Rather than repeat this subject over again, perhaps try a forum search using keywords “change wp-login.php” or just “wp-login.php” or “change login url” as we’ve yammered on this subject with thousands of words, and begged Wordfence to provide this as an option, but they don’t like “security through obscurity.”
A simple change is to password-protect your wp-login.php. I run a few hundred sites and this change alone has stopped what must be millions of brute-force login attempts against wp-login.php, definitely worth it for the few minutes it takes to set up.
Place the following in your root .htaccess (the same directory as wp-login.php).
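# Stop bots from knocking on wp-login.php
<files wp-login.php>
    # Prompt for HTTP Basic credentials checked against the AuthUserFile
    AuthName "Login Required"
    AuthType Basic
    AuthUserFile /var/.htpasswd
    require valid-user
    # "satisfy any": either a valid login or an allowed IP is sufficient
    satisfy any
    deny from all
    allow from xxx.xxx.xxx.xxx
</files>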
The ‘allow from’ line allows you to bypass authentication for your IP. The location of AuthUserFile depends on your server. In this file, you have a user/password that’s required for entry.
See https://codex.ww.wp.xz.cn/Brute_Force_Attacks#Password_Protect_wp-login.php for more details.
It shouldn’t be the only solution you implement for login security, but it’s a good first step.
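Added example, not part of the posts in this thread: one way to confirm from the Apache access log that the rule above is actually being applied. It assumes the "combined" log format; the function name, sample log lines, IP addresses and the user "editor" are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" log line: ip ident user [time] "METHOD path proto" status ...
LINE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def audit_wp_login(lines, allowed_ips):
    """Return (blocked, unprotected) for requests to wp-login.php.

    blocked: Counter of client IP -> requests answered 401 by Basic auth.
    unprotected: (ip, method, status) for requests that were not answered 401
    although the client was neither allowlisted nor logged in via .htpasswd.
    """
    blocked, unprotected = Counter(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue  # some other URL
        if m["status"] == "401":
            blocked[m["ip"]] += 1
        elif m["ip"] not in allowed_ips and m["user"] == "-":
            # No allowed IP, no authenticated user, yet no 401: the <files>
            # block is probably not being applied to this request.
            unprotected.append((m["ip"], m["method"], m["status"]))
    return blocked, unprotected

# Constructed sample log lines (documentation IP ranges, made-up user "editor").
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "bot"',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "bot"',
    '198.51.100.4 - - [10/Jan/2024:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2500 "-" "Mozilla"',
    '192.0.2.50 - editor [10/Jan/2024:10:06:00 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 2400 "-" "Mozilla"',
    '203.0.113.99 - - [10/Jan/2024:10:07:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2600 "-" "bot"',
    '203.0.113.99 - - [10/Jan/2024:10:07:05 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "bot"',
]
ALLOWED = {"198.51.100.4"}  # stands in for the 'allow from' address

if __name__ == "__main__":
    blocked, unprotected = audit_wp_login(SAMPLE_LOG, ALLOWED)
    print("stopped at Basic auth:", dict(blocked))
    print("reached wp-login.php without auth:", unprotected)
```

Any entry in the second list is worth checking against the server configuration, for example whether .htaccess overrides are enabled for that directory or the request was served by a different virtual host.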
Hi @exdesign,
The implementation of a feature to rename or move wp-login.php is still being discussed internally.
In the meantime, password protecting your wp-login.php file as described in the WordPress Codex is indeed an option.
Please also make sure you go through all Wordfence Login Security Options.
(Thanks @mountainguy2 and @ablears, for stepping in)