Add option to (more easily) rename /wp-admin/

December 12, 2018 · 19:32 · Daniel Hendricks

An easier/built-in way for users to change the login URL/admin path from the default would be nice. I think that if it was a built-in option, it might encourage more people to do it. Purely as an example:

Daniel Hendricks

What are you trying to achieve by renaming wp-admin?


Some script kiddies have wp-admin hardwired in their scripts as the directory where interesting stuff is. Should you get hacked, having it somewhere else delays them for a few seconds.


I'd say this is almost entirely pointless without refactoring admin-ajax.php first - obfuscation only works without discoverability, and even then only as a last resort.

Paul G.

Simply renaming the admin URL won't protect your site from "script kiddies", and doing so will likely break 1001 different things where the perceived upside is far in excess of any real-world benefits.

Daniel Hendricks

I can accept the argument that it won't protect you from bots, I suppose (I mean, I certainly wouldn't have recommended it as the only thing that you should do). As far as it breaking 1001 different things - I do it on every site that I create. I have not yet encountered an issue. It should be noted, however, that I am not talking about renaming the actual directory, but aliasing it like many of the security plugins do (which maintains the actual path, greatly reducing the likelihood that it will break poorly-developed plugins/themes).

Regardless, I am willing to concede because @invisinet made a valid point. I wonder, however, why so many articles/security plugins recommend it. False sense of security for purposes of marketing?

A part of me feels like it is a rather easy feature to implement, though perhaps unnecessary. I suppose that testing and support would not be as easy - it's never pleasant when someone locks themselves out of WP Admin because they did something silly. Further, the type of person using ClassicPress to begin with probably already knows how to do such things if they want to.

Paul G.

I represent the author of the Shield Security plugin and a long time ago we added the ability to "rename WP Login" - this also effectively makes the WP Admin return a 404 if you're not logged in. It "works" - there's no accessing WP Admin (or login) without already being logged in. But frankly I wish I could remove the option, as it represents "security" by obscurity and is a major support load, as it does "break" some sites, but more accurately it breaks the understanding and workflow of sites that users (who themselves have implemented the option) don't fully appreciate.

It's a massive headache for many, as it just adds obscurity and offers no true security benefits.