WordPress’ default login URL is /wp-login.php (or you can just type in /wp-admin/ and it’ll redirect you there if not yet logged in). For example: http://www.example.com/wp-login.php.
You may think to yourself, “OK. Who cares?” There are 3 reasons you should care:
- I can tell you’re using WordPress. It’s pretty easy for a hacker to tell if any given website is a WordPress website. You can look at the page’s source and see things like /wp-content/themes/style.css or /wp-content/plugins/…, etc. Once I know your site is a WP site, I now know your login URL is /wp-login.php.
- So now I know your login URL. I also know that WordPress creates an “admin” username by default. Now Mr. or Ms. Hacker has your login URL and possibly your login username. Now it’s a matter of guessing your password.
- And I’ll try the default username and try to guess your password. Even if you don’t have an “admin” username and you have a strong password (and preferably use a password manager to login so your keyboard’s keystrokes aren’t being logged), the hackers are not aware of this so they’ll just keep trying forever and ever, wasting your server’s resources and possibly taking down your site. (P.S. I hope you’re logging in with HTTPS or through a secure login method like from the ManageWP Dashboard so your password isn’t sent “in the clear” when logging in.)
Did any of that sound like fun? I bet not, but it’s important stuff. At the very least, I hope I’ve scared you into reading the rest of this how-to post because the solution is quick, easy, and painless, and anyone who can install and activate a plugin can do it.
How To Change Your WordPress Login URL
The short answer is to install, activate, and configure the Better WP Security WordPress plugin.
What We’re Doing
With Better WP Security, you’ll be able to change:
- /wp-login.php to /login/
- /wp-admin/ to /admin/
- /wp-login.php?action=register to /register/
- Or to whatever slugs you choose in the plugin settings
Warnings
Compatibility might be an issue. Make sure to read and understand all the Better WP Security options before changing any settings. Talk to your web host or developer before continuing if you know you have an unusual setup but aren’t sure how it may be affected by this plugin. I tested with WP Engine and didn’t have any issues. Follow the plugin author’s recommendation and read the Better WP Security Installation Tips and FAQs.
If you already have the site added to ManageWP Dashboard, you’ll need to update your ManageWP options, but it’s quick and easy. Also, please read the ManageWP “Known Issues”, which mentions one of features of the Better WP Security plugin.
Continue reading for all the step-by-step instructions for Better WP Security and updating the ManageWP Dashboard options.
Step By Step Instructions
You really should change your login URL (and by login URL I mean the URLs for logging in, registering, and administration). Here’s how to do it:
Step 1: Take a Full Backup
Duh. Do it with ManageWP. Take a full backup, not just a database backup. Like all backups, verify it’s completed and in your desired location before proceeding to the next step.
Step 2: Install and Activate the Better WP Security plugin
I’ve looked long and hard for a “hide login” plugin and there weren’t many quality choices. And the aptly named Hide Login plugin did not work for me (thank God I was on a WP Engine staging site because I got totally locked out). And there used to be a plugin called Stealth Login which no longer exists.
At the recommendation of several WordPress gurus, I tried Better WP Security for this purpose alone (although it has a bunch of great features), and it worked like a charm right from the start.
Step 3: Setup the Better WP Security Plugin
Once the Better WP Security plugin is installed, follow these steps:
- Open the plugin’s wp-admin options page.
- Follow the first 3 setup steps as shown in the screenshots below:
- Make your backup selection.
- Allow the plugin to change WordPress core files (read the warning first).
- Click the “Secure My Site From Basic Attacks” button.
- Click the “Hide” tab.
- Check the “Enable Hide Backend” box.
- Enter your desired login, register, and admin slugs or leave them at the plugin’s defaults of “login”, “register”, and “admin”.
- Click “Save Changes”.
- Don’t forget your new URLs, especially the login URL! You might want to write them down somewhere until you get used to them. Or never need to remember the login URL if you use an auto-login tool like ManageWP (additional steps follow).
Screenshots of each step above are shown below:
Step 4: Add (or Re-Add) your Site to the ManageWP Dashboard
If you use ManageWP for the site you’ve changed the login URL for, follow these steps:
- Login to your ManageWP Dashboard.
- In the left navigation menu, click on the site you changed the login URL for.
- Click “Options”.
- Change the “Website Admin URL” option from …/wp-admin/ to …/login/ (or whatever you changed it to).
- Click “Save Changes” and the window will auto-close after a green “Options Updated” message is displayed for a second or two.
- Click on the site again and click the “Site Admin” (or the icon next to it to open it in a new window) to make sure ManageWP can auto-login for you at the new URL.
- If you were able to login via ManageWP Dashboard, you’re all done.
Screenshots of each step are below:
How the Better WP Security Plugin Changes the Login URL
For some, you might not care how it works; for others, you may want to know all the details. Let’s just say it’s the magic of the .htaccess file.
Without getting too technical, the plugin adds about 30 lines to the top of your main WordPress .htaccess file. That’s really all the magic that’s needed to change the login URLs.
Note: Neither the wp-login.php file nor the wp-config.php file is modified, moved, or renamed.
If you’re a developer looking to learn all the ins and outs of .htaccess files and rules, consider purchasing the .htaccess made easy eBook. To be clear, no knowledge of .htaccess is needed to use the Better WP Security plugin.
More About Better WP Security
The Better WP Security plugin has a lot of features, just one of which is the ability to hide the WordPress login, register, and admin URLs. Here are a few of the additional features included in this free plugin:
- Additional “security through obscurity” options
- Change the current WordPress database prefix
- Rename the default “admin” username
- Change the ID for the user with ID 1
- Removes login error messages (so bad login attempts don’t get a hint whether it was the username or the password that was incorrect)
- Logs 404 errors, bad login attempts, and changes to files
There are many more benefits of using the Better WP Security plugin, and it even works on single sites and Multisite.
Read more about its features at its WordPress plugin page and give it a good rating if it worked well for you.
Change your WordPress login URL today.
Feel free to post a comment below once you’ve done it or if you run into any problems.
Blog post updated on July 17, 2014
Image courtesy of Saxon.
Shane
I’m a big fan of WordPress but their standard wp-admin login page I agree leaves a lot to be desired in terms of security. Much better to change the URL so plugins like this are a welcome addition to the functionality of the CMS.
Laretue
I changed my sites’ login url to decrease uninvited logins but the plugin i used recently stopped working so it got turned to default any good plugin you can suggest?
Muideen Samuel
Thanks for taking your time to write this article, I installed the plugin but it’s not activating on my blog.
any solution to that?
Nirmal Kumar
Thanks for the tutorial, Clifford. I will have to change my login URL. I am receiving too many login attempts from bots. It’s my Jetpack plugin blocking all these so far.
Bryan
But the default way to find the login page for WP developments for attacking purposes is not to try wp-login.php, it’s to try /login. For a while now using /login or /register will redirect you to the appropriate WP pages. If you want to beat the hackers, you should really get up-to-date on how they break into WP sites. The only way to really keep your wp-admin dash secure is to whitelist your IP address, https://www.wpoptimus.com/912/ban-ip-addresses-login-wordpress-dashboard/
Jan Atsma
This article had run out of time. But WHERE in the current interface of ManageWP one change the login url?
Nemanja Aleksic
Changing the login URL is essentially hacking the core, and could pose problems with other plugins. That’s why ManageWP does not have this option.
Check out my mens club
Hi there this is somewhat of off topic but I was wanting to know if blogs use WYSIWYG editors or if you have to manually code with HTML.
I’m starting a blog soon but have no coding skills so I wanted to get guidance from someone with experience.
Any help would be greatly appreciated!
dating
Hey very cool blog!! Guy .. Excellent .. Amazing ..
I’ll bookmark your blog and take the feeds also?
I’m happy to find a lot of helpful information here within the
publish, we’d like work out more strategies on this regard,
thanks for sharing. . . . . .
nikhil davasam
how is wordpress.com login different from /wp-login/
Abhishek K R
thank you
Obtenir-plus-prospects-referencement
For me, All in one WP Security display a “page not available” error when I try to log in to the new admin url. I tried to change .htaccess name to deactivate it without success, same after reloading a complete ftp backup and it is just after having restored the DB that I have been able to log in again to the admin. Now I activate the cookie based brute force protection but the /wp-admin/ is still available. :/
jer
One thing i realized recently was that , if you want to see if a site is wordpress you can just type http://www.example.com/robots.txt
So is it possible to change that also
Thabiso
Hi used this plug-in on my site to change the wp-admin url, now nun of my logins work…please help.
Aysad Kozanoglu
Change the following line in files to your changed custom renamed login php file
for example XXADM.php
wp-includes/general-template.php
:line 307
$logout_url = add_query_arg($args, site_url(‘XXADM.php’, ‘login’));
wp-login.php
:line 473
$redirect_to = ‘XXADM.php?loggedout=true’;
:line 897
<form name="loginform" id="loginform" action="” method=”post”>
travel umroh
nice article.
i have try it in my wp site. send me email if you have another like this.
good lucky
daryl farahi
Thanks for sharing such important information. It will help me and my clients as well.
Many Thanks-Daryl
Robert
Hi there,
This seems what I am looking for.
I’m already using Ninjafirewall. Is this plugin compatible or will they bite each other?
Cheers,
Robert
Mike piter
Thank you Clifford Paulick. I am following your posts for some time and every time i get great tips. i already change my admin url but how to change now using my database?
blog teknologi
Hello, your antispam plugin eated my comment, don’t wanna write it again : /
Abhishek Kumawat
Thanks for sharing this plugin.. Its Awesome 🙂
Sandip Maji
Thanks Clifford, it’s really so simple and helpful.
tekinfom
This very complete and straightforward to become practiced in the least, but I‘d like to question, if there will be free tools available which will tell us wordpress login URL? I fear that in case for instance there will be such tools, hackers can easily certainly determines the login URL.
aamir saleh
Hi Clifford Thanks for such an easy explanation, you are great 🙂
Peter
to all guys who post their website here. Much better you don’t do this because so everyone knows you website now and that you use such kind of plugin.
Kat Rostova
I locked myself out of my site and started to freak out a bit. I deleted the plugin folder in my control panel through my host and was still locked out. Then I remembered that the plugin asked to modify the htaccess file and so I went in there and found the code it added and removed it. All better again. Maybe I should read this entire article before I mess around with it again. ps. I whitelisted my ip but it just kept saying that the page was not found.
Dean
Thanks for your great article. For those who search a bit more, see the WP Hide & Security Enhancer https://wordpress.org/plugins/wp-hide-security-enhancer/ This one completely hide old login urls, all other solutions appear to redirect to a 404 error page which indicate the initial url existence.
Aman
Thanks guys!
John
I was looking for something to simply change my register and wp-admin links and fell on your article. It’s a very interesting article and enjoyed reading it. I think the plugin is ineterting as well, however the steps that you explain to take after installing fail to mention that the plugin needs the pro version which is a minimum of $80/year and up. So I was a little disspointed to find this out only at the end of reading and installing the plugin simply to change 3 links. So I simply uninstalled it. Would just be nice to mention that beforehand. Otherwise, as I stated above, great article on security.
Wishing you a great day!
Larry
Recently, I`ve been looking in to adding additional layers of security to my wife`s website (it got pharma hacked) & one of the plugins I looked into was Stealth Login, which is apparently still in business, periodically updated (it was last updated 12 months ago & currently is listed as compatible with WP ver. 3.4.5 or higher), & being used on WP ver. 4.4.10 with no complaints about incompatibility so far. You can go look at “https://wordpress.org/plugins/stealth-login-page/”.
danifin
Yes allright
menganti
superrr. definitely try on my wp blog
Mohit Chauhan
This article was indeed very useful as nobody wants to get there WordPress hacked! I have changed my URL , thanks for letting us know about this wonderful plugin.
Clifford Paulick
Glad to help!
Giovanni
Great article but now is call ithemes security and in free version only one login access can change.
Baguz
This is a good idea to change wp-admin and wp-login url. Because i get many brute force attack in my wp site
Vikas Mehra
Thanks by using this method i will secure blog
prince mehra
Thanks for sharing this valuable information…
I definitely try on my wp blogs
Asad Hanif
Hey clifford, is there any method to change the whole wp login page code with our custom made code? because someone told me that every wp developers knows the complete structure of wordpress so its very easy to them to hack any wp website. what do u think about this scenario?
Clifford Paulick
Hi Asad. Thanks for your question. This is a common statement regarding all open source software, which is outside the scope of this blog article so I won’t reply to that question. Regarding the code, you can view all the actual wp-login screen code at https://github.com/WordPress/WordPress/blob/master/wp-login.php
I hope this information helps you.
Mokamula 2016
Thanks, now i can login to my wordpress 😀
Mushroomali
in this way , my blog more secure
Khairul Anwar
thank you, this is very helpful and reduce my worries to my web-site
tempat Wisata
thankyou for tutorial, I never think about it before…. before I use wp-admin and now I was succes change it… nice information,, I like this post 🙂 Im from indonesia, sorry about spelling..
cira
nice one! i would try this to my personel website.. is the plugin free?
Michael
Thanks. I wonder if this will cause issues for further updates? i.e. WP core and plugins?
Clifford Paulick
Hi Michael. It shouldn’t. However, this post was written prior to iThemes acquiring the plugin, rebranding it, and making significant changes. However, I’d guess this functionality remains and wouldn’t cause issues for future updates. It’s been a couple years since I looked at it, but I believe it’s accomplished via HTACCESS… but don’t quote me on that.
mallkota
nice trick
harga honda mobilio
are this plugin its free…
harga mobil honda
its helping to me to secure my site.
Jual mebel jepara
i have not to acces login
Rio
I finally found a tutorial that I was looking for this .. thanks
t.abrahams001
thank you thank you thank you both for manageWP plugin AND for this super helpful solution to redirecting my login to a custom url!!!
Ade
This plugin I was looking for, thank you for writing a very helpful awakening my wordpress blog securely.
Firman Kehilangan
i think this tutorial is amazing. I’ve been looking for a way change the name of the admin and this time I found. I’am wordpress user. I will try on my website. Thank you so much.
corvusmile
Thanks for making clear how itheme security (former better wp security) changes the log-in URL.
You just save my day.
Thanks.
obat pembesar penis
You can change the login URL using a one-liner in the
Imtiaz Ahmed
Can you please tell me, will it work on Arvixe VPS? Really amazing post.
Clifford Paulick
Hi Imtiaz. I don’t know of any reason why it would not. However, this plugin has gone through significant changes since this post.
Abinash Mohanty
Thanks for the tips! It worked 🙂
Clifford Paulick
Thanks for letting us know. Glad to hear! I’m sure it’s even better now that iThemes took it over.
Khairul Nizam
hope it works as it mentioned…thumbs up buddy.
Jasa seo
its amazing. definitely try on my wp blogs.. hope it works as it mentioned…
Gregg
I use this plugin on my WP multisite installation. However when I hide the back end, that bit works fine and relocates the login page to the slug I have chosen. Its after that is the problem… I enter my user / pwd and then rather than get to the wp-admin backend instead I just get a 404 page not found error?
Tried googling the issue but cant find anything that helps. Spent 4 hours today trying to work it out (fyi my coding knowledge and htaccess knowledge is very basic)
Any suggestions?
Clifford Paulick
As this post was written over a year ago and has since become iThemes Security plugin ( http://ithemes.com/2014/03/17/better-wp-security-plugin-changing-ithemes-security-need-know/ ), I’d say the best solution is to contact official support. Hope you get it worked out.
Arpit Vimal
Sounds good…that we can change the login address of WordPress blogs.
sutopo sasuke
This is a wonderful article, Given so much info in it, These type of articles keeps the users interest in the website, and keep on sharing more … good luck
Venus
I will definitely change my login url, that’s the reason why im reading this post right now. i have wordfence installed on my wordpress site and keep emailing me that there was someone who tried to login using my admin username for 20 times nad then, BAM! my site is down with a database error i takes an hour before it went back really frustrating.
Rudi Nazar
This very complete and easy to be practiced at all, but I want to ask, if there are free tools out there that can tell us wordpress login URL? I fear that if for example there are such tools, hackers can easily certainly determines the login URL.
M
Better WP Security completely locked me out of my site and made some HORRIBLE changes to my databases that I did not authorise. I would avoid this plugin like the plague!
Clifford Paulick
Sorry to hear that, M. I haven’t used BWPS recently, but I have had experiences where it didn’t do something right, I restored a backup, tried again, and then it worked. Always take backups. Hope you don’t have any long-term damage. Need backups for the future? Consider https://managewp.com/user-guide/how-to-use-managewp/backup ManageWP’s backup solution.
Lone
Similar results here. It was a disaster.
Hemant Aggarwal
Can’t we just add
RewriteRule ^login$ http://www.mywebsite.com/wp-login.php [NC,L]to our htaccess file to do this ?Clifford Paulick
The goal is not to redirect wp-login.php. Instead, we want wp-login.php to not work.
Robinsh
Yesterday I enabled my WP site for anyone to register as a subscriber but what I saw there was more than 100 fake accounts created by the bots and that’s why I was searching and found your post to help myself .
Gene
Definitely NOT awesome. Installed and setup without a problem but hours later when I went to log in to my admin panel I’m redirected to a 404 page not not found. Great. Now I can’t get in my site and have no clue how to fix what this crap broke.
Clifford Paulick
Hi Gene. Sorry that you’ve experienced troubles. Assuming your hosting isn’t a conflicting factor here, just SFTP into your site and edit your main .htaccess file. You can delete the lines added by BWP and you should be able to use /wp-login.php again. Once in wp-admin, you can disable the BWP plugin and try another (see previous comments) or just try to setup BWP again. Hope you get it figured out soon.
Gene
First and foremost, I apologize for having used horrible manners and not asking for help properly. No excuse for that.
I did go in to the .htaccess and it was simple enough to fix, have gained full access once again, thank you. Now I wonder, can I completely uninstall the plugin or do I need to restore the backup made just prior to executing Better WP Security?
Clifford Paulick
Once you un-do all the BWP settings, you can simply deactivate the plugin instead of needing to revert to a previous restore point.
Ukraina
Its actual problem to change defaul wp-login.
If plugin will do something wrong – i just may clean up htaccess manually.
Clifford Paulick
I don’t exactly understand your point, but I agree it’s bad to change WP core files, if that’s what you’re pointing out (which this plugin does not do).
marco
I got the plugin working, but when I go the site.nl/login it just redirects me to .nl/wp-login.php.
What did I do wrong?
Clifford Paulick
Hi Marco. I’m not sure without seeing your setup, but I’d follow the steps closely just to double-check if you missed something.
Mat Riexinger
I’m confused as to why the developers of WordPress don’t implement a system to eliminate more of the threats they’ve been plagued with for a few years now.
Mat Riexinger
White Label Branding plugin on Codecanyon also allows you to make this change. There’s since been a few others that have come along as well.
Hide my wordpress is pretty sensitive though because if you do the wrong thing, or another plugin blocks it’s full functionality due to a conflict from their code, you can be locked out of your site.
Clifford Paulick
Thanks for sharing your experiences.
Oleh
Hello, your antispam plugin eated my comment, don’t wanna write it again:/
Tom Ewer
Sorry Oleh 🙁 I don’t see the comments in the spam folder so it must have already been deleted.
Mohit
wow that really impressive, now i can change my WP site login url.
thanks for the tips.
Akash Deep Satpathi
Thanks for sharing this Clifford! I want to know, is there any other plugin available which can help me to change the login URL? As Better WP Security plugin was not working on my site when I was first time tried it. So, any idea?
Clifford Paulick
Hi Akash. I’ve never had a problem with Better WP Security on my hosting setups, but I’ve seen quite a few people mention this. The only issue I’ve had with BWP is on multisite when trying to create a new site with BWP active (didn’t work).
Your question has good timing because Stealth Login Page just released an update with full multisite support, which makes it my new #1 if it works as I hope it will… I’m planning to try it out soon.
There’s another plugin to consider from CodeCanyon called Hide My WP (see other comment for the link).
Let me know if Stealth Login Page works for you and if its on single or multi.
Akash Deep Satpathi
Okay, recently I get Better WP Security in work. There was some problem between Wordfense and in it. And going to try the plugin you suggested, thanks! 🙂
Clifford Paulick
Let me know if Stealth Login Page works for you.
Tim
After installing Better WP Security everything works well except now my green box doesn’t pop up when a client uses my contact form 7. The green box used to confirm that the email was sent successfully. Any thoughts on this? I am receiving the emails.
Clifford Paulick
I don’t use CF7 personally so I haven’t experienced this (and I don’t know what green box pop up you’re referring to — the submission text?), but a quick Google search indicated to me several reports of the reCAPTCHA possibly having an issue with both of these installed. Have you tried CF7 + BWP active without reCAPTCHA on CF7?
Virtual Web Solutions
Thanks for sharing such important information. It will help me and my clients as well.
Many Thanks.
Clifford Paulick
Glad to hear it!
Sudeep Acharya
Hi Clifford,
Actually I had to leave this amazing plugin because it shows ‘internal server error’ after some hours of installation,I checked with some of the experts like you,they told me that the plugin is not updated which is creating the issue.
If you can help me on this,I will give another try to this plugin.
Having said that my host is awardspace.(paid basic shared hosting plan)
Clifford Paulick
Sorry it didn’t work for your server setup. There are several “LAMP Checker” plugins out there and maybe double-check some permissions. Maybe your server setup doesn’t have some common PHP extensions enabled; I don’t know. But you can see the WordPress Support history and know that the BWP team has a lot of users and support threads. Keeping in mind it’s a free plugin, I think less than 100% support is understandable. However, they did recently start offering premium installation and support if that interests you. I haven’t downloaded it, but I’ve heard good things about this CodeCanyon product that has a similar feature and additional features: Hide My WP.
Almaare
its amazing. definitely try on my wp blogs.. hope it works as it mentioned…
thumbs up buddy.
Derrick
I did this but it just redirects.
Is there another step involved or is this method already outdated?
Thnx
Clifford Paulick
Derrick, if you tell me what you input as your settings, what is redirecting, and where it’s redirecting to, I might be able to help. However, it’s all pretty straight forward since it’s all done via the main WordPress installation’s .htaccess file. If you ever get “locked out”, you could always delete the #BETTER WP SECURITY lines in the file via FTP/SFTP and then the /wp-login.php will work again via direct access. If you figure it out yourself, great. If you need help, comment here, post in the Better WP Security plugin’s support forum, or email me from http://tourkick.com/contact/
Toby Brommerich
Installing WordPress from scratch actually allows you to set the username of the first Admin user. It has for several versions.
Clifford Paulick
Yup. Still good not to have a user with ID #1, especially not an administrator. Both can be resolved by the Better WP Security plugin if not done at initial installation. 🙂
webmaster
You can change the login URL using a one-liner in the .htaccess file:
RewriteRule ^login$ http://www.mywebsite.com/wp-login.php [NC,L]
Changing mywebsite.com with your own domain name.
You would then login at http://www.mywebsite.com/login
Cheerz,
Wil.
Clifford Paulick
Hi Wil. Directly editing the .htaccess file is possible, but not everyone’s comfortable doing that. Plus, the Better WP Security plugin does a lot of other good stuff. Additionally, the goal is to get the login to “move” not just be “redirected to” because that doesn’t hide wp-login.php from being directly accessed. For those that wish to use it, though, thanks for the sharing.
Darnell Jackson
Excellent post I’ll save this for my wordpress security round up post.
I think there are a few holes that you mentioned that most webmasters have.
However, the best security is a good recent backup.
Clifford Paulick
Great to hear, Darnell. There’s a lot more to the Better WP Security plugin.