WordPress Security Essentials: Rename wp-login.php

(Image: WordPress security padlock)

Rename wp-login.php is a simple plugin that hides one of the most heavily attacked URLs in WordPress. Spammers and bots hammer wp-login.php with automated password-guessing attempts to try and gain access to your website. If you do not think you are at risk, check your server logs, or install Wordfence: you will be amazed at the number of fake login attempts. I was similarly amazed at how quickly this dropped to zero when I installed the Rename wp-login plugin. Bear in mind that moving the login page is obscurity, not authentication: it cuts the noise from automated attacks, but it does not replace strong passwords, limited login attempts or two-factor authentication.

Once installed, requests to wp-login.php return a 404 Page Not Found error, and attempts to access /wp-admin/ while not logged in show only the message:

You must log in to access the admin area.

Rename wp-login.php Weaknesses

Though the plugin performs excellently, you do need to be careful if you use the WordPress commenting system.

If comments are allowed, WordPress by default leaves a couple of links pointing straight at your hidden login page (the theme builds them with wp_login_url(), which the plugin rewrites to the new address). This negates the whole point of the plugin, but fortunately it is easy to fix. The two places are described below; after making the changes, view the source of a post with comments and search for your login URL to confirm it is gone.

Login form revealed with no comments

Leave a Reply
You must be logged in to post a comment.

In every theme I have seen, this text is generated near the end of comments.php. You should copy comments.php to your child theme, then edit the call to comment_form().

Though the 'logged in' link is the most important change, now is a good time to also change 'Leave a Reply'.

Spammers search for this exact phrase to find pages with open comment forms, so changing it saves you some useless bandwidth. To help your visitors focus, it is a good idea to ask a question based on your page title. The phrase is set in the comment_form() function by the title_reply argument.

The argument that will remove the default login link, and improve security, is must_log_in.

Therefore, amend the comment_form() call in your child theme comments.php to something similar to:

  $args = array(
      // Replaces the default "Leave a Reply" heading with a question built from the post title.
      'title_reply'  => 'What do you think about ' . get_the_title() . '?',
      // Replaces the default "You must be logged in" text, which links to wp_login_url().
      'must_log_in'  => '<p class="must-log-in">Login is required to add comments and questions.</p>',
      // Replaces the default "Post Comment" button label.
      'label_submit' => __( 'Add your Comment or Question' ),
  );
  comment_form( $args );

Note that I also changed the default text on the Submit button to something more inviting. As well as securing the login link, it is good to be creative with your text to encourage quality comments.

Login form revealed with existing comments

Each existing comment is headed:

Keith Taylor
February 3, 2014 at 8:56 am   Log in to Reply

Getting rid of that link was harder, but thanks to a helpful code snippet to remove the log in link for comment replies, it now only takes a few seconds.

Many people recommend adding functions to the theme via functions.php. The problem with this is that you have to carry the functions.php changes over every time you change themes. I only use functions.php for changes that are theme specific. For everything else, I use the Functionality plugin. More on that in a separate plugin review. For now, just install and activate the Functionality plugin, then add the following:

if ( ! function_exists( 't5_do_not_ask_for_comment_log_in' ) )
{
    add_filter( 'comment_reply_link', 't5_do_not_ask_for_comment_log_in' );

    /**
     * Replaces the "Log in to Reply" link with an empty string.
     *
     * WordPress only emits that link when registration is required for
     * comments and the visitor is logged out; in every other case the
     * normal Reply link is returned unchanged.
     *
     * @param string $link
     * @return string
     */
    function t5_do_not_ask_for_comment_log_in( $link )
    {
        // is_user_logged_in() is the supported check; $GLOBALS['user_ID'] gives the same result.
        if ( ! is_user_logged_in() && get_option( 'comment_registration' ) )
        {
            return '';
        }
        return $link;
    }
}
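The two fixes above (the comment_form() arguments in the child theme, and the reply-link filter) can also be kept together in one small plugin so that nothing needs editing when the theme changes. The following is an added example, not the code from the original post or from either plugin; the plugin header, the hcl_ function names and the wording are my own choices. It relies on two WordPress core filters: comment_form_defaults, which receives the default argument array that comment_form() merges the theme's own arguments over (note that comment_form_default_fields only covers the name, email and URL fields, not title_reply or must_log_in), and comment_reply_link, which receives the rendered reply link. Because theme-supplied arguments win over the filtered defaults, a theme that hard-codes its own title_reply or must_log_in still needs the child-theme edit.

```php
<?php
/**
 * Plugin Name: Hide Comment Login Links
 * Description: Keeps the default comment UI from linking to the (renamed) wp-login.php.
 *
 * Added example for illustration; not the original post's code. Assumes the
 * default behaviour of WordPress core's comment_form() and get_comment_reply_link().
 * Drop it in wp-content/plugins/ (or paste it into the Functionality plugin).
 */

// Only run inside WordPress: the core functions below do not exist otherwise.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Replace the comment_form() defaults that mention "Leave a Reply" or link
 * to wp_login_url(). Runs before the theme's own $args are merged in, so the
 * theme can still override any of these keys.
 *
 * @param array $defaults Default comment_form() arguments from core.
 * @return array
 */
function hcl_comment_form_defaults( array $defaults ) {
    // Question built from the post title instead of the spam-magnet "Leave a Reply".
    $defaults['title_reply']  = 'What do you think about ' . get_the_title() . '?';
    // Plain text instead of the default sentence that links to the login page.
    $defaults['must_log_in']  = '<p class="must-log-in">Login is required to add comments and questions.</p>';
    // Friendlier submit button label.
    $defaults['label_submit'] = 'Add your Comment or Question';
    return $defaults;
}
add_filter( 'comment_form_defaults', 'hcl_comment_form_defaults' );

/**
 * Drop the "Log in to Reply" link that core emits under each comment when
 * registration is required and the visitor is logged out. Logged-in visitors,
 * and sites that do not require registration, get the normal Reply link.
 *
 * @param string     $link    Rendered reply link HTML.
 * @param array      $args    Arguments passed to get_comment_reply_link().
 * @param WP_Comment $comment The comment being rendered.
 * @param WP_Post    $post    The post the comment belongs to.
 * @return string
 */
function hcl_strip_reply_login_link( $link, $args, $comment, $post ) {
    if ( ! is_user_logged_in() && get_option( 'comment_registration' ) ) {
        return '';
    }
    return $link;
}
add_filter( 'comment_reply_link', 'hcl_strip_reply_login_link', 10, 4 );
```

After activating it, load a post that has comments while logged out and search the page source for your login URL; the must_log_in paragraph and the reply links should no longer contain it. Check the Meta widget too if you use it, since its "Log in" link is produced separately by wp_loginout() and is not covered by either filter.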

So there you have it. Make the theme changes and add the function first. Then install Rename wp-login.php and set your new login link. Let your users know the new link privately, and ask them not to share it.

What do you think of Rename wp-login.php as a WordPress security tool?

One Reply to “WordPress Security Essentials: Rename wp-login.php”

  1. I tried to move the comment_form changes out of the theme using comment_form_default_fields filter. No luck, unfortunately. I need to check the code to see why that might be the case, unless you know the answer?

    If you know how to change the output of comment_form function without editing the theme, please let me know at https://google.com/+Shrewdies, or see my contact page – http://shrewdies.com/contact-keith-taylor/
