Martin Aranovitch – November 5, 2019

How to Easily Hide Your WordPress Login Page From Hackers

Change your WordPress login URL and hide your wp-admin to outsmart hackers and prevent brute-force attacks… it’s easier to make your site harder to crack than you think!

Let’s not kid ourselves. Even script kiddies know that all they have to do to make a WordPress site owner’s life miserable is to find the WordPress login page and guess the username and password.

Guessing passwords, by the way, is not hard to do, especially if you use the same passwords for most of your logins and share your whole life on social media.

WordPress is the most popular CMS platform in the world and this makes it an irresistible magnet for hackers and malicious login attempts. Even the best of the best can be brought down by a stealthy maverick with access to brute-force tools that will automatically try to guess your username and password by hitting your WordPress login page over and over and over again.

The Best Way To Fight Against Brute-Force Attacks… Hide!

Brute force attempts to log into WordPress are so common, there’s even a page in the Codex dedicated to the topic.

But… why give hackers and malicious bots the opportunity to even try and guess your login details? Just hide your WordPress login page and most bots and automated software won’t even know that your site exists.

In this article, you will learn how to implement one of the simplest and easiest strategies to protect your site from hackers and malicious bots: change your WordPress login URL, hide your wp-admin and wp-login page and redirect unwanted visitors away from your login page.

WordPress hide login page
Leave it open a crack and hackers will hack. Hide the WordPress login page… no malicious attack!

Why Change The WordPress Login URL?

I have a standard WordPress site that I installed a few years ago. To get to the login page all you have to do is go to /wp-admin or /wp-login.php.

This site doesn’t see a ton of traffic. In a typical month, it generates about 5,000 pageviews. However, the site’s login page sees malicious login attempts on a startlingly regular basis. I have the Defender plugin activated on this site, and it tracks the number of blocked malicious login attempts. Since I started tracking them, I can see that my site handles hundreds of malicious login attempts each month, averaging about 24 per day, or one malicious login attempt every 60 minutes.

Login attempts don’t happen at a regular pace of one per hour. Weeks can go by without a single malicious login attempt being logged. Then, suddenly, a few hundred or even a couple of thousand login attempts will be logged in a short period of time.

Most WordPress sites set up as standard installations periodically experience brute force attacks attempting to log into the WordPress dashboard. Yours probably does too, whether you know it or not.

Defender IP Lockout logs.
Brute-force attack bots are constantly looking to break into your WordPress site, whether you know it or not.
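
The burst pattern described above can be checked against your own web server access log. The script below is an added example, not code from this article or from Defender; it assumes the Apache/Nginx "combined" log format, and the function names, threshold and sample log lines are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the article. Assumes "combined" access log format.

# login_bursts LOGFILE MIN
# Prints "ip day:hour count" for every client that sent at least MIN POST
# requests to wp-login.php within one clock hour.
login_bursts() {
    awk -v min="$2" '
        # $6 is the quoted method, $7 the request path.
        # The path test is unanchored so subdirectory installs match too.
        $6 == "\"POST" && $7 ~ /\/wp-login\.php(\?|$)/ {
            hour = substr($4, 2, 14)   # [05/Nov/2019:03:14:07 -> 05/Nov/2019:03
            hits[$1 " " hour]++
        }
        END {
            for (k in hits)
                if (hits[k] >= min) print k, hits[k]
        }
    ' "$1" | sort
}

# Constructed sample log lines (documentation IP ranges, not real traffic).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [05/Nov/2019:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Nov/2019:03:14:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Nov/2019:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Nov/2019:03:14:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.23 - - [05/Nov/2019:03:20:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Nov/2019:03:15:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Nov/2019:11:02:10 +0000] "POST /dwiiw/wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Nov/2019:11:02:12 +0000] "POST /dwiiw/wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Nov/2019:11:02:13 +0000] "POST /dwiiw/wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.23 - - [05/Nov/2019:11:30:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Demo run on the constructed sample, threshold of 3 attempts per hour.
log=$(mktemp) && sample_log > "$log" && login_bursts "$log" 3
rm -f "$log"
```

Once the login URL has been masked, legitimate users no longer post to wp-login.php, so anything this still reports comes from clients that do not know the new address.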

WordPress Security Through Obscurity

You may think that using canny logins will keep your site safe.

Hackers can easily tell if a site is powered by WordPress or not (often just by looking at the page source).

Google Chrome browser - View page source option
Hackers can easily tell if your site runs on WordPress, work out your canny logins, and deliver you even greater hits.

Once a hacker knows that your site runs on WordPress, they also know how to find your WordPress login URL (spoiler alert: the default WordPress login URL is found by entering your domain name, followed by /wp-login.php).

Default WordPress behavior loads the login page when you access wp-login.php. Type in wp-admin instead, and you’ll be automatically redirected to wp-login.php.

Unless you know how to change your admin username, your friendly neighborhood hacker will also know that your username is most likely something like admin.

All the hacker has to do now is guess the password. Even if they can’t guess the password but keep trying to, this can use up your server’s resources and possibly end up taking your site down.

WP login page username admin
If hackers dance illegally around your canny logins long enough, they’ll probably generate enough hits to guess your password.

If They Can’t See It, They Can’t Crack It

Many hackers are opportunistic and look for low hanging fruit that’s ripe and easy pickings.

If you don’t want people to steal your fruit, hide your tree.

Continuing with this really poor analogy (when life gives you lemons…), your WordPress login page gives admin users access to the whole orchard, so as part of our strategy of creating ‘security through obscurity,’ let’s hide your login page URL from everyone else but the admin.

Optional Step: Install WordPress In Its Own Directory

Whether you’re dealing with a brand new WordPress installation or an existing WordPress website, whenever possible consider installing WordPress in a subdirectory. While this won’t prevent hackers from finding your WordPress login page if they deliberately choose to target your site, it will discourage many random bots and malicious users looking for easy targets from hitting up your site and shaking your tree to see what falls out.

Having your WordPress site installed in a subdirectory, then, is a good first step toward creating ‘security through obscurity.’

As always, before you do anything else, if you’re moving an existing WordPress installation, create a complete backup of your site and store it someplace where you won’t accidentally delete or modify it. (Related: How to Back Up Your Backups For Bulletproof Protection)

One more thing. When creating a subdirectory, choose a name that’s not too predictable like http://example.com/wordpress or http://example.com/wp. Instead, choose something unique that no one will ever be able to guess like http://example.com/dwiiw (an acronym for directory where I installed WordPress.)

WordPress login screen.
Tip: Install WordPress in its own directory with a hard to find subdirectory name.

Whether you choose to install WordPress in a subdirectory or not as an added security precaution is up to you.

The next step is to hide your login page URL (and optionally redirect wp-login.php visitors to another page on your site).

There are a few ways you can hide your WP login page from other users:

  • Use a plugin to mask your login URL (the easiest way)
  • Mask your WordPress login URL without a plugin (the geek way)
  • Modify your .htaccess file (the “I need to code everything from scratch” way)

Hide Your Site Login Page – Disclaimer

Before we get started, the strategy shared below isn’t recommended if your site requires a login page that needs to remain easy for other users to find (like a membership site).

If your site is not a membership site and login attempts are limited to a dozen or fewer admins, authors, editors, and contributors, then hiding your login page will help protect your site against malicious login attempts.

Hide wp-login.php Using a Plugin

There are a number of free WordPress plugins that will let you hide the login page URL. Some of these plugins will also let you redirect wp-login.php visitors to another page of your website. Just visit the WordPress.org plugins directory and search for “Hide WP Login” to see a list of security plugins that you can use.

For this tutorial, we’ll use WPMU DEV’s own Defender plugin.

Defender lets you hide and redirect wp-login.php, and includes many other top gun security features.

Defender WordPress security plugin
Defender protects your site from hackers and brute-force attacks.

You can download Defender for free from the WordPress plugin repository or if you’re a WPMU DEV member, go ahead and install Defender Pro from your WordPress site management hub.

Defender Pro WordPress security plugin installation screen.
Install Defender WordPress security plugin and make your WordPress login page invisible to hackers.

Note: For full installation and configuration instructions, see the Defender plugin documentation section.

After installing and activating the plugin, navigate to your main WordPress dashboard menu and go to Defender > Dashboard.

Locate the ‘Mask Login Area’ section and click on the ‘Active’ button to turn on the feature.

Activate Mask Login Area - Defender WordPress Security Plugin
Activate Defender’s ‘Mask Login Area’ to hide your WP login URL.

Click the ‘Finish Setup’ button to bring up the URL masking options screen.

Defender Mask Login Area Finish Setup screen.
Click the button and let’s activate the WordPress move login page feature.

This brings up the Advanced Tools screen.

Defender - Advanced Tools screen.
Defender ‘Advanced Tools’ screen.

In the Masking URL section, enter a new URL slug where your site users will go to log in or register on your site. Once again, I recommend choosing something that you can easily remember, but everyone else will be unable to randomly guess.

For this example, let’s use the same acronym method used earlier to come up with the directory name dwiiw and let’s name our new WordPress login URL something unique like:

http://example.com/dwiiw/gli

In this case, gli stands for get logged in, and it accomplishes the goal of being simultaneously easy to remember and hard to guess.

Make your new WordPress login URL slug difficult for hackers to guess.

Save your changes and log out of your WordPress site.

Now, try to log back in via the default login page at yourdomain.com/wp-login.php.

Masked WordPress login page URL.
Wait… what? Where’s the WordPress login box?

Normally, typing wp-admin into a web browser automatically redirects users to wp-login.php. Defender also disables this feature.

Masked WordPress wp-admin page.
Help… I’m a hacker, let me in!

Only users with access to the masked URL will now see the WordPress login page.

Your WordPress login page URL is now masked.

Tip: As an extra nice touch for your users, you may also want to customize your WordPress login page, install plugins for improved user login and registration, or let users log in to WordPress using an email address. If only certain users are allowed to access your admin section, however, then you can limit access to the login page for specific users by IP addresses.

WordPress custom login page.
A customized WordPress login page. No security benefits whatsoever, but niiiice!

Optional Step: Redirect wp-login.php

Using the method shown above, anyone that tries to visit the default WordPress login page (i.e. wp-login.php) will be greeted with an error message (“This feature is disabled”).

If you want to send visitors and users (or even hackers) to a different page (e.g. your store page, contact page, FAQ section, or any other page on your site), you can redirect the default wp-login.php URL using Defender’s Redirect traffic feature.

To redirect the wp-login.php page, go to the WP dashboard menu and select Defender > Advanced Tools > Mask Login Area.

Enable 404 Redirection in the Redirect traffic section, enter the slug of the page you want to send visitors to, and click Save Changes to update your settings.

Defender Redirect Traffic URL
Ok hackers, time to see if crime really pays…

Now, anyone who tries to visit the default login URL will be redirected to the post or page you have specified.

C'mon hackers... give 'till it hurts!

Notes:

  • You can use any combination of a-z and 0-9 in your slug.
  • You can’t add full URLs (this prevents sending out your 404 errors to another domain).

Hide WordPress Login Page Without A Plugin

If you want to hide your login page without using a plugin, all you need is a text editor and access to your WordPress installation files (FTP, cPanel File Manager, etc.). Then do the following:

1 – Make a backup of your wp-login.php file.

While you are at it, go ahead and make a backup of everything else too, as you’re about to mess with code and enter the danger zone!

wp-login.php file code
Back up your wp-login.php file and copy all the code to your clipboard.

Note: If you’re looking for a great plugin to backup and restore your files and WordPress site, we recommend using our very own Snapshot.

Next, open your wp-login.php file. Select and copy all the code to your clipboard.

2 – Create a new PHP login file. 

Create a new file using your text editor. Call this file anything you like (e.g. ‘canny-login.php’, ‘danger-zone.php’ etc.).

Paste the code from your existing wp-login.php file into your new file and save. Alternatively, open your wp-login.php file and ‘save as’ your new filename.

wp-login.php file code renamed.
Your renamed wp-login file. Same code, edgy filename.

3 – Search and replace the ‘wp-login.php’ string in your new file code.

Search and replace every instance of ‘wp-login.php’ in the code with your new login filename.

Search and replace wp-login.php string
Search and replace all instances of ‘wp-login.php’ with your new login filename.

Resave the file with the modified code.

4 – Upload your new login file to your server.

Log into your server and upload the new login file to the root folder or directory where you have installed WordPress. Delete the original wp-login.php file from your server.

Replace wp-login.php in your server with your new login file.

5 – Update the default login and logout URLs.

The last step is to hook into the login_url and logout_url filters to update our file.

Add the following code to your theme’s functions.php (preferably in your child theme):

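// Point the login and logout links that WordPress generates at the renamed file.
// 'danger-zone' must match the name of the file created in step 2 (without .php).
add_filter( 'logout_url', 'custom_logout_url' );
function custom_logout_url( $default )
{
    return str_replace( 'wp-login', 'danger-zone', $default );
}

add_filter( 'login_url', 'custom_login_url' );
function custom_login_url( $default )
{
    return str_replace( 'wp-login', 'danger-zone', $default );
}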

6 – Test your new login URL

Test your new login page URL. Anyone visiting the default wp-login.php page will experience an error.

No canny logins for stealthy hackers here unless they know how to cruise on the highway to the danger zone.

To revert to the original login page, simply restore the wp-login.php file from your backup and delete the new file from your server.
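
Steps 1 to 4 can also be carried out from a shell on the server. The script below is an added example, not code from this article or from WordPress: the function names, the separate backup directory argument and the sample file are assumptions made for the illustration. Because a WordPress core update writes its core files again, wp-login.php included, default_login_restored lets you check whether the default file has come back.

```shell
#!/bin/sh
# Added example, not code from the article. Paths and names come from the caller.

# rename_login_file WP_DIR NEW_NAME BACKUP_DIR
#   WP_DIR      directory that contains wp-login.php
#   NEW_NAME    new login file name, e.g. danger-zone.php
#   BACKUP_DIR  existing directory outside the web root for the backup
rename_login_file() {
    wp_dir=$1; new_name=$2; backup_dir=$3
    src="$wp_dir/wp-login.php"
    dst="$wp_dir/$new_name"

    # Accept only lowercase letters, digits and hyphens followed by ".php",
    # so the name is safe to use in the sed replacement below.
    base=${new_name%.php}
    case $base in
        "$new_name"|''|*[!a-z0-9-]*)
            echo "invalid file name: $new_name" >&2; return 1 ;;
    esac
    if [ ! -f "$src" ]; then echo "no wp-login.php in $wp_dir" >&2; return 1; fi
    if [ ! -d "$backup_dir" ]; then echo "no backup directory" >&2; return 1; fi
    if [ -e "$dst" ]; then echo "$dst already exists" >&2; return 1; fi

    # Step 1: back up the original.
    cp -p "$src" "$backup_dir/wp-login.php.orig" || return 1

    # Steps 2 and 3: write the copy under the new name, replacing every reference.
    sed "s/wp-login\.php/$new_name/g" "$src" > "$dst" || return 1

    # Confirm that no reference to the old name is left in the new file.
    if grep -q 'wp-login\.php' "$dst"; then
        echo "old file name still referenced in $dst" >&2
        rm -f "$dst"; return 1
    fi

    # Step 4: remove the original.
    rm "$src"
}

# default_login_restored WP_DIR
# Returns 0 if a wp-login.php is present in WP_DIR again (e.g. after an update).
default_login_restored() {
    [ -f "$1/wp-login.php" ]
}

# Builds a throwaway directory with a constructed stand-in for wp-login.php.
make_sample_site() {
    d=$(mktemp -d) || return 1
    mkdir "$d/site" "$d/backup"
    cat > "$d/site/wp-login.php" <<'EOF'
<?php
// constructed sample, not the real WordPress file
$action_url = site_url( 'wp-login.php', 'login_post' );
$lost_url   = site_url( 'wp-login.php?action=lostpassword', 'login' );
EOF
    echo "$d"
}

# Demo run on the constructed sample.
site=$(make_sample_site)
rename_login_file "$site/site" danger-zone.php "$site/backup" && ls "$site/site"
rm -rf "$site"
```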

WordPress Login URL .htaccess File Hacks

There are ways to ‘obscure’ your WordPress login details using the .htaccess file. Obscuring your WordPress login URL, however, doesn’t necessarily mean hiding it from others.

For example, let’s take a look at what happens when you add URL forwarding to your .htaccess. Remember to make a complete backup of your site before making any changes to your .htaccess file.

WordPress Login Page Obscurity With URL Redirection

You can change the location of your login page by changing the name of your WordPress login file using the mod_rewrite module in an Apache server.

To do this, add the line below to your .htaccess file (note: replace ‘newloginpage’ with any alias and change the example.com URL to your domain):

RewriteRule ^newloginpage$ http://www.example.com/wp-login.php [NC,L]

In this example, we’ll add an alias called ‘dancekevindance’ and reupload the .htaccess file to our server:

URL forwarding htaccess file
Let’s rewrite the rules and see if we can hide our canny logins.

Now, go back to the site and enter the new URL.

URL forwarding doesn't hide the WP login URL, it just dances around the issue.

As you can see, the above method doesn’t hide the default WordPress login URL, it merely creates an alias that lets users log into their WordPress dashboard using a web address that is easier for them to remember than https://yourexample.com/wp-login.php.

Hide Your WordPress Login Page With Code

Ideally, we recommend just sticking to using a plugin if you want to change your WordPress login URL, hide the wp-admin and wp-login.php pages, or redirect users away from the default login page. Messing with code can cause compatibility issues, slow down your site, and create other problems.

If you want to look at other options that involve code, however, then check out this post we’ve written about hiding your WordPress login page from hackers with code.

Don’t Let Them Gonna Take You Right Into The Danger Zone

WordPress is a magnet for hackers and malicious bots, so it’s important to understand WordPress security best practices and implement multiple WordPress security strategies to protect your site from hackers and brute-force attacks. This includes security through obscurity.

When used as part of a more comprehensive security strategy, obscurity can be helpful. As we’ve just seen, however, simply hiding the WordPress login page is not enough to guarantee that you will see zero malicious login attempts.

Unless you actually change the WordPress login URL of your site and redirect unwanted visitors away from pages like wp-login.php and wp-admin, hackers and bots will still be able to find your login page and attempt to guess your login details.

Messing with code can cause compatibility issues, slow down your site, and create other problems. Using a plugin like Defender is the easiest way to hide your WordPress login page from hackers and make it all but invisible to the vast majority of low-flying malicious login attempts.

To protect your site against the worst of the worst, you need help from the best of the best. If you’re not a member of WPMU DEV yet, join our elite group of top gun WordPress developers and website owners with our no-risk free 7-day trial and get access to all the security tools, protection features, and support your site needs to fly high and free out of the danger zone.

Martin Aranovitch is a WordPress trainer and educator who believes that most of life's problems can be solved using plugins. He also provides web developers with detailed white label WordPress client training tutorials at WPTrainingManual.com.
Have you hidden your WordPress login URL or do you use the standard wp-login.php login URL? Are bots hitting your site? If you've hidden your login URL, did you notice a quantifiable drop-off in malicious login attempts after making the change? Share your thoughts and suggestions in the comments below.
