Protect your Wordpress login (/wp-login.php)

Oct 11, 2021

If you have a Wordpress website, you likely have a login at (here-in referred to as just “/wp-login.php”). But did you know this page receives more vulnerability scans than any other page on your website? For many websites, the /wp-login.php url is scanned hundreds of times each and every day!

Statistically, the /wp-login.php URL is the most scanned URL on ANY website, regardless of whether you use Wordpress, or not. For non-wordpress sites, the hit generates a 404 and the bot moves on to the next website in it's list. But for Wordpress sites, there is a huge problem because once the bot finds your door, it can begin to attack. Indeed, a successful hit to /wp-login.php is often followed by a crippling credential stuffing attack. Worst case scenario, the hackers get in and destroy your online business. But even if you have strong passwords, the attacks waste server resources (that you pay for) and can even take down your server.

To keep automated bots away from your /wp-login.php admin area (or any other admin area), set up a Honey Page™ and chose the Challenge option. Now, when an automated bot hits your website, it will be presented with a captcha. Consequently, the bot won’t even get to the /wp-login.php page, and doesn’t even register that the page exists. As the administrator, you'll also need to pass the captcha each time you login, but it's a small price to pay for this additional website security, and piece of mind.

As a bonus, Turnstil.Cloud tracks honey page events which you can see in the Honey Page > Events area. A quick look at the Events page shows how often you are getting scanned, and also will reassure you that setting up a Honey Page™ on your /wp-login.php URL to challenge all hits is likely the best security move you ever made for your Wordpress website. In the example above, /wp-login.php gets scanned over 10 times in an hour, and take it from us, this happens every hour of each and every day!

The best offence is a strong defence - using Honey Pages to protect your /wp-login.php page is a simple and easy way to protect your Wordpress  website from this extremely common form of attack.