Change your WordPress login URL and hide your wp-admin to outsmart hackers and prevent brute-force attacks… it’s easier to make your site harder to crack than you think!
Let’s not kid ourselves. Even script kiddies know that all they have to do to make a WordPress site owner’s life miserable is to find the WordPress login page and guess the username and password.
Guessing passwords, by the way, is not hard to do, especially if you use the same passwords for most of your logins and share your whole life on social media.
WordPress is the most popular CMS platform in the world and this makes it an irresistible magnet for hackers and malicious login attempts. Even the best of the best can be brought down by a stealthy maverick with access to brute-force tools that will automatically try to guess your username and password by hitting your WordPress login page over and over and over again.
Four Ways to Hide Your WordPress Login Page:
1. Hide wp-login.php Using a Plugin
2. Hide WordPress Login Page Without A Plugin
3. Hide WP Login page with .htaccess
4. Hide WP Login with Code
The Best Way To Fight Against Brute-Force Attacks… Hide!
Brute force attempts to log into WordPress are so common, there’s even a page in the Codex dedicated to the topic.
But… why give hackers and malicious bots the opportunity to even try and guess your login details? Just hide your WordPress login page and most bots and automated software won’t even know that your site exists.
In this article, you will learn how to implement one of the simplest and easiest strategies to protect your site from hackers and malicious bots: change your WordPress login URL, hide your wp-admin and wp-login page and redirect unwanted visitors away from your login page.
Why Change The WordPress Login URL?
I have a standard WordPress site that I installed a few years ago. To get to the login page all you have to do is go to /wp-admin or /wp-login.php.
This site doesn’t see a ton of traffic. In a typical month, it generates about 5,000 pageviews. However, the site’s login page sees malicious login attempts on a startlingly regular basis. I have the Defender plugin activated on this site, and it tracks the number of blocked malicious login attempts. Since I’ve started tracking the number of blocked malicious login attempts, I can see that my site handles hundreds of malicious login attempts each month, averaging about 24 per day, or one malicious login attempt every 60 minutes.
Login attempts don’t happen at a regular pace of one per hour. Weeks can go by without a single malicious login attempt being logged. Then, suddenly, a few hundred or even a couple of thousand login attempts will be logged in a short period of time.
Most WordPress sites set up as standard installations periodically experience brute force attacks attempting to log into the WordPress dashboard. Yours probably does too, whether you know it or not.
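Bursts like the one just described show up plainly in the web server's access log, and counting them is a simple way to confirm what a security plugin reports. The script below is an added example, not part of the original article: it reads Apache/nginx combined-format log lines, counts POSTs to wp-login.php per source IP inside a sliding ten-minute window, and reports any IP that exceeds a threshold. The log lines embedded in it are constructed sample data, and WINDOW_SECONDS, THRESHOLD and the function names are my own choices.

```php
<?php
// Added example, not from the original article: scan an access log for bursts
// of POSTs to wp-login.php from a single IP. SAMPLE_LOG is constructed test
// data; pass a real log file path as the first argument to scan that instead.

const WINDOW_SECONDS = 600; // sliding window length (ten minutes)
const THRESHOLD      = 5;   // login POSTs per IP per window before we flag it

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4210 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4300 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4300 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4300 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4300 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4300 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:14:06 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4300 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2024:09:30:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:09:30:15 +0000] "GET /wp-admin/ HTTP/1.1" 200 31200 "-" "Mozilla/5.0"
LOG;

/**
 * Parse one combined-log line into ip / unix time / method / path / status,
 * or return null for lines that do not match the format.
 */
function parse_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $ts->getTimestamp(),
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
    ];
}

/**
 * Return [ip => peak attempts in any WINDOW_SECONDS window] for every IP whose
 * peak reaches THRESHOLD. Only POSTs count as login attempts: a GET of
 * wp-login.php is just someone loading the form.
 */
function find_bursts(array $lines): array {
    $byIp = [];
    foreach ($lines as $line) {
        $e = parse_line($line);
        if ($e === null || $e['method'] !== 'POST') {
            continue;
        }
        // Strip the query string so ?redirect_to=... variants still match.
        $path = parse_url($e['path'], PHP_URL_PATH) ?? $e['path'];
        if (substr($path, -strlen('/wp-login.php')) !== '/wp-login.php') {
            continue;
        }
        $byIp[$e['ip']][] = $e['time'];
    }

    $flagged = [];
    foreach ($byIp as $ip => $times) {
        sort($times);
        $start = 0;
        $peak  = 0;
        // Two-pointer sliding window over the sorted timestamps.
        for ($i = 0, $n = count($times); $i < $n; $i++) {
            while ($times[$i] - $times[$start] > WINDOW_SECONDS) {
                $start++;
            }
            $peak = max($peak, $i - $start + 1);
        }
        if ($peak >= THRESHOLD) {
            $flagged[$ip] = $peak;
        }
    }
    return $flagged;
}

$input = $argc > 1
    ? file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)
    : explode("\n", SAMPLE_LOG);

foreach (find_bursts($input) as $ip => $count) {
    printf("%s: %d login POSTs within %d s (threshold %d)\n",
        $ip, $count, WINDOW_SECONDS, THRESHOLD);
}
```

Run it as `php detect-bursts.php /var/log/apache2/access.log` (or with no argument to use the embedded sample, which flags 203.0.113.7 and ignores the single legitimate-looking login from 198.51.100.4). Once your login URL has been masked, every POST to the old /wp-login.php path is pure noise, so the same count tells you how many bots are still probing the default location.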
WordPress Security Through Obscurity
You may think that using canny logins will keep your site safe.
Hackers can easily tell if a site is powered by WordPress or not (often just by looking at the page source).
Once a hacker knows that your site runs on WordPress, they also know how to find your WordPress login URL (spoiler alert: the default WordPress login URL is your domain name followed by /wp-login.php).
Default WordPress behavior loads the login page when you access wp-login.php. Type in wp-admin instead, and you’ll be automatically redirected to wp-login.php.
Unless you know how to change your admin username, your friendly neighborhood motherf hacker will also know that your username is most likely something like admin.
All the hacker has to do now is guess the password. Even if they can’t guess the password but keep trying to, this can use up your server’s resources and possibly end up taking your site down.
If They Can’t See It, They Can’t Crack It
Many hackers are opportunistic and look for low-hanging fruit that’s ripe and easy pickings.
If you don’t want people to steal your fruit, hide your tree.
Continuing with this really poor analogy (when life gives you lemons…), your WordPress login page gives admin users access to the whole orchard, so as part of our strategy of creating ‘security through obscurity,’ let’s hide your login page URL from everyone else but the admin.
Optional Step: Install WordPress In Its Own Directory
Whether you’re dealing with a brand new WordPress installation or an existing WordPress website, whenever possible consider installing WordPress in a subdirectory. While this won’t prevent hackers from finding your WordPress login page if they deliberately choose to target your site, it will discourage many random bots and malicious users looking for easy targets to start hitting up your site and shaking your tree to see what falls out.
Having your WordPress site installed in a subdirectory, then, is a good first step toward creating ‘security through obscurity.’
As always, before you do anything else, if you’re moving an existing WordPress installation, create a complete backup of your site and store it someplace where you won’t accidentally delete or modify it. (Related: How to Back Up Your Backups For Bulletproof Protection)
One more thing. When creating a subdirectory, choose a name that’s not too predictable like http://example.com/wordpress or http://example.com/wp. Instead, choose something unique that no one will ever be able to guess like http://example.com/dwiiw (an acronym for directory where I installed WordPress.)
Whether you choose to install WordPress in a subdirectory or not as an added security precaution is up to you.
The next step is to hide your login page URL (and optionally redirect wp-login.php visitors to another page on your site).
There are a few ways you can hide your WP login page from other users:
- Use a plugin to mask your login URL (the easiest way)
- Mask your WordPress login URL without a plugin (the geek way)
- Modify your .htaccess file (the “I need to code everything from scratch” way)
Hide Your Site Login Page – Disclaimer
Before we get started, note that the strategy shared below isn’t recommended if your site requires a login page that needs to remain easy for other users to find (like a membership site).
If your site is not a membership site and login attempts are limited to a dozen or fewer admins, authors, editors, and contributors, then hiding your login page will help protect your site against malicious login attempts.
1. Hide wp-login.php Using a Plugin
There are a number of free WordPress plugins that will let you hide the login page URL. Some of these plugins will also let you redirect wp-login.php visitors to another page of your website. Just visit the WordPress.org plugins directory and search for “Hide WP Login” to see a list of security plugins that you can use.
For this tutorial, we’ll use WPMU DEV’s own Defender plugin.
Defender lets you hide and redirect wp-login.php, and includes many other top gun security features.
You can download Defender for free from the WordPress plugin repository or if you’re a WPMU DEV member, go ahead and install Defender Pro from your WordPress site management hub.
Note: For full installation and configuration instructions, see the Defender plugin documentation section.
After installing and activating the plugin, navigate to your main WordPress dashboard menu and go to Defender > Dashboard.
Locate the ‘Mask Login Area’ section and click on the ‘Active’ button to turn on the feature.
Click the ‘Finish Setup’ button to bring up the URL masking options screen.
This brings up the Advanced Tools screen.
In the Masking URL section, enter a new URL slug where your site users will go to log in or register on your site. Once again, I recommend choosing something that you can easily remember, but everyone else will be unable to randomly guess.
For this example, let’s use the same acronym method used earlier to come up with the directory name dwiiw and let’s name our new WordPress login URL something unique like:
http://example.com/dwiiw/gli
In this case, gli stands for get logged in, and it accomplishes the goal of being simultaneously easy to remember and hard to guess.
Save your changes and log out of your WordPress site.
Now, try to log back in via the default login page at yourdomain.com/wp-login.php.
Normally, typing wp-admin into a web browser automatically redirects users to wp-login.php. Defender also disables this feature.
Only users with access to the masked URL will now see the WordPress login page.
Tip: As an extra nice touch for your users, you may also want to customize your WordPress login page, install plugins for improved user login and registration, or let users login to WordPress using an email address. If only certain users are allowed to access your admin section, however, then you can limit access to the login page for specific users by IP addresses.
Optional Step: Redirect wp-login.php
Using the method shown above, anyone who tries to visit the default WordPress login page (i.e. wp-login.php) will be greeted with an error message (“This feature is disabled”).
If you want to send visitors and users (or even hackers) to a different page (e.g. your store page, contact page, FAQ section, or any other page on your site), you can redirect the default wp-login.php URL using Defender’s Redirect traffic feature.
To redirect the wp-login.php page, go to the WP dashboard menu and select Defender > Advanced Tools > Mask Login Area.
Enable 404 Redirection in the Redirect traffic section, enter the slug of the page you want to send visitors to, and click Save Changes to update your settings.
Now, anyone who tries to visit the default login URL will be redirected to the post or page you have specified.
Notes:
- You can use any combination of a-z and 0-9 in your slug.
- You can’t add full URLs (this prevents sending out your 404 errors to another domain).
2. Hide WordPress Login Page Without A Plugin
If you want to hide your login page without using a plugin, all you need is a text editor and access to your WordPress installation files (FTP, cPanel File Manager, etc.). Then do the following:
1 – Make a backup of your wp-login.php file.
While you are at it, go ahead and make a backup of everything else too, as you’re about to mess with code and enter the danger zone!
Note: If you’re looking for a great plugin to backup and restore your files and WordPress site, we recommend using our very own Snapshot.
Next, open your wp-login.php file. Select and copy all the code to your clipboard.
2 – Create a new PHP login file.
Create a new file using your text editor. Call this file anything you like (e.g. ‘canny-login.php’, ‘danger-zone.php’ etc.).
Paste the code from your existing wp-login.php file into your new file and save. Alternatively, open your wp-login.php file and ‘save as’ your new filename.
3 – Search and replace the ‘wp-login.php’ string in your new file code.
Search and replace every instance of ‘wp-login.php’ in the code with your new login filename.
Resave the file with the modified code.
4 – Upload your new login file to your server.
Log into your server and upload the new login file to the root folder or directory where you have installed WordPress. Delete the original wp-login.php file from your server.
5 – Update the default login and logout URLs.
The last step is to hook into the login_url and logout_url filters so that WordPress generates links to your new file instead of wp-login.php. Add the following code to your theme’s functions.php (preferably in your child theme):
```php
// Rewrite the logout and login links WordPress generates so they point at the
// renamed file (here 'danger-zone.php' from step 2; use your own filename).
add_filter( 'logout_url', 'custom_logout_url' );
function custom_logout_url( $default ) {
    return str_replace( 'wp-login', 'danger-zone', $default );
}

add_filter( 'login_url', 'custom_login_url' );
function custom_login_url( $default ) {
    return str_replace( 'wp-login', 'danger-zone', $default );
}
```
6 – Test your new login URL
Test your new login page URL. Anyone visiting the default wp-login.php page will now get an error, since that file no longer exists on the server.
To revert to the original login page, simply restore the wp-login.php file from your backup and delete the new file from your server.
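The two filters in step 5 cover the login and logout links, but WordPress also builds wp-login.php links for the lost-password and registration pages and, in a few places, calls site_url() with the 'login' scheme directly. The snippet below is an added example and not the article's own code: it hooks all of those filters with one callback so every generated link lands on the renamed file. It assumes the copy made in step 2 is called danger-zone.php (a placeholder), and that it runs inside WordPress from a child theme's functions.php or an mu-plugin; the constant and function names are mine.

```php
<?php
/**
 * Added example (not from the original article): point every login-related
 * URL WordPress generates at the renamed login file from step 2.
 * Assumes a WordPress environment (child theme functions.php or mu-plugin).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // only meaningful when loaded by WordPress
}

// Hypothetical filename chosen in step 2; replace with your own.
define( 'MY_HIDDEN_LOGIN_FILE', 'danger-zone.php' );

/**
 * Swap the default filename for the hidden one. str_replace keeps any query
 * string intact (?action=logout&_wpnonce=..., ?action=lostpassword,
 * ?redirect_to=...), so nonces and redirects keep working.
 */
function my_hidden_login_rewrite( $url ) {
    return str_replace( 'wp-login.php', MY_HIDDEN_LOGIN_FILE, $url );
}

// wp_login_url(), wp_logout_url(), wp_lostpassword_url() and
// wp_registration_url() each pass their result through one of these filters.
foreach ( array( 'login_url', 'logout_url', 'lostpassword_url', 'register_url' ) as $filter ) {
    add_filter( $filter, 'my_hidden_login_rewrite', 10, 1 );
}

/**
 * site_url( 'wp-login.php', 'login' ) / ( ..., 'login_post' ) is the raw
 * building block the helpers above start from, and some themes and plugins
 * call it directly. Rewriting on those two schemes covers them as well.
 */
function my_hidden_login_site_url( $url, $path, $scheme ) {
    if ( in_array( $scheme, array( 'login', 'login_post' ), true ) ) {
        return my_hidden_login_rewrite( $url );
    }
    return $url;
}
add_filter( 'site_url', 'my_hidden_login_site_url', 10, 3 );
// Multisite uses network_site_url() for the lost-password link.
add_filter( 'network_site_url', 'my_hidden_login_site_url', 10, 3 );
```

After adding it, log out and check that the login link, the "Lost your password?" link on the new login form, and (if registration is enabled) the "Register" link all contain your new filename; a link that still says wp-login.php points at a caller this set of filters does not reach, and visiting it will produce the same error as the deleted file.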
3. WordPress Login URL .htaccess File Hacks
There are ways to ‘obscure’ your WordPress login URL using the .htaccess file. Obscuring your WordPress login URL, however, doesn’t necessarily mean hiding it from others.
For example, let’s take a look at what happens when you add URL forwarding to your .htaccess. Remember to make a complete backup of your site before making any changes to your .htaccess file.
WordPress Login Page Obscurity With URL Redirection
You can add an alternative address for your login page by creating an alias for the WordPress login file with the mod_rewrite module on an Apache server.
To do this, add the line below to your .htaccess file (note: replace ‘newloginpage’ with any alias and change the example.com URL to your domain):
```apache
# mod_rewrite must be enabled; harmless if an earlier block already set it.
RewriteEngine On
# Requests for /newloginpage are sent on to the real login file.
RewriteRule ^newloginpage$ http://www.example.com/wp-login.php [NC,L]
```
In this example, we’ll add an alias called ‘dancekevindance’ and reupload the .htaccess file to our server:
Now, go back to the site and enter the new URL.
As you can see, the above method doesn’t hide the default WordPress login URL; it merely creates an alias that lets users log into their WordPress dashboard using a web address that is easier for them to remember than https://yourexample.com/wp-login.php.
4. Hide Your WordPress Login Page With Code
Ideally, we recommend just sticking to using a plugin if you want to change your WordPress login URL, hide the wp-admin wp-login.php pages, or redirect users away from the default login page. Messing with code can cause compatibility issues, slow down your site, and create other problems.
If you want to look at other options that involve code, however, then check out this post we’ve written about hiding your WordPress login page from hackers with code.
Don’t Let Them Gonna Take You Right Into The Danger Zone
WordPress is a magnet for hackers and malicious bots, so it’s important to understand WordPress security best practices and implement multiple WordPress security strategies to protect your site from hackers and brute-force attacks. This includes security through obscurity.
When used as part of a more comprehensive security strategy, obscurity can be helpful. As we’ve just seen, however, simply hiding the WordPress login page is not enough to guarantee that you will see zero malicious login attempts.
Unless you actually change the WordPress login URL of your site and redirect unwanted visitors away from pages like wp-login.php and wp-admin, hackers and bots will still be able to find your login page and attempt to guess your login details.
Messing with code can cause compatibility issues, slow down your site, and create other problems. Using a plugin like Defender is the easiest way to hide your WordPress login page from hackers and make it all but invisible to the vast majority of low-flying malicious login attempts.
To protect your site against the worst of the worst, you need help from the best of the best. If you’re not a member of WPMU DEV yet, join our elite group of top gun WordPress developers and website owners with our no-risk free trial and get access to all the security tools, protection features, and support your site needs to fly high and free out of the danger zone.