With the latest version of the Patchstack plugin, we have re-introduced WordPress login page protection – a feature to block access to the standard login page.
Recently we removed the ability to “hide” the wp-login.php and /wp-admin/ (which redirects to the login page) pages because the real login page can be exposed in many other ways, especially in combination with other plugins that may re-introduce bypasses to allow regular users to log in.
Security through obscurity (STO) is a process of implementing security within a system by enforcing secrecy and confidentiality of the system’s internal design architecture. Security through obscurity aims to secure a system by deliberately hiding or concealing its security flaws. (Source)
We’ve always tried to avoid security through obscurity and do our best not to give users a false sense of security.
For that reason, we have recommended using the captcha challenge on the login page, rate-limiting, and 2FA for privileged accounts (you can enable those options in Patchstack under Hardening options) as a better way to solve this issue.
Brute-force attacks against accounts mostly succeed only when the passwords are weak. Therefore, the very first step is to enforce strong passwords (read how).
We have listened to the feedback of our customers and decided to completely rework the /wp-admin/ protection option and add it back in a slightly different way.
With the new approach, access to wp-login.php is completely blocked (not hidden). The only way to reach the login page is to first visit a secret page/link, after which your IP address is whitelisted for 10 minutes. You will then be allowed to access the wp-login.php page to log in.
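The gate described above can be modelled in a few lines. This is an added example, not Patchstack's plugin code: the class, the function names, the secret path `/example-secret-entry`, the 403/302 status codes and the sample requests are all assumptions made for illustration.

```python
import hmac
import time

ALLOW_SECONDS = 10 * 60  # the 10-minute window from the post


class LoginGate:
    """Model of "blocked, not hidden": wp-login.php is refused unless the
    client IP visited the secret link within the last ALLOW_SECONDS."""

    def __init__(self, secret_path, clock=time.time):
        self.secret_path = secret_path.encode()
        self.clock = clock
        self.allowed = {}  # ip -> expiry timestamp

    def handle(self, ip, path):
        """Return the HTTP status this model answers with (assumed codes)."""
        now = self.clock()
        # Drop expired entries first so access never outlives the window.
        self.allowed = {a: t for a, t in self.allowed.items() if t > now}
        route = path.split("?", 1)[0]
        # Constant-time comparison of the requested path with the secret.
        if hmac.compare_digest(route.encode(), self.secret_path):
            self.allowed[ip] = now + ALLOW_SECONDS
            return 302  # redirect to the login page
        if route == "/wp-login.php":
            # Keyed on IP only: every client behind that address shares the
            # window, so passwords, rate limiting and 2FA still matter.
            return 200 if ip in self.allowed else 403
        return 200  # everything else is untouched by the gate


def replay(requests, secret_path):
    """Replay (timestamp, ip, path) tuples and return the status of each."""
    now = [0.0]
    gate = LoginGate(secret_path, clock=lambda: now[0])
    statuses = []
    for ts, ip, path in requests:
        now[0] = ts
        statuses.append(gate.handle(ip, path))
    return statuses


# Constructed sample traffic (documentation-range IPs), not real logs.
SAMPLE = [
    (0, "203.0.113.7", "/wp-login.php"),           # no prior visit
    (5, "203.0.113.7", "/example-secret-entry"),   # opens the window
    (10, "203.0.113.7", "/wp-login.php?action=x"), # inside the window
    (20, "198.51.100.9", "/wp-login.php"),         # different IP
    (604, "203.0.113.7", "/wp-login.php"),         # one second before expiry
    (605, "203.0.113.7", "/wp-login.php"),         # window has closed
]

if __name__ == "__main__":
    print(replay(SAMPLE, "/example-secret-entry"))
```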
This approach solves many issues with the previously known methods. It’s also more fail-safe than existing solutions that can easily conflict with other plugins. For more ways to secure your website, read about the top 4 reasons why WordPress websites get hacked and how to avoid it.
Check our updated WordPress login page protection from the Patchstack app.