
December 27, 2011

Avoiding WordPress login hackers

Filed under: blog, hacking, security, software, wordpress — admin @ 3:44 pm

Lately in my server logs I’ve been seeing a lot of attempts to hack into WordPress. The hackers appear to have automated means of working well-known exploits such as those against timThumb.php and phpMyAdmin, but I’ve also seen persistent efforts at brute-force login attacks using a big password set. A lot has been written about the exploits, and patches exist for them that you can find elsewhere, but the simple way I avoid the most common brute-force login hackers out of the gate is to not even have the well-known WordPress login script wp-login.php visible. If you rename that file to something like wp-myspecial-xyz-login.php and do a full text replace of the filename as it appears in the code of that page to match your new name, you should find that your login works as before (but with a revised URI to match the new name). However, the simple wp-login.php login hackers will just get 404s and might move on to greener pastures.

Of course, this can complicate later patches, so keep a backup of the original file and stick it back in when you are patching. At least, that’s one approach you can take. There are many similar ones.
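The rename-and-replace step and the restore-before-patching step described above, as an added shell example (not the author's own script). The function names and the separate backup directory are assumptions; the new file name is whatever you choose.

```shell
#!/bin/sh
# Added example, not WordPress code. The new file name and backup directory
# are the caller's choice; keep the backup directory outside the web root.

# hide_login WP_DIR NEW_NAME BACKUP_DIR
hide_login() {
    wp_dir=$1 new_name=$2 backup_dir=$3
    orig="$wp_dir/wp-login.php"
    # The name is spliced into a sed expression, so allow only safe characters,
    # and refuse names that still contain the well-known file name.
    case $new_name in
        ''|*[!A-Za-z0-9._-]*|*wp-login.php*) echo "bad name: $new_name" >&2; return 1 ;;
        *.php) ;;
        *) echo "name must end in .php" >&2; return 1 ;;
    esac
    [ -f "$orig" ] || { echo "no wp-login.php in $wp_dir" >&2; return 1; }
    [ ! -e "$wp_dir/$new_name" ] || { echo "$new_name already exists" >&2; return 1; }
    mkdir -p "$backup_dir" && cp -p "$orig" "$backup_dir/wp-login.php" || return 1
    # Full text replace of the file name inside the page itself.
    sed "s/wp-login\.php/$new_name/g" "$orig" > "$wp_dir/$new_name" || return 1
    rm -f "$orig"
}

# restore_login WP_DIR NEW_NAME BACKUP_DIR
# Puts the untouched original back so a patch applies cleanly; run hide_login
# again afterwards to rebuild the renamed page from the patched file.
restore_login() {
    wp_dir=$1 new_name=$2 backup_dir=$3
    [ -f "$backup_dir/wp-login.php" ] || { echo "no backup found" >&2; return 1; }
    cp -p "$backup_dir/wp-login.php" "$wp_dir/wp-login.php" || return 1
    rm -f "$wp_dir/$new_name"
}

# leftover_refs WP_DIR NEW_NAME
# Prints how many lines of the renamed page still mention wp-login.php (expect 0).
leftover_refs() {
    grep -c 'wp-login\.php' "$1/$2" || [ $? -eq 1 ]
}
```

Typical use is `hide_login /path/to/wordpress wp-myspecial-xyz-login.php /path/to/backups`, then `restore_login` with the same arguments before patching.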


  1. I salute your efforts and go back to hide in my secure computerless cave.

    Comment by Control-escape. — December 27, 2011 @ 4:18 pm

  2. I'm glad to know that! Great, thanks for contributing so much with this wonderful content! Good job!

    Comment by Car Repair — March 19, 2012 @ 5:08 pm
