Solid Security Hide Backend

Hides the login page (wp-login.php, wp-admin, admin, and login), making it harder for automated attacks to find and easier to use for users unfamiliar with the WordPress platform.

If you forget your new login slug, this article can help you find it: How Do I Recover My Hide Backend URL?

 

Enable Hide Backend

You can enable this setting in Security > Settings > Advanced > Hide Backend

 

Hide Backend Options

 

URLs

Login Slug

The login URL slug cannot be "login," "admin," "dashboard," or "wp-login.php" as these are used by default in WordPress. 

Register Slug

The URL/slug you want to use for site registration.

Note: The output is limited to alphanumeric characters, underscore (_), and dash (-). Special characters such as "." and "/" are not allowed and will be converted in the same manner as a post title. Please review your selection before logging out.

 

Redirection

Enable Redirection

Instead of displaying a "403" error, you can choose to redirect to any page or post - your 404 page or another page with on-screen instructions for your users.

Redirection Slug

The slug of the page or post that site users are redirected to when they try to access wp-admin while not logged in.

 

Advanced

Custom Login Action

WordPress uses the "action" variable to handle many login and logout functions. By default, this plugin can handle the normal ones, but some plugins and themes may utilize a custom action (such as logging out of a private post). If you need a custom action please enter it here.

 

Why can I still access the /wp-admin/ URL with Hide Backend activated?

The way that Hide Backend functions has changed since the version 4.1.0 release.

Previously, if your Hide Backend Login Slug was wplogin, going to example.com/wplogin would result in the URL remaining example.com/wplogin.

The new implementation of this feature results in a redirect to a URL that looks as follows: example.com/wp-login.php?itsec-hb-token=wplogin.

While this may not be desirable for some users, this change was necessary to fix longstanding compatibility issues with other plugins. Once you access the login page using the Login Slug page, a cookie is set with an expiration time of one hour. As long as the cookie remains, you can access example.com/wp-login.php without having to access the Hide Backend Login Slug first.

If you wish to confirm that Hide Backend is working properly on your site, opening up a private browsing window is a quick way to test without having to log out and clear cookies.

 

If I hide my WordPress login URL, does that fully protect me from brute-force attacks?

The idea behind hiding the wp-admin is that hackers can’t hack what they can’t find. If your login URL isn’t the standard WordPress /wp-admin/ URL, aren’t you protected from brute-force attacks?

The truth is that most Hide Backend features are simply security through obscurity, which isn’t a bulletproof security strategy.

While hiding your backend wp-admin URL can help mitigate some of the attacks on your login, this approach won’t stop all of them.

We frequently receive support tickets from people who are perplexed at how Solid Security Pro is reporting invalid login attempts when they have hidden their login.

That’s because there are other ways to log into your WordPress sites besides using a browser, like using XML-RPC or the REST API. After you change the login URL, another plugin or theme could still link to the new URL.
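To see which of these paths login traffic actually uses on your own site, you can sort access-log requests by entry point. The script below is an added example, not part of Solid Security: the log lines, IP addresses and status codes are constructed, and the wplogin slug is the one used as an example above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (IPs from documentation ranges;
# the status codes are assumptions made for illustration).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /wplogin HTTP/1.1" 302 0
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /wp-login.php?itsec-hb-token=wplogin HTTP/1.1" 200 4213
203.0.113.5 - - [10/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 403 512
198.51.100.7 - - [10/Mar/2024:10:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674
198.51.100.7 - - [10/Mar/2024:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674
198.51.100.9 - - [10/Mar/2024:10:02:00 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 310
"""

# Captures the client IP and the request target of a common-log-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} ')
AUTH_VECTORS = ("wp-login", "xmlrpc", "rest-api")

def classify(target, slug):
    """Name the entry point a request target belongs to."""
    url = urlsplit(target)
    path = url.path.rstrip("/")
    if path == "/" + slug:
        return "login-slug"
    if path == "/wp-login.php":
        token = parse_qs(url.query).get("itsec-hb-token")
        return "token-redirect" if token == [slug] else "wp-login"
    if path == "/xmlrpc.php":
        return "xmlrpc"
    return "rest-api" if path.startswith("/wp-json") else "other"

def summarize(log_text, slug):
    """Count requests per (client IP, entry point)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits[(m.group(1), classify(m.group(2), slug))] += 1
    return hits

def clients_without_slug(log_text, slug):
    """Hits on login-capable endpoints from IPs never seen using the slug."""
    hits = summarize(log_text, slug)
    knew_slug = {ip for ip, v in hits if v in ("login-slug", "token-redirect")}
    found = {}
    for (ip, v), n in hits.items():
        if ip not in knew_slug and v in AUTH_VECTORS:
            found.setdefault(ip, {})[v] = n
    return found
```

Matching by IP address is only an approximation, because the Hide Backend cookie belongs to a browser rather than an address. Treat the result as a list of clients to review, not as proof of an attack.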

In fact, the Hide Backend feature doesn’t really change anything. Yes, it does prevent most users from directly accessing the default login URL. But after someone enters the custom login URL, they are redirected back to the default WordPress login URL.

The truth is that you can’t completely hide the backend login page of your WordPress website.

If you were to change the wp-admin URL, you would break your site. Everything you install on your site, including WordPress, assumes that /wp-admin will be in the URL. When you do something as basic as creating a post, you have to go through the wp-admin before you get to /wp-admin/post.php.

Customizing the login URL is also known to cause conflicts. There are some plugins, themes, or third-party apps that hardcode wp-login.php into their code base. So when a hardcoded piece of software is looking for yoursite.com/wp-login.php, it finds an error instead.

A brute force attack is a trial-and-error method used to obtain information such as a username or password. In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data.
