WordPress Security

Security Through Obscurity: Should you change your WP-Admin Directory?

One of the most common recommendations that you hear regarding WordPress security upgrades is to change the name of your WP-Admin directory. Does this really make much of a difference?

Not really.

Improving WordPress Security by changing the WP-Admin directory

So what does this do exactly? Well, it makes it harder for a hacker to find your WP-Admin directory and attempt a brute force hack. That’s known as “security through obscurity,” and while it will prevent a certain number of malicious IPs from reaching your login screen, it won’t prevent sophisticated attacks in any real way. Here is what the Wordfence security experts have to say about this:

Changing your WP-Admin Directory Can Break Your Site

There are tons of plugins and themes that depend on wp-admin being located at /wp-admin. One common reason is that plugins or themes may rely on accessing the admin-ajax.php file, which is in the root of the WP-Admin directory. If you change this directory, the plugin or theme may not have the proper configuration to be able to find it at its new directory, and the AJAX call will fail. For many sites, changing this directory isn’t a viable option, and as you will see, it does little to protect your site at the end of the day.

Better WordPress Protection Against Brute Force

The security pros at Wordfence have a great feature that detects brute force hack attempts and bans the IP address that attempted the hack. It then submits this IP to a blacklist, which includes blacklisted IPs from all over the world. IP addresses that are on this blacklist are not permitted to access your website.

The easiest solution for protecting your site is to ensure that every user has a strong password. This is critical. Your WordPress site security is only as bulletproof as your weakest armor, and if users are creating weak passwords, there will always be security issues. We recommend auditing password strength for all users automatically, and making sure that they are all using strong passwords. For an extra layer of security, you can also enable 2FA to force users to verify their login on new devices.

Contact Valier for a full WordPress Website Security Audit

To refer back to the armor analogy, it’s important to note that security issues with themes and plugins are the most common way in which WordPress sites are hacked. It’s imperative that you keep your WordPress website up to date, including themes, plugins, and WP-Core, and that you audit every plugin that you use to make sure you aren’t installing something that damages the security of your site.

The best way to make sure that you are doing everything you can from a security standpoint is to hire a WordPress security expert. Valier offers a fixed-rate audit for any WordPress site, which is a great way to make sure you are doing what you can to protect your website and your customers’ data. We will analyze plugins and themes, and perform a series of updates to make sure your site is safe and secure. We also offer ongoing WordPress security services, which include premium security services and ongoing testing/updates. If you want to be a worry-free WordPress site owner, this is the way to go.