Last Updated on September 9, 2023 by Christopher G Mendla
I was using WPS Hide Admin to hide the login URL of my WordPress sites. That is a critical tool in preventing brute force attacks. After migrating the sites to HTTPS, WPS Hide Login was no longer working. I found a simple solution to the problem.
About brute force attacks
Brute force attacks can allow a hacker to take control of your WordPress site. They are typically launched from hundreds or thousands of computers at once. If you let the attempts continue, the attackers will eventually crack the password. Many of these attacks do not throttle themselves; in other words, they overload the server they are attacking. This brings down the target site as well as other sites sharing the hosting.
Thwarting brute force attacks
Some things you can do to hinder these attacks are:
- Do not use Admin, Administrator, <sitename>, <sitename>admin or similar easily guessed names for the site administrator. Use something obscure.
- Use a strong password. WordPress auto-generates a strong password. That might be a pain, but it will help you avoid being compromised by a dictionary attack.
- Use a tool such as Wordfence, which, when properly configured, will block IPs that fail a set number of times. Keep in mind that a brute force attack is launched by an army of bots under the control of the attacker. Blocking an IP is like whack-a-mole, but it helps.
- Change the URL of the login page.
The last item is where a tool such as WPS Hide Admin comes in. That plugin allows you to easily change the URL of the login page.
Migrating from HTTP to HTTPS broke WPS Hide Admin
I was using WPS Hide Admin successfully. WPS Hide Admin stopped Brute Force attacks. However, when I migrated the sites to HTTPS, WPS Hide Admin didn’t work. If it was activated, I could not get into the site’s back end. Fortunately, renaming the plugin via FTP in the /wp-content/plugins folder from wps-hide-login to wps-hide-login.old disabled the plugin so I could get back into the site. Support at WPS Hide Login suggested a global replace plugin to change all instances of HTTP to HTTPS in the database. I was reluctant to do that because I wasn’t sure if there would be any issues resulting from that. (Hey, there’s a spider in the corner, hand me a grenade!!)
Not running WPS Hide Admin for about a week resulted in two of my sites coming under a brute force password attack. The resources on the server were maxed out. The attackers were hitting the /wp-logon URL.
The fix – WordPress Address (URL)
I checked the site name in the WordPress settings. I had neglected to change http to https there. As soon as I made the change, WPS Hide Admin worked normally. Using WPS Hide Admin and setting some aggressive settings in Wordfence, along with Geo-IP blocking of all non-US users, stopped the attack in about 12 hours.
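The two settings the fix above depends on are stored in the WordPress options table as siteurl (WordPress Address) and home (Site Address). The following script is an added example, not code from this post or from the WPS Hide Login project; it checks both values for a leftover http scheme and for a host mismatch between them. Reading the live values assumes WP-CLI is installed and that the script is run from the site's document root.

```shell
#!/bin/sh
# Added example (not from the post or the plugin): audit the WordPress
# siteurl and home options after an HTTPS migration.
# Assumes WP-CLI ("wp") is available and we are in the site's docroot.

# url_is_https URL -> exit 0 if URL begins with https://, 1 otherwise
url_is_https() {
  case "$1" in
    https://*) return 0 ;;
    *)         return 1 ;;
  esac
}

# count_http_urls URL... -> prints how many of the given URLs are not https
count_http_urls() {
  n=0
  for u in "$@"; do
    url_is_https "$u" || n=$((n + 1))
  done
  echo "$n"
}

# url_host URL -> prints the host part (scheme, port and path stripped)
url_host() {
  printf '%s\n' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#[/:].*$##'
}

# hosts_match URL1 URL2 -> exit 0 when both URLs name the same host;
# siteurl and home pointing at different hosts is a separate common breakage
hosts_match() {
  [ "$(url_host "$1")" = "$(url_host "$2")" ]
}

# audit_site: read the live option values with WP-CLI and report problems
audit_site() {
  siteurl=$(wp option get siteurl)
  home=$(wp option get home)
  printf 'siteurl: %s\nhome:    %s\n' "$siteurl" "$home"
  bad=$(count_http_urls "$siteurl" "$home")
  if [ "$bad" -gt 0 ]; then
    echo "$bad URL option(s) still use http; fix with:"
    echo "  wp option update siteurl 'https://<your-host>'"
    echo "  wp option update home 'https://<your-host>'"
  fi
  hosts_match "$siteurl" "$home" || echo "warning: siteurl and home differ in host"
}

# Only query the live site when explicitly asked (./audit.sh --audit).
if [ "${1-}" = "--audit" ]; then audit_site; fi
```

The wp option update lines are the CLI equivalent of editing the two URL fields under Settings, which is what the post did through the admin screen.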
Results
WPS Hide Admin worked correctly after changing the two URLs from HTTP to HTTPS.