Is It Worth Changing Your WordPress Login URL?


No. As a security measure, I do not advise changing the login URL of your WordPress website to make it hard to find. I advise making it easy to find. Here are two reasons why:

  • Most websites don’t hide their URLs.
  • Your security efforts should focus on passwords.

Throughout this article, consider your login URL as your website’s “door” location.

Most Websites Expose Login URLs

For a moment, think about the websites you log in to: X, Facebook, Instagram, Gmail, or your bank. These sites don’t hide their login URLs. Why?

First, these sites are not concerned about the visibility of the “door” you enter through. The door is not something they want to hide. They want you to know exactly where the door is. They want you to enter their website and your account with ease.

Think of your WordPress site the same way. You want real users to be able to access your website and their account – if they have one. You should make it easy to find the door.

The secure part of the website should not be the location of the door. The door, lock, and keys are the parts to secure. Your website will be secure if you give it a blast door with a biometric lock, even in the center of downtown, for all to see.

Focus Security on Passwords

If you want a secure WordPress login, you need to focus on these top four items:

  1. HTTPS security.
  2. Enforcing strong passwords.
  3. 2FA.
  4. Attack mitigation – from brute force attacks, for example.

You will be secure even if you only require a strong password and HTTPS. Most hosting companies, like Kinsta, will automatically give you HTTPS. And many plugins enforce strong passwords – install one of them.

If you take these two steps (HTTPS and enforced strong passwords), you will feel like you have that blast door with a biometric lock.

Next, you have 2FA and attack mitigation. These are optional steps and can be complicated to implement. If you don’t have a technical background, I’d advise having someone who is technical handle 2FA and attack mitigation. If you are technical, I like the Solid Security plugin for 2FA and Cloudflare for attack mitigation.
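To make item 4 concrete, here is an added example (not from this article, Solid Security, or Cloudflare) of the detection side of brute-force mitigation: a Python script that flags IPs with a burst of failed logins in a web server access log. It assumes the combined log format and that a failed wp-login.php POST returns 200 while a successful one returns 302; the threshold, window, and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fields needed from a combined-format access log line.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60),
                    login_path="/wp-login.php"):
    """Map each IP to its largest burst of failed logins inside `window`,
    keeping only IPs whose burst reaches `threshold`.
    Assumption: a failed POST returns 200 (form re-rendered), a success 302."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    worst = defaultdict(int)     # ip -> largest burst seen so far
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if (m["method"], path, m["status"]) != ("POST", login_path, "200"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        worst[m["ip"]] = max(worst[m["ip"]], len(q))
    return {ip: n for ip, n in worst.items() if n >= threshold}

def _line(ip, sec, method, status, path="/wp-login.php"):
    """Build one constructed log line `sec` seconds after 12:00:00."""
    return (f'{ip} - - [10/Mar/2025:12:{sec // 60:02d}:{sec % 60:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1234 "-" "-"')

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE = (
    [_line("203.0.113.7", s, "POST", 200) for s in range(0, 16, 2)]    # 8 failures in 14 s
    + [_line("198.51.100.4", 5, "POST", 200),                          # one mistyped password...
       _line("198.51.100.4", 20, "POST", 302)]                         # ...then a successful login
    + [_line("192.0.2.9", s * 120, "POST", 200) for s in range(6)]     # slow: one failure per 2 min
    + [_line("203.0.113.7", 30, "GET", 200)]                           # page view, not an attempt
)

if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE).items():
        print(f"{ip}: {n} failed logins within 60s")
```

The slow client at 192.0.2.9 is not flagged by a short window, which is why rate-based detection complements strong passwords and 2FA rather than replacing them.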

Closing Thoughts

Again, changing your WordPress website’s login URL will not make your website secure. Even if you change the login page URL, real attackers have other methods to gain entry. For example:

  • The unchangeable URLs of the WordPress REST API.
  • Exploiting outdated plugins.
  • Social hacking.

To take your WordPress security seriously, start with strong passwords.
