How to Easily Hide Your WordPress Login Page From Hackers

Martin Aranovitch – November 5, 2019

How to Easily Hide Your WordPress Login Page From Hackers

Change your WordPress login URL and hide your wp-admin to outsmart hackers and prevent brute-force attacks… it’s easier to make your site harder to crack than you think!

Let’s not kid ourselves. Even script kiddies know that all they have to do to make a WordPress site owner’s life miserable is to find the WordPress login page and guess the username and password.

Guessing passwords, by the way, is not hard to do, especially if you use the same passwords for most of your logins and share your whole life on social media.

WordPress is the most popular CMS platform in the world and this makes it an irresistible magnet for hackers and malicious login attempts. Even the best of the best can be brought down by a stealthy maverick with access to brute-force tools that will automatically try to guess your username and password by hitting your WordPress login page over and over and over again.

The Best Way To Fight Against Brute-Force Attacks… Hide!

Brute force attempts to log into WordPress are so common, there’s even a page in the Codex dedicated to the topic.

But… why give hackers and malicious bots the opportunity to even try and guess your login details? Just hide your WordPress login page and most bots and automated software won’t even know that your site exists.

In this article, you will learn how to implement one of the simplest and easiest strategies to protect your site from hackers and malicious bots: change your WordPress login URL, hide your wp-admin and wp-login page and redirect unwanted visitors away from your login page.

WordPress hide login page — Leave it open a crack and hackers will hack. Hide the WordPress login page… no malicious attack!

Why Change The WordPress Login URL?

I have a standard WordPress site that I installed a few years ago. To get to the login page all you have to do is go to /wp-admin or /wp-login.php.

This site doesn’t see a ton of traffic. In a typical month, it generates about 5,000 pageviews. However, the site’s login page sees malicious login attempts on a startlingly regular basis. I have the Defender plugin activated on this site, and it tracks the number of blocked malicious login attempts. Since I’ve started tracking the number of blocked malicious login attempts, I can see that my site handles hundreds of malicious login attempts each month, averaging about 24 per day, or one malicious login attempt every 60 minutes.

Login attempts don’t happen at a regular pace of one per hour. Weeks can go by without a single malicious login attempt being logged. Then, suddenly, a few hundred or even a couple of thousand login attempts will be logged in a short period of time.

Most WordPress sites set up as standard installations periodically experience brute force attacks attempting to log into the WordPress dashboard. Yours probably does too, whether you know it or not.

Defender IP Lockout logs. — Brute-force attack bots are constantly looking to break into your WordPress site, whether you know it or not.

WordPress Security Through Obscurity

You may think that using canny logins will keep your site safe.

Hackers can easily tell if a site is powered by WordPress or not (often just by looking at the page source).

Google Chrome browser - View page source option — Hackers can easily tell if your site runs on WordPress, work out your canny logins, and deliver you even greater hits.

Once a hacker knows that your site runs on WordPress, they also know how to find your WordPress login URL (spoiler alert: the default WordPress login URL is found by entering your domain name, followed by /wp-login.php).

Default WordPress behavior loads the login page when you access wp-login.php. Type in wp-admin instead, and you’ll be automatically redirected to wp-login.php.

Unless you know how to change your admin username, your friendly neighborhood ~~motherf~~ hacker will also know that your username is most likely something like admin.

All the hacker has to do now is guess the password. Even if they can’t guess the password but keep trying to, this can use up your server’s resources and possibly end up taking your site down.

WP login page username admin — If hackers dance illegally around your canny logins long enough, they’ll probably generate enough hits to guess your password.

If They Can’t See It, They Can’t Crack It

Many hackers are opportunistic and look for low hanging fruit that’s ripe and easy pickings.

If you don’t want people to steal your fruit, hide your tree.

Continuing with this really poor analogy (when life gives you lemons…), your WordPress login page gives admin users access to the whole orchard, so as part of our strategy of creating ‘security through obscurity,’ let’s hide your login page URL from everyone else but the admin.

Optional Step: Install WordPress In Its Own Directory

Whether you’re dealing with a brand new WordPress installation or an existing WordPress website, whenever possible consider installing WordPress in a subdirectory. While this won’t prevent hackers from finding your WordPress login page if they deliberately choose to target your site, it will discourage many random bots and malicious users looking for easy targets to start hitting up your site and shaking your tree to see what falls out.

Having your WordPress site installed in a subdirectory, then, is a good first step toward creating ‘security through obscurity.’

As always, before you do anything else, as always, if you’re moving an existing WordPress installation, create a complete backup of your site and store it someplace where you won’t accidentally delete or modify it. (Related: How to Back Up Your Backups For Bulletproof Protection)

One more thing. When creating a subdirectory, choose a name that’s not too predictable like http://example.com/wordpress or http://example.com/wp. Instead, choose something unique that no one will ever be able to guess like http://example.com/dwiiw (an acronym for directory where I installed WordPress.)

WordPress login screen. — Tip: Install WordPress in its own directory with a hard to find subdirectory name.

Whether you choose to install WordPress in a subdirectory or not as an added security precaution is up to you.

The next step is to hide your login page URL (and optionally redirect wp-login.php visitors to another page on your site).

There are a few ways you can hide your WP login page from other users:

Use a plugin to mask your login URL (the easiest way)
Mask your WordPress login URL without a plugin (the geek way)
Modify your .htaccess file (the “I need to code everything from scratch” way)

Hide Your Site Login Page – Disclaimer

Before we get started, the strategy shared below isn’t recommended if your site requires a login page that needs to remain easy for other users to find (like a membership site).

If your site is not a membership site and login attempts are limited to a dozen or fewer admins, authors, editors, and contributors, then hiding your login page will help protect your site against malicious login attempts.

Hide wp-login.php Using a Plugin

There are a number of free WordPress plugins that will let you hide the login page URL. Some of these plugins will also let you redirect wp-login.php visitors to another page of your website. Just visit the WordPress.org plugins directory and search for “Hide WP Login” to see a list of security plugins that you can use.

For this tutorial, we’ll use WPMU DEV’s own Defender plugin.

Defender lets you hide and redirect wp-login.php, and includes many other top gun security features.

Defender WordPress security plugin — Defender protects your site from hackers and brute-force attacks.

You can download Defender for free from the WordPress plugin repository or if you’re a WPMU DEV member, go ahead and install Defender Pro from your WordPress site management hub.

Defender Pro WordPress security plugin installation screen. — Install Defender WordPress security plugin and make your WordPress login page invisible to hackers.

Note: For full installation and configuration instructions, see the Defender plugin documentation section.

After installing and activating the plugin, navigate to your main WordPress dashboard menu and go to Defender > Dashboard.

Locate the ‘Mask Login Area’ section and click on the ‘Active’ button to turn on the feature.

Activate Mask Login Area - Defender WordPress Security Plugin — Activate Defender’s ‘Mask Login Area’ to hide your WP login URL.

Click the ‘Finish Setup’ button to bring up the URL masking options screen.

Defender Mask Login Area Finish Setup screen. — Click the button and let’s activate the WordPress move login page feature.

This brings up the Advanced Tools screen.

Defender - Advanced Tools screen. — Defender ‘Advanced Tools’ screen.

In the Masking URL section, enter a new URL slug where your site users will go to log in or register on your site. Once again, I recommend choosing something that you can easily remember, but everyone else will be unable to randomly guess.

For this example, let’s use the same acronym method used earlier to come up with the directory name dwiiw and let’s name our new WordPress login URL something unique like:

http://example.com/dwiiw/gli

In this case, gli stands for get logged in, and it accomplishes the goal of being simultaneously easy to remember and hard to guess.

Make your new WordPress login URL slug difficult for hackers to guess.

Save your changes and log out of your WordPress site.

Now, try to log back in via the default login page at yourdomain.com/wp-login.php.

Masked WordPress login page URL. — Wait… what? Where’s the WordPress login box?

Normally, typing wp-admin into a web browser automatically redirects users to wp-login.php. Defender also disables this feature.

Masked WordPress wp-admin page. — Help… I’m a hacker, let me in!

Only users with access to the masked URL will now see the WordPress login page.

Your WordPress login page URL is now masked.

Tip: As an extra nice touch for your users, you may also want to customize your WordPress login page, install plugins for improved user login and registration, or let users login to WordPress using an email address. If only certain users are allowed to access your admin section, however, then you can limit access to the login page for specific users by IP addresses.

WordPress custom login page. — A customized WordPress login page. No security benefits whatsoever, but niiiice!

Optional Step: Redirect wp-login.php

Using the method shown above, anyone that tries to visit the default WordPress login page (i.e. wp-login.php) will be greeted with an error message (“This feature is disabled”).

If you want to send visitors and users (or even hackers) to a different page (e.g. your store page, contact page, FAQ section, or any other page on your site), you can redirect the default wp-login.php URL using Defender’s Redirect traffic feature.

To redirect the wp-login.php page, go to the WP dashboard menu and select Defender > Advanced Tools > Mask Login Area.

Enable 404 Redirection in the Redirect traffic section, enter the slug of the page you want to send visitors to, and click Save Changes to update your settings.

Defender Redirect Traffic URL — Ok hackers, time to see if crime really pays…

Now, anyone who tries to visit the default login URL will be redirected to the post or page you have specified.

C'mon hackers... give 'till it hurts!

Notes:

You can use any combination of a-z and 0-9 in your slug.
You can’t add full URLs (this prevents sending out your 404 errors to another domain).

Hide WordPress Login Page Without A Plugin

If you want to hide your login page without using a plugin, all you need is a text editor, access to your WordPress installation files (FTP, cPanel File Manager, etc), and then do the following:

1 – Make a backup of your wp-login.php file.

While you are at it, go ahead and make a backup of everything else too, as you’re about to mess with code and enter the danger zone!

wp-login.php file code — Back up your wp-login.php file and copy all the code to your clipboard.

Note: If you’re looking for a great plugin to backup and restore your files and WordPress site, we recommend using our very own Snapshot.

Next, open your wp-login.php file. Select and copy all the code to your clipboard.

2 – Create a new PHP login file.

Create a new file using your text editor. Call this file anything you like (e.g. ‘canny-login.php’, ‘danger-zone.php’ etc.).

Paste the code from your existing wp-login.php file into your new file and save. Alternatively, open your wp-login.php file and ‘save as’ your new filename.

wp-login.php file code renamed. — Your renamed wp-login file. Same code, edgy filename.

3 – Search and replace the ‘wp-login.php’ string in your new file code.

Search and replace every instance of ‘wp-login.php’ in the code with your new login filename.

Search and replace wp-login.php string — Search and replace all instances of ‘wp-login.php’ with your new login filename.

Resave the file with the modified code.

4 – Upload your new login file to your server.

Log into your server and upload the new login file to the root folder or directory where you have installed WordPress. Delete the original wp-login.php file from your server.

Replace wp-login.php in your server with your new login file.

5 – Test your new login URL

All that’s left to do now is test your new login page URL. Anyone visiting the default wp-login.php page will experience an error.

No canny logins for stealthy hackers here unless they know how to cruise on the highway to the danger zone.

To revert to the original login page, simply restore the wp-login.php file from your backup and delete the new file from your server.

WordPress Login URL .htaccess File Hacks

There are ways to ‘obscure’ your WordPress login details using the .htaccess file. Obscuring your WordPress login URL, however, doesn’t necessarily mean hiding it from others.

For example, let’s take a look at what happens when you add URL forwarding to your .htaccess. Remember to make a complete backup of your site before making any changes to your .htaccess file.

WordPress Login Page Obscurity With URL Redirection

You can change the location of your login page by changing the name of your WordPress login file using the mod_rewrite module in an Apache server.

To do this, add the line below to your .htaccess file (note: replace ‘newloginpage’ with any alias and change the example.com URL to your domain):

RewriteRule ^newloginpage$ http://www.example.com/wp-login.php [NC,L]

In this example, we’ll add an alias called ‘dancekevindance’ and reupload the .htaccess file to our server:

URL forwarding htaccess file — Let’s rewrite the rules and see if we can hide our canny logins.

Now, go back to the site and enter the new URL.

URL forwarding doesn't hide the WP login URL, it just dances around the issue.

As you can see, the above method doesn’t hide the default WordPress login URL, it merely creates an alias that lets users log into their WordPress dashboard using a web address that is easier for them to remember than https://yourexample.com/wp-login.php.

Hide Your WordPress Login Page With Code

Ideally, we recommend just sticking to using a plugin if you want to change your WordPress login URL, hide the wp-admin wp-login.php pages, or redirect users away from the default login page. Messing with code can cause compatibility issues, slow down your site, and create other problems.

If you want to look at other options that involve code, however, then check out this post we’ve written about hiding your WordPress login page from hackers with code.

Don’t Let Them Gonna Take You Right Into The Danger Zone

WordPress is a magnet for hackers and malicious bots, so it’s important to understand WordPress security best practices and implement multiple WordPress security strategies to protect your site from hackers and brute-force attacks. This includes security through obscurity.

When used as part of a more comprehensive security strategy, obscurity can be helpful. As we’ve just seen, however, simply hiding the WordPress login page is not enough to guarantee that you will see zero malicious login attempts.

Unless you actually change the WordPress login URL of your site and redirect unwanted visitors away from pages like wp-login.php and wp-admin, hackers and bots will still be able to find your login page and attempt to guess your login details.

Messing with code can cause compatibility issues, slow down your site, and create other problems. Using a plugin like Defender is the easiest way to hide your WordPress login page from hackers and make it all but invisible to the vast majority of low-flying malicious login attempts.

To protect your site against the worst of the worst, you need help from the best of the best. If you’re not a member of WPMU DEV yet, join our elite group of top gun WordPress developers and website owners with our no-risk free 30-day trial and get access to all the security tools, protection features, and support your site needs to fly high and free out of the danger zone.

Martin Aranovitch Martin believes that we can all live sustainably in a WordPress-centric digital universe and spends most of his time taking copious notes and creating epic tutorials to prove his theory. Before joining WPMU DEV, Martin authored many WordPress guides and courses for beginners.

Have you hidden your WordPress login URL or do you use the standard wp-login.php login URL? Are bots hitting your site? If you've hidden your login URL, did you notice a quantifiable drop-off in malicious login attempts after making the change? Share your thoughts and suggestions in the comments below.