SOLVED – WPS Hide Admin not working after deploying HTTPS in WordPress
I was using WPS Hide Admin to hide the login URL of my WordPress sites. That is a critical tool in preventing Brute force attacks. After migrating the sites to HTTPS, WPS Hide Login was no longer working. I found a simple solution to the problem.
Brute force attacks can allow a hacker to take control of your WordPress site. When Brute Force attacks are launched, they are launched from hundreds or thousands of computers. If you allow the attacks to continue, the hackers will eventually crack the password. Many of these attacks are not throttled. In other words, they overload the server they are attacking. This will bring down the target site as well as other sites sharing the hosting.
Some things you can do to hinder these attacks are:
- Do not use Admin, Administrator, <sitename>, <sitename>admin or similar easily guessed names for the site administrator. Use something obscure.
- Use a strong password. WordPress auto-generates a strong password. That might be a pain, but it will help avoid being compromised by a dictionary attack.
- Use a tool such as WordFence, which, when properly configured, will block IPs that fail a set number of times. Keep in mind that a Brute Force attack is launched by an army of bots under control of the attacker. Blocking an IP is like whack-a-mole, but it helps.
- Change the URL of the login page.
The last item is where a tool such as WPS Hide Admin comes in. That plugin allows you to easily change the URL of the login page.
I was using WPS Hide Admin successfully. WPS Hide Admin stopped Brute Force attacks. However, when I migrated the sites to HTTPS, WPS Hide Admin didn’t work. If it was activated, I could not get into the site’s back end. Fortunately, renaming the plugin via FTP in the /wp-content/plugins folder from wps-hide-login to wps-hide-login.old disabled the plugin so I could get back into the site. Support at WPS Hide Login suggested a global replace plugin to change all instances of HTTP to HTTPS in the database. I was reluctant to do that because I wasn’t sure if there would be any issues resulting from that. (Hey, there’s a spider in the corner, hand me a grenade!!)
Not running WPS Hide Admin for about a week resulted in two of my sites coming under a brute force password attack. The resources on the server were maxed out. The attackers were hitting the /wp-logon URL.
I checked the site name in the WordPress settings. I had neglected to change http to https there. As soon as I made the change, WPS Hide Admin worked normally. Using WPS Hide Admin and setting some aggressive settings in Wordfence along with Geo-IP blocking all non-US users stopped the attack in about 12 hours.
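The whack-a-mole point about per-IP blocking can be seen in the web server's access log. The following is an added example, not code from this post or from any plugin: it compares a per-IP failure limit with a site-wide rate check on POSTs to `/wp-login.php` (the default WordPress login script). The log lines, IP addresses and both thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

LOGIN_PATH = "/wp-login.php"  # default WordPress login script
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def sample_log():
    """Constructed access-log lines (combined format, documentation IP ranges)."""
    fmt = '{ip} - - [10/Mar/2018:04:{mm:02d}:{ss:02d} +0000] "{req} HTTP/1.1" {st} 3120 "-" "Mozilla/5.0"'
    post = "POST " + LOGIN_PATH
    lines = []
    for bot in range(1, 41):      # 40 bots, 3 guesses each, all in the same minute
        for n in range(3):
            lines.append(fmt.format(ip=f"198.51.100.{bot}", mm=0, ss=(bot + n) % 60, req=post, st=200))
    for n in range(8):            # one noisy client, 8 guesses
        lines.append(fmt.format(ip="203.0.113.9", mm=1, ss=n, req=post, st=200))
    # A legitimate user: loads the form, then logs in once.
    lines.append(fmt.format(ip="192.0.2.10", mm=5, ss=0, req="GET " + LOGIN_PATH, st=200))
    lines.append(fmt.format(ip="192.0.2.10", mm=5, ss=9, req=post, st=302))
    return lines

def login_posts(lines):
    """Yield (ip, minute) for every POST to the login path."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, ts, method, path, _status = m.groups()
        if method == "POST" and path.split("?", 1)[0] == LOGIN_PATH:
            yield ip, ts[:17]     # "dd/Mon/yyyy:HH:MM"

def analyse(lines, per_ip_limit=5, per_minute_limit=30):
    """Compare a per-IP lockout rule with a site-wide rate on the login URL."""
    per_ip, per_minute, sources = Counter(), Counter(), defaultdict(set)
    for ip, minute in login_posts(lines):
        per_ip[ip] += 1
        per_minute[minute] += 1
        sources[minute].add(ip)
    return {
        "total_posts": sum(per_ip.values()),
        # IPs a per-IP rule would block
        "ips_over_limit": sorted(ip for ip, n in per_ip.items() if n > per_ip_limit),
        # minutes where the login URL itself is under load: (posts, distinct IPs)
        "minute_alerts": {m: (n, len(sources[m]))
                          for m, n in per_minute.items() if n > per_minute_limit},
    }

if __name__ == "__main__":
    print(analyse(sample_log()))
```

On the constructed data, the per-IP rule flags only the single noisy client, while the 40 bots making three guesses each stay under it and show up only in the per-minute count on the login URL.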