Are WordPress sites secure?
Login hiding is not an excellent strategy to secure your website. It is even worse when you do this by installing plugins that hide or change the login addresses.
Even if your website isn’t currently under attack or hacked, there is always risk associated with it. The WordPress platform has been a popular content management system for years, and it’s no surprise that hackers are going after the most vulnerable victims – small websites. With large-scale cyber attacks happening more often than anyone would like to admit, you might think that the chances your small WordPress website will be hacked are slight to none. After all, who would hack your website when there are so many bigger and better sites to attack?
Small businesses are hackers’ targets.
Unfortunately, small business websites are just as targeted by cyber criminals as large corporations. And because small business websites are often not as concerned with major security breaches, their websites are left more vulnerable and open to attack.
Using login hiding to secure the website.
Today we want to discuss a prevalent topic – security by obscurity or why login hiding is weak security in WordPress?
The majority of the security specialist will agree that security by hiding and tightening is not security. There are three main types of security:
- security by design,
- security by openness,
- and security by obscurity.
WordPress is based on the Open Design concept (GPL), and all elements should be designed similarly. Two first have a proven record of being effective. Security by obscurity is not an effective way of securing the website (or anything else).
Interesting metaphorical comparison:
” If your house entry door has a shoddy lock, but each time when you leave the house, you put the sticker to cover this lock, do you think it will work?”
Another excellent example from Stack Overflow […] “Security through obscurity would be burying your money under a tree. The only thing that makes it safe is no one knows it’s there. Real security is putting it behind a lock or combination in a safe. You can put the safety on the street corner because it is secure that no one can get inside it but you.” […]
Obscurity is fine until it is discovered, but once someone has worked out your particular obscurity, your system becomes vulnerable again. Given the persistence of attackers, this equates to no security at all.
Why shouldn’t you hide your WordPress login or admin URL?
The main reason for this technique is to protect the website against brute-force attacks. Because brute force attacks aiming at breaking the login and password are often not carried out through the login screen. Hackers usually use a much faster and remote procedure called the XML-RPC mechanism. The rest API mechanism can also be used to negotiate the password.
So there are mechanisms that are interfaces, and they are faster than the login screen, and you can easily use them to crack passwords.
Reasons you shouldn’t hide WP login:
- Hackers (and attacks) don’t check – they attack (specific vulnerability).
- Even if you hide wp-login.php there are other ways to log into your WordPress, like XML-RPC or the REST API (you can disable XML-RPC, but you can’t disable REST API because Gutenberg uses it)
- Customising the login URL is also known to cause conflicts with other plugins.
- Attacks are designed to be fast. Login hiding slows down the website, so a brute force attack can turn into a DDOS attack (see explanation below) and cause website downtime
- Plugins that offer this functionality also have vulnerabilities.
We need to tell more about the mechanism described in point 3. The point is that the WP login form is written to be quick. Its loading time is about 0.5s. Meanwhile, changing the address causes a 404 error instead of it. The theme generates a 404 page, which means that the loading time is, on average, 2-3 sec and more (on a slow website can be 5 sec!).
So if the bot assumes that it can hit a form that loads in 0.5s with the appropriate frequency, then by hitting a 404 that loads four times longer, it will start killing the server.
When it comes to plugins offering login hiding, they have problems with security. For example WPS Hide Login plugin:
- until November last year, it did not block anything at all, and it was possible to bypass its security without any problems,
- until January 2020, you could easily find out the login address,
- in July 2019, several vulnerabilities were patched in it that allowed to bypass security and learn the login address,
- previously, it had a CSRF vulnerability, i.e. it even reduced the website’s security.
It shows that the security plugin has been struggling with severe bugs in its code for several years, making it not deliver what it promises.
So what to do instead of login hiding?
There are good alternatives to improve login security. The good idea is to block the login screen or the entire login for a specific IP address. Also, VPN connection to your server, having two-factor authentication enabled and confirming the login with your phone.
- Keep your WordPress up-to-date.
- Use SSL
- Use strong passwords.
- Use 2FA – Two Factor Authorisation.
- Block/restrict access to wp-admin (if you can, by IP, or even with BasicAuth)
Two Factor Authentication (2FA) is secure and proven way of improving the security of your website.
It is a topic for a separate post. Still, we can ask why banks and other serious institutions use 2FA (and login restrictions, VPNs, and so on) instead of login hiding?
If you are a small business using WordPress for your website, you need to secure it. The important thing is not to choose the easy way and install random plugins which promise that they can do something automatically. But remember that these plugins are doing nothing or almost nothing – they’re pretty good at pretending. Each website is different and needs to be treated differently. Login hiding in WordPress is not a proper way to secure the website.
The better way is to follow the five points above if you have the skillset and time to do it or pass this work to a specialist.