Locking Down WordPress Login Pages

WordPress has many best practices when setting up a new site, one of which is changing the links for the WordPress login pages. When I set up my own site I realized I took some shortcuts and never got around to this.

Lately I’ve been getting a lot of brute force attacks. I use the Wordfence plugin and it helps to block out people who have too many failed logins (which I set to 2) or failing on a non-existant user. I knew I needed to add the extra step of moving my login page so this morning I did just that.

I’ve been reading Tania Rascia‘s site and guides recently and she has a lot of great information. I was reading her Front End Web Development Setup and saw her recommend the Move Plugin for WordPress sites. It looked like a solid plugin so I decided to go ahead and set it up.

The plugin lets you choose your links for login, logout, register, lost password, and reset password. Servers running Apache can have the plugin write to the .htaccess file for these redirects. However my site, and my wife’s, both run on an a Digital Ocean droplet running Nginx. This meant I had to change the Nginx config file myself.

I did set up the servers but I had to remind myself where things were when after I SSH’d in. The plugin gives you the code that you need to insert into the config, but it’s wrong.

location / {
    rewrite ^login-page/?$ /wp-login.php break;
    rewrite ^logout-page/?$ /wp-login.php?action=logout break;
    rewrite ^lost-password-page/?$ /wp-login.php?action=lostpassword break;
    rewrite ^reset-password-page/?$ /wp-login.php?action=resetpass break;
    rewrite ^register-page/?$ /wp-login.php?action=register break;

This is what the plugin tells you to use but it doesn’t work. There is a support topic for nginx that has the code that works, but the plugin still gives the bad information.

The correct code is similar, but needs to go in the main server block, not a location.

rewrite ^/login-page/?$ /wp-login.php last;
rewrite ^/logout-page/?$ /wp-login.php?action=logout last;
rewrite ^/register-page/?$ /wp-login.php?action=register last;
rewrite ^/lost-password-page/?$ /wp-login.php?action=lostpassword last;
rewrite ^/reset-password-page/?$ /wp-login.php?action=resetpass last;

I added these lines to the end of my main server block in my config file and everything worked great. The plugin lets you choose what action to take when someone uses an incorrect page and I chose display errors for both.

Note: You’ll want to choose your own page names that make sense for you.

Leave a Reply