If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...

 

CMS Admin Panel Attacks

Started by mackHemaJat, Oct 11, 2024, 12:02 AM


mackHemaJat (Topic starter)

In my analytics setup, I've noticed a pattern of requests for pages that correspond to control panel URLs of popular content management systems (CMSs). It's likely that these are script kiddies or black hats attempting to exploit known vulnerabilities in these systems. They probably have a playbook for hacking a specific CMS, and if they manage to find an entry point, they know how to escalate privileges.

This raises the question: is it worthwhile to use unconventional naming conventions for files and folders to throw them off the scent?

For instance, instead of using default names like index.php, config.php, templates, profile, and admin folders, could we use more obscure names to avoid attracting unwanted attention? Or is this just security through obscurity, providing a false sense of security and not actually improving our defenses?
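The request pattern described in the opening post can be measured from the web server's access log. The following is an added example, not code from the thread: it flags clients that request several different default CMS admin paths that do not exist on the site. It assumes Combined Log Format, a server that answers missing paths with 404, and an illustrative (not exhaustive) path list; the log lines are constructed.

```python
import re
from collections import defaultdict

# Well-known default admin/login paths of popular CMSs (illustrative, not exhaustive).
PROBE_PATHS = re.compile(
    r"^/(wp-login\.php|wp-admin(/|$)|administrator(/|$)|user/login$"
    r"|bitrix/admin(/|$)|admin(/|$))",
    re.IGNORECASE,
)

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_cms_probers(lines, min_distinct_paths=3):
    """Return {ip: sorted probed paths} for clients that requested at least
    min_distinct_paths different CMS admin paths answered with 404."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than guess at their content
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        # A 404 means the path is not part of this site, so the request
        # was aimed at a CMS the site does not run.
        if m.group("status") == "404" and PROBE_PATHS.match(path):
            hits[m.group("ip")].add(path.lower())
    return {ip: sorted(p) for ip, p in hits.items() if len(p) >= min_distinct_paths}

# Constructed sample log lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Oct/2024:00:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.7 - - [11/Oct/2024:00:01:03 +0000] "GET /administrator/index.php HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.7 - - [11/Oct/2024:00:01:04 +0000] "GET /user/login?destination=x HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.7 - - [11/Oct/2024:00:01:05 +0000] "POST /wp-login.php HTTP/1.1" 404 153 "-" "-"',
    '198.51.100.20 - - [11/Oct/2024:00:02:00 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.20 - - [11/Oct/2024:00:02:01 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "-"',
    '192.0.2.44 - - [11/Oct/2024:00:03:00 +0000] "GET /wp-admin/ HTTP/1.1" 404 153 "-" "-"',
    'this line is malformed and is skipped',
]

if __name__ == "__main__":
    for ip, paths in find_cms_probers(SAMPLE_LOG).items():
        print(ip, paths)
```

Counting distinct paths instead of raw requests keeps a single mistyped URL or one stale bookmark from flagging a legitimate visitor.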


bmelton515

If you're relying on attackers not being able to find your admin folder because you named it "flumplenook", you're in for a world of hurt. Any decent attacker will use tools like DirBuster or Burp Suite to scan for files and folders, and they won't be fooled by your cute naming conventions.
Instead of wasting time on security theater, focus on implementing proper security measures like input validation, secure protocols, and regular security audits.

Slavkomir

To keep your site's admin panel secure and user-friendly, it's a smart move to customize the login page. Simultaneously, ensure you're handling 400 and 500 error codes like a pro, while keeping the rest of your site's pages simple.
Don't forget to implement clean URL routing. No one needs to see your hosting folder names; use URL rewriting to keep it tidy.

matrice

Renaming the file or login page may yield a marginal benefit in terms of reducing the attack surface, but let's not get caught up in security theater. This tactic, often referred to as 'security through obscurity,' is a mere smokescreen that doesn't provide any tangible security benefits.

If you're concerned that your admin panel is vulnerable to hacking at its default location, then you have a serious security misconfiguration on your hands that needs to be addressed. Simply obfuscating the login path is not a viable solution. It's a classic case of treating the symptoms rather than the root cause.

