WordPress’ default login URL is /wp-login.php (or you can just type in /wp-admin/ and it’ll redirect you there if not yet logged in). For example: http://www.example.com/wp-login.php.
You may think to yourself, “OK. Who cares?” There are 3 reasons you should care:
- I can tell you’re using WordPress. It’s pretty easy for a hacker to tell if any given website is a WordPress website. You can look at the page’s source and see things like /wp-content/themes/style.css or /wp-content/plugins/…, etc. Once I know your site is a WP site, I now know your login URL is /wp-login.php.
- So now I know your login URL. I also know that WordPress creates an “admin” username by default. Now Mr. or Ms. Hacker has your login URL and possibly your login username. Now it’s a matter of guessing your password.
- And I’ll try the default username and try to guess your password. Even if you don’t have an “admin” username and you have a strong password (and preferably use a password manager to log in so your keyboard’s keystrokes aren’t being logged), the hackers are not aware of this, so they’ll just keep trying forever and ever, wasting your server’s resources and possibly taking down your site. (P.S. I hope you’re logging in with HTTPS or through a secure login method like from the ManageWP Dashboard so your password isn’t sent “in the clear” when logging in.)
Did any of that sound like fun? I bet not, but it’s important stuff. At the very least, I hope I’ve scared you into reading the rest of this how-to post because the solution is quick, easy, and painless, and anyone who can install and activate a plugin can do it.
How To Change Your WordPress Login URL
The short answer is to install, activate, and configure the Better WP Security WordPress plugin.
What We’re Doing
With Better WP Security, you’ll be able to change:
- /wp-login.php to /login/
- /wp-admin/ to /admin/
- /wp-login.php?action=register to /register/
- Or to whatever slugs you choose in the plugin settings
Compatibility might be an issue. Make sure to read and understand all the Better WP Security options before changing any settings. Talk to your web host or developer before continuing if you know you have an unusual setup but aren’t sure how it may be affected by this plugin. I tested with WP Engine and didn’t have any issues. Follow the plugin author’s recommendation and read the Better WP Security Installation Tips and FAQs.
If you already have the site added to ManageWP Dashboard, you’ll need to update your ManageWP options, but it’s quick and easy. Also, please read the ManageWP “Known Issues”, which mentions one of the features of the Better WP Security plugin.
Continue reading for all the step-by-step instructions for Better WP Security and updating the ManageWP Dashboard options.
Step By Step Instructions
You really should change your login URL (and by login URL I mean the URLs for logging in, registering, and administration). Here’s how to do it:
Step 1: Take a Full Backup
Duh. Do it with ManageWP. Take a full backup, not just a database backup. Like all backups, verify it’s completed and in your desired location before proceeding to the next step.
Step 2: Install and Activate the Better WP Security plugin
I’ve looked long and hard for a “hide login” plugin and there weren’t many quality choices. And the aptly named Hide Login plugin did not work for me (thank God I was on a WP Engine staging site because I got totally locked out). And there used to be a plugin called Stealth Login which no longer exists.
At the recommendation of several WordPress gurus, I tried Better WP Security for this purpose alone (although it has a bunch of great features), and it worked like a charm right from the start.
Step 3: Set Up the Better WP Security Plugin
Once the Better WP Security plugin is installed, follow these steps:
- Open the plugin’s wp-admin options page.
- Follow the first 3 setup steps as shown in the screenshots below:
- Make your backup selection.
- Allow the plugin to change WordPress core files (read the warning first).
- Click the “Secure My Site From Basic Attacks” button.
- Click the “Hide” tab.
- Check the “Enable Hide Backend” box.
- Enter your desired login, register, and admin slugs or leave them at the plugin’s defaults of “login”, “register”, and “admin”.
- Click “Save Changes”.
- Don’t forget your new URLs, especially the login URL! You might want to write them down somewhere until you get used to them. Or you’ll never need to remember the login URL if you use an auto-login tool like ManageWP (additional steps follow).
Screenshots of each step above are shown below:
Step 4: Add (or Re-Add) your Site to the ManageWP Dashboard
If you use ManageWP for the site you’ve changed the login URL for, follow these steps:
- Log in to your ManageWP Dashboard.
- In the left navigation menu, click on the site you changed the login URL for.
- Click “Options”.
- Change the “Website Admin URL” option from …/wp-admin/ to …/login/ (or whatever you changed it to).
- Click “Save Changes” and the window will auto-close after a green “Options Updated” message is displayed for a second or two.
- Click on the site again and click “Site Admin” (or the icon next to it to open it in a new window) to make sure ManageWP can auto-login for you at the new URL.
- If you were able to log in via ManageWP Dashboard, you’re all done.
Screenshots of each step are below:
How the Better WP Security Plugin Changes the Login URL
Some of you might not care how it works; others may want to know all the details. Let’s just say it’s the magic of the .htaccess file.
Without getting too technical, the plugin adds about 30 lines to the top of your main WordPress .htaccess file. That’s really all the magic that’s needed to change the login URLs.
Note: Neither the wp-login.php file nor the wp-config.php file is modified, moved, or renamed.
If you’re a developer looking to learn all the ins and outs of .htaccess files and rules, consider purchasing the .htaccess made easy eBook. To be clear, no knowledge of .htaccess is needed to use the Better WP Security plugin.
More About Better WP Security
The Better WP Security plugin has a lot of features, just one of which is the ability to hide the WordPress login, register, and admin URLs. Here are a few of the additional features included in this free plugin:
- Additional “security through obscurity” options
- Change the current WordPress database prefix
- Rename the default “admin” username
- Change the ID for the user with ID 1
- Removes login error messages (so bad login attempts don’t get a hint whether it was the username or the password that was incorrect)
- Logs 404 errors, bad login attempts, and changes to files
There are many more benefits of using the Better WP Security plugin, and it even works on single sites and Multisite.
Read more about its features at its WordPress plugin page and give it a good rating if it worked well for you.
Change your WordPress login URL today.
Feel free to post a comment below once you’ve done it or if you run into any problems.
Blog post updated on July 17, 2014
Image courtesy of Saxon.