Should I redirect login / admin pages to the home page?

I'm on a security kick right now and my current project is a server with a WordPress site (that used to be a Joomla site). I sometimes get 50 requests a day to /wp-login.php (the WordPress default login page) or /administrator (the Joomla default login page).
I obfuscate my login page so they 404, but they continue to get 200 OK instead of 404 Not Found.
I don't like having people try to hack my website.
I'm thinking about 301 redirecting those requests to the home page, hopefully to confuse the brute-force bots. Would there be any drawbacks to such an approach?
I'm also thinking about sending other hack requests there, like author pages, search pages and non-existent plugins.
I wrote an article a couple of years back and it's worth a read, especially the section about "Creating a Strong Complex Password": 10 ways to stop Brute Force attacks in WordPress.
Many WP plugins will stop brute force hackers in their tracks; however, because most plugins work on banning IP addresses after X attempts, they may not stop determined password crackers using multiple IP blocks in the thousands.
Most plugins lift bans after X minutes, meaning with enough IP addresses you become pretty much immune to these bans unless you opt to use an extremely long duration on those bans. Administrators generally do not use long duration bans because they don't want to get locked out themselves.
A lot of the current answers are way over complicated.
Normally I would suggest fail2ban or hiding wp-login.php, but 50 attacks is nothing! With a decent password it would take them many decades. Personally I would keep things simple and just install Loginizer for WordPress.
It is used by millions of sites, and by installing it, it will automatically ban bad users by IP address for a few hours, a day, weeks, months or even years. It will also show you how many attacks it has blocked.
Not Brute Force
50 requests per day is not brute force. That is, unless your password requirements are just two characters in length. Most often these hits are just internet scanners checking for specific credentials and then moving on to the next.
Brute Force Logins
Consider adding a Captcha or better yet some form of two factor authentication. There are a number of two factor options available such as Google Authenticator, Duo Security, etc. Find one that best fits your environment and you'll be set.
404 vs 301
Stick with the RFC standards. If the page doesn't exist return a 404 and if the application owner wants to redirect certain requests to a specific page then use a 301. A determined adversary will not be fooled by your proposed obfuscation techniques while internet scanners and bots are not really a threat unless you're already compromised. This leads me to the next point...
Securing WordPress
WordPress has a large attack surface, as evidenced by the length of the OWASP WordPress Security Implementation Guideline. Your time will be better spent working through that document.
Use three things to keep your site safe from spam:
Add Captcha.
Uncheck the "Anyone can register" option in the settings of the WP site (if your site has no user account functionality).
Use this plugin to hide your login page: wordpress.org/plugins/wps-hide-login/
As well, if your site username is admin then change it to another, because admin is a very common term and is hit by spam tools and minds...
The short answer to your question is no, there will be no problem doing that, but I'd definitely keep fake /administrator and /wp-login.php files. That will keep bots and strangers occupied for nothing.
On the other hand, I'd take into consideration:
Password protect the real server
Limit login attempts
Allow access to login files by IP
Change default database prefix
Disable directory browsing
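The "404 vs 301" point from the earlier answer (a missing path gets a plain 404) together with "Allow access to login files by IP" and "Limit login attempts" from this one, as an added nginx configuration example that is not from the original thread. It assumes nginx in front of PHP-FPM; the hostname, document root, PHP-FPM socket path and the admin network 203.0.113.0/24 (an RFC 5737 documentation range) are placeholders.

```nginx
# Per-client rate limit for the login endpoint: 10 requests per minute,
# keyed by client IP. Exceeding it yields 503 (nginx default for limit_req).
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=10r/m;

server {
    listen 80;
    server_name example.com;        # assumption: placeholder hostname
    root /var/www/wordpress;        # assumption: placeholder document root
    index index.php;

    # The Joomla login path no longer exists on this site: answer with a
    # plain 404, not a 301 to the home page, as the RFC-standards answer advises.
    location = /administrator  { return 404; }
    location ^~ /administrator/ { return 404; }

    # The real WordPress login: IP allow-list plus rate limiting, then PHP.
    # Clients outside the allow-list get 403; everyone else is rate-limited.
    location = /wp-login.php {
        allow 203.0.113.0/24;       # assumption: the admin network
        deny  all;
        limit_req zone=wplogin burst=5 nodelay;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption: PHP-FPM socket
    }

    # Normal WordPress front controller and remaining PHP files.
    location / { try_files $uri $uri/ /index.php?$args; }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption: PHP-FPM socket
    }
}
```

The exact-match `location = /wp-login.php` takes precedence over the `\.php$` regex block, so the allow-list and rate limit cannot be bypassed by the generic PHP handler; check with `nginx -t` before reloading.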