• Resolved themuttfactor

    (@themuttfactor)


    I have seen some plugins that change the path of the admin so that you can change your login from mysite.com/wp-admin to mysite.com/myadmin or whatever.

    Why doesn’t WordFence offer this or is this not necessary?

    Thanks,
    Lisa

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thanks for reaching out. I’ll be happy to explain.

    Changing the login URL is a feature we do not include in Wordfence. Though it is something that many people swear by and can help a little in certain situations, it’s ultimately not very beneficial. These are the reasons why:

    1. Changing WordPress URLs involves a risk of breaking functionality of WordPress themes and plugins.
    For example, WordPress JavaScript XMLHttpRequest object (AJAX) functions are triggered via admin-ajax.php which is located in the wp-admin folder. Changing /wp-admin is a URL but it is also a folder path. We have seen plugins that change the admin URL break this functionality unintentionally, but it causes confusion as to what happened, what went wrong, and what was to blame.

    2. Changing the URL makes us feel more secure but it does not actually make the site more secure.
    It is what many security analysts refer to as “security through obscurity”. It’s like boarding up the front door of your home to protect yourself against a burglary. Someone looking for a quick break in may be deterred, but any seasoned thief is just going to go look for another door or window to get in. Any serious attacker can and will anticipate this and look for other ways in too.

    3. Over half of all login attempts that are made on WordPress sites are made via xmlrpc.php.
    Those will not be stopped by changing your admin URL. Our Wordfence Login Security and Wordfence plugins offer the option to block XMLRPC or at least require 2FA with authentication requests using XMLRPC on the Login Security > Settings page.

    Additionally, if you change the wp-admin or wp-login URLs you also lose visibility on who is attempting to log in to your site and when they are doing it since we’re not looking for logins on a random URL that you created.

    What we recommend as a basic means of reducing login attempts is to use Country Blocking (available in the Premium Wordfence plugin only) to restrict access to your login only to countries that you are yourself going to log in from. This will make login via wp-login.php and xmlrpc.php only available from your country. Or by using the Brute Force Protection settings and by blocking XMLRPC like I mentioned before. Also using the 2FA functionality we give you for free in Wordfence and Wordfence Login Security will greatly reduce the risk of a compromise.

    I hope my answer helps you understand our position on this.

    Tim
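
Item 3 of the reply above says login traffic also arrives at xmlrpc.php, which a renamed admin URL does not cover; the sketch below measures that split on a site's own access log. It is an added example, not part of the original thread or of Wordfence, and it assumes a combined-format access log; the sample lines and function names are constructed for illustration. Every POST to xmlrpc.php is counted, because access logs do not record which XML-RPC method was called.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/8.0"
198.51.100.4 - - [10/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:10:02:10 +0000] "POST /blog//xmlrpc.php?x=1 HTTP/1.1" 200 403 "-" "python-requests/2.31"
malformed line without a request
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
ENDPOINTS = ("wp-login.php", "xmlrpc.php")

def classify(path):
    """Return the login endpoint a request path targets, or None."""
    # Drop the query string and keep the last segment (covers /blog/xmlrpc.php).
    name = path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1].lower()
    return name if name in ENDPOINTS else None

def tally(log_text):
    """Count POSTs per endpoint and per (client, endpoint); skip bad lines."""
    by_endpoint, by_client = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, path, _status = m.groups()
        endpoint = classify(path)
        # Only POSTs can carry credentials; a GET of wp-login.php is a page view.
        if method.upper() == "POST" and endpoint:
            by_endpoint[endpoint] += 1
            by_client[(client, endpoint)] += 1
    return by_endpoint, by_client

def xmlrpc_share(by_endpoint):
    """Fraction of counted POSTs that went to xmlrpc.php."""
    total = sum(by_endpoint.values())
    return by_endpoint["xmlrpc.php"] / total if total else 0.0

if __name__ == "__main__":
    endpoints, clients = tally(SAMPLE_LOG)
    print(dict(endpoints), f"xmlrpc share: {xmlrpc_share(endpoints):.0%}")
    for (client, endpoint), n in clients.most_common(3):
        print(f"{client:15} {endpoint:13} {n}")
```

To run it against a real log, pass the file's contents to `tally()` in place of `SAMPLE_LOG`; behind a reverse proxy the first field is the proxy's address unless the log format records the forwarded client.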

    Thread Starter themuttfactor

    (@themuttfactor)

    Tim,

    THANK you very kindly for your detailed response. I’ve been reading up on this topic and people do insist that you change the admin URL, however when I didn’t see this option in WordFence, I became curious as to why.

    And thanks for explaining the country blocking – it’s a feature that seems well worth it.

    Finally, thanks for making a free version of this available. I do plan on the upgrade to Pro.

    Lisa

  • The topic ‘Admin: Change Admin Login Path’ is closed to new replies.