/wp-admin redirect was removed in
I’ll add a few notes on this for context, and because there have been some silly statements and confusion around it:
The /wp-admin redirect was long overdue to be removed and existed to aid the transition of many WP users’ ingrained typing habits when Ghost launched in 2013. It just doesn’t serve a real purpose anymore - simple as that.
This is not, and has never been, a security issue. What’s a bot which stumbles across Ghost whilst in search for WordPress sites going to accomplish exactly? Exploit our PHP targeting a non-existent wp-login DOM element?
The previous PR was closed because it was opened without any discussion and removed multiple other reserved redirects and reserved words. That is not how we work here. And we certainly don’t want to remove the reserved words.
There’s no sense in removing any of the other redirects, which are also not a security issue. It’s just as easy to scan for /ghost as it is for /admin as it is for anything else. If someone wants to target Ghost sites then they will figure out how to identify Ghost sites. It isn’t hard. And obscuring an admin route doesn’t make it any harder.
If you want to serve admin on a completely different, separate host/domain, that has been possible for a long time and is a config option that means no admin route will ever be available on the front end of your site:
You can also decouple your entire front end from your back end and simply serve your whole site as static HTML which cannot be hacked by anyone in any way. If you’re really interested in security, then these are good options to look at - not little automatic redirects.