WordPress Security: How to Protect Your Site from Brute Force Attacks with URL Masking

WordPress URL Masking

Imagine it’s 10pm on a Friday night. You’re catching up on some (insert cool, recent TV show), trying to relax. Suddenly, you get a concerning text from an employee telling you to look at your website. You get on your computer, head to your site, and find childish graphics plastered on the homepage, along with a link to “fix the problem,” which will almost certainly turn out to be a demand for money. This is an extreme example, yes, but it helps paint a picture of what a lack of security can lead to on your WordPress site.

Brute Force Attacks

One of the most common techniques used against WordPress sites is the “brute force attack,” which is exactly what it sounds like: someone submits username/password combinations over and over again until one works, forcing their way into your admin area with almost zero sophistication. Doing this by hand would be incredibly time-consuming, so attackers write software that does the guessing for them, and because, according to w3techs.com, 34.6% of all websites (roughly 525 million by the post’s count) are powered by WordPress, that software can be pointed at a huge number of targets without any changes. WordPress also has a feature that makes the attacker’s job easier, called user enumeration. If you request example.com/?author=1, you are asking WordPress for the profile of the author with ID 1. WordPress answers with a redirect to that author’s archive page, and the URL becomes example.com/author/authorusername, with the real login name in the path. So all the bot has to do is walk the author IDs (1, 2, 3, and so on), collect the usernames, and then try passwords against accounts it knows exist. Instead of guessing both halves of the credential, it only has to guess the password, which shrinks the search space enormously; it does far better than “cutting the time in half.” (The same usernames are often also listed by the public REST API at /wp-json/wp/v2/users, so a fix that only covers ?author= is incomplete.)
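To see the leak described above in practice, here is an added example (not code from the original post, and not part of Defender Pro) that checks whether a site reveals usernames through `?author=N` redirects. The `SAMPLE_RESPONSES` table is a constructed imitation of what a stock WordPress install answers, using the hypothetical domain from this post; `live_fetch()` is an optional helper that performs the same check against a site you own, without following redirects so the `Location` header can be inspected.

```python
"""
Check whether a WordPress site leaks usernames via ?author=N redirects.
Added example for this post; not the original post's code and not Defender Pro.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Constructed sample of what an unhardened WordPress site returns for
# /?author=N: (HTTP status, Location header). Author ID 3 does not exist.
SAMPLE_RESPONSES = {
    1: (301, "https://carolsprettyflowers.com/author/carol/"),
    2: (301, "https://carolsprettyflowers.com/author/cpf_editor/"),
    3: (404, None),
}

# The author archive path WordPress redirects to under pretty permalinks.
AUTHOR_PATH = re.compile(r"^/author/([^/]+)/?$")


def username_from_redirect(status, location):
    """Return the username exposed by an author-archive redirect, else None.

    A hardened site answers 404, or redirects to the home page instead of
    /author/<name>/, and in both cases this returns None.
    """
    if status not in (301, 302, 307, 308) or not location:
        return None
    match = AUTHOR_PATH.match(urlparse(location).path)
    return match.group(1) if match else None


def enumerate_authors(fetch, max_id=10):
    """Walk author IDs 1..max_id using fetch(id) -> (status, location).

    Returns {author_id: username} for every ID that leaked a name.
    """
    found = {}
    for author_id in range(1, max_id + 1):
        status, location = fetch(author_id)
        name = username_from_redirect(status, location)
        if name:
            found[author_id] = name
    return found


def sample_fetch(author_id):
    """Offline fetch() backed by the constructed SAMPLE_RESPONSES table."""
    return SAMPLE_RESPONSES.get(author_id, (404, None))


def live_fetch(base_url):
    """Build a fetch() that queries base_url/?author=N without following redirects.

    Only use this against a site you own or are authorised to test.
    """

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        # Returning None makes urllib raise HTTPError for the 3xx instead of
        # following it, so the Location header stays visible to us.
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None

    opener = urllib.request.build_opener(NoRedirect)

    def fetch(author_id):
        url = f"{base_url.rstrip('/')}/?author={author_id}"
        try:
            with opener.open(url, timeout=10) as resp:
                return resp.status, resp.headers.get("Location")
        except urllib.error.HTTPError as err:
            return err.code, err.headers.get("Location")

    return fetch


if __name__ == "__main__":
    # Offline demonstration against the constructed responses.
    print(enumerate_authors(sample_fetch, max_id=5))
    # Against your own site: enumerate_authors(live_fetch("https://example.com"))
```

If this returns anything but an empty dictionary for your own site, usernames are being handed to anyone who asks, and the login attack that follows only has to guess passwords.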

Changing your URL

So now that we know all of this, how do we prevent it? One part of the answer is URL masking. Like any security measure, it is not impregnable, but it makes your site a harder target for bad actors, which is a good thing. On every fresh install of WordPress the login page lives at example.com/wp-login.php, and example.com/wp-admin redirects there. This is super convenient for someone running a brute force attack, because their software can queue up hundreds of sites, append /wp-admin or /wp-login.php to each one, and bam, there is the login form. This is where URL masking comes in. Say we have a website, carolsprettyflowers.com. URL masking lets us move the login page to something like carolsprettyflowers.com/cpf-admin, and, just as importantly, answer requests for /wp-login.php and /wp-admin with an error so the original address no longer works. A bot that finds nothing at the default address will usually move on to the next site in its list. Two caveats are worth remembering. First, this is obscurity, not access control: renaming the login page does not help if another endpoint that accepts credentials, such as xmlrpc.php, is left reachable, and it does nothing to slow down an attacker who has learned the new address. Second, if your website is worth enough to the attacker, or they have a vendetta against you, they will keep trying. For that case the real defences are login rate limiting or lockout, strong unique passwords, and two-factor authentication.
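Masking the login URL also makes attacks easier to spot, because after the change nothing legitimate should ever request /wp-login.php or /wp-admin. The following added example (not code from the original post, and not Defender Pro) runs over a constructed access-log sample in the common Apache/nginx combined format. It flags any IP that POSTs to a login form more than a threshold number of times within a sliding window, and separately reports IPs that probe the default login addresses. The masked slug `/cpf-admin`, the IPs, and the log lines are all assumptions made for the example.

```python
"""
Detect brute-force login attempts and probes for the default WordPress login
URL in an access log. Added example for this post; not the post's own code.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (combined log format). One bot hammers the default
# login page, one real user logs in via the masked slug, one scanner probes
# /wp-admin/ and receives the 404 that masking now returns.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2019:22:01:03 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.21"
203.0.113.7 - - [12/Apr/2019:22:01:04 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.21"
203.0.113.7 - - [12/Apr/2019:22:01:05 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.21"
203.0.113.7 - - [12/Apr/2019:22:01:06 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.21"
203.0.113.7 - - [12/Apr/2019:22:01:07 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.21"
203.0.113.7 - - [12/Apr/2019:22:01:08 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.21"
198.51.100.20 - - [12/Apr/2019:22:05:10 +0000] "GET /cpf-admin HTTP/1.1" 200 3321 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Apr/2019:22:05:25 +0000] "POST /cpf-admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2019:22:07:00 +0000] "GET /wp-admin/ HTTP/1.1" 404 1234 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Addresses that should be dead once the login URL is masked.
DEFAULT_LOGIN_PATHS = ("/wp-login.php", "/wp-admin", "/wp-admin/")


def parse_line(line):
    """Parse one combined-format line into (ip, timestamp, method, path, status)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]  # drop query string
    return m["ip"], ts, m["method"], path, int(m["status"])


def find_brute_force(lines, login_path="/cpf-admin", threshold=5, window_seconds=60):
    """Scan log lines for login brute force and default-URL probes.

    Returns (flagged, probes):
      flagged - {ip: peak number of login POSTs inside one window} for IPs
                that reached `threshold` POSTs to any login path
      probes  - set of IPs that requested a default WordPress login address
    """
    login_paths = DEFAULT_LOGIN_PATHS + (login_path,)
    recent = defaultdict(deque)  # ip -> timestamps of login POSTs in window
    flagged = {}
    probes = set()
    window = timedelta(seconds=window_seconds)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if path in DEFAULT_LOGIN_PATHS:
            probes.add(ip)
        if method == "POST" and path in login_paths:
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged, probes


if __name__ == "__main__":
    hits, scanners = find_brute_force(SAMPLE_LOG.splitlines())
    print("brute force:", hits)
    print("default-URL probes:", sorted(scanners))
```

In a real deployment the flagged IPs feed a firewall or lockout rule; the point of the example is that once the login page has moved, every hit on the old address is attacker traffic you can act on without fear of blocking a customer.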

Defender Pro

You might be asking yourself, “How do I go about masking my URL? I have no idea how!” Every website that Curious Minds maintains has a premier security plugin installed called Defender Pro. Defender Pro handles URL masking and blocks user enumeration with the click of a button. So, if you don’t want to be interrupted on a Friday night while you’re catching up on (insert cool, recent TV show), ask us about our WordPress Maintenance plans and we’ll set it up for you. It doesn’t get easier than that.

About Curious Minds
We are a web development firm in New York and Chicago, providing development resources and consulting for websites and mobile apps since 2004.