How To Change WordPress Login URL?

by

7-layers of Security for Your WordPress Site

Your website needs the most comprehensive security to protect it from the constant attacks it faces everyday.

The WordPress login form is the access point to the world of WordPress. This simple form allows authorized users who successfully enter their account details to enter the WordPress admin area.

By default, the WordPress login page can be accessed by appending /wp-login.php or /wp-admin/, to your main WordPress URL.

  • www.site.com/wp-login.php
  • www.site.com/wp-admin/ (Redirects to wp-login.php)

The login paths are similar if you have installed WordPress in a sub-domain or sub-directory. So your WordPress login URL may be located at wordpress.site.com/wp-login.php and your admin area may be at www.site.com/wordpress/wp-admin/.

WordPress Login Form
The WordPress login form.

You will be pleased to hear that the WordPress login URL can be changed if you wish. This can be done easily using a WordPress plugin, though the steps to change WordPress login URL manually are simple to follow too.

Let’s take a closer look at how to change WordPress Login URL on your own website.

How to Change the WordPress Login URL Using a Plugin

Popular WordPress security plugins such as All In One WP Security & Firewall and iThemes Security let you use a custom WordPress login URL so that others cannot see the WordPress login form at /wp-login.php and /wp-admin/.

In iThemes Security, for example, the default WordPress login URL can be customized in the Hide Backend section of the Advanced Settings area.

Hiding Backend in iThemes Security
Hiding the WordPress login URL in iThemes Security.

If you don’t need all the bells and whistles that all-in-one security plugins offer, you may want to consider using a dedicated WordPress login solution. You’ll find many great login solutions within the official WordPress plugin directory, such as WP Hide & Security Enhancer, Change wp-admin login, and LoginPress.

The solution that I use on my personal blog is called WPS Hide Login. As you can see from the steps below, the plugin is incredibly easy to use.

Step 1 – Install & Activate WPS Hide Login

WPS Hide Login can be downloaded from the official WordPress plugin directly or installed from the plugin section of your WordPress admin area. Once WPS Hide Login has been installed, be sure to activate the plugin.

WPS Hide Login
WPS Hide Login is installed on over one million WordPress websites.

Step 2 – Enter Your Login URL

Once WPS Hide Login has been activated, you will see a new area at the bottom of the WordPress general settings page. In the Login URL field, enter the new URL path for your login page.

WPS Hide Login URL Change
Defining a custom login URL in WPS Hide Login.

Step 3 – Enter Your Redirection URL

In the Redirection URL field, enter the URL path you want to redirect people to who attempt to log in to your website using wp-login.php and /wp-admin/.

That’s all you need to do to use WPS Hide Login.

How to Change the WordPress Login URL Without a Plugin (Manually)

The WordPress login URL can be changed by creating a variation of the wp-login.php file.

To adopt this method:

  • You will need to use a text editor to follow this process as you will be making changes to a core WordPress file
  • It may be worthwhile disabling automatic updates to the WordPress core so the original wp-login.php file is not reinstalled without your knowledge

Change the Login URL Using the WP-Login.php File

In the steps below, I will show you how to change the login URL from www.site.com/wp-login.php to www.site.com/my-secret-login.php. You should, of course, use your own unique path for your login URL.

Step 1 – Ensure You Have a Backup of WP-Login.php

We will be modifying the wp-login.php file, so it is important to have a backup of the file in case you need to revert the changes you made, especially if you have modified wp-login.php previously.

The wp-login.php file can be found at the top level of a WordPress installation. If you have never modified wp-login.php before, you can easily retrieve this file from the latest version of WordPress. Older versions of WordPress can also be downloaded if your website is not using the latest version.

WordPress Backup Folder
Storing a backup of important WordPress files.

Step 2 – Rename the WP-Login.php File

Once you have a backup of wp-login.php, I recommend renaming the original file. This new file name will be registered with WordPress later using a WordPress hook.

You can rename the file to anything you want, whether it be something simple like my-secret-login.php or something obscure like aD6qq8Q83.php. For simplicity, many WordPress users choose to rename the login file with the same name they are using for the login URL, but it is important to note that they do not have to be the same.

Renaming the WordPress Login File
wp-login.php can be renamed with any name you wish.

Step 3 – Replace All References of wp-login

Find and Replace allows us to easily replace all references of wp-login with a new login URL path.

All text editors and IDEs offer Find & Replace functionality. In Visual Studio, for example, you will see the option to find and replace in the edit menu.

Find & Replace
Using Find and Replace in Microsoft Visual Studio.

In the Find field, enter wp-login. In the Replace field, enter your new URL path e.g. my-secret-login.

Updating the WordPress Login File
Updating the WordPress login file with your new URL path.

Once you click Replace All, you should see a confirmation that the find and replace went through successfully. Be sure to save these changes before exiting the editor.

Successful Replacement
All occurrences were replaced.

Step 4 – Upload Your New WordPress Login File

You should now upload your new WordPress login file to your website. You can do this using an FTP client or using a file manager that is available through your hosting control panel.

Once the new login file has been uploaded, change its file permissions to 644 or 640. If you fail to do this step, you will not be able to access your login page later.

Uploading the New Login File
Upload the new WordPress login file to your website server.

Step 5 – Add Logout & Lost Password Filter Hooks to Functions.php

By default, WordPress uses the wp-login.php file for logging users out. This means that even if you change the file you are using to log into your website, WordPress will still attempt to use the wp-login.php file to log you out.

The best way to resolve this problem is to use the logout_url filter hook as it lets you change the URL that users are redirected to after logging out. You can also use the lostpassword_url to ensure the lost password URL on the WordPress login form is correct.

To use these hooks, all you have to do is copy and paste the code below into your theme’s functions.php file, making sure to change my-secret-login to the login path that you are using. This code will correctly log out users and send them back to your new login page.

// Filter & Function to rename the WordPress logout URL
add_filter( 'logout_url', 'my_logout_page', 10, 2 );
function my_logout_page( $logout_url) {
    return home_url( '/my-secret-login.php');   // The name of your new login file
}
// Filter & Function to rename Lost Password URL
add_filter( 'lostpassword_url', 'my_lost_password_page', 10, 2 );
function my_lost_password_page( $lostpassword_url ) {
    return home_url( '/my-secret-login.php?action=lostpassword');   // The name of your new login file
}

The WordPress functions.php file is normally located at the top level of a theme. For example, the location of the functions.php file in Twenty Twenty-Two is www.site.com/wp-content/themes/twentytwentytwo/functions.php.

Whilst you can edit themes in the WordPress admin area, it is recommended you disable this functionality for security reasons. One way to update the functions.php file is to update the file offline and update the live file using FTP or a file manager. A practical alternative is to use a snippets plugin such as Code Snippets as it will insert the code you enter into any theme.

Code Snippets
Snippet plugins simplify the task of inserting hooks into WordPress.

Step 6 – Test Your New Login URL

If you have followed all steps correctly, you should now be able to log in correctly at your new login URL e.g. www.site.com/my-secret-login.php. You should also be sent back to your new login URL when you log out.

Be sure to test this before progressing to the next step.

WordPress Login Form
Make sure your new login page is working correctly.

Step 7 – Delete the Old wp-login File From Your Website

Once you have tested that your new login URL is working correctly, delete the original wp-login.php from your website using FTP or a file manager. This ensures that no one can access your website by entering www.site.com/wp-login.php.

The WordPress admin area redirects users to wp-login.php for logging in, so anyone who visits /wp-admin/ or wp-login.php should see a 404 error page.

The Not Found Error Page
Those who attempt to log in at wp-login.php will see a 404 error message.

Login_URL Filter Hook

If you are not looking to hide the location of your WordPress login URL (i.e. your goal is just to change its name), you may want to consider using the login_url filter hook.

The code below shows how this hook can be used to change the login URL.

// Filter & Function to rename the WordPress login URL
add_filter( 'login_url', 'my_login_page', 10, 3 );
function my_login_page( $login_url, $redirect, $force_reauth ) {
    $login_page = home_url( '/my-secret-login.php' );   // The name of your new login file
    $login_url = add_query_arg( 'redirect_to', $redirect, $login_page );
    return $login_url;
}

The login_url filter hook changes:

  • The login file that users are redirected to when logging in
  • The URL users are redirected to when trying to access /wp-admin/

As such, if I used the login_url filter hook with the my-secret-login.php file, anyone who accessed /wp-admin/ would be automatically redirected to my new login page.

From a security point of view, it defeats the point of hiding the wp-login.php file if you are going to redirect users to the new login file. There are ways to resolve this issue using additional hooks and edits, but I believe the method I showed above is easier to implement.

Change the Login URL Using the .htaccess File

Website servers that use Apache allow you to modify key configuration settings using .htaccess files. Using .htaccess files, you can set up URL redirections, enhance security and define the WordPress permalink structure. You can also use .htaccess to change the WordPress login URL (and the process is straightforward!).

You can add .htaccess files to any directory on your website, but the most important .htaccess file is typically stored in the root directory of your website.

Be warned, however, that placing a character in the wrong place in an .htaccess file can be enough to take your website down. So even if you are an experienced website owner, I strongly encourage you to take a backup of your existing .htaccess file before you make any modifications. This will let you revert back to a safe version of .htaccess if you experience any issues.

There are a few ways to change the WordPress login URL using .htaccess, but I believe Chris Coyier’s method is the best as it’s easy to implement and effective too.

In his tutorial “Simpler Login URL“, Chris shows how you can log in to your WordPress website at www.site.com/login by simply adding this rewrite code to .htaccess before the default code WordPress adds.

RewriteRule ^login$ https://www.site.com/wp-login.php [NC,L]

All this code does is ensure that when someone enters /login as the path, they are redirected to wp-login.php.

Of course, if you want to prevent someone from accessing your website using wp-login.php, you can amend this code so that it redirects to your new login file.

For example, if you deleted wp-login.php and wanted to set the login page as www.site.com/secretlogin456, you could use this code.

RewriteRule ^secretlogin456$ https://www.site.com/my-secret-login.php [NC,L]

Your login path can be viewed at any time by opening .htaccess in a text editor, but it may be worthwhile bookmarking your login URL if it is difficult to remember.

Why Changing the WordPress Login URL May Be a Bad Idea

Being able to change WordPress login URL lets you set up user-friendly login pages such as www.site.com/access and www.site.com/login. This can be useful, but if your main goal is to change the WordPress deafult login URL to reduce brute-force attacks, hiding the login URL may not be as effective as you think.

The security plugin Wordfence, for example, does not include a feature for changing the login URL as they do not believe it is effective. iThemes Security does include an option for hiding the backend of WordPress but also makes a point of stressing that this strategy isn’t bulletproof.

* Please check out our article “iThemes Security vs Wordfence: Which Security Plugin Should You Choose?” for a comparison of these two WordPress plugins.

The idea behind hiding the wp-admin is that hackers can’t hack what they can’t find. If your login URL isn’t the standard WordPress /wp-admin/ URL, aren’t you protected from brute force attacks?

The truth is that most Hide Backend features are simply security through obscurity, which isn’t a bullet-proof security strategy.

While hiding your backend wp-admin URL can help to mitigate some of the attacks on your login, this approach won’t stop all of them.

iThemes Security

In their video “Changing Your WordPress Login URL (And Why It’s a Bad Idea)“, they strongly recommend not changing your WordPress login URL.

Wordfence notes that changing the login URL may prevent WordPress themes and plugins from working correctly. Whilst I can understand that this could potentially happen, it is not something I have ever experienced myself and I have used a different login URL on my WordPress blog for over ten years.

Additionally, login plugins such as WPS Hide Login will bring your website back to the exact state it was before when you deactivated, so changing things back is not a major inconvenience if you do experience problems.

What Wordfence and iThemes security are 100% correct about is that Security Through Obscurity is not the most effective way to tackle hackers. If an attacker cannot find your login page to perform a brute force attack, they will look for vulnerabilities in your installed WordPress plugins and themes.

The majority of login attempts on WordPress websites are also executed using XML-RPC or the REST API. As such, a change of the WordPress login URL or admin URL would not prevent these attacks.

To read more about this subject, I encourage you to read “The Ultimate WordPress Security Guide“.

Final Thoughts

The WordPress login URL can be changed using a number of methods, but I believe a WordPress plugin is the most practical way to change WordPress login URL as it’s simple and effective.

The big question is whether it is worthwhile to change your WordPress default login URL. From a website security point of view, hiding your login URL will not prevent persistent hackers from attacking your website. Despite this, it remains a common feature of WordPress security plugins, possibly because this technique could help reduce low-level attacks.

Thanks for reading.

Kevin

Frequently Asked Questions

Does WordPress Let You Change the Login URL?

WordPress does not natively let you change the login URL, though you can make this adjustment yourself by editing files, adding hooks, using .htaccess or utilising a security WordPress plugin.

What is the Best Method?

Each method that has been referenced in this article can be used to change the WordPress login URL, so the best method will depend on how you approach WordPress customisations.

Personally, I try and avoid modifying core WordPress files where possible, which is why prefer using plugins to tackle problems like this.

Will it Break My Plugins & Themes?

There is a small chance that some WordPress plugins and themes will not function correctly, though the risk is low. This problem can occur if a developer hard-coded the login URL to www.site.com/wp-login.php, but it is rare to see this and I’ve never experienced any compatibility issues myself.

What if I Forget My New Login URL?

You should store your new login URL somewhere safe, though it is easy to retrieve the URL if you do forget it. You simply need to check your main WordPress directory for the new file name or reference the changes you made in your .htaccess file.

If you are changing WP login URL using a plugin, you can deactivate the plugin temporarily by renaming its associated plugin directory. This will reset the login URL until it’s activated again. An alternative option is to reference your WordPress database as plugins will typically store your new login URL there.

Is it Worthwhile Changing the WordPress Login URL?

In comparison to other security steps, such as disabling XML-RPC, changing the WordPress login URL is not as effective as preventing attacks and unauthorised website access.

For many people, this makes changing the WordPress login URL a pointless endeavor. For others, performing this additional step is worthwhile if it slows would-be attackers down.

Category:

,

You may also like


WordPress Site Not Loading: 7 Easy Fixes
WordPress Site Not Loading: 7 Easy Fixes

You’ve probably experienced a small business’s website crashing during a Black Friday sale. Eager shoppers flood the site all at once causing it to become unresponsive. This is one of…

Solve: The Site Is Experiencing Technical Difficulties
Solve: The Site Is Experiencing Technical Difficulties

“The site is experiencing technical difficulties” error can feel frustrating. Just when you’re about to update a plugin or upgrade your PHP, this pesky problem appears. And sometimes, it locks…

How can we help you?

If you’re worried that your website has been hacked, MalCare can help you quickly fix the issue and secure your site to prevent future hacks.

My site is hacked – Help me clean it

Clean your site with MalCare’s AntiVirus solution within minutes. It will remove all malware from your complete site. Guaranteed.

Secure my WordPress Site from hackers

MalCare’s 7-Layer Security Offers Complete Protection for Your Website. 300,000+ Websites Trust MalCare for Total Defence from Attacks.