WordPress random Admin Link/route

  • jeremiva (@jeremiva)


    Thousands of WordPress installations get hacked every day. To make WordPress more secure I suggest making this a core feature: I want basically a random admin route to be generated on installation (https://www.mywpsite.com/0c92aefd).

    This should be the only route where admins can log in; all other users, no matter what role we gave to them, should have a separate route that cannot be used to log in as admin even if you put in the correct credentials! Maybe /login?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Jan Dembowski (@jdembowski), Forum Moderator and Brute Squad

    I want basically a random admin route to be generated on installation.

    This is not a good idea and doesn’t work. It does make a user’s installation impossible to support.

    Hiding, moving or pretending to move things just obscures the problem. And users will forget where they put their random URL.

    If anyone is concerned about security, and that’s a good thing, then these steps do work. Though there never is a 100% guarantee as anything security related is a process and not a setting.

    1. Choose strong passwords.
    2. Keep all of your code up to date.
    3. Harden your WordPress installation.
    4. Apply two-factor authentication when necessary.

    Item number one is the easiest. Many people use 1Password, LastPass or another password manager to generate strong passwords. WordPress will accept a password up to 4096 characters. Don’t do that BTW. 😉

    Here’s a sample of passwords my 1Password app generated for the asking.

    gya8EPV!akc4cjt4xwn
    haf_BQW8qxh1vwc7vrm
    ukf2hdz6YFJ6fan*wug
    gxj3bju1VXN!fzk_jyw

    I’m not using them and they are just examples of strong passwords. It’s called 1Password because it uses one strong password to access and can be synced to my phone, my desktop, etc. and is backed up in the cloud. LastPass and others work the same way.

    Number 2 does not just mean update WordPress and its add-ons (plugins and themes). The state of your WordPress installation doesn’t matter if the host provider is insecure. Many WordPress installations are not exactly compromised; the host was compromised and a WordPress installation suffered that way.

    Hardening your WordPress means making it a little more difficult to administer but that also means many scripted attacks won’t work. They can’t update the files either without special access.

    https://wordpress.org/support/article/hardening-wordpress/

    The last item is good but needs a WordPress admin to understand the implications. Two-factor authentication lets you have your user ID, your password and a physical token that you have access to.

    But it needs understanding. If you delete the app where the token lives (like Google Authenticator) you are not getting it back and will need to generate a new one.

    These plugins let you do that.

    https://wordpress.org/plugins/search/two+factor/

    I use this one and hope it will be merged into WordPress someday.

    https://wordpress.org/plugins/two-factor/

    In addition to 2FA codes, such as Google Authenticator types, it supports hardware tokens such as YubiKey.

    • This reply was modified 1 week ago by Jan Dembowski. Reason: Grammar
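
The hardening step in the reply above (making file changes need "special access") maps directly onto a few wp-config.php settings. The fragment below is an added example, not code from this thread or from the WordPress project; the constants are WordPress core constants, each shown next to the default behaviour it replaces, and the key/salt values are the placeholder strings from wp-config-sample.php, not usable secrets.

```php
<?php
// Added example, not code from this thread or from WordPress itself:
// a hardening fragment for wp-config.php. Each constant is a WordPress core
// constant; the comment above it describes the default (weaker) behaviour.

// Default: wp-admin offers a theme/plugin file editor, so anyone who logs in
// as an administrator can write PHP to the server from a browser.
// Hardened: remove the editor entirely.
define( 'DISALLOW_FILE_EDIT', true );

// Default: wp-admin can install and update plugins and themes, i.e. write
// code to disk with the web server's permissions.
// Hardened: refuse all such modifications from the dashboard. Updates then
// have to be applied another way (WP-CLI, deployment), so step 2,
// "keep all of your code up to date", needs its own process.
define( 'DISALLOW_FILE_MODS', true );

// Default: wp-login.php and wp-admin answer on whatever scheme the visitor
// used. Hardened: force HTTPS so passwords and 2FA codes never travel in
// clear text.
define( 'FORCE_SSL_ADMIN', true );

// Keys and salts: rotating them invalidates every existing login cookie,
// which is the usual first step after a suspected account compromise.
// Generate real values from https://api.wordpress.org/secret-key/1.1/salt/
// and replace these placeholders (the same strings wp-config-sample.php ships).
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
```

These lines go in wp-config.php above the `/* That's all, stop editing! */` marker. DISALLOW_FILE_MODS is the one that changes day-to-day administration: it is what makes the site "a little more difficult to administer", because plugin and theme updates can no longer be clicked through in the dashboard.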

  • Thread Starter jeremiva (@jeremiva)

    Ok, I understand, let’s keep everything how it is. But at least for authentication WordPress can become more modern; I mean it is 2021 and there is still no OAuth or 2FA in core, or at least as a plugin made by WordPress for WordPress. I don’t want to rely on companies like MiniOrange for these things. When I look at WordPress I see just a bunch of missed business opportunities and mistakes Automattic is making. OAuth and all other modern auth methods should be in core, or made as a plugin by the team, and also work for API authentication. There is also the story with post types and meta boxes: what ACF and CPTUI are doing should definitely have been in core for ages now; we need a UI for building CPTs and fields, and this in core! If anyone is afraid to make someone mad, just acquire them.

  • Moderator Jan Dembowski (@jdembowski), Forum Moderator and Brute Squad

    I’m just going to focus on the 2FA auth part as it is near and dear to my heart.

    But at least for authentication WordPress can become more modern; I mean it is 2021 and there is still no OAuth or 2FA in core, or at least as a plugin made by WordPress for WordPress

    It’s an anecdotal story and this happened:

    There was a certain successful WordPress hosting company that enabled the option of 2FA for its users to log into WordPress.

    This WordPress hosting company did not offer users access to the CLI. File-level access such as cPanel is not offered either.

    Users set up 2FA, lost their backup codes and deleted the app on their phones. They lost access to their sites and that was a support nightmare.

    The users did not do this out of malice, they just were not prepared for the reality of 2FA. If a user is tech savvy enough (many are) and they have access to their WordPress installation without using WordPress such as via a CLI or even editing files then fixing a 2FA mess is not that hard to do.

    That is why WordPress does not have built-in 2FA. It’s not as simple as turning it on and forgetting about it. 2FA has been discussed for WordPress since 2012. Probably before that.

    When I look at WordPress I see just a bunch of missed business opportunities and mistakes Automattic is making.

    See, that’s where you are making a mistake. 😉 And a common one at that.

    Automattic is not WordPress.
    Automattic is not WordPress.
    Automattic is not WordPress.

    What I tell you 3 times is true. It’s not word play and I’m not being cute. WordPress is a community project that Automattic happens to provide resources in the form of people. They are not unique that way; many companies do.

    The example above about the support nightmare? That was WordPress.COM. Other WordPress host providers have similar tales about 2FA.

    If you, the user, understand and can handle scenarios where 2FA can be fixed if something goes awry then cool. That’s why those add-ons (plugins) exist.

    But the majority of WordPress users expect to be able to install and start producing content and that’s why it is not built in. It would cause many users to needlessly lock themselves out of their installations when they do something innocuous like get a new smartphone and forget to transfer their authentication app.

    • This reply was modified 6 days, 2 hours ago by Jan Dembowski. Reason: Clarity
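
The lockout scenario in the two replies above comes down to two things a user must keep: the shared secret held in the authenticator app and the one-time backup codes. The block below is an added example, not code from this thread or from the Two Factor plugin, showing a minimal RFC 6238 TOTP verifier with a clock-drift window alongside hashed single-use recovery codes; every function is prefixed `demo_` to mark it as hypothetical, and the secret is the RFC 6238 test key rather than anything real. It needs PHP 7.4 or newer.

```php
<?php
// Added example (not code from the thread or from the Two Factor plugin):
// RFC 6238 TOTP verification plus single-use recovery codes. All values are
// constructed for the demonstration.

// Decode an RFC 4648 base32 string, the format authenticator apps are given.
function demo_base32_decode( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32      = strtoupper( rtrim( $b32, '=' ) );
    $bits     = '';
    for ( $i = 0; $i < strlen( $b32 ); $i++ ) {
        $val = strpos( $alphabet, $b32[ $i ] );
        if ( false === $val ) {
            throw new InvalidArgumentException( 'invalid base32 input' );
        }
        $bits .= str_pad( decbin( $val ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( 8 === strlen( $byte ) ) { // drop trailing padding bits
            $out .= chr( bindec( $byte ) );
        }
    }
    return $out;
}

// HOTP (RFC 4226): HMAC-SHA1 over a 64-bit big-endian counter, dynamic truncation.
function demo_hotp( string $secret, int $counter, int $digits = 6 ): string {
    $hash   = hash_hmac( 'sha1', pack( 'J', $counter ), $secret, true );
    $offset = ord( $hash[19] ) & 0x0F;
    $code   = ( ( ord( $hash[ $offset ] ) & 0x7F ) << 24 )
            | ( ord( $hash[ $offset + 1 ] ) << 16 )
            | ( ord( $hash[ $offset + 2 ] ) << 8 )
            | ord( $hash[ $offset + 3 ] );
    return str_pad( (string) ( $code % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// TOTP: accept the current 30-second step and one step either side so a phone
// whose clock drifts a little still works. hash_equals() avoids timing leaks.
function demo_totp_verify( string $b32_secret, string $code, int $now, int $period = 30, int $window = 1 ): bool {
    $secret = demo_base32_decode( $b32_secret );
    $step   = intdiv( $now, $period );
    for ( $d = -$window; $d <= $window; $d++ ) {
        if ( hash_equals( demo_hotp( $secret, $step + $d ), $code ) ) {
            return true;
        }
    }
    return false;
}

// Recovery codes: generated once, shown to the user once, stored only as
// password hashes. They are the way back in when the app is gone; a user who
// discards both the app and these codes is the "support nightmare" case.
function demo_generate_recovery_codes( int $count = 8 ): array {
    $plain = [];
    for ( $i = 0; $i < $count; $i++ ) {
        $plain[] = bin2hex( random_bytes( 5 ) ); // 40 random bits, 10 hex chars
    }
    $hashed = array_map( fn( $c ) => password_hash( $c, PASSWORD_DEFAULT ), $plain );
    return [ 'show_once' => $plain, 'store' => $hashed ];
}

// Consume a recovery code: on a match the hash is removed so it cannot be reused.
function demo_use_recovery_code( array &$stored_hashes, string $code ): bool {
    foreach ( $stored_hashes as $i => $hash ) {
        if ( password_verify( $code, $hash ) ) {
            unset( $stored_hashes[ $i ] );
            return true;
        }
    }
    return false;
}

// Self-check against the RFC 6238 Appendix B vector: the SHA-1 test key
// "12345678901234567890" (base32 below) at T=59 gives the 6-digit code 287082.
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
if ( ! demo_totp_verify( $secret, '287082', 59 ) ) {
    throw new RuntimeException( 'TOTP verification does not match the RFC test vector' );
}

// Recovery-code lifecycle: the first use succeeds, the replay is refused.
$codes = demo_generate_recovery_codes();
$store = $codes['store'];
if ( ! demo_use_recovery_code( $store, $codes['show_once'][0] ) ) {
    throw new RuntimeException( 'fresh recovery code was rejected' );
}
if ( demo_use_recovery_code( $store, $codes['show_once'][0] ) ) {
    throw new RuntimeException( 'used recovery code was accepted twice' );
}
echo "TOTP and recovery-code checks passed\n";
```

Run it with `php demo.php`. The point of the two halves is the one the replies make: the TOTP secret lives only in the app, so the recovery codes are the only fallback the software can offer, and if neither survives a phone change, the remaining fix is outside WordPress (CLI or file access to disable the plugin), which many hosts do not provide.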