Hiding the WordPress login URL is one of the first lines of defense against brute force attacks. Changing the standard WordPress login page (/wp-admin or /wp-login.php) can help a website owner protect against automated bots and unauthorized access attempts.
Security is about layers. The more layers you build, the harder it will be for an attacker to penetrate. In this article we’ll discuss various ways to hide the WordPress login URL to add a security layer to your website. This is the first post in a series of posts about securing WordPress in layers.
Why hide WordPress login URL?
WordPress is the most popular CMS software and powers almost 40% of the sites on the Internet. It is open source. Hackers target WordPress because most website owners leave its settings at their defaults, which makes those sites more vulnerable to all types of attacks.
I can think of four major reasons to hide a WordPress login URL:
- Prevent brute force attacks
- Reduce exposure to vulnerabilities
- Conceal admin access
- Protect user information
All in all, hiding the WordPress login URL adds a security layer to your website.
Hide WordPress login URL manually
Although there are many plugins to hide the WordPress login URL, we’ll first look at the manual method. It is very easy to follow and safe. Let’s start with the steps:
WordPress authenticates users through the file wp-login.php. Basically, we’ll need to replace this file with a copy that has a custom name.
- Open your WordPress installation folder and look for the file named wp-login.php. Make a copy of the file and rename it to anything you like. I renamed my file to hidden-admin.php.
- Open the file hidden-admin.php and replace all instances of wp-login.php with hidden-admin.php. I renamed 14 occurrences in the file.
- Delete the wp-login.php file.
Now when you open https://yourdomain.com/wp-login.php, it will take you to the 404 Not Found error page.
To open the login page, you will need to go to https://yourdomain.com/hidden-admin.php.
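The three steps above as one shell function, with a check that the copy no longer refers to the old file name. This is an added example, not part of the original article; the function names `hide_login` and `demo`, the backup directory argument and the sample file contents are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): the manual rename steps as one function.
# Usage: hide_login WP_DIR NEW_NAME BACKUP_DIR   (prints how many references were rewritten)
hide_login() {
    wp_dir=$1 new_name=$2 backup_dir=$3
    old="$wp_dir/wp-login.php"
    new="$wp_dir/$new_name"

    # Accept only a plain file name ending in .php; this also keeps "/" and "&"
    # out of the sed replacement below.
    case $new_name in
        wp-login.php|*[!A-Za-z0-9._-]*) echo "invalid file name: $new_name" >&2; return 2 ;;
        *.php) ;;
        *) echo "file name must end in .php" >&2; return 2 ;;
    esac
    if [ ! -f "$old" ]; then echo "no wp-login.php in $wp_dir" >&2; return 1; fi
    if [ -e "$new" ]; then echo "$new_name already exists" >&2; return 1; fi
    if [ ! -d "$backup_dir" ]; then echo "backup directory missing" >&2; return 1; fi

    # Steps 1 and 2: copy the file, rewriting every self-reference on the way.
    count=$(grep -o 'wp-login\.php' "$old" | wc -l | tr -d ' ')
    sed "s/wp-login\.php/$new_name/g" "$old" > "$new" || return 1

    # Check: the copy must not point back at the old name.
    if grep -q 'wp-login\.php' "$new"; then
        rm -f "$new"; echo "stale references left in $new_name" >&2; return 1
    fi

    # Step 3: remove the original from the site folder (kept as a backup here, an assumption).
    mv "$old" "$backup_dir/wp-login.php.orig" || return 1
    echo "$count"
}

# Constructed stand-in for a WordPress folder, so the function can be tried offline.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/site" "$tmp/backup"
    printf '%s\n' '<?php // constructed sample, not the real wp-login.php' \
        '$url = site_url( "wp-login.php?action=logout" );' \
        '<form action="wp-login.php" method="post">' > "$tmp/site/wp-login.php"
    rc=0
    hide_login "$tmp/site" hidden-admin.php "$tmp/backup" || rc=$?
    rm -rf "$tmp"
    return $rc
}
```

A WordPress core update can put wp-login.php back, so check after each update that the original file is still gone.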
Hide WordPress Login URL using plugins
Although you can easily hide the WordPress login URL using the custom method given above, plugins add more functionality and features than just hiding the URL.
Most security plugins come with their own implementation to hide the login URL; here we will discuss only the ones that are dedicated to this purpose.
The disadvantage of plugins is that they are prone to vulnerabilities, especially if they are not regularly maintained. Make sure to keep an eye on WordPress plugin vulnerabilities and keep them up to date.
WPS Hide Login
WPS Hide Login is one of the most popular and simplest plugins to hide the wp-login.php URL. It won’t change the default WordPress files but will intercept login page requests. The default login page wp-login.php will become inaccessible.
The new custom login URL can be changed from Settings –> General options page. The URL can be in the form of a directory e.g., https://domain.com/custom-login-url/.
Easy Hide Login
Similar to WPS Hide Login, Easy Hide Login is a lightweight plugin that does one thing: it hides the WordPress login URL. It creates a URL structure like this: https://domain.com?slug_text.
The new custom login URL can be changed from Settings –> Easy Hide Login.
Rename wp-admin login
The Rename wp-admin login plugin works very similarly to WPS Hide Login. It intercepts login page requests and makes them inaccessible to users while activating a hidden URL for login.
When you activate the plugin, you can change the login URL option on the Settings –> Permalinks page. It also lets you specify a redirect page where users will be taken if they open the default wp-login.php page.
The login URL is in the form of a directory e.g., https://domain.com/hidden-login/.
If you forget the login URL, simply disable the plugin and everything will be reset.
Login Rebuilder
There are times when you want to change the login URL for administrators only. Login Rebuilder lets you define separate login URLs for administrators and other users.
The URLs can be changed from Settings –> Login Rebuilder.
Conclusion
Login Rebuilder is my personal favorite. I have listed a few useful dedicated plugins to protect your WordPress login. Only one plugin should be active at a time. If there are compatibility issues with one plugin, you can use another.
There are all-in-one security plugins that also include a custom admin login URL feature, but I prefer not to have heavy plugins installed on my sites. These plugins can be vulnerable to security issues in many ways. What is your preferred way to prevent unauthorized access to your WordPress site or prevent brute force attacks?