April 21, 2021

Having www.companyname.com/admin as the admin URL, WordPress bad practice?

Working with a client who uses the /admin in the URL to access website administration. This is a WordPress site. Is this bad practice and can it be changed? Wouldn’t it make sense to use something random like www.companyname.com/admQ$7 or some other more random URL?



Security through obscurity is never best practice. One could argue that it’s a layer you can add to better your security, but by itself, or even as a secondary layer, it is never good enough.

Changing the URL away from default may stop some automated scripts that run on the internet trying to exploit WordPress sites, which does have benefit.

You should first ensure that:

* All passwords are unique and secure

* All users are using MFA, preferably through OTP and not SMS or email.

* All plugins, themes, and WordPress installations are fully up to date.

* Any unused plugins and themes are disabled/removed.

This applies both to your actual WordPress accounts and to any hosting accounts that can SSO into WordPress, like cPanel via BlueHost or GoDaddy.


Assuming all else is secure (login credentials), there are not any pressing security issues with accessing the administration panel via that URL. A little obfuscation may help if the site is experiencing excessive automated login attempts, but other than that there isn’t much issue.
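
One way to check whether a site really is "experiencing excessive automated login attempts" is to count login POSTs per client in the web server's access log. The sketch below is an added example, not part of the original thread; the function names, the threshold and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Start of an Apache/nginx "combined" access log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/wp-login.php"  # stock WordPress login handler

def summarize_logins(lines):
    """Per client IP, count failed and successful login POSTs."""
    # Assumption: stock WordPress behaviour, where a rejected login
    # re-renders the form (HTTP 200) and an accepted one redirects (302).
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != LOGIN_PATH:
            continue
        if m["status"] == "200":
            stats[m["ip"]]["failed"] += 1
        elif m["status"] == "302":
            stats[m["ip"]]["succeeded"] += 1
    return dict(stats)

def flag_clients(lines, max_failures=3):
    """Return IPs with more than max_failures failed logins."""
    # 'guessed' marks an IP that also logged in successfully: reset that
    # account's credentials and review its recent activity.
    return {
        ip: {"failed": s["failed"], "guessed": s["succeeded"] > 0}
        for ip, s in summarize_logins(lines).items()
        if s["failed"] > max_failures
    }

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Apr/2021:10:00:0%d +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.25"' % i
    for i in range(5)
] + [
    '203.0.113.7 - - [21/Apr/2021:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.25"',
    '198.51.100.20 - - [21/Apr/2021:10:01:00 +0000] "GET /admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [21/Apr/2021:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [21/Apr/2021:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
```

Calling `flag_clients(SAMPLE_LOG)` flags only the client with five failures followed by a success; the user who mistyped a password once stays below the threshold.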


Security through obscurity is the sprig of parsley on the plate with your defense in depth steak.


Considering that it’s WordPress and WP’s history of security flaws and RCEs, I’d say yes, it is.
