NameHero Blog

How To Prevent Bots From Hammering Your Login Page

Bhagwad Park

Published on: April 17, 2019

Categories: Website Performance

At some point in your site’s journey, you become important enough to start getting hit by spambots. I don’t know exactly what the limit is, but it always happens. This can take many forms – rogue crawlers, comment spam, and login spam. Of these three, by far the last one is the most annoying. You can block crawlers, and add captchas to comment spam, but dealing with login page bots is the most difficult.

It’s not just the volume. The problem with spamming the login page is that it uses up precious resources in the database. It’s not a page that should be cached, so it’s always generated fresh by the server. And when someone tries a username/password combination, the query needs to be executed on the database each time – there’s no shortcut.

This kind of constant spamming can slow your site to a crawl. You may not even realize it’s happening – your site will be slow, and you’ll blame your hosting provider, or try measures like caching to speed things up, but it won’t help. You need to stop the wp-login.php spammers in their tracks. NameHero already has a tutorial on the various ways to secure your admin folder. They include password protecting your admin directory, setting up 2-factor authentication, and limiting the number of login attempts.

But I find the simplest and most resource-efficient solution is to rename the login page to something that only you know. This way, everyone trying the old login page will just get a 404 error with no resources consumed. The redirection is done in the .htaccess file, so it places barely any load on the server at all!

Using the iThemes Security Plugin

For this particular use-case, I choose to use a plugin instead of custom WordPress code. The reason is that it’s too sensitive a matter and I don’t want to be locked out of my own website in case something goes wrong. iThemes is a well-respected WordPress plugin with paid and free versions, and they have a complete security team working on it. So that’s what I’m going with.

Download and install the plugin from the WordPress directory. Once activated, head over to the settings and click the “Advanced” tab on the top right as shown here:

iThemes Advanced Options

This will open up a bunch of special options that I highly recommend you look into. One of them is called “Hide Backend”. This module will change the name used to access wp-login.php and redirect everyone else to a 404 page. Going forward, enable the functionality by clicking the checkbox here:

Enable Hide Backend on WordPress

In the “Login Slug” section, choose a name that you want to use for your new login page. In this example, I just use “newlogin”. This is the name that you append to your WordPress site to access the login page like this:

https://www.yourdomain.com/[loginslug]

Save your changes. Now when you try and access the old wp-login.php page, it should redirect to the page of your choosing – usually a 404.

And when you use the new URL above, you get the real login page as shown here:

New Login Page

And that’s it! You’ll no longer be spammed by bots hijacking your database resources by guessing usernames and passwords. Even if you have a strong password, you need something like this to essentially deal with denial of service attacks.

Another thing you can do is to protect your xmlrpc.php file, as this is another vector through which people can spam your site with credential guessing. These two measures together should significantly drop the load on your site and allow you to dedicate more resources to things that matter – serving your real visitors!
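
As an added example (not from the original article or the iThemes plugin), this Python script tallies requests to wp-login.php and xmlrpc.php in a combined-format access log, so you can see whether bots are hitting the login endpoints and confirm that the old URL returns 404 after the change. The log lines are constructed sample data, and the `summarize` function and its `threshold` value are assumptions made for illustration.

```python
import re
from collections import Counter

# Apache/Nginx "combined" format: ip - - [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# The two endpoints the article names as credential-guessing targets.
TARGETS = ("/wp-login.php", "/xmlrpc.php")

def summarize(lines, threshold=3):
    """Count hits on the login endpoints; threshold is an arbitrary assumption."""
    stats = {t: {"by_ip": Counter(), "by_status": Counter()} for t in TARGETS}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]  # ignore any query string
        for target in TARGETS:
            if path.endswith(target):  # also matches subdirectory installs
                stats[target]["by_ip"][m["ip"]] += 1
                stats[target]["by_status"][m["status"]] += 1
    report = {}
    for target, s in stats.items():
        total = sum(s["by_status"].values())
        report[target] = {
            "total": total,
            # Requests answered with something other than 403/404 still
            # reached WordPress, so they still cost PHP and database time.
            "not_blocked": total - s["by_status"]["404"] - s["by_status"]["403"],
            "noisy_ips": sorted(ip for ip, n in s["by_ip"].items() if n >= threshold),
        }
    return report

# Constructed sample data (documentation IP ranges), not real traffic.
_FMT = '{ip} - - [17/Apr/2019:10:00:0{n} +0000] "{req} HTTP/1.1" {st} 512 "-" "-"'
_ROWS = [
    ("203.0.113.7", "POST /wp-login.php", 200),
    ("203.0.113.7", "POST /wp-login.php", 200),
    ("203.0.113.7", "POST /wp-login.php", 200),
    ("198.51.100.23", "POST /xmlrpc.php", 200),
    ("203.0.113.7", "GET /wp-login.php", 404),  # after enabling Hide Backend
    ("192.0.2.10", "GET /newlogin", 200),       # the new slug is not counted
]
SAMPLE_LOG = [_FMT.format(ip=ip, n=i, req=req, st=st)
              for i, (ip, req, st) in enumerate(_ROWS)]

if __name__ == "__main__":
    for endpoint, info in summarize(SAMPLE_LOG).items():
        print(endpoint, info)
```

Once the login page has been renamed, `not_blocked` for `/wp-login.php` should stay at zero for new log entries while `total` keeps counting the bots that are now getting 404s.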

Bhagwad Park

I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!

Comments

  1. Vivek says

    February 18, 2020 at 5:47 am

    Thanks. I discovered this plugin by your content and found it very useful. Cheers !!

  2. Bhagwad Park says

    April 7, 2021 at 2:47 pm

    trying to sell your plugin ?

    • Bhagwad Park says

      April 12, 2021 at 11:58 am

      If I owned iThemes, I wouldn’t need to resort to articles like this to sell it 😛 .
