Whether an experienced hacker or a WordPress newbie you can look at any WordPress website and make an educated guess at the URL of the login page — http://yourdomain.com/wp-admin. I have had the opportunity to watch bots and hackers attack servers with WordPress installs in real time. It’s a scary scene. Once they find a WordPress login URL they slam that login page with targeted username and password login attempts.
What does this mean for your website and how can you prevent the issue?
If a net-bot, spammer, or hacker locates a server with a bunch of WordPress installs they will slam that server with username and password attempts to try to get in to the website and server. With tens of thousands of login attempts being made over the course of an hour, the server will slow to a crawl. This means your web pages will load for legitimate users at ridiculously slow speeds. Search engines like Google have their own bots that scan the internet for content. If they index your website while your server is running slowly because of the bad-bots attacking your server, your website will likely be punished for its slowness and moved down in search engine rankings. Even worse, should a hacker actually penetrate your website with correct login credentials, they can do a number of harmful things: inject your website with virus-laden scripts, send out spam through your email accounts, or destroy, alter, or take down your website pages. Fortunately, there is a simple solution for reducing this risk—move your wp-admin page. Doing so will reduce your risk of bots, spammers, and hackers finding it in the first place!
Moving your admin login page is a relatively simple task thanks to plugin developers who have realized the need for a simple solution to this problem. There are probably many plugins available that have this functionality, but two of the more simple ones to use are WPS Hide Login and Move Login. Both plugins are fairly well reviewed by users and very easy to implement.
Once you download and activate the plugin, you then provide an alternate location for your login page. So instead of logging in at http://yourdomain.com/wp-admin you can login at http://yourdomain.com/my-hidden-login-page.