Security is always a top concern when you’re running a website.
But… sometimes all the hubbub over hacking seems a little over the top. All the scary stories about big businesses like eBay, Target, Adobe, Steam, and others who have suffered big data breaches can feel like fear-mongering. Surely hackers won’t go after your website when they have such big fish to fry?
The data, unfortunately, tells us otherwise. Smaller websites are hacked just as frequently as big ones, with almost half of small businesses reporting being hacked, their resultant costs averaging $8,700.
And those are only the businesses who are willing to report being hacked. It’s probable that others keep their vulnerability a secret, not wanting their users to lose their trust in their ability to keep private data safe and secure.
Even if you only take into account reported instances, tens of thousands of websites are hacked every day, and many of them don’t even know they’ve been hacked and that their websites are being used to spread malicious code.
As a WordPress user, you’re using one of the most secure content management systems available. But no CMS is 100% invulnerable, and hackers are evolving their methods just as fast as developers can patch vulnerabilities.
You may have heard that hiding WordPress is the best way to keep your site secure from hackers and bots.
There’s actually quite a bit of debate among developers and security experts about this practice.
I’ll go over the pros and cons of both sides and the reasoning behind them, and leave it up to you to decide if hiding your CMS is right for your website.
Then we’ll talk about how you can obscure your implementation of WordPress.
Let’s get started!
Isn’t WordPress Secure Enough Already?
WordPress is known for being a very secure content management system (CMS). Security issues are a top concern of WordPress core developers, and the software is patched and updated regularly to address any vulnerabilities that arise.
The security of WordPress is one of the reasons for its popularity. WordPress is now one of the most popular content management systems on the web, used for tens of millions of websites around the world. Even big websites like CNN, The New York Times, eBay, and Mashable use WordPress for their blogs.
But just the fact that you’re using WordPress for your website doesn’t make your website invulnerable to hackers.
In fact, its very popularity is what makes it a popular target.
Hackers know that millions of websites that are using WordPress aren’t using the best security measures to keep their sites secure. Many of those sites are using weak passwords, outdated versions of WordPress with known vulnerabilities, or old and insecure plugins and themes. Hackers know they’ll have plenty of targets out there once they discover those vulnerabilities and create a way to exploit them.
The most common ways that hackers attack WordPress sites are brute-force attacks and specially crafted HTTP requests.
Brute-force hackers use software to try to gain access to your website by guessing at your password until they get lucky and break in. Often, simple countermeasures like requiring CAPTCHA or 2-step verification on login can easily stop brute force login attempts in their tracks.
Another common category of attack is the specially crafted HTTP request sent to your server. These requests are designed to exploit specific vulnerabilities, which are often caused by outdated or insecure software, themes, or plugins. Anything contained in your wp-content directory, whether active or inactive, can potentially introduce security vulnerabilities to your website that knowledgeable hackers can exploit to disable or gain access to your blog.
Why Hide WordPress?
Here’s where the debate comes in.
But first, let’s get our terminology straight: Sometimes people mean different things when they say they’re hiding WordPress.
What’s usually meant by “hiding WordPress” is that you’re attempting to obscure the fact that your site runs on WordPress from any person or bot that attempts to identify the CMS.
But hiding WordPress could also mean just trying to hide which version number of WordPress you’re using, or changing permalinks, file names, subdirectories, etc. to hide them from bots.
Is hiding WordPress worth the effort? Depends on who you ask.
The fact is, there’s no way to completely obscure the fact that your website runs on WordPress. A tech-savvy person who knows enough about WordPress will be able to detect your CMS using any number of means.
Even if you’re just trying to hide your WordPress version number, there are a multitude of ways to discover what WordPress version you’re using just by being familiar with the differences between versions.
And security experts warn that security through obscurity is a discouraged practice, since it can encourage laxness in addressing vulnerabilities if you think no one can find them: “The security of a system should depend on its key, not on its design remaining obscure,” security engineer Ross Anderson wrote.
Does that mean it’s a waste of time to hide WordPress?
Maybe, maybe not. It won’t help you to foil a dedicated hacker that’s targeting you specifically.
But the majority of hacking attempts are made by bots, and you may be able to foil hacker bots by obscuring your WordPress installation. Just by changing some default permalinks, you may be able to protect your website against things like brute-force attacks, SQL-injection, and requests to your PHP files.
Other WordPress Security Measures
Hiding WordPress by obscuring a few permalinks and files can be a good security measure, but it’s not your only option, and it shouldn’t be the only action you take to protect your site.
There are some basic WordPress security tips you can easily follow to keep your site safer from hackers, without hiding WordPress:
- Always use strong passwords.
- Always keep your WordPress core updated to the latest version.
- Keep all your themes and plugins updated, delete inactive themes and plugins, and stop using any themes and plugins that are no longer being updated.
- Consider protecting your login page from brute-force attacks by requiring CAPTCHA and/or two-factor authentication.
- Consider installing an all-in-one security plugin like iThemes Security or Bullet Proof Security.
(If your website’s already been hacked, check out this great guide by Nathan B. Weller here on ElegantThemes to find out how to fix it: “Oh Sh*#! What to Do When Your WordPress Website Has Been Hacked.”)
How to Hide the Fact You’re Using WordPress
So you’ve decided you still want to try to hide the fact that you’re using WordPress from your visitors as well as potential hackers and bots.
How exactly do you go about it?
There are plenty of tutorials out there for hiding just your WordPress version number, but I’m not going to rehash those for a few reasons:
- If security is really your goal, you should always be updating to the latest version anyway.
- The WordPress version number shows up in a multitude of places in various files, so it can be difficult and time-consuming to obscure them all, and not worth the effort, because…
- Even if you do manage to erase every mention of your WordPress version number, there are still plenty of ways someone can find out what version of WordPress you’re using.
- Obscuring your version number won’t protect you from bots, either. Bots don’t generally check to see what version of WordPress you’re using; they just go straight for the vulnerability they’re targeting. If you keep your WordPress core updated, they won’t find it. And if you’re using an old version of WordPress, they will find it regardless of how well you try to hide your version number.
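The list above notes that traces of WordPress turn up in many places. As an added example (not part of the original article or of any plugin mentioned here), this Python script audits a saved copy of your own page's HTML for common markers, so you can see what is still visible after a "hiding" attempt; the names `MarkerAudit` and `audit` and both sample pages are constructed for illustration.

```python
"""Self-audit: list WordPress markers still visible in a page's HTML."""
import re
from html.parser import HTMLParser

# Default WordPress path fragments that show up in asset and link URLs.
DEFAULT_PATHS = ("wp-content", "wp-includes", "wp-admin", "wp-json")
# Theme and plugin directory names are exposed by their asset URLs.
SLUG_RE = re.compile(r"/wp-content/(themes|plugins)/([^/?#]+)")
# Enqueued assets carry ?ver=...; on core files this is normally the
# WordPress version, on plugin files the plugin's own version.
VER_RE = re.compile(r"[?&]ver=([0-9][0-9.]*)")
CREDIT_RE = re.compile(r"powered by wordpress", re.IGNORECASE)


class MarkerAudit(HTMLParser):
    """Collects (kind, detail) findings while parsing, without duplicates."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def _add(self, kind, detail):
        if (kind, detail) not in self.findings:
            self.findings.append((kind, detail))

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        # <meta name="generator" content="WordPress X.Y"> in the page head.
        if tag == "meta" and attr.get("name", "").lower() == "generator":
            self._add("generator-meta", attr.get("content", ""))
        for name in ("href", "src"):
            url = attr.get(name, "")
            for frag in DEFAULT_PATHS:
                if "/" + frag + "/" in url:
                    self._add("default-path", frag)
            slug = SLUG_RE.search(url)
            if slug:
                self._add(slug.group(1).rstrip("s") + "-name", slug.group(2))
            ver = VER_RE.search(url)
            if ver:
                self._add("asset-version", ver.group(1))

    def handle_data(self, data):
        # Theme footer credit text.
        if CREDIT_RE.search(data):
            self._add("footer-credit", " ".join(data.split()))


def audit(html):
    """Return the ordered list of markers found in one HTML document."""
    parser = MarkerAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: an untouched install (version 9.9.9 is a placeholder).
DEFAULT_PAGE = """<html><head>
<meta name="generator" content="WordPress 9.9.9" />
<link rel="stylesheet" href="https://example.test/wp-content/themes/sampletheme/style.css?ver=9.9.9" />
<script src="https://example.test/wp-includes/js/jquery/jquery.js?ver=1.2.3"></script>
<script src="https://example.test/wp-content/plugins/sample-forms/form.js?ver=4.5"></script>
</head><body>
<a href="https://example.test/wp-admin/">Log in</a>
<footer>Proudly powered by WordPress</footer>
</body></html>"""

# Constructed sample: generator tag removed, content directory renamed,
# footer edited. The core script path and ver= values are still there.
PARTLY_HIDDEN_PAGE = """<html><head>
<link rel="stylesheet" href="https://example.test/media/themes/sampletheme/style.css?ver=9.9.9" />
<script src="https://example.test/wp-includes/js/jquery/jquery.js?ver=1.2.3"></script>
</head><body><footer>Example Co.</footer></body></html>"""

if __name__ == "__main__":
    for label, page in (("default", DEFAULT_PAGE), ("partly hidden", PARTLY_HIDDEN_PAGE)):
        print(label)
        for kind, detail in audit(page):
            print("  %-15s %s" % (kind, detail))
```

Run it against the saved source of your own pages after each theme, plugin or core update, since updates can bring markers back.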
Still determined to hide the fact you use WordPress? It could be that you have a client demanding you hide WordPress for them, or maybe you think that your business looks unprofessional using blogging software to run your website.
In that case, I recommend a premium plugin called Hide My WP, available on Code Canyon. It works well as a general security plugin, and will hide the fact that you’re using WordPress by changing your permalinks without making changes to the actual locations of your files.
Hide My WP has a number of features that improve your WordPress security:
- Changes permalinks of files (like wp-admin) to obscure them from bots
- Removes meta info (like version number) from your headers and feeds
- Controls access to your PHP files
- Changes the default subdirectories of vulnerable folders like wp-content
- Changes query URLs to protect from SQL injections
- Hides files that can give hackers information about your WordPress installation (like readme.html or license.txt)
- Gives you the option to disable specific archives, categories, tags, pages, posts
- Notifies you of security risks with the new “Intrusion Detection System”
Hide My WP is also compatible with many other popular WordPress security plugins. It’s rated 4.5 out of 5 stars on Code Canyon, and the plugin author responds promptly to support requests.
Are You Hiding Your WordPress Installation?
Back to you!
After reading the pros and cons, are you determined to hide the fact that your website is powered by WordPress? What steps have you taken to obscure your CMS, and how well have they worked for you? Share in the comments below!
Great post. It’s nice that the “Hide My WP” plugin doesn’t affect SEO.
I’ve modified the .htaccess file and removed the WP version from functions.php for one of my clients. It really worked for him. I also suggested that he keep backups frequently. He is now very happy and so am I 🙂 .
Thank you! Great article! It was very instructive! 🙂
I also want to know the same thing that Biplab mentioned above. I want to protect my blog from “wordpressthemedetector”
Thank you
Hi, KeriLynn Engel
I am looking to hide some info of my blog.
Whenever I put my URL into wpthemeditector
it always detects which theme I am using and also which plugins I am using. I want to hide my WordPress blog from wpthemeditector.
Will you please tell me the method?
Great article, KeriLynn Engel, but I still doubt whether hiding WordPress is possible with a subdirectory installation and with htaccess
I have tried HideMyWP and it is very technical and very low on guidance, which for my level is an issue!
I just need a solution to stop browsers knowing I use WordPress, on request of one client. I love WordPress and all it offers but if every time it updates or a theme updates it reverts back to showing all reference to WordPress & WP it is an impossible task to “Hide My WP”, literally!
Currently I use the free version of wordfence. Sometimes I got email telling that somebody tried to login into my website. This plugin prevents login more than 4 false. I think if I hide my wp-admin page, nobody will find the login page, and it will be more secure.
Useful article. I myself had the idea of hiding some of the source code and wordpress code, but really why the trouble. WordPress is a secure CMS.
Hey! Thank you! Securing WordPress is important to me and your article definitely helped! Cheers 🙂 Will check all the plugins mentioned
Great article, thanks a lot. After reading everything, though, it does get to be information overload; so many recommendations, I don’t know where to start. I’m running WordPress multi-site with the Salient and Jobify themes.
My site was hacked when I went live the first time; this was with a different theme though. Had to get a complete rebuild.
Any suggestions for these themes I’m running?
Hide my wp is the important plugin these days to hide wordpress from your unwanted competitors, hackers and spammers
What do you think about the Swift Security plugin? Which is better, Hide My WP or Swift Security?
I bought Hide My WordPress. It is NOT hiding my wordpress.
Do you have a blog post about how to actually use it?
I could still look into your style.css file and see the standard WordPress stylesheet comments at the top this is a massive giveaway.
I’ve never had the need to hide the fact I’m using WordPress, you just need the required security to keep your site safe.
Trying to hide the fact you’re using WordPress is much harder work than just securing your website. But if you do hide the fact you’re using WordPress you’ll still need to add the required security settings…so I don’t see hiding WordPress as being worth the hassle.
> Trying to hide the fact you’re using WordPress is much harder work than just securing your website.
My thoughts exactly. If you’re just hiding WordPress for security reasons, there are plenty of other better ways to go about securing your site.
I have gone thru all the comments and I haven’t seen an answer to my question. Maybe I missed it but I will ask it anyways.
Are there any known compatibility problems between iThemes Security, WordFence and HMWP?
Thanks
Hi Serdar, I’ve heard of lots of people using iThemes Security + WordFence together without issues.
I’d be a little more cautious about adding Hide My WP to the mix; however, the plugin description claims they’re compatible with other security plugins. You might want to check with the plugin author about those two plugins specifically, though, to see if they’re aware of any issues.
Let us know how it goes!
Good article, I learned a lot more reading it and the comments!
I too, use Cloudflare and Elegant Themes and love the security stuff. I am pretty dumb about all this but I try!
I require my member to register selecting 3 names that have to be unique, one for login, one for user, and one to show as author. Then I go into the backend and change which name goes where. I also require to reply to their registration confirmation email with a temporary verification password, if they do not reply in a specific amount of time or the email returns as not deliverable, I just check the blacklist for their IP or add it to my blacklist immediately.
I get about 8000 attempts to comment from spammers every day, a few trying to login as admin, but gee, I don’t have an admin :), that could drive me batty but they automatically get blacklisted and reported and then I manually add them to my on-site blacklist, or report them where pertinent.
My prefixes are not wp-. I got mean once and set lockout for 6 months but softened up when I started using Stop Spammers plugin. I have found a couple of really great ‘developer people’ who can understand my garble and help me through things that I have a problem with. I have to write (type) everything because of my lack of short term memory issues so my library at my bed-desk is a 2 TB external drive just for those notes!
Without htaccess capabilities I am always running a circle somewhere but a couple of plugins, like lockout and disable file editing via my site and the goofy username methods, along with captcha on specific pages, I do fairly well. I tested my passwords and it said it would take over a million years to break them so I just keep creating passwords like that for other people and sites.
I do have the WP version number hidden via a plugin too, but I wouldn’t bother to remove all trace of WP, even though my time on my site is pretty unlimited as I am bedridden, but I can actually find more fun things to do. Sometimes it takes me 5 months to solve an issue because I have research and test everything, make my notes, then when I find the right solution I build and test on my local install. That helps for my issues resulting from my accident and closed brain trauma 14 years ago.
Also, I do not display the author name in any page/post on the directories. Most of my site you need to be a member to access. I have a few public categories and posts but not the majority.
I am sure those more smart than me could find a lot of problems with my site but I do try to learn something every day!
I think I am going to back up twice today just to be safe!
Thanks for all the new information — much will be filed away into my library, ready for that dark, stormy, cold night when a stranger doesn’t bother to knock before he comes in!
Great, and after all these security plugins, mods etc, you activate a theme which farts “proudly driven by wordpress”…
nobody here thought of this. Maybe you add some info here as well how to delete this texts or how to edit the language-files?
Haha, great point, Connie. Wouldn’t make sense to go to all that trouble if THAT’S still there in the footer!
You can fix this by opening your footer.php file, searching for the offending text, and commenting it out or editing it as you like.
Thank you for the article. But I wouldn’t attempt to hide the fact a website runs on WP. It’s almost impossible to completely hide it and it’s uncalled for.
– Instead use 100% strong password and up-to-date theme/plugins.
– Regularly backup data/files. that’s about it
Agreed!
You don’t really need to hide which CMS you have chosen.
All you need is Latch (love too of course 😉)
The thing is, once you’ve implemented Latch in your WP site, nobody, even if you give them the password, could possibly access your install until you unlatch it with your smartphone.
Give it a try, you won’t regret it!
https://wordpress.org/plugins/latch/
Some resources you might find useful:
https://www.youtube.com/watch?v=JhR9Vfyd7eI&list=UUX_PjrbhDhw_IsaNmiZkfGQ
http://www.slideshare.net/elevenpaths/latch-installation-guide-for-wordpress
Interesting, I hadn’t heard of Latch before. Thanks for sharing the links- going to check it out now 🙂
Hi, I always recommend to anyone new to WordPress to make sure they create an administrator with an obscure name and a nickname of their actual name. (I use my mums middle name and her d.o.b). Then choose use the nickname and then delete the default admin user. That way when you login you use a name that never appears on your site.
Login lockdown is brilliant too. The fault is three attempts and you are locked out for 15mins. I have mine on 1 attempt and locked out for 60 mins. Because my password is so good I regularly lock myself out and have to use Tor browser to get in.
I also use the free version of Wordfence and BPS security together.
I believe BPS security removes the WordPress meta tag for you on its initial set up and check so novices do not have to use tutorials. It also does all you need to do with securing .htaccess in all folders.
Hope this helps
Chris
Great security tips, Chris! Good point about not using the default “admin” as your login.
If you are using a theme from wp.org, all CSS classes are the same because of the theme rules.
In the source you will find wp-content/themes/style.css or wp-includes/,,,/jquery
=> and I can find this on elegantthemes.com too :-))
But you believe if you are hiding the WP version number your blog is secure?
Monika,
It will definitely help to hide WordPress version. It will at least deter some bots trying to exploit vulnerabilities.
Besides all the things that were already mentioned, using htpasswd for a 2-step login procedure helps a lot. And always control the access rights to the folders on your server and your files.
As long as a bot or hacker isn’t allowed to write on your files, it doesn’t matter that much if he’s able to find them.
Great point, Stefan!
Hi, I want to ask, does it effect with SEO matter?
Hi Paeh- using the “Hide My WP” plugin should NOT affect SEO as far as I can tell.
You can and should hide the WP version number, and deploy a million other security measures, such as hiding the login screen, etc.
That said, IT IS ALMOST IMPOSSIBLE to hide the fact that you are using WordPress. All one has to do is look at the page’s source code and see what plugins/themes you are using, either by looking at the CSS and JavaScript files being loaded, or by the class prefixes that themes and plugins use. In most cases, you don’t even have to look at the class prefixes. Look at the path of the external files being loaded; the names of the plugins/theme are usually right in there.
Hide the fact that your site runs on WordPress? You are dreaming, unless you spend countless hours changing tons of code, manually…
Yup, totally agree it’s impossible to completely hide WordPress!
I’m curious why you believe you should attempt to hide the version number, and how you implement that in your own sites. Mind sharing? 🙂
..and since WP is used in over 23% of websites, there is a very good chance you’ll stand out as using WP. (Source: http://en.wikipedia.org/wiki/WordPress)
I’m with Nick.. Not worth the effort, troubles and the risk of breaking something before a hacker does.
Love the eyes peeking out of the box
Me too! Sometimes it’s hard to find a good relevant image, but this one was PERFECT!
I use two great plugins: Limit Login Attempts and Lockdown WP Admin.
Hadn’t heard of those- thanks for sharing, Arjan!
One of the best results of articles like this are users’ comments with tips, so here’s my two cents about some useful ‘light’ plugins (provided I often couple iThemes Security with Wordfence) alternatives: Better Login Security and History to include a captcha in admin login form and keep track of logins, Rename wp-login.php to hide WP’s admin login altogether, thus greatly reducing brute force attempts, and of course some other tricks like changing database’s prefix (manually or with Change DB Prefix plugin) and admin’s ID if it’s still 1 (creating a new admin user and deleting the first one after logging in with the new one). Most of these results may be obtained with iThemes Security (along with several others) but I’ve found this plugin’s security measures too ‘hard’ if used intensively, often creating problems when migrating websites or similar. BTW, Wordfence is great at speeding up your website, too, besides protecting it. And, of course, for a good backup and restore tool take a look at UpdraftPlus Backup.
I totally agree! I’m learning so much from the comments here. Thanks for sharing your tips, too 🙂
I have been using three tools with no conflicts.
1. Brute Protect – hooks into your WordPress account and has a good auto update feature.
2. Wordfence – important to set things up properly
3. iThemes Security – important to set things up properly
I should probably write an article on how to set these things up properly on my site. Each website may have different priorities so there is no “one size fits all” setup for Wordfence and iThemes Security.
I set them up in the order above for a reason. Brute Protect requires little setup. Just connect it using your WordPress account. Then set up Automatic Updates and site Monitoring if you want.
Next install and set up Wordfence. Note: it also has a great caching system under Performance. If you only care about Google like we do you can set your Throttles up for crawlers and humans. If 404’s for known vulnerable URL’s exceed, I set to 4 per minute and set it to Block. The Block or Throttle I set for the Max, 1 Month. 30 per minute on all others and Throttle instead of block. Of course, check Immediately block fake Google crawlers.
The above will throttle even good search engine bots but so what? Google still has unlimited access.
Last is iThemes Security. There is a quick setup but I encourage you to get into the weeds there. Read over all the settings. You can run their brute protect along with the plugin brute protect. I’m guessing they both use different databases so you’re more likely to catch bad IP’s with both enabled. I enable just about everything that does not warn you that it might interfere with certain plugins. You just have to remember to disable parts of it if you want to edit your themes or plugins in the admin area or online in cpanel.
Cloudflare helps too.
Thanks for sharing your method, Mike! This is great. I use iThemes Security and CAPTCHA on login on most of my sites. I haven’t tried Wordfence and hadn’t heard of Brute Protect. I’ll have to check them out.
If you do write an article on this, be sure to share it here! I’d definitely be interested in learning more.
I agree 🙂
I have found this which is actually working if we only need to hide wordpress and nothing else.
################
For one, add this to your wp-config file, at the bottom, just before wp-settings.php is included:
// Name of the directory that replaces wp-content
define ( 'WP_CONTENT_FOLDERNAME', 'media' );
define ( 'WP_CONTENT_DIR', ABSPATH . WP_CONTENT_FOLDERNAME );
// Site URL is built from the request's Host header (client-supplied)
define ( 'WP_SITEURL', 'http://' . $_SERVER['HTTP_HOST'] . '/' );
define ( 'WP_CONTENT_URL', WP_SITEURL . WP_CONTENT_FOLDERNAME );
Then, simply rename your directory from wp-content to “media”
################# Credits: http://www.graemeboy.com/how-to-hide-that-you-use-wordpress
G.R.E.A.T.! I think sometimes you guys just read my mind!!!! 😀 That’s what I was thinking literally today!
Haha, awesome 🙂
Aw! Thanks but I already knew there was a plugin to do this. I was here thinking you might say something else. haha finally concluded redirecting me to that premium plugin again. 😛 thanks anyways. Cheers
Sorry, Harish! Were you looking for instructions to hide WordPress without a plugin? I think that would take hours and hours of fiddly work, and I really don’t think there’s much benefit to it. Why do you want to hide WordPress? Maybe there’s another method I can recommend.
Thank you so much for your email. I have been using several plugins that I need to hide. With regard to competitor analysis, I need to hide my WP. However, I don’t want to use a premium plugin as I don’t need any additional security except to hide the fact that I’m using a particular theme/plugin.
Please let me know if you have any instructions for me.
Again, thanks for your concern.
Cheers.
Hm, ok, interesting. Thanks for sharing – I’m afraid, though, that in trying to hide a particular theme or plugin you will come across the same issues. Namely, that a determined person who really knows what they’re looking for will be able to discover what you’re using no matter what measures you take.
I don’t think there is a way to completely prevent anyone from knowing what theme you’re using. You could customize the theme so that it doesn’t LOOK the same, but a determined and knowledgeable person could probably look under the hood and figure it out anyway. It depends on how tech-savvy you think your competition is 🙂
You COULD hire developers to custom build your themes and plugins. That would definitely prevent your competition from using the same ones! But this would probably be out of budget for most.
I don’t know the details of your website or business… but my philosophy in general is to not worry about others stealing or copying our work or ideas. We’re all unique, in everything from our personality and style to our work ethic. So even if someone else copied all your themes and plugins, there’s no way they’d be able to 100% copy what you’re doing. You bring your own strengths and flair to the project.
I know this isn’t the technical tutorial you were probably hoping for, but I’m afraid that would be out of my depth. I hope this answer helps you anyway and wish you the best of luck with your website!! 🙂
Congratulations KeriLynn for your article. My opinion is that is better to hide Plugins name, Theme names and possibly the fact site is running on WP. This for security and mostly to make a bit more difficult for competitors to make a ‘photocopied’ website.
Days and Weeks of research and testing to create the best possible site and then some competitor builds an exact copy and make it his own by changing the header in three-four hrs is not fair. At least let’s do that a bit more difficult.
My question is any by using “Hide my WP” is there any impact on SEO and loading speed? Or any other downsides?
Hi, nice one but I did a little digging about one of the plugin you reviewed WP-Hide precisely and the plugin author told me that you can hide the fact that you are using WP even if they right and view the source code from their browser. He said, “Yes, you can hide theme name, all plugin names, WP default upload path, other WP default paths, and all WP traces..” How about that? Check http://codecanyon.net/item/hide-my-wp-no-one-can-know-you-use-wordpress/4177158
Thanks for the link bb- I believe that plugin would work to hide the fact you’re using WordPress from most people, but I wouldn’t expect it to be 100% foolproof. I imagine a determined person who really knew WordPress inside and out could think of a way to discover it no matter what.
Wordfence is a very good plugin.. also I use Hide My WP.
I’m a new wordpress user, and just after a couple of days I wasn’t able for the life of me to access my dashboard, only to find out that the wordforce plugin caused it all, and after uninstalling it it was back to normal.
Thanks man! this is also an awesome plugin 🙂 and free 😀
We have a secure WordPress + Divi template on http://www.itmplatform.com with iThemes Security plugin and checked with WPScan. It’s a good and simple solution.
Where do you find the setting in iThemes Security to hide the WordPress install from the site’s source view?
Pablo, just to clarify: iThemes Security will hide the fact that you’re using WordPress, right? What is the purpose of using WPScan if you already have iThemes Security?
Awesome, I use iThemes Security myself and love it. Divi is also a very secure theme!
Thanks Pablo, Good Job 🙂 Its better than the plugin recommended by the author at least for hiding the fact that we are using wp 😛
Another great service you can use is Cloudflare, which has Application level firewalls for specific software, including WordPress (Drupal, Joomla and other CMS’s as well). This will prevent common SQL injection attacks, XSS attacks and known vulnerabilities/attack vectors if you have not yet patched your WordPress installation. I believe Cloudflare’s free account includes the web application firewall (or was it the Pro for $20 per month?).
As a bonus, they also include HTTPS security as well (but that’s another topic).
I love Cloudflare! Didn’t even think to bring it up in the article, so thanks for mentioning it. Cloudflare is now included with Bluehost, which is pretty awesome. (They’re my web hosting company though I’m not an affiliate 🙂 )
Arash, thank you for sharing Cloudflare; I signed up for them. Also thank you, KeriLynn, this was a great article. I have one question: are some premium themes more secure than others? I currently use Elegant Themes now and love them. Am I secure?
Thanks, Xavier! Glad you found it helpful.
I’d definitely agree that some premium themes are more secure than others. It can be difficult to tell which, though, if you’re not a developer yourself, so it’s important to do the research on the theme you’re planning to buy.
ElegantThemes has a great reputation for keeping security a top priority in theme development. They have all their theme code audited regularly by third party security experts. You can check out more details on that here: http://www.elegantthemes.com/blog/general-news/theme-security-audit-by-sucuri
I also like to rename the WordPress login. There’s a plugin available that makes it a snap and it helps cut down on brute force attacks.
Have you used this plugin?
I bought and used this plugin, HMWP has serious compatibility issues with wordpress, themes and settings, and the developer provides very little support; so you are more or less on your own.
Kevin you should have sounded a warning about this,
if you are interested in using this plugin, read the developer support forum before purchasing the plugin:
http://support.wpwave.com/
Read it before you part with your hard-earned money, because it is very difficult to get a refund from codecanyon.net. Consider all options, request a demo, and wait till you get it, which is what I should have done. Good luck.
I use protect your WP free plugin to lockdown WordPress admin, but I am seriously considering trying out hide my wp plugin for busier websites that have more forms for user interaction.
I do like the idea that it hides folders and theme folder names etc.
What plugin do you use? This feature is included in some security plugins, but I didn’t know there was a standalone plugin for it.
I changed my log-in from /wp-admin using a plugin called “Admin Branding” though it does not replace wp-admin just gives you another option which I use to brand the log-in. So, I don’t think it helps from a security view point.
Ah, cool! Maybe not security-related, but still very interesting. I’ll keep that plugin in mind if I need to customize the login on any sites. Thanks!
iThemes Security will hide the backend login, and make both wp-admin and wp-login.php inaccessible. It can also change the admin username if you left it default, and change the number, the wp_prefix for the database tables, etc. along with a slew of lockout features and security measures. I’m not affiliated with them, I just like the plugin.
A combination of Wordfence and CAPTCHA really helped one of my clients who was continually under some kind of hacking attack. And of course, regular backups with several copies of the site kept in reserve go a long way towards peace of mind 🙂
One thing I dislike about some of the security solutions is that they are plugins, which also introduces more chances of capability issues with other plugins.
Very true, in some ways it’s kind of a catch-22. I believe you can have a relatively secure WordPress installation without plugins if you’re careful, keep it updated, use strong passwords, etc. But I like to play it as safe as possible and use a security plugin as well.
I personally haven’t had compatibility issues with other plugins- is there a specific plugin(s) you’ve had issues with?
Generally I’m opposed to requiring CAPTCHA because of usability issues, but I can do it easily enough myself, so I use the CAPTCHA on Login plugin for my websites. It’s great for preventing those brute force hacking attempts!