Last month, my /wp-login.php page was hit about 7,000 times according to AWStats. That’s a little frightening… Unfortunately, there’s little that can be done to hide your wp-login.php page. I guess that’s the double-edged sword that comes with using the most popular CMS right now.
So, how do attackers figure out you’re running WordPress? Most likely they’re using a crawler that requests http://www.example.com/wp-login.php and checks whether it exists. (I’m going to start making some assumptions here…) The cheapest test is the HTTP status code of the response: “HTTP/1.1 200 OK” means the page exists, “HTTP/1.1 404 Not Found” means it does not. (The reason phrase after the number is free text, and “File Not Found” is a common variant, but clients and scanners key on the number, not the words.)
In PHP, you can send your own status line with header() (in PHP 5.4 and later, http_response_code(404) does the same thing). So, let’s set the HTTP status to 404 on the login page to make it look like the page is not there. (After making a backup of the file!) Open wp-login.php in your favorite editor and add the line below directly after the opening comment block. It has to run before any output is sent; once output has started PHP can no longer change the status line. Bear in mind that wp-login.php is a core file, so the next WordPress update will overwrite your change; the same header() call hooked to the login_init action from a must-use plugin survives updates and fires before wp-login.php prints anything.
header("HTTP/1.0 404 Not Found"); // must be sent before any output
Save it and load the page in a browser. In the Chrome developer tools (Network tab) or Firebug in Firefox, you’ll see that the response now carries a 404 status. This won’t affect how the page looks or functions: only the status line changes, the HTML body is still the normal login form, and logging in still works, because a successful login is answered by wp_redirect(), which sets its own 302 status on the redirect to the admin area.
Let’s take a step back. If those attackers are smart (most are), they won’t stop at the status code: they’ll grep or regex the body for elements that are typically on the page, like the submit button and the input fields, in which case the fake 404 buys you nothing. Bummer, dude. Two more things the trick doesn’t change: the brute-force bots behind this kind of traffic don’t check whether the page exists at all, they just POST username/password guesses and look at whether the response is the login form again or a redirect with an auth cookie; and WordPress leaves plenty of other fingerprints (the /wp-content/ and /wp-includes/ paths in every page, readme.html at the site root, the generator meta tag) that a scanner can use instead.
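The status-code check described earlier and the body grep just mentioned are easy to put side by side. The following is an added example and not code from the original post: a small Python fingerprinter run over three constructed, abridged responses to GET /wp-login.php (a real web-server 404, the stock login page, and the login page with the status line forced to 404). The form field names log, pwd, wp-submit and the id loginform are the ones the real wp-login.php uses; the surrounding HTML, the example.com URL and the marker list are assumptions made for the example. The fetch() helper is only there for pointing the same checks at a live host and is not used by the samples.

```python
import re
from dataclasses import dataclass
from urllib import error, request


@dataclass
class Response:
    """Just the two things a scanner looks at."""
    status: int
    body: str


# Constructed sample responses for GET /wp-login.php; not captured from a real site.
# The form field names (log, pwd, wp-submit) and id="loginform" are the ones the
# real wp-login.php uses; the surrounding HTML is abridged.
REAL_404 = Response(404, (
    "<html><head><title>404 Not Found</title></head><body>"
    "<h1>Not Found</h1><p>The requested URL /wp-login.php was not found on this server.</p>"
    "</body></html>"
))
STOCK_LOGIN = Response(200, (
    '<html><head><title>Log In</title></head><body class="login">'
    '<form name="loginform" id="loginform" action="http://www.example.com/wp-login.php" method="post">'
    '<input type="text" name="log" id="user_login">'
    '<input type="password" name="pwd" id="user_pass">'
    '<input type="submit" name="wp-submit" id="wp-submit" value="Log In">'
    '</form></body></html>'
))
# Same body, with the status line forced to 404 as the post describes.
FAKED_404_LOGIN = Response(404, STOCK_LOGIN.body)

# Things a content-based check can look for (assumed marker list).  An ordinary
# web-server 404 page also echoes the requested path, so the path alone must not
# be decisive; that is what min_hits below is for.
WP_LOGIN_MARKERS = (
    r'id="loginform"',
    r'name="log"',
    r'name="pwd"',
    r'name="wp-submit"',
    r'/wp-login\.php',
)


def exists_by_status(resp: Response) -> bool:
    """The naive check from the post: 200 means it exists, anything else means it doesn't."""
    return resp.status == 200


def looks_like_wp_login(resp: Response, min_hits: int = 3) -> bool:
    """The content check: count WordPress login-form markers in the body."""
    hits = sum(1 for marker in WP_LOGIN_MARKERS if re.search(marker, resp.body))
    return hits >= min_hits


def fingerprint(resp: Response) -> dict:
    """Both verdicts side by side, so the effect of the fake 404 is visible."""
    return {
        "status_says_exists": exists_by_status(resp),
        "body_says_wordpress": looks_like_wp_login(resp),
    }


def fetch(url: str, timeout: float = 10.0) -> Response:
    """Fetch a URL for a live check; urllib raises on 4xx/5xx and we want that body too."""
    try:
        with request.urlopen(url, timeout=timeout) as r:
            return Response(r.status, r.read().decode("utf-8", "replace"))
    except error.HTTPError as e:
        return Response(e.code, e.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    for name, resp in (("real 404", REAL_404), ("stock login", STOCK_LOGIN),
                       ("login with fake 404", FAKED_404_LOGIN)):
        print(f"{name:20s} {fingerprint(resp)}")
```

Running it shows the point of the post in one line each: the faked 404 flips status_says_exists to False but leaves body_says_wordpress True, while the genuine 404 fails both checks. Lowering min_hits to 1 makes the genuine 404 match on the echoed path alone, which is why a content check needs more than one marker.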