I’ve used Better WP Security for a while now to help protect this WordPress site. Its ability to ban users who try to log in with incorrect credentials has been very valuable. This has been especially true because of the botnets I wrote about before. The problem with that solution, in addition to .htaccess getting corrupted, is that the ban list can get quite large.
Because of that, I decided to use another feature of Better WP Security – the Hide Backend option, which is on its own tab in Better WP Security’s options. One of the things it does is (sort of) move the login page to one you specify. The default page is /wp-login.php, but when the Hide Backend feature is activated, going to that page gives an error instead of the username and password fields.
I said “sort of” because the page actually still works but only if a secret key is attached (e.g. /wp-login.php?xxxxxxxxxxxx). Going to the name you specify (the default is /login) redirects it to the /wp-login.php page with the secret key filled in. It then allows you to enter the username and password as before.
Using this option should provide a good defense against the botnets pecking away at the default login page. I’m only sorry I didn’t notice the option sooner. You could say it’s security through obscurity but I’d argue there’s nothing wrong with that as long as it’s not your only defense. It’s just one more layer of security (and a nice way to keep the list of banned IPs shorter). Having a very good password and keeping up to date with the security updates are still essential and changing the username from the default “admin” is quite helpful as well.
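To make the mechanism concrete, here is a small Python model of the behaviour described above: the /login alias redirects to /wp-login.php with the secret key filled in, /wp-login.php without the key returns an error, and a per-IP ban list counts failed credential checks. It also shows why the hidden login keeps the ban list shorter: a bot that hammers /wp-login.php directly never reaches the credential check, so it never earns a ban entry. This is an added example, not the plugin's code; the slug, the 12-hex-character key format, the ban threshold, the IP addresses and the test account are all assumptions constructed for the demonstration.

```python
"""Toy model of a hidden WordPress login gate plus a failed-login ban list.

Added example, not Better WP Security's code. Everything below (slug, key
format, ban threshold, addresses, credentials) is assumed or constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field

LOGIN_SLUG = "/login"            # alias the admin configures (the post's old default)
REAL_LOGIN = "/wp-login.php"     # WordPress's real login script
BAN_THRESHOLD = 3                # failed logins per IP before a ban (assumed value)

# Constructed test account for the demonstration only.
VALID_USER = "editor"
VALID_PASSWORD = "correct horse battery staple"


@dataclass
class Site:
    """Minimal request handler for the login paths of one WordPress site."""
    hide_backend: bool = True
    # 12 hex characters, matching the post's "/wp-login.php?xxxxxxxxxxxx" shape.
    key: str = field(default_factory=lambda: secrets.token_hex(6))
    failures: dict = field(default_factory=dict)   # ip -> failed attempts
    banned: set = field(default_factory=set)       # ips that hit the threshold

    def handle(self, ip, path, query="", creds=None):
        """Serve one request and return (status, body)."""
        if ip in self.banned:
            return 403, "banned"
        if path == LOGIN_SLUG and self.hide_backend:
            # The alias redirects to the real script with the key attached.
            return 302, f"{REAL_LOGIN}?{self.key}"
        if path == REAL_LOGIN:
            if self.hide_backend and not hmac.compare_digest(query, self.key):
                # Missing or wrong key: refuse before any credential check,
                # so this request never touches the failure counter.
                return 404, "not found"
            if creds is None:
                return 200, "login form"
            return self._check_credentials(ip, creds)
        return 404, "not found"

    def _check_credentials(self, ip, creds):
        """Credential check with the per-IP lockout the post relies on."""
        user, password = creds
        if user == VALID_USER and hmac.compare_digest(password, VALID_PASSWORD):
            self.failures.pop(ip, None)
            return 200, "logged in"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= BAN_THRESHOLD:
            self.banned.add(ip)
            return 403, "banned"
        return 401, "bad credentials"


def simulate_bot(site, ip="198.51.100.7",
                 guesses=("admin123", "password", "letmein", "qwerty")):
    """Botnet behaviour from the post: guess passwords straight at /wp-login.php.

    Returns the list of status codes the bot saw.
    """
    return [site.handle(ip, REAL_LOGIN, creds=("admin", pw))[0] for pw in guesses]


def legitimate_login(site, ip="203.0.113.5"):
    """Log in the way a browser would: use the alias, follow the redirect, post creds."""
    if site.hide_backend:
        status, location = site.handle(ip, LOGIN_SLUG)
        if status != 302:
            return status
        path, _, query = location.partition("?")
    else:
        path, query = REAL_LOGIN, ""
    status, _ = site.handle(ip, path, query)          # fetch the form
    if status != 200:
        return status
    status, _ = site.handle(ip, path, query, creds=(VALID_USER, VALID_PASSWORD))
    return status


if __name__ == "__main__":
    plain = Site(hide_backend=False)
    print("plain site, bot sees:", simulate_bot(plain), "banned:", plain.banned)
    hidden = Site(hide_backend=True)
    print("hidden site, bot sees:", simulate_bot(hidden), "banned:", hidden.banned)
    print("hidden site, real user:", legitimate_login(hidden))
```

On the plain site the bot gets two 401s and is then banned, so the ban list grows by one address per bot; on the hidden site every direct request to /wp-login.php is a 404 and the ban list stays empty, while a real user who follows the /login alias still logs in. The key is compared with `hmac.compare_digest` rather than `==` so that the check does not leak through timing; note that because the key travels in the query string, it will appear wherever URLs are recorded, such as web server access logs, which is one reason to treat this as an extra layer rather than a secret on its own.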
Edit 3/28/14: I updated the plugin today and found it has been renamed iThemes Security and features have changed quite a bit. I haven’t explored it much yet but I did end up locking myself out of the admin area. Once I logged out, I couldn’t log back in. That was quite annoying. I had to use a file editor and rename the index.php file for the plugin to regain access via the old-fashioned way (/wp-login). The new default for the Hide Backend feature (now called Hide Login Area) is /wplogin. The plugin indicated /login can no longer be used as WordPress uses it. Of course if security is a huge concern, you should never use the defaults for anything.
The way it works seems to have changed as well. It no longer seems to use a secret key. I’m sure they had their reasons but I can’t read up on why or how it was changed at the moment.