Prevent Mass Hacker Login Attempts

June 2020

Overview

WordPress is the most popular CMS on the Internet. It gives users great power, customization and ease of use, but that popularity also attracts hackers and other security threats, so keeping a WordPress website safe and secure can be challenging.

One method hackers use is mass login attempts. The attacker identifies the website's login page, identifies a likely username, and then tries hundreds or even thousands of possible passwords with an automated script. All of these attempts can happen within seconds.

Open Source

WordPress is an open source platform, which means all of the code WordPress uses is freely available at any time. It does not take long for a developer, or anyone with technical experience, to identify which file contains the login logic.

That file is `wp-login.php`, and it even comes with helpful developer comments. The first comment in the file is:

```php
/**
 * WordPress User Page
 *
 * Handles authentication, registering, resetting passwords, forgot password,
 * and other user handling.
 *
 * @package WordPress
 */
```

This comment makes it clear that the file handles authentication, i.e. login.

Public Access

If a hacker understands the WordPress source code, how does that translate to an actual live website? Simple: since WordPress is PHP based, the hacker can request that file through a browser at the corresponding URL, `your_domain.com/wp-login.php`.

Does this mean they can see the contents of the file your website is using? No. They only know how it works. Think of it like a particular model of door lock: if the blueprint for the inside of that lock were open source, available to the public, a burglar could understand how the lock works, but they still can't see what is inside your lock.

Hide Public Access

So how can we prevent hackers from performing mass login attempts on our website? We can simply rename the login file. Unfortunately this step does require help from a developer, but it should only take 5 to 10 minutes. If you can't find a developer, don't worry, just contact us and we can help you.

So how does renaming the file prevent mass login attempts? By renaming the file we move the public login to a unique location that hackers don't know about. If they can't find the login page, they can't run their login attempts against it.

Renaming And Replacing

To implement this solution we need to rename the file and replace every occurrence of `wp-login` within the file. We can name it whatever we want: after a favorite dog, or a random collection of characters like `jkdhsfgjkdf9044b8g`.


Regardless of what you name it, make sure you remember it or write it down, because from now on you log in via the new URL, which is the same as the new file name.

For the sake of example, we will rename a demo website's login file to `blah_blah.php`.

Now all we have to do is find all of the `wp-login` references within the new login file and replace them with our new name `blah_blah`.
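The rename-and-replace step as a small POSIX shell script, added here as an example (it is not part of the original post and not WordPress's own tooling). It writes a rewritten copy of `wp-login.php` under the new name, replaces every `wp-login` reference in that copy as described above, refuses names that would be unsafe in a URL or a `sed` replacement, and removes the original only after the copy exists. The WordPress root path, the new name and the stand-in login file used in the demo are all constructed for the example; on a real site, take a backup first and point the function at the site's root.

```shell
#!/bin/sh
# Added example, not from the original post: rename wp-login.php to a new,
# hard-to-guess name and rewrite the 'wp-login' references inside the copy.
# Assumed inputs: $1 is the WordPress root directory, $2 the new base name
# (letters, digits, underscore and hyphen only). Back the site up first.

rename_wp_login() {
    wp_root="$1"
    new_name="$2"
    src="$wp_root/wp-login.php"
    dst="$wp_root/$new_name.php"

    # Only allow characters that are safe in a URL, a filename and a sed replacement.
    case "$new_name" in
        ''|*[!A-Za-z0-9_-]*)
            echo "rename_wp_login: invalid name '$new_name'" >&2
            return 1 ;;
    esac
    if [ ! -f "$src" ]; then
        echo "rename_wp_login: $src not found" >&2
        return 1
    fi
    if [ -e "$dst" ]; then
        echo "rename_wp_login: $dst already exists, refusing to overwrite" >&2
        return 1
    fi

    # Write the rewritten copy first and remove the original only once that
    # succeeded, so a failure half-way never leaves the site without a login file.
    sed "s/wp-login/$new_name/g" "$src" > "$dst" || return 1
    rm "$src"

    # Report how many 'wp-login' references survived (expected: 0).
    remaining=$(grep -c 'wp-login' "$dst" || true)
    echo "login file is now $dst (remaining 'wp-login' references: $remaining)"
    [ "$remaining" -eq 0 ]
}

# Demo on a constructed stand-in for wp-login.php in a temporary directory;
# the real file is far longer but carries the same kind of references.
demo_root=$(mktemp -d)
cat > "$demo_root/wp-login.php" <<'EOF'
<?php
/** constructed stand-in for wp-login.php (example only) */
$redirect_to = site_url( 'wp-login.php?action=lostpassword' );
$login_form  = '<form action="wp-login.php" method="post">';
EOF

rename_wp_login "$demo_root" "blah_blah"
cat "$demo_root/blah_blah.php"
rm -r "$demo_root"
```

Save it as, say, `rename_login.sh` (a name chosen for this example) and run `sh rename_login.sh` from a shell with write access to the site. One check worth doing afterwards: WordPress core builds its own login links with `wp_login_url()`, which is based on `site_url( 'wp-login.php' )`, so visit `/wp-admin/` while logged out and confirm that the redirect and any "log in" links on the site reach the new file; the `login_url` filter is the core hook for adjusting those links.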

Summary

Now that we've renamed our login file and replaced the references within it with our new name, we can simply go to the new login page at `your_domain.com/blah_blah.php`.

With this new URL, we can protect our WordPress website from mass login attempts. There are additional ways to prevent this type of attack, e.g. paid plugins, but this gives us a solid first line of defense.

WordPressLLC.com