

Hello!

December 27, 2011

Avoiding WordPress login hackers

Filed under: blog, hacking, security, software, wordpress — admin @ 3:44 pm

Lately in my server logs I've been seeing a lot of attempts to hack into WordPress. The attackers appear to have automated means of working well-known exploits such as those in timthumb.php and phpMyAdmin, but I've also seen persistent brute-force login attempts using a big password set. A lot has been written about the exploits, and patches for them exist that you can find elsewhere, but the simple way I keep the most common brute-force login bots away out of the gate is to not even have the well-known WordPress login script, wp-login.php, visible at its usual location. Rename that file to something like wp-myspecial-xyz-login.php and do a full text replace of the filename wherever it appears in the code of that page (the script refers to itself by name in its form action and redirects), so that those references match the new name. Your login should then work as before, just at a URI matching the new name, while the simple wp-login.php hackers get 404s and might move on to greener pastures. Bookmark the new URI rather than expecting to be sent to it: links that other parts of WordPress build with wp_login_url(), such as the redirect to the login page when you hit wp-admin logged out, still point at the old name. And keep in mind this is obscurity, not a control: anyone who learns the new name can brute-force it exactly as before, so it complements strong passwords and rate limiting rather than replacing them.
Of course, this can complicate later patches: a core upgrade puts the original wp-login.php back (reopening the well-known URL) and does nothing to your renamed copy, which then misses any fixes to the login code. So keep a backup of the original file, put it back when you patch, and redo the rename from the freshly patched file afterwards. At least, that's one approach you can take. There are many similar ones.
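The rename procedure and a quick check of the access log for the brute-force traffic described above, as an added example that is not the post's own script. It assumes the WordPress root you pass in, a backup named wp-login.php.orig, and the Apache/nginx "combined" log layout; the stand-in wp-login.php and the log lines in the demonstration are constructed, not real traffic.

```shell
#!/bin/sh
# Added example (not the post's own script). Two helpers around the post's
# advice: one renames wp-login.php and rewrites its self-references, keeping
# the original for patch time; the other counts POSTs to the old login URL
# per client IP so you can see who was hammering it. The backup location and
# the Apache/nginx "combined" log layout are assumptions.
set -eu

# rename_wp_login WP_ROOT NEW_NAME
# Copies wp-login.php to NEW_NAME with every literal "wp-login.php" replaced
# (the form action and redirects in WordPress 3.x are written that way),
# keeps a pristine copy as wp-login.php.orig for the next upgrade, and removes
# the public wp-login.php so scanners get a 404. Move the .orig copy out of
# the web root afterwards; it is left beside the file here only for simplicity.
rename_wp_login() {
    wp_root="$1"
    new_name="$2"
    src="$wp_root/wp-login.php"
    dst="$wp_root/$new_name"
    backup="$wp_root/wp-login.php.orig"   # assumption; keep it off the web root in practice

    [ -f "$src" ] || { echo "rename_wp_login: $src not found" >&2; return 1; }
    # Only plain filename characters, so the name is safe inside the sed replacement.
    case "$new_name" in
        *[!A-Za-z0-9_.-]*) echo "rename_wp_login: unsafe name '$new_name'" >&2; return 1 ;;
        *.php) ;;
        *) echo "rename_wp_login: name must end in .php" >&2; return 1 ;;
    esac

    cp -p "$src" "$backup"
    cp -p "$src" "$dst"                                   # keeps the original mode bits
    sed "s/wp-login\.php/$new_name/g" "$backup" > "$dst"  # rewrite the self-references
    rm -f "$src"                                          # old URL now answers 404
}

# brute_force_ips LOGFILE [THRESHOLD]
# Prints "count ip" for each client with more than THRESHOLD (default 10)
# POSTs to /wp-login.php, busiest first. Assumed field layout: client IP is
# field 1 and the request line is "\"METHOD PATH PROTO\"", so the method is
# field 6 (with its leading quote) and the path is field 7.
brute_force_ips() {
    awk -v thr="${2:-10}" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] > thr) print n[ip], ip }
    ' "$1" | sort -rn
}

# write_sample_log FILE
# Constructed access-log lines (not real traffic): one client POSTing to
# wp-login.php 12 times, another POSTing twice and fetching the page once.
write_sample_log() {
    : > "$1"
    i=0
    while [ "$i" -lt 12 ]; do
        printf '%s\n' '203.0.113.5 - - [27/Dec/2011:15:44:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"' >> "$1"
        i=$((i + 1))
    done
    printf '%s\n' '198.51.100.7 - - [27/Dec/2011:15:50:09 +0000] "GET /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"' >> "$1"
    printf '%s\n' '198.51.100.7 - - [27/Dec/2011:15:50:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"' >> "$1"
    printf '%s\n' '198.51.100.7 - - [27/Dec/2011:15:50:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"' >> "$1"
}

# Stand-alone demonstration on a throwaway directory. On a real site call
# rename_wp_login /path/to/wordpress wp-myspecial-xyz-login.php directly.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/wp-login.php" <<'EOF'
<?php // constructed stand-in for the real file, holding one self-reference
$login_url = site_url( 'wp-login.php', 'login_post' );
EOF
    rename_wp_login "$tmp" wp-myspecial-xyz-login.php
    ls "$tmp"
    grep login_url "$tmp/wp-myspecial-xyz-login.php"
    write_sample_log "$tmp/access.log"
    brute_force_ips "$tmp/access.log" 10
    rm -rf "$tmp"
}

demo
```

Run `brute_force_ips /var/log/apache2/access.log` before the rename to see who is hammering the old URL, and again afterwards to confirm they are now only collecting 404s; the name check in rename_wp_login exists because the new name is spliced into a sed replacement, so a slash or an ampersand in it would corrupt the rewrite.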
