How to Make WordPress Logins More Secure

February 27, 2017

Most WordPress sites use the same URLs for the admin login and core directories. Because these paths are predictable, bots and other automated tools can go to /wp-admin or /wp-login.php and bombard the login with common usernames and passwords in the hopes of gaining access. The good news is that by making a small change to our file architecture we can change these paths, making it more difficult for the machines to find our login screen and our site more secure.

Changing Login Path

Before we install WordPress, we’re going to create an empty directory in the root directory of our site called ‘wordpress’, or whatever you’d prefer. Dealer’s choice, but since we’ll be typing it in every time a user logs in, it should be something reasonable.

Next we’ll install WordPress into this newly created folder, then copy the wordpress/wp-content directory to the root. Do the same with wordpress/index.php and wordpress/wp-config-sample.php, renaming the latter copy to wp-config.php. Now for the code-y bits.

Configuring

Let’s make some file changes. In our new index.php file, we’ll need to change the following line:

require('./wp-blog-header.php');

And update it to:

require('./wordpress/wp-blog-header.php');

Next, let’s go into our new wp-config.php file. Since we have the WordPress core files in a separate directory, we need to tell WordPress where they are. Add the following 2 lines to the file:

define('WP_SITEURL', 'http://' . $_SERVER['SERVER_NAME'] . '/wordpress');
define('WP_HOME',    'http://' . $_SERVER['SERVER_NAME']);

This lets WordPress know that the core files are in our custom directory, but our site is being served from the root of the project directory.

Lastly, we moved the wp-content directory out of the core, so we need to provide a map to that as well. Simply add the following snippet to the wp-config.php file beneath the previous 2 statements:

define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/wp-content');
define('WP_CONTENT_URL', 'http://' . $_SERVER['SERVER_NAME'] . '/wp-content');

And we’re done! Now when a user wants to access the admin side of the site, they’ll need to go to sitename.com/wordpress/wp-admin. Customizing the path for your site should make the login more secure. We can also do some tricky things like moving the uploads folders and changing some other default settings to really confuse SkyNet, but we’ll get into that later.
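
A quick way to confirm the finished layout, as an added example that is not part of the original post: the shell function below (check_layout is a hypothetical name) audits a document root against the steps above. It assumes wp-config.php loads wp-settings.php through a require line, as the stock sample file does; constants defined after that line are set too late to take effect, so the check flags them.

```shell
#!/bin/sh
# Added example: audit a docroot against the layout described in this post.
# Usage: check_layout DOCROOT [COREDIR]   (COREDIR defaults to "wordpress")
# Prints one line per problem and returns the number of problems found.

check_layout() {
    root=$1; core=${2:-wordpress}; cfg="$root/wp-config.php"; fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    # Core lives in the subdirectory, not at the default root paths.
    [ -f "$root/$core/wp-login.php" ] || fail "$core/wp-login.php not found"
    [ -e "$root/wp-login.php" ] && fail "wp-login.php still present at site root"
    [ -e "$root/wp-admin" ] && fail "wp-admin still present at site root"
    [ -d "$root/wp-content" ] || fail "wp-content missing from site root"

    # The root index.php must load the blog header from the core directory.
    grep -Fq "/$core/wp-blog-header.php" "$root/index.php" 2>/dev/null ||
        fail "index.php does not require ./$core/wp-blog-header.php"

    if [ ! -f "$cfg" ]; then
        fail "wp-config.php missing from site root"
    else
        # Line number of the wp-settings.php require (assumed present, as in
        # the stock sample config); defines placed after it come too late.
        settings=$(grep -n "require.*wp-settings\.php" "$cfg" | head -n 1 | cut -d: -f1)
        for name in WP_SITEURL WP_HOME WP_CONTENT_DIR WP_CONTENT_URL; do
            line=$(grep -n "define( *['\"]$name['\"]" "$cfg" | head -n 1 | cut -d: -f1)
            if [ -z "$line" ]; then
                fail "$name is not defined in wp-config.php"
            elif [ -n "$settings" ] && [ "$line" -gt "$settings" ]; then
                fail "$name is defined after wp-settings.php is loaded"
            fi
        done
    fi
    return "$fails"
}
```

Run it as check_layout /path/to/site-root wordpress; a return status of 0 means every check passed.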
