Lockdown WordPress not hiding ‘login’ or ‘admin’

Hardening WordPress

I have been using the Lockdown WP plugin. It makes sure that if a user isn’t logged in and they attempt to access WP Admin or WP Login directly, they will be unable to and it will return a not found error page (404).   Thus leading the hacker’s botnets to a dead-end.

However, after installation I was still experiencing illegal login attempts.  I had not thought about the other redirects that WordPress automatically generates: www.example.com/login and www.example.com/admin, which were still happily redirecting all and sundry, including botnets, to my new private login URL.

Thankfully a line of code in your theme functions file will resolve this as follows:
remove_action( ‘template_redirect’, ‘wp_redirect_admin_locations’, 1000 );

I realise most people do not manage their own WordPress templates but this can of course be passed onto a WordPress developer if you experience similar issues.

Related: Keeping WordPress Safe from Intruders


Share on FacebookTweet about this on TwitterPin on PinterestShare on LinkedInShare on Google+Email this to someone

© Tracey Rickard. If you want to use any of my content please ask me first, you can't use it without permission that's stealing. You can use an excerpt as long as it is linked back to this article.