By default, WordPress websites expose a publicly accessible wp-login.php page. This allows attackers to target the site with techniques such as brute force attacks.
The Guyana National CIRT recommends hiding this page so that it is not publicly accessible. This helps to mitigate brute force attacks and zero-day vulnerability attacks. On a standard WordPress site, the login page is reachable at either "/wp-admin" or "/wp-login.php", which makes it easy for attackers and bots to locate it and launch brute force attacks.
The Guyana National CIRT recommends using one of the following WordPress plugins, which allow the login page's URL to be changed:
- WPS Hide Login: https://wordpress.org/plugins/wps-hide-login/#description
- Rename wp-login.php: https://wordpress.org/plugins/rename-wp-login/
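The brute force pattern described above is visible in the web server's access log: many POST requests to the stock login URL from one source in a short time. The Python script below is an added example, not part of the CIRT advisory or of either plugin; it runs over constructed sample log lines and the 60-second window and threshold of 5 are assumed values.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.10 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.10 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.10 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.10 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2023:13:57:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 3100 "-" "curl/8.0"
192.0.2.55 - - [10/Oct/2023:14:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
LOGIN_PATHS = {"/wp-login.php", "/wp-admin", "/wp-admin/"}  # stock WordPress login URLs


def failed_login_attempts(log_text):
    """{ip: [timestamps]} of POSTs to the stock login URL that did not redirect:
    a failed login re-renders the form (200) while a successful one redirects (302)."""
    attempts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # drop ?action=... query strings
        if path not in LOGIN_PATHS or not m["status"].startswith("2"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts.setdefault(m["ip"], []).append(ts)
    return attempts


def flag_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """{ip: peak_count} for sources with >= threshold failures inside any sliding window."""
    flagged = {}
    for ip, stamps in failed_login_attempts(log_text).items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # shrink the window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(flag_bruteforce(SAMPLE_LOG))  # only the rapid-fire source is reported
```

Once the login URL has been moved with one of the plugins above, any remaining POSTs to /wp-login.php in the log are by definition not legitimate users and can be alerted on directly.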