Change Your WordPress Login URL

Change Your WordPress Login URL

WordPress’ default login URL is /wp-login.php (or you can just type in /wp-admin/ and it’ll redirect you there if not yet logged in). For example: http://www.example.com/wp-login.php.

You may think to yourself, “OK. Who cares?” There are 3 reasons you should care:

  1. I can tell you’re using WordPress. It’s pretty easy for a hacker to tell if any given website is a WordPress website. You can look at the page’s source and see things like /wp-content/themes/style.css or /wp-content/plugins/…, etc. Once I know your site is a WP site, I now know your login URL is /wp-login.php.
  2. So now I know your login URL. I also know that WordPress creates an “admin” username by default. Now Mr. or Ms. Hacker has your login URL and possibly your login username. Now it’s a matter of guessing your password.
  3. And I’ll try the default username and try to guess your password. Even if you don’t have an “admin” username and you have a strong password (and preferably use a password manager to login so your keyboard’s keystrokes aren’t being logged), the hackers are not aware of this so they’ll just keep trying forever and ever, wasting your server’s resources and possibly taking down your site. (P.S. I hope you’re logging in with HTTPS or through a secure login method like from the ManageWP Dashboard so your password isn’t sent “in the clear” when logging in.)

Did any of that sound like fun? I bet not, but it’s important stuff. At the very least, I hope I’ve scared you into reading the rest of this how-to post because the solution is quick, easy, and painless, and anyone who can install and activate a plugin can do it.

How To Change Your WordPress Login URL

The short answer is to install, activate, and configure the Better WP Security WordPress plugin.

What We’re Doing

With Better WP Security, you’ll be able to change:

Warnings

Compatibility might be an issue. Make sure to read and understand all the Better WP Security options before changing any settings. Talk to your web host or developer before continuing if you know you have an unusual setup but aren’t sure how it may be affected by this plugin. I tested with WP Engine and didn’t have any issues. Follow the plugin author’s recommendation and read the Better WP Security Installation Tips and FAQs.

If you already have the site added to ManageWP Dashboard, you’ll need to update your ManageWP options, but it’s quick and easy. Also, please read the ManageWP “Known Issues”, which mentions one of features of the Better WP Security plugin.

Continue reading for all the step-by-step instructions for Better WP Security and updating the ManageWP Dashboard options.

Step By Step Instructions

You really should change your login URL (and by login URL I mean the URLs for logging in, registering, and administration). Here’s how to do it:

Step 1: Take a Full Backup

Duh. Do it with ManageWP. Take a full backup, not just a database backup. Like all backups, verify it’s completed and in your desired location before proceeding to the next step.

Step 2: Install and Activate the Better WP Security plugin

I’ve looked long and hard for a “hide login” plugin and there weren’t many quality choices. And the aptly named Hide Login plugin did not work for me (thank God I was on a WP Engine staging site because I got totally locked out). And there used to be a plugin called Stealth Login which no longer exists.

At the recommendation of several WordPress gurus, I tried Better WP Security for this purpose alone (although it has a bunch of great features), and it worked like a charm right from the start.

Step 3: Setup the Better WP Security Plugin

Once the Better WP Security plugin is installed, follow these steps:

  1. Open the plugin’s wp-admin options page.
  2. Follow the first 3 setup steps as shown in the screenshots below:
    1. Make your backup selection.
    2. Allow the plugin to change WordPress core files (read the warning first).
    3. Click the “Secure My Site From Basic Attacks” button.
  3. Click the “Hide” tab.
    1. Check the “Enable Hide Backend” box.
    2. Enter your desired login, register, and admin slugs or leave them at the plugin’s defaults of “login”, “register”, and “admin”.
    3. Click “Save Changes”.
  4. Don’t forget your new URLs, especially the login URL! You might want to write them down somewhere until you get used to them. Or never need to remember the login URL if you use an auto-login tool like ManageWP (additional steps follow).

Screenshots of each step above are shown below:

Better WP Security 1
Initial Setup Page. Select the backup option you think best. (If you’ve already created a backup with ManageWP, you can skip this backup.)
Better WP Security 2
Setup step 2. Read the instructions and, in general, click to allow changing WordPress core files.
Better WP Security 3
Setup step 3. In general, click the option to allow the plugin to activate its default security settings, since this plugin does more than just change the login URL.
Better WP Security 4
After clicking the “Hide” tab at the top, check the box to enable the feature. Change the text boxes as you desire. Then click “Save”. (Don’t worry; you won’t get logged out upon saving.)
Better WP Security 5
After saving once, you’ll be able to uncheck the box if you want to turn the feature off, or you can leave it checked and just change the login URLs anytime you want.

Step 4: Add (or Re-Add) your Site to the ManageWP Dashboard

If you use ManageWP for the site you’ve changed the login URL for, follow these steps:

  1. Login to your ManageWP Dashboard.
  2. In the left navigation menu, click on the site you changed the login URL for.
  3. Click “Options”.
  4. Change the “Website Admin URL” option from …/wp-admin/ to …/login/ (or whatever you changed it to).
  5. Click “Save Changes” and the window will auto-close after a green “Options Updated” message is displayed for a second or two.
  6. Click on the site again and click the “Site Admin” (or the icon next to it to open it in a new window) to make sure ManageWP can auto-login for you at the new URL.
  7. If you were able to login via ManageWP Dashboard, you’re all done.

Screenshots of each step are below:

Better WP Security 6
Go to your ManageWP Dashboard, click on the site URL and click “Options”.
Better WP Security 7
At the site’s ManageWP Options pop-up, you’ll see your current login URL.
Better WP Security 8
Change the login URL to your new login URL and click “Save Changes”.
Better WP Security 9
Make sure the ManageWP Dashboard can still auto-login for you. Click on the site URL you just updated the options for and click Site Admin link to see if it works.

How the Better WP Security Plugin Changes the Login URL

For some, you might not care how it works; for others, you may want to know all the details. Let’s just say it’s the magic of the .htaccess file.

Without getting too technical, the plugin adds about 30 lines to the top of your main WordPress .htaccess file. That’s really all the magic that’s needed to change the login URLs.

Note: Neither the wp-login.php file nor the wp-config.php file is modified, moved, or renamed.

If you’re a developer looking to learn all the ins and outs of .htaccess files and rules, consider purchasing the .htaccess made easy eBook. To be clear, no knowledge of .htaccess is needed to use the Better WP Security plugin.

More About Better WP Security

The Better WP Security plugin has a lot of features, just one of which is the ability to hide the WordPress login, register, and admin URLs. Here are a few of the additional features included in this free plugin:

There are many more benefits of using the Better WP Security plugin, and it even works on single sites and Multisite.

Read more about its features at its WordPress plugin page and give it a good rating if it worked well for you.

Change your WordPress login URL today.

Feel free to post a comment below once you’ve done it or if you run into any problems.

Blog post updated on July 17, 2014

Image courtesy of Saxon.

Clifford Paulick

Clifford Paulick is @TourKick, doing cool things with WordPress, photography, and videography. He provides web and technology consulting services at TourKick.com and is a Tulsa Realtor.

88 Comments

  1. blog teknologi

    Hello, your antispam plugin eated my comment, don’t wanna write it again : /

  2. Abhishek Kumawat

    Thanks for sharing this plugin.. Its Awesome :)

  3. Sandip Maji

    Thanks Clifford, it’s really so simple and helpful.

  4. tekinfom

    This very complete and straightforward to become practiced in the least, but I‘d like to question, if there will be free tools available which will tell us wordpress login URL? I fear that in case for instance there will be such tools, hackers can easily certainly determines the login URL.

  5. aamir saleh

    Hi Clifford Thanks for such an easy explanation, you are great :)

  6. Peter

    to all guys who post their website here. Much better you don’t do this because so everyone knows you website now and that you use such kind of plugin.

  7. Kat Rostova

    I locked myself out of my site and started to freak out a bit. I deleted the plugin folder in my control panel through my host and was still locked out. Then I remembered that the plugin asked to modify the htaccess file and so I went in there and found the code it added and removed it. All better again. Maybe I should read this entire article before I mess around with it again. ps. I whitelisted my ip but it just kept saying that the page was not found.

  8. Dean

    Thanks for your great article. For those who search a bit more, see the WP Hide & Security Enhancer https://wordpress.org/plugins/wp-hide-security-enhancer/ This one completely hide old login urls, all other solutions appear to redirect to a 404 error page which indicate the initial url existence.

    1. Aman

      Thanks guys!

  9. John

    I was looking for something to simply change my register and wp-admin links and fell on your article. It’s a very interesting article and enjoyed reading it. I think the plugin is ineterting as well, however the steps that you explain to take after installing fail to mention that the plugin needs the pro version which is a minimum of $80/year and up. So I was a little disspointed to find this out only at the end of reading and installing the plugin simply to change 3 links. So I simply uninstalled it. Would just be nice to mention that beforehand. Otherwise, as I stated above, great article on security.

    Wishing you a great day!

  10. Larry

    Recently, I`ve been looking in to adding additional layers of security to my wife`s website (it got pharma hacked) & one of the plugins I looked into was Stealth Login, which is apparently still in business, periodically updated (it was last updated 12 months ago & currently is listed as compatible with WP ver. 3.4.5 or higher), & being used on WP ver. 4.4.10 with no complaints about incompatibility so far. You can go look at “https://wordpress.org/plugins/stealth-login-page/”.

  11. menganti

    superrr. definitely try on my wp blog

  12. Mohit Chauhan

    This article was indeed very useful as nobody wants to get there WordPress hacked! I have changed my URL , thanks for letting us know about this wonderful plugin.

    1. Clifford Paulick

      Glad to help!

  13. Giovanni

    Great article but now is call ithemes security and in free version only one login access can change.

  14. Baguz

    This is a good idea to change wp-admin and wp-login url. Because i get many brute force attack in my wp site

  15. Vikas Mehra

    Thanks by using this method i will secure blog

  16. prince mehra

    Thanks for sharing this valuable information…
    I definitely try on my wp blogs

  17. Asad Hanif

    Hey clifford, is there any method to change the whole wp login page code with our custom made code? because someone told me that every wp developers knows the complete structure of wordpress so its very easy to them to hack any wp website. what do u think about this scenario?

    1. Clifford Paulick

      Hi Asad. Thanks for your question. This is a common statement regarding all open source software, which is outside the scope of this blog article so I won’t reply to that question. Regarding the code, you can view all the actual wp-login screen code at https://github.com/WordPress/WordPress/blob/master/wp-login.php

      I hope this information helps you.

  18. Mokamula 2016

    Thanks, now i can login to my wordpress 😀

  19. Mushroomali

    in this way , my blog more secure

  20. Khairul Anwar

    thank you, this is very helpful and reduce my worries to my web-site

  21. tempat Wisata

    thankyou for tutorial, I never think about it before…. before I use wp-admin and now I was succes change it… nice information,, I like this post :) Im from indonesia, sorry about spelling..

  22. cira

    nice one! i would try this to my personel website.. is the plugin free?

  23. Michael

    Thanks. I wonder if this will cause issues for further updates? i.e. WP core and plugins?

    1. Clifford Paulick

      Hi Michael. It shouldn’t. However, this post was written prior to iThemes acquiring the plugin, rebranding it, and making significant changes. However, I’d guess this functionality remains and wouldn’t cause issues for future updates. It’s been a couple years since I looked at it, but I believe it’s accomplished via HTACCESS… but don’t quote me on that.

  24. mallkota

    nice trick

  25. harga honda mobilio

    are this plugin its free…

  26. harga mobil honda

    its helping to me to secure my site.

  27. Jual mebel jepara

    i have not to acces login

  28. Rio

    I finally found a tutorial that I was looking for this .. thanks

  29. t.abrahams001

    thank you thank you thank you both for manageWP plugin AND for this super helpful solution to redirecting my login to a custom url!!!

  30. Ade

    This plugin I was looking for, thank you for writing a very helpful awakening my wordpress blog securely.

  31. Firman Kehilangan

    i think this tutorial is amazing. I’ve been looking for a way change the name of the admin and this time I found. I’am wordpress user. I will try on my website. Thank you so much.

  32. corvusmile

    Thanks for making clear how itheme security (former better wp security) changes the log-in URL.
    You just save my day.
    Thanks.

  33. obat pembesar penis

    You can change the login URL using a one-liner in the

  34. Imtiaz Ahmed

    Can you please tell me, will it work on Arvixe VPS? Really amazing post.

    1. Clifford Paulick

      Hi Imtiaz. I don’t know of any reason why it would not. However, this plugin has gone through significant changes since this post.

  35. Abinash Mohanty

    Thanks for the tips! It worked :)

    1. Clifford Paulick

      Thanks for letting us know. Glad to hear! I’m sure it’s even better now that iThemes took it over.

  36. Khairul Nizam

    hope it works as it mentioned…thumbs up buddy.

  37. Jasa seo

    its amazing. definitely try on my wp blogs.. hope it works as it mentioned…

  38. Gregg

    I use this plugin on my WP multisite installation. However when I hide the back end, that bit works fine and relocates the login page to the slug I have chosen. Its after that is the problem… I enter my user / pwd and then rather than get to the wp-admin backend instead I just get a 404 page not found error?

    Tried googling the issue but cant find anything that helps. Spent 4 hours today trying to work it out (fyi my coding knowledge and htaccess knowledge is very basic)

    Any suggestions?

    1. Clifford Paulick

      As this post was written over a year ago and has since become iThemes Security plugin ( http://ithemes.com/2014/03/17/better-wp-security-plugin-changing-ithemes-security-need-know/ ), I’d say the best solution is to contact official support. Hope you get it worked out.

  39. Arpit Vimal

    Sounds good…that we can change the login address of WordPress blogs.

  40. sutopo sasuke

    This is a wonderful article, Given so much info in it, These type of articles keeps the users interest in the website, and keep on sharing more … good luck

  41. Venus

    I will definitely change my login url, that’s the reason why im reading this post right now. i have wordfence installed on my wordpress site and keep emailing me that there was someone who tried to login using my admin username for 20 times nad then, BAM! my site is down with a database error i takes an hour before it went back really frustrating.

  42. Rudi Nazar

    This very complete and easy to be practiced at all, but I want to ask, if there are free tools out there that can tell us wordpress login URL? I fear that if for example there are such tools, hackers can easily certainly determines the login URL.

  43. M

    Better WP Security completely locked me out of my site and made some HORRIBLE changes to my databases that I did not authorise. I would avoid this plugin like the plague!

    1. Clifford Paulick

      Sorry to hear that, M. I haven’t used BWPS recently, but I have had experiences where it didn’t do something right, I restored a backup, tried again, and then it worked. Always take backups. Hope you don’t have any long-term damage. Need backups for the future? Consider https://managewp.com/user-guide/how-to-use-managewp/backup ManageWP’s backup solution.

      1. Lone

        Similar results here. It was a disaster.

  44. Hemant Aggarwal

    Can’t we just add RewriteRule ^login$ http://www.mywebsite.com/wp-login.php [NC,L] to our htaccess file to do this ?

    1. Clifford Paulick

      The goal is not to redirect wp-login.php. Instead, we want wp-login.php to not work.

  45. Robinsh

    Yesterday I enabled my WP site for anyone to register as a subscriber but what I saw there was more than 100 fake accounts created by the bots and that’s why I was searching and found your post to help myself .

  46. Gene

    Definitely NOT awesome. Installed and setup without a problem but hours later when I went to log in to my admin panel I’m redirected to a 404 page not not found. Great. Now I can’t get in my site and have no clue how to fix what this crap broke.

    1. Clifford Paulick

      Hi Gene. Sorry that you’ve experienced troubles. Assuming your hosting isn’t a conflicting factor here, just SFTP into your site and edit your main .htaccess file. You can delete the lines added by BWP and you should be able to use /wp-login.php again. Once in wp-admin, you can disable the BWP plugin and try another (see previous comments) or just try to setup BWP again. Hope you get it figured out soon.

      1. Gene

        First and foremost, I apologize for having used horrible manners and not asking for help properly. No excuse for that.

        I did go in to the .htaccess and it was simple enough to fix, have gained full access once again, thank you. Now I wonder, can I completely uninstall the plugin or do I need to restore the backup made just prior to executing Better WP Security?

        1. Clifford Paulick

          Once you un-do all the BWP settings, you can simply deactivate the plugin instead of needing to revert to a previous restore point.

  47. Ukraina

    Its actual problem to change defaul wp-login.
    If plugin will do something wrong – i just may clean up htaccess manually.

    1. Clifford Paulick

      I don’t exactly understand your point, but I agree it’s bad to change WP core files, if that’s what you’re pointing out (which this plugin does not do).

  48. marco

    I got the plugin working, but when I go the site.nl/login it just redirects me to .nl/wp-login.php.

    What did I do wrong?

    1. Clifford Paulick

      Hi Marco. I’m not sure without seeing your setup, but I’d follow the steps closely just to double-check if you missed something.

  49. Mat Riexinger

    I’m confused as to why the developers of WordPress don’t implement a system to eliminate more of the threats they’ve been plagued with for a few years now.

  50. Mat Riexinger

    White Label Branding plugin on Codecanyon also allows you to make this change. There’s since been a few others that have come along as well.

    Hide my wordpress is pretty sensitive though because if you do the wrong thing, or another plugin blocks it’s full functionality due to a conflict from their code, you can be locked out of your site.

    1. Clifford Paulick

      Thanks for sharing your experiences.

  51. Oleh

    Hello, your antispam plugin eated my comment, don’t wanna write it again:/

    1. Tom Ewer

      Sorry Oleh :( I don’t see the comments in the spam folder so it must have already been deleted.

  52. Mohit

    wow that really impressive, now i can change my WP site login url.
    thanks for the tips.

  53. Akash Deep Satpathi

    Thanks for sharing this Clifford! I want to know, is there any other plugin available which can help me to change the login URL? As Better WP Security plugin was not working on my site when I was first time tried it. So, any idea?

    1. Clifford Paulick

      Hi Akash. I’ve never had a problem with Better WP Security on my hosting setups, but I’ve seen quite a few people mention this. The only issue I’ve had with BWP is on multisite when trying to create a new site with BWP active (didn’t work).

      Your question has good timing because Stealth Login Page just released an update with full multisite support, which makes it my new #1 if it works as I hope it will… I’m planning to try it out soon.

      There’s another plugin to consider from CodeCanyon called Hide My WP (see other comment for the link).

      Let me know if Stealth Login Page works for you and if its on single or multi.

      1. Akash Deep Satpathi

        Okay, recently I get Better WP Security in work. There was some problem between Wordfense and in it. And going to try the plugin you suggested, thanks! :)

        1. Clifford Paulick

          Let me know if Stealth Login Page works for you.

  54. Tim

    After installing Better WP Security everything works well except now my green box doesn’t pop up when a client uses my contact form 7. The green box used to confirm that the email was sent successfully. Any thoughts on this? I am receiving the emails.

    1. Clifford Paulick

      I don’t use CF7 personally so I haven’t experienced this (and I don’t know what green box pop up you’re referring to — the submission text?), but a quick Google search indicated to me several reports of the reCAPTCHA possibly having an issue with both of these installed. Have you tried CF7 + BWP active without reCAPTCHA on CF7?

  55. Virtual Web Solutions

    Thanks for sharing such important information. It will help me and my clients as well.

    Many Thanks.

    1. Clifford Paulick

      Glad to hear it!

  56. Sudeep Acharya

    Hi Clifford,

    Actually I had to leave this amazing plugin because it shows ‘internal server error’ after some hours of installation,I checked with some of the experts like you,they told me that the plugin is not updated which is creating the issue.
    If you can help me on this,I will give another try to this plugin.
    Having said that my host is awardspace.(paid basic shared hosting plan)

    1. Clifford Paulick

      Sorry it didn’t work for your server setup. There are several “LAMP Checker” plugins out there and maybe double-check some permissions. Maybe your server setup doesn’t have some common PHP extensions enabled; I don’t know. But you can see the WordPress Support history and know that the BWP team has a lot of users and support threads. Keeping in mind it’s a free plugin, I think less than 100% support is understandable. However, they did recently start offering premium installation and support if that interests you. I haven’t downloaded it, but I’ve heard good things about this CodeCanyon product that has a similar feature and additional features: Hide My WP.

  57. Almaare

    its amazing. definitely try on my wp blogs.. hope it works as it mentioned…

    thumbs up buddy.

  58. Derrick

    I did this but it just redirects.

    Is there another step involved or is this method already outdated?

    Thnx

    1. Clifford Paulick

      Derrick, if you tell me what you input as your settings, what is redirecting, and where it’s redirecting to, I might be able to help. However, it’s all pretty straight forward since it’s all done via the main WordPress installation’s .htaccess file. If you ever get “locked out”, you could always delete the #BETTER WP SECURITY lines in the file via FTP/SFTP and then the /wp-login.php will work again via direct access. If you figure it out yourself, great. If you need help, comment here, post in the Better WP Security plugin’s support forum, or email me from http://tourkick.com/contact/

  59. Toby Brommerich

    Installing WordPress from scratch actually allows you to set the username of the first Admin user. It has for several versions.

    1. Clifford Paulick

      Yup. Still good not to have a user with ID #1, especially not an administrator. Both can be resolved by the Better WP Security plugin if not done at initial installation. :-)

  60. webmaster

    You can change the login URL using a one-liner in the .htaccess file:
    RewriteRule ^login$ http://www.mywebsite.com/wp-login.php [NC,L]

    Changing mywebsite.com with your own domain name.

    You would then login at http://www.mywebsite.com/login

    Cheerz,
    Wil.

    1. Clifford Paulick

      Hi Wil. Directly editing the .htaccess file is possible, but not everyone’s comfortable doing that. Plus, the Better WP Security plugin does a lot of other good stuff. Additionally, the goal is to get the login to “move” not just be “redirected to” because that doesn’t hide wp-login.php from being directly accessed. For those that wish to use it, though, thanks for the sharing.

  61. Darnell Jackson

    Excellent post I’ll save this for my wordpress security round up post.

    I think there are a few holes that you mentioned that most webmasters have.

    However, the best security is a good recent backup.

    1. Clifford Paulick

      Great to hear, Darnell. There’s a lot more to the Better WP Security plugin.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>