I’ve had many (and I mean many…) client ask me to change the URL of their sites administration area – so hackers can’t find it! They’ve read a couple of random blogs about online security and thought that everything that everyone says must be true. That’s how the internet works… doesn’t it?
The problem is that this particular “security hack” doesn’t actually do anything to help your sites security at all.
Let’s go through what happens with most sites. I’ll use this site as an example as it’s running on WordPress like a major percentage of the worlds websites are. For any WordPress website, you can easily find the admin URL by adding /wp/admin/ after the sites URL. So as an example the admin URL of this site is https://catacuastic.com/wp-admin – and I’m happy to show that.
The reason that I’m happy to give anyone that sites administration login URL is that anyone that knows about websites already knows it without me telling them. Anyone that’s actively trying to hack into my site already knows it and is actively trying all of the time. This site doesn’t get a lot of traffic, but so far in the last month Wordfence has told me that there’s been over 300 attempts to hack into the site.
None have been successful in getting in.
There’s no secret to good security, especially for WordPress. You need to choose a secure password. That means a compound word that no one else would know. Even better, use a passphrase to add in even more randomness. If you want the best, use one of the many password security programs out there, like Lastpass, to generate and store really secure passwords for you. On top of that you can look at 2FA (Two Factor Authentication) if you need another layer of security.
A real-world example
I can’t think of a better example of this then Gmail. Think about it – everyone knows the login URL for Gmail, and if you know someone’s email address you know their username. The only thing that you don’t know is their password. Even with all of this, a Gmail account getting hacked doesn’t happen often, and when it does it’s almost always a short or insecure password that’s the cause.