Should I redirect login / admin pages to the home page?

Problem :


I'm on a security kick right now and my current project is a server with a WordPress site (that used to be a Joomla site). I sometimes get 50 requests a day to

/wp-login.php (the WordPress default login page)

or

/administrator (the Joomla default login page)

I obfuscate my login page so they 404, but they continue to give 200 OK instead of 404 Not Found.

I don't like to have people try to hack my website.

I'm thinking about 301 redirecting those requests to the home page, hopefully to confuse the brute-force bots. Would there be any drawbacks to such an approach?

I'm also thinking about sending other hack requests there, like author pages, search pages and non-existent plugins.


Solution :

The short answer to your question is no, there will be no problem doing that, but I'd definitely keep fake /administrator and /wp-login.php files. That will keep bots and strangers occupied for nothing.



On the other hand, I'd take into consideration:

  • Password protect the real server
  • Limit login attempts
  • Allow access to login files by IP
  • Change default database prefix
  • Disable directory browsing



Not Brute Force

50 requests per day is not brute force. That is unless your password requirements are just two characters in length. Most often these hits are just internet scanners checking for specific credentials and then moving on to the next.


Brute Force Logins

Consider adding a Captcha or, better yet, some form of two-factor authentication. There are a number of two-factor options available such as Google Authenticator, Duo Security, etc. Find one that best fits your environment and you'll be set.


404 vs 301

Stick with the RFC standards. If the page doesn't exist, return a 404; if the application owner wants to redirect certain requests to a specific page, then use a 301. A determined adversary will not be fooled by your proposed obfuscation techniques, while internet scanners and bots are not really a threat unless you're already compromised. This leads me to the next point...


Securing WordPress

WordPress has a large attack surface, as evidenced by the length of the OWASP WordPress Security Implementation Guideline. Your time will be better spent working through that document.
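The "limit login attempts" and "allow access to login files by IP" items from the first answer and the "404 vs 301" point above, as an added nginx configuration (an example written for this page, not code from either answer). The hostname, document root, admin network and PHP-FPM socket are assumed values.

```nginx
# Must sit in the http context (e.g. conf.d/*.conf): one rate-limit bucket
# per client address, 5 requests per minute.
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;

server {
    listen 80;
    server_name example.com;            # assumed hostname
    root /var/www/wordpress;            # assumed document root
    index index.php;

    # Directory browsing off (nginx's default, stated explicitly here).
    autoindex off;

    # The Joomla install is gone, so its login path no longer exists:
    # answer 404 rather than redirecting, as the 404 vs 301 answer advises.
    location ^~ /administrator {
        return 404;
    }

    # The real WordPress login: only the admin network may reach it (others
    # get 403), and every client hitting this path is rate-limited, which
    # throttles password guessing even from an allowed address.
    location = /wp-login.php {
        allow 203.0.113.0/24;           # assumed admin network (RFC 5737 range)
        deny all;
        limit_req zone=login burst=3 nodelay;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed PHP-FPM socket
    }

    # All other PHP: the site itself.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # WordPress pretty permalinks.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Note that nginx evaluates limit_req before allow/deny, so an address outside the admin network that exceeds the rate sees a 503 instead of a 403; both are honest status codes and neither leaks whether the login exists.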



Use three things to keep your site safe from spam:

  • Add Captcha.
  • Uncheck the "Anyone can register" option in the settings of your WP site (if your site has no user-account functionality).
  • Use this plugin to hide your login page: https://wordpress.org/plugins/wps-hide-login/

As well, if your site username is admin, then change it to another, because admin is a very common term and is hit by spam tools and minds...

I wrote an article a couple of years back and it's worth a read, especially the section about "Creating a Strong Complex Password".
