Last Updated on January 19, 2020 by Christopher G Mendla
I was using WPS Hide Admin to hide the login URL of my WordPress sites. That is a critical tool in preventing Brute force attacks. After migrating the sites to HTTPS, WPS Hide Login was no longer working. I found a simple solution to the problem.
Brute force attacks can allow a hacker to take control of your WordPress site. When Brute Force attacks are launched, they are launched from hundreds or thousands of computers. If you allow the attacks, the hackers will eventually crack the password. Many of these attacks are not throttled. In other words, they overload the server they are attacking. This will bring down the target site as well as other sites sharing the hosting.
Some things you can do to hinder these attacks are
The last item is where a tool such as WPS Hide Admin comes in. That plugin allows you to easily change the URL of the login page.
I was using WPS Hide Admin successfully. WPS Hide Admin stopped Brute Force attacks. However, when I migrated the sites to HTTPS, WPS Hide Admin didn’t work. If it was activated, I could not get into the site’s back end. Fortunately, renaming the plugin via FTP in the /wp-content/plugins folder from wps-hide-login to wps-hide-login.old disabled the plugin so I could get back into the site. Support at WPS Hide Login suggested a global replace plugin to change all instances of HTTP to HTTPS in the database. I was reluctant to do that because I wasn’t sure if there would be any issues resulting from that. (Hey, there’s a spider in the corner, hand me a grenade!!)
Not running WPS Hide Admin for about a week resulted in two of my sites coming under a brute force password attack. The resources on the server were maxed out. The attackers were hitting the /wp-logon URL.
I checked the site name in the WordPress settings. I had neglected to change http to https there. As soon as I made the change, WPS Hide Admin worked normally. Using WPS Hide Admin and setting some aggressive settings in Wordfence along with Geo-IP blocking all non-US users stopped the attack in about 12 hours.
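Because these attacks arrive from many computers at once, a per-address limit can miss them while the login URL is still being hammered. The following is an added example, not code from the original post: it scans web server access log lines and reports each minute in which login POSTs are both numerous and spread across several sources. The log lines are constructed samples, the thresholds are assumptions, and the default path is WordPress's stock login script (pass `login_path` to match your own logs).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in combined log format (documentation-range addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2020:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.5 - - [12/Jan/2020:10:15:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
198.51.100.7 - - [12/Jan/2020:10:15:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
198.51.100.7 - - [12/Jan/2020:10:15:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
192.0.2.44 - - [12/Jan/2020:10:15:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
192.0.2.90 - - [12/Jan/2020:10:15:58 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
192.0.2.10 - - [12/Jan/2020:10:15:59 +0000] "GET /wp-login.php HTTP/1.1" 200 2800
192.0.2.10 - - [12/Jan/2020:10:20:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def login_bursts(log_text, login_path="/wp-login.php", min_hits=5, min_ips=3):
    """Return (minute, hits, distinct_ips, busiest_ip_hits) for each minute
    where login POSTs reach min_hits and come from at least min_ips sources."""
    per_minute = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, stamp, method, path, _status = m.groups()
        # Only password submissions count; a GET merely loads the form.
        if method != "POST" or path.split("?")[0] != login_path:
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        per_minute[when.replace(second=0)][ip] += 1
    bursts = []
    for minute, ips in sorted(per_minute.items()):
        hits = sum(ips.values())
        if hits >= min_hits and len(ips) >= min_ips:
            bursts.append((minute.isoformat(), hits, len(ips), max(ips.values())))
    return bursts

if __name__ == "__main__":
    for minute, hits, sources, busiest in login_bursts(SAMPLE_LOG):
        print(f"{minute}: {hits} login POSTs from {sources} sources "
              f"(busiest single source: {busiest})")
```

In the sample, no single address sends more than two attempts in the flagged minute, so a per-address limit of three would never trigger even though the login page received six attempts.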