I have noticed that I have been getting a lot of attempted logins on my WP site. Looks to be scraping users/authors and attempting to login as them. They are all failing of course, but it still makes me nervous.

I do need to put my site behind an additional firewall, such as Cloudflare or Sucurri, but cannot do that yet for a list of reasons that I don’t want to get into here. Once I do that I know that I can block IPs, etc.

My questions is, does anyone have any experience with renaming the wp-admin with Pantheon? I know that there are plugins that do this, as well as just modifying the functions code. Any known conflicts with host?

Also, another caveat is that I DO have WooCommerce and still need customers to login to their accounts. I just don’t want unknown admin login attempts. I don’t think that you can seperate these login types though.

Hi Luke,
There are a couple of ways you could go about that.
First, you can restrict access to wp-admin /wp-login by IP without an additional firewall.

Second, use a plugin as you suggested. iThemes Security is one, and has a “hide the backend” feature. Note some other iThemes Security features require write access to nginx.conf which is not allowed. See our docs for details.

Not sure you could “hack core” by renaming/moving core php files without breaking your ability to do updates. But the above two options should work w/testing.

Hey Luke,

Yes, there are quite a few plugins that can block out things too. Another one that comes to mind is: https://wordpress.org/plugins/restricted-site-access/

As for the renaming of folders, not the greatest as WordPress core would be a little confused too when looking for things. The upstream updates would be a bit trickier as well because of all the modified file paths.

It seems to me that the best approach would be to use an external firewall, to filter out bad traffic and allow for 1-off removal of bad actors as needed, so that the server resources are not taken up by php workers and database I/O trying to handle this on Pantheon’s end.

@lukesdyer as long as your login page isn’t super customized, the overall load from brute force password attempts should be pretty low.

We do offer a Web Application Firewall through our Advanced Global CDN product. Many customers will leverage that to restrict admin pages to an allowlist of IPs, blocking all other wp-admin traffic.

I’d generally recommend using a WAF that doesn’t live in WordPress for the same reasons you mentioned, tying up your application with database queries etc isn’t ideal

Hey, Luke–

If one of these answers helped you out, do you mind selecting it as the “accepted answer” so future visitors know where to start?

Thanks!
Tara