Is changing default admin URLs an effective security measure?

Question

Consider WordPress, which houses all of its admin functions in the /wp-admin/ directory. Accordingly, its admin URLs all begin with /wp-admin/. I'm wondering if it would be significantly more secure to have each installation use a unique name for the admin folder and URLs, For example, the admin folder for a particular installation might be /8404f25a73ec25d1/.

The first thing that comes to mind is that this is security through obscurity. However, this seems like it could be an effective, first-line-of-defense against automated scripts. If the name was sufficiently random and long enough, there is no way an attacker could guess the name of the admin folder. Also, in zero-day attack against a newly found security hole against the admin side, this might be the only defense.

Should off-the-shelf web applications like WordPress provide a way to change default admin URLs?

To be clear, I am not thinking that this should replace any other security measure; I'm only wondering if the additional security (if any) would be worth the effort.

Probably better to use htaccess to 403 deny the admin url to all but your admin IP address ranges. That way they can't sit there dictionary cracking your admin login. — Fiasco Labs, Aug 27 '13 at 05:36
+1 @ Fiasco; recommended on all admin-logins for all kinds of cms — that guy from over there, Aug 27 '13 at 07:05

score 5 · Answer 1 · answered Aug 27 '13 at 17:09

It will unquestionably protect you from automated attacks that rely on the location of the wp-admin directory as part of their programming, which is not insignificant, since automated attacks make up the vast majority of wordpress compromises. You may call it security through obscurity, but you're not actually replacing any of your security apparatus with obscurity, you're augmeting it. So a better term would be defense in depth.

Note that a far better strategy is to require HTTP Authentication to access the wp-admin directory. Just plunk an .htaccess file and .htpasswd file in there and you're done. This is widely regarded and recommended as a good idea. That way not only do you have to log in to wordpress to use the admin features, but you also have to provide a password to the server just to allow it to show any content from that directory. That protects you against all sorts of authentication-bypass vulnerabilities if they ever crop up.

See the rest of the Hardening Wordpress documentation for more similar "good ideas".

score 3 · Answer 2 · answered Aug 27 '13 at 17:18

Non-standard URL are similar to using a non-standard port (e.g. putting your SSH server not on port 22, but on some other port): they may help against automated attacks, not really for actual security, but in order to reduce the noise. A standard "admin" URL will get hundreds of connection attempts per day, generating tons of logs, thus preventing efficient detection of non-automated attacks, the kind that you should worry about.

However, changing a URL to some non-standard, site-specific value can have hidden costs. For instance, if there is an "admin" button on the main page, that button will have to be adjusted to point to the actual admin URL; hardcoding the link value in a HTML file provided with the software won't work anymore. Note that this non-standard URL will not be exactly secret if it is advertised through such a button...

So if you can easily, with little or no overhead, change the "admin" URL to some non-standard value, then by all means, go for it. Just don't believe that it really increases security. Its job is to decrease noise from mindless attack automatons (and that can promote more efficient attack detection, which may indirectly help with your security).

Having an admin URL on the main page would probably defeat the purpose of randomizing the admin URLs because automated scripts could just be programmed to run their login attacks against every link on the page. — poke, Aug 29 '13 at 02:32

score 1 · Answer 3 · answered Aug 27 '13 at 16:57

I think changing defaults to avoid simple 0day exploits is a vastly underrated defensive strategy. Bad guys have already used Google to survey and build databases of existing systems and version fingerprints, and are just itching for the next 0day to quickly exploit. It may be anti-social, but I'd be happy to let the less-cautious sites take the brunt of the first wave of attacks.

score 0 · Answer 4 · edited Mar 17 '17 at 10:46

In my opinion, it could be a good measure depending on the type of users that will need to access the admin interface. If they are users that need to know without thinking where is the admin interface, changing it to a difficult string may lead to writting down the URL or continuous support calls. If they are skilled and few people it could be a good additional security measure.

Just look the question https://security.stackexchange.com/questions/41282/what-can-i-do-with-an-admin-password-and-email. My recommendation is to look for default admin URLs so if it has been changed to a random string it will be difficult for any script kiddie to find it.

Is changing default admin URLs an effective security measure?

4 Answers4