At some point in your site’s journey, you become important enough to start getting hit by spambots. I don’t know exactly where the threshold is, but it always happens. This can take many forms: rogue crawlers, comment spam, and login spam. Of these three, the last is by far the most annoying. You can block crawlers and put captchas on your comment forms, but dealing with bots hammering the login page is the hardest.
It’s not just the volume. The problem with spamming the login page is that every attempt burns precious resources in PHP and in the database. The login page is not something that can be cached, so it’s always generated fresh by the server. And each time someone submits a username/password combination, WordPress has to load, look the user up in the database and run the password-hash check, which is deliberately slow by design. There’s no shortcut.
This kind of constant spamming can slow your site to a crawl. You may not even realize it’s happening: your site will be slow, you’ll blame your hosting provider, or try measures like caching to speed things up, and none of it will help, because the requests doing the damage are exactly the ones caching cannot touch. You need to stop the wp-login.php spammers in their tracks. NameHero already has a tutorial on the various ways to secure your admin folder, including password protecting your admin directory, limiting login attempts, and adding two-factor authentication.
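Before changing anything, it helps to confirm that this is really what is slowing you down. The script below is an added example for this article, not code from the post or from iThemes. It assumes your web server writes the standard Apache/Nginx “combined” access-log format, and the sample lines it runs on are constructed for the demo. It reports how many requests were credential POSTs to wp-login.php and xmlrpc.php, how many of those actually reached WordPress’s login code (a failed login re-renders the form with a 200), and which addresses are sending them.

```python
"""Measure how much of your traffic is wp-login.php / xmlrpc.php hammering.

Added example for this article (not code from the post or from iThemes).
Assumes the Apache/Nginx "combined" access-log format. The sample lines are
constructed for the demo (RFC 5737 documentation addresses), not real traffic.
"""
import re
import sys
from collections import Counter

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The two WordPress endpoints where an unauthenticated POST costs a database
# lookup plus a deliberately slow password-hash comparison.
AUTH_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample log: one bot on wp-login.php, one on xmlrpc.php, one
# human visitor, and a junk line that must be skipped.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2021:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 627 "-" "python-requests/2.25"
198.51.100.7 - - [12/Mar/2021:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 627 "-" "python-requests/2.25"
192.0.2.55 - - [12/Mar/2021:10:00:06 +0000] "GET / HTTP/1.1" 200 15321 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2021:10:00:07 +0000] "GET /about/ HTTP/1.1" 200 12033 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2021:10:00:08 +0000] "GET /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2021:10:00:09 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 4300 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2021:10:00:10 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "python-requests/2.25"
this line is not in combined format and must be skipped
"""


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if it doesn't fit."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # "/wp-login.php?action=x" -> "/wp-login.php"
    rec["status"] = int(rec["status"])
    return rec


def summarize(lines, top_n=5):
    """Count requests to the auth endpoints and who is sending them."""
    total = 0
    endpoint_hits = Counter()  # every request to an auth endpoint, any method
    attempts = []              # POSTs only: the requests that carry credentials
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if rec["path"] in AUTH_ENDPOINTS:
            endpoint_hits[rec["path"]] += 1
            if rec["method"] == "POST":
                attempts.append(rec)
    # 403/404 means the web server or a hidden-login 404 stopped the request
    # before the login code ran; anything else reached WordPress.
    rejected = sum(1 for a in attempts if a["status"] in (403, 404))
    return {
        "total_requests": total,
        "endpoint_hits": dict(endpoint_hits),
        "guess_attempts": len(attempts),
        "attempts_served": len(attempts) - rejected,
        "attempts_rejected": rejected,
        "attempt_share": round(len(attempts) / total, 2) if total else 0.0,
        "top_ips": Counter(a["ip"] for a in attempts).most_common(top_n),
    }


if __name__ == "__main__":
    # Pass a real access log path, or run with no argument to use the sample.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    report = summarize(lines)
    print(f"{report['guess_attempts']} of {report['total_requests']} requests "
          f"({report['attempt_share']:.0%}) were credential POSTs to {AUTH_ENDPOINTS}")
    print(f"reached WordPress login code: {report['attempts_served']}, "
          f"blocked or 404: {report['attempts_rejected']}")
    for ip, n in report["top_ips"]:
        print(f"  {ip:<16} {n}")
```

Run it against your server’s access log before and after the change: the attempt count will not drop (the bots keep trying), but the “reached WordPress login code” figure should fall to zero once the old URL only returns 404s.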
But I find the simplest and most resource-efficient solution is to rename the login page to a URL that only you know. Everyone who tries the old login page just gets a 404 error. Whether the rename is enforced by a rewrite rule in the .htaccess file or by a quick URL check before WordPress processes the login, a bot hitting the old URL now costs a cheap request rather than a database lookup and a password-hash check, so it places barely any load on the server. Be clear about what this does and does not do: it silences bots that blindly target the default URL, but it is not a substitute for strong passwords and login-attempt limits, because anyone who learns the new slug faces the same login form as before.
Using the iThemes Security Plugin
For this particular use case, I chose to use a plugin instead of custom WordPress code. The reason is that it’s too sensitive a matter, and I don’t want to be locked out of my own website if something goes wrong. iThemes Security is a well-respected WordPress plugin with paid and free versions, and it has a full security team working on it. So that’s what I’m going with.
Download and install the plugin from the WordPress directory. Once it is activated, head over to its settings and click the “Advanced” tab at the top right, as shown here:
This opens a set of advanced options that I highly recommend you look into. One of them is called “Hide Backend”. This module changes the URL used to reach wp-login.php and sends everyone who requests the old one to a 404 page. Enable it by ticking the checkbox here:
In the “Login Slug” field, choose the name you want for your new login page. In this example I use “newlogin”. Pick something that does not collide with an existing page or post slug, and keep a note of it. Appending this slug to your site’s address gives you the new login URL, like this:
Save your changes. Now when you try to access the old wp-login.php page, you should land on the page of your choosing, usually a 404. Before you log out of your current session, open the new URL in a private browser window to confirm that it really serves the login form; that way a typo in the slug cannot lock you out.
And when you use the new URL above, you get the real login page as shown here:
And that’s it! Bots guessing usernames and passwords against the old URL will no longer tie up your database. A strong password protects you from a break-in, but not from the load of thousands of failed attempts, which is essentially a denial-of-service attack, and that is what this measure addresses.
Another thing you can do is protect your xmlrpc.php file, which is another route for credential guessing, and in terms of load the worse of the two: XML-RPC’s system.multicall method lets a bot pack hundreds of password guesses into a single request. Denying access to it at the web server level is the cheapest fix, but if you rely on Jetpack or the WordPress mobile apps, which talk to your site over XML-RPC, restrict it rather than blocking it outright. Together, these two measures should significantly drop the load on your site and free up resources for the things that matter: serving your real visitors!
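Once Hide Backend is on and xmlrpc.php has been dealt with, it is worth confirming the result from the outside rather than trusting the settings page. The script below is an added example for this article, not code from the post or from iThemes. It assumes the finished setup looks like the one described above: the old wp-login.php answers 404 (a redirect is also accepted, in case you configured one instead), the new slug (“newlogin” is used as a placeholder) serves the form with a 200, and xmlrpc.php has been denied at the web server so a POST to it returns 403 or 404. It deliberately POSTs to xmlrpc.php, because an unprotected xmlrpc.php answers a plain GET with 405 anyway, which would look like a block when it is not.

```python
"""Verify from the outside that the login hardening described above took effect.

Added example for this article (not code from the post or from iThemes).
Assumptions, not facts from the post: the old wp-login.php returns 404 (or a
redirect), the new slug returns 200, and a POST to xmlrpc.php returns 403/404
because it has been denied at the web server. An unprotected xmlrpc.php
answers a POST with 200 (an XML fault body), so 200 here means "not blocked".
"""
import sys
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx codes instead of following them, so a redirect is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(method, url, timeout=10):
    """Return the HTTP status code for METHOD url without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        url,
        data=b"" if method == "POST" else None,
        method=method,
        headers={"User-Agent": "login-hardening-check/1.0"},
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 3xx, 4xx and 5xx all arrive here
        return err.code


def check_hardening(base_url, login_slug, fetch=http_status):
    """Probe the three endpoints; returns {check_name: {url, status, ok}}.

    `fetch(method, url) -> status` is injectable so the decision logic can be
    exercised offline with a stub; by default it makes real requests.
    """
    base = base_url.rstrip("/")
    probes = {
        # The old URL must no longer serve the form. A 3xx also counts as
        # hidden, for setups that redirect instead of returning 404.
        "old_login_hidden": ("GET", f"{base}/wp-login.php",
                             {404, 301, 302, 303, 307, 308}),
        # The new slug is the only place the real form should appear.
        "new_login_served": ("GET", f"{base}/{login_slug}", {200}),
        # POST, not GET: unprotected xmlrpc.php gives 405 to GET regardless.
        # A web-server deny rule gives 403; a removed file gives 404.
        "xmlrpc_blocked": ("POST", f"{base}/xmlrpc.php", {403, 404}),
    }
    results = {}
    for name, (method, url, acceptable) in probes.items():
        status = fetch(method, url)
        results[name] = {"url": url, "status": status, "ok": status in acceptable}
    return results


def all_ok(results):
    """True only if every probe returned an acceptable status."""
    return all(r["ok"] for r in results.values())


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_login_hardening.py https://yoursite.example newlogin")
    report = check_hardening(sys.argv[1], sys.argv[2])
    for name, r in report.items():
        print(f"{'PASS' if r['ok'] else 'FAIL'}  {name:<18} {r['status']}  {r['url']}")
    sys.exit(0 if all_ok(report) else 1)
```

Save it under any name (check_login_hardening.py is just the name used in the usage line) and run it with your site’s canonical https address and your slug. Use the https form of the address, otherwise an http-to-https redirect on the new slug will be reported as a failure. A non-zero exit status on any FAIL makes it easy to run from cron after plugin or host changes.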
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!