
Comparative reading

Comparative reading: Hide your /admin entry: dodge 90% of bot scans vs. Your backend entrance can be found with one search: hide it one step deeper and avoid 90% of the trouble

A (EN)
Site Security · Indie Entrepreneur · WordPress

Hide your /admin entry: dodge 90% of bot scans

Your Admin Door is Right on the Street

Last month I was revising a proposal in a coffee shop, casually searched my own site's backend, and found the /admin page opened right up. I broke into a cold sweat—my client quotes and payment records were all behind there. I got stuck here too: I used the default settings when building the site, thinking "who'd attack my tiny shop?" But automated scan scripts don't care who you are; they scan the whole web and hit whoever is vulnerable.

Hiding Isn't Foolproof, But It Works

In the industry, this is called "security through obscurity"—it doesn't sound fancy, but it's an effective extra line of defense. My friend Xiaochen, a freelance designer in Hangzhou, had her WordPress site hacked last year precisely because her login page was still the default /wp-admin. Later, she changed the entry to /chen-studio-go (a path only she understood), and she hasn't been scanned in six months. Big companies do this too: Google's internal tool URLs are never public; if you can't find it, you can't get in. The key logic is—this isn't your only security measure, but it makes 90% of indiscriminate scans skip right past you.

Replicate This Today

Money: $0. Time: 10 minutes. Technical barrier: Just changing one setting in your site builder, no coding required. First step: Open your site builder (WordPress/Shopify/Notion all work), find the "Login Address" or "Backend Path" setting, and change /admin or /login to a phrase only you know. If you use WordPress, install the free WPS Hide Login plugin, save the change, and the old address automatically becomes invalid. If you're not sure how to change it, ask whoever built your site—it takes 3 sentences to explain.

Advice by Stage

If you're just starting without a site yet—change it from the default path as the very first step when building. It takes 5 minutes; make it a habit. If you have 1-2 clients and just launched your site—spend 10 minutes changing it today, and while you're at it, swap your password to a 16+ character random string (just use your browser's auto-generate). If you're scaling up with a team—just changing the path isn't enough anymore. You need to add two-factor authentication (where you enter a phone code besides your password) and restrict backend access to fixed IPs. This tool isn't for everyone; if your site only hosts a portfolio with no client data, you can skip it for now. But if you store sensitive info, stop going bare.
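Once the real login has been moved, any request to the default entry points (/wp-login.php, /wp-admin, /admin, /login, /xmlrpc.php) is no longer legitimate traffic, which makes those paths a cheap tripwire for the indiscriminate scanners described above. The script below is an added example, not code from the original post or from the WPS Hide Login plugin: it flags clients that probe the default paths in a standard web-server access log. The log lines and IP addresses are constructed, and /chen-studio-go stands in for the renamed login path.

```python
"""Flag clients probing default admin/login paths in an nginx/Apache access log."""
import re
from collections import defaultdict

# Default entry points bots try first. After moving your login, add the old
# path here too: nobody legitimate should still be requesting it.
DEFAULT_ADMIN_PATHS = ("/wp-login.php", "/wp-admin", "/admin", "/login", "/xmlrpc.php")

# Common/combined log format: ip - - [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log: one scanner, one real user on the renamed path,
# one client with a single probe (addresses are documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2024:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.7 - - [12/May/2024:10:01:02 +0000] "GET /admin HTTP/1.1" 404 153
203.0.113.7 - - [12/May/2024:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153
198.51.100.4 - - [12/May/2024:10:02:10 +0000] "GET /chen-studio-go HTTP/1.1" 200 2310
198.51.100.4 - - [12/May/2024:10:02:40 +0000] "POST /chen-studio-go HTTP/1.1" 302 0
192.0.2.9 - - [12/May/2024:10:03:00 +0000] "GET /wp-admin/ HTTP/1.1" 404 153
"""


def parse_line(line):
    """Return (ip, method, path-without-query, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return ip, method, path.split("?", 1)[0], int(status)


def is_default_admin_probe(path):
    """True if the path is a default admin entry point or anything beneath one."""
    return any(path == p or path.startswith(p + "/") for p in DEFAULT_ADMIN_PATHS)


def find_scanners(log_text, threshold=2):
    """Return {ip: [probed paths]} for clients with at least `threshold` probes."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _method, path, _status = rec
        if is_default_admin_probe(path):
            hits[ip].append(path)
    return {ip: paths for ip, paths in hits.items() if len(paths) >= threshold}


if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print(f"{ip} probed default admin paths: {', '.join(paths)}")
```

Feed it your real access log and the flagged addresses are candidates for a firewall or fail2ban-style block; the renamed path itself never shows up in the output.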

Source: mobeigi.com
B (ZH, translated)
Site Security · Indie Entrepreneur · WordPress

Your backend entrance can be found with one search: hide it one step deeper and avoid 90% of the trouble

Your Backend Door Is Hanging Right by the Road

Last month I was revising a proposal in a coffee shop and, on a whim, searched for my own site's backend address; the /admin page opened straight away. In that moment a chill ran down my back: my client quotes and payment records were all sitting behind it. I got stuck at this step too: I used the default settings when building the site, figuring "who would bother attacking my little shop?" But automated scan scripts don't pick their targets; they scan the whole web and hit whoever they bump into.

Hiding It Isn't a Cure-All, but It Really Works

In the trade this is called "security through obscurity": it doesn't sound sophisticated, but it is an effective extra line of defense. My friend Xiaochen, a freelance designer in Hangzhou, had her WordPress site hacked last year precisely because her login page was still the default /wp-admin. She later changed the entry to /chen-studio-go (a path only she understands), and in the six months since she hasn't been hit by a scan. Big companies do the same: the URLs of Google's internal tools are never made public; if you can't find it, you can't get in. The key logic is this: it isn't your only security measure, but it makes 90% of indiscriminate scans skip right past you.

You Can Replicate This Today

Money: 0 yuan. Time: 10 minutes. Technical barrier: being able to change one setting in your site builder's backend is enough; no code to write. Step one: open the site builder you use (WordPress, Shopify and Notion all work), find the "Login Address" or "Backend Path" setting, and change /admin or /login to a string of words only you know. If you use WordPress, install a free plugin called WPS Hide Login; save the change and the old address is automatically invalidated. If you're not sure how to change it, ask whoever built your site; it takes three sentences to explain.

Advice by Audience

If you're just starting out and don't have a site yet: change to a non-default path as the very first step when building it. It's a five-minute job; make it a habit. If you have one or two clients and your site has just gone live: spend 10 minutes today changing it, and while you're at it swap your password for a random string of 16+ characters (your browser's auto-generate is fine). If you're scaling up and working with a team: changing the path alone is no longer enough. You need to add two-step verification (the kind where you enter a phone code as well as your password) and at the same time restrict backend access to fixed IPs. Not everyone needs this tool; if your site only hosts a portfolio and stores no client data, it's fine to skip it for now. But if you store sensitive information, stop leaving it exposed.
