login page, that is, not wp-login and wp-admin, but one of your own. Moreover, it is important that opening the standard login addresses shows a "404 page". Then the bot, when it hits such a page, sees a "404 Error" and leaves the site. A very smart and easy way!

How To Secure Your WordPress Login Page With The Clearfy Plugin

To secure the login page, we will use one of our free plugins. The first is the Clearfy plugin with built-in WordPress login page security. In addition, the plugin has many features for protection, optimization (including SEO) and acceleration.

Protecting the wp-admin directory

Its only function is to protect the login page.

Conclusion

In this article, we talked about why it is so important to protect the login page, and also considered the possibilities of our plugins to solve the problem.

Based on your goals, you can choose which plugin suits you best - Clearfy or Hide My Login.

Remember that timely and reliable protection of your site will save you a lot of time and financial resources.

Good afternoon!

Today I will tell you how to hide a page in WordPress.

Hiding a page means excluding it from the general list of pages when it is displayed. But this does not mean that this page will not be indexed by search robots. That is, if the robot finds out about this page, it will definitely index it. This can happen if somewhere on the site there is a link to this hidden page or you or someone else will notify the search engine of this page. In general, if you need to hide the page from robots, then use the .

What can be used to hide a page from the output list?

For example, when connecting Yandex or Google search on the site. To display search results on the site, you need a page. By default, it will be empty and you don't need to go directly to it.

Or, simply, you have pages that you want to link to from other pages, but not from the main one. Also, you can display some of the links to the pages in the header, and the other part in the footer or sidebar.

Earlier, I wrote . The page is hidden in a similar way, only the wp_list_pages function is used to display a list of pages.

How to find the id of a WordPress page

In order to hide a page, we need to find out its serial number, which is assigned to the page in the database (identifier or just id).

To do this, go to the section Pages.

In the list of pages, move the mouse cursor over the name of the page whose id you want to find out.

In the browser below in the information line you will see the url address of a link of this type:

http://website/wp-admin/post.php?post=192&action=edit

Find the value of the post parameter in this line. In this case, post=192 is the page id. I.e., in this example the page id is 192.

Also, to see this URL, you can click on the link to edit the page, and then the desired URL will be at the top, in the browser's address bar.

Also, the id of a WordPress page can be found directly in the database, in the wp_posts table. All posts with post_type = "page" are pages. I.e., you can get a list of all pages with the following SQL query: .

The ID field contains the identifier we need.

How to Hide a Page in WordPress

Now that we know the page id, we can proceed directly to hiding this page.

The list of pages in WordPress is displayed using the function wp_list_pages.

Open the /wp-content/themes/yourtemplate/header.php file and find the call to the wp_list_pages function in it.

Here is the code in my header.php:

If you need to hide several pages, then list their id separated by commas.
