WordPress URL Masking: The Sauce

WordPress URL masking is the process of changing the default login URL (or any other URL) to prevent any sort of malicious attack on your site.

A WordPress site's login URL is always coolwebsite.com/wp-login.php by default. According to w3techs.com, 34.6%, or 525,299,765 websites, are powered by WordPress. Taking these two pieces of information into account, you can imagine the ease with which a malicious actor could jump from site to site simply by appending /wp-login.php to the URL.

Brute Force Attacks

The primary reason for masking a URL is to prevent a brute force attack on your site. A brute force attack, with regard to website logins, is where the attacker uses a process of trial and error to try to gain access to your site. Usually, the actual “attack” is carried out by a script that can try email/password combinations much faster than any human could by typing. This type of attack exploits human laziness, which is why password complexity is so important.

Even with a complex password, given enough time a program will figure it out; this is basic cryptography. So why even give them the chance to try? This is why I highly recommend URL masking. You make it that much harder for a bad actor to gain access to and compromise your site, and it’s as simple as installing a plugin.
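
One way to spot the scripted guessing described above in your access logs, and to see what masking changes there, as an added example (not code from this post or from any plugin). It assumes combined-format access logs, a hypothetical masked slug `/team-entrance`, and a masked site that answers the default URL with a 404; the log lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" \d{3}')
DEFAULT_LOGIN = "/wp-login.php"

# Constructed sample from a site whose login was moved to /team-entrance (assumed slug).
SAMPLE_LOG = """\
198.51.100.20 - - [12/Mar/2024:09:58:31 +0000] "POST /team-entrance HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 404 162 "-" "scripted-client"
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 404 162 "-" "scripted-client"
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 404 162 "-" "scripted-client"
203.0.113.7 - - [12/Mar/2024:10:00:04 +0000] "POST /wp-login.php?x=1 HTTP/1.1" 404 162 "-" "scripted-client"
192.0.2.55 - - [12/Mar/2024:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "scripted-client"
"""

def parse(log_text):
    """Yield (ip, time, method, path without query string) for each parsable line."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ip, ts, method, target = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield ip, when, method, target.split("?", 1)[0]

def bruteforce_ips(log_text, login_path=DEFAULT_LOGIN, threshold=4, window_s=60):
    """IPs that sent >= threshold login POSTs within any window_s-second span."""
    posts = defaultdict(list)
    for ip, when, method, path in parse(log_text):
        if method == "POST" and path == login_path:
            posts[ip].append(when)
    flagged = set()
    for ip, times in posts.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= timedelta(seconds=window_s):
                flagged.add(ip)
                break
    return flagged

def default_path_probes(log_text):
    """On a masked site no real user needs the default URL, so count who asks for it."""
    return Counter(ip for ip, _, _, path in parse(log_text) if path == DEFAULT_LOGIN)

if __name__ == "__main__":
    print("guessing at default URL:", bruteforce_ips(SAMPLE_LOG))
    print("guessing at masked URL:", bruteforce_ips(SAMPLE_LOG, "/team-entrance"))
    print("default-URL probes:", dict(default_path_probes(SAMPLE_LOG)))
```

Run `bruteforce_ips` against the masked path as well: masking hides the login form, but the rate check is what tells you if someone has found it.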

How to mask a login URL

There are a couple of reputable plugins I have seen for WordPress URL Masking, but I only have experience with one. That plugin is Defender Pro from WPMU Dev (side note, I get no money from you clicking on that link. WPMU is staunchly against affiliates). Besides the security and peace of mind Defender Pro gives, it makes URL masking as simple as typing a couple of letters and clicking save.

WPMU Dev has the highest quality suite of plugins I’ve used as a WordPress Developer and I would seriously consider taking them up on their 30 free-trial. Wow, this sounds like a pitch, but I just really like their stuff.