The WordPress login page is like a key that gives admin users access to the dashboard, so as part of our strategy of creating ‘security through obscurity,’ let’s hide your login page URL from everyone but the admin.
Whether you’re dealing with a brand new WordPress installation or an existing WordPress website, whenever possible consider installing WordPress in a subdirectory. While this won’t prevent hackers from finding your WordPress login page if they deliberately choose to target your site, it will discourage many random bots and malicious users looking for easy targets to start hitting up your site and shaking your tree to see what falls out.
Having your WordPress site installed in a subdirectory, then, is a good first step toward creating ‘security through obscurity.’
As always, before you do anything else, if you’re moving an existing WordPress installation, create a complete backup of your site and store it someplace where you won’t accidentally delete or modify it.
Whether you choose to install WordPress in a subdirectory or not as an added security precaution is up to you.
The next step is to hide your login page URL and optionally redirect wp-login.php visitors to another page on your site.
There are a few ways you can hide your WP login page from other users:
Use a plugin to mask your login URL (easiest way).
Mask your WordPress login URL without a plugin.
Modify your .htaccess file.
Before we get started, the strategy shared below isn’t recommended if your site requires a login page that needs to remain easy for other users to find (like a membership site).
If your site is not a membership site and login attempts are limited to a dozen or fewer admins, authors, editors, and contributors, then hiding your login page will help protect your site against malicious login attempts.
There are a number of free WordPress plugins that will let you hide the login page URL. Some of these plugins will also let you redirect wp-login.php visitors to another page of your website. Just visit the WordPress.org plugins directory and search for “Hide WP Login” to see a list of security plugins that you can use.
If you want to hide your login page without using a plugin, all you need is a text editor and access to your WordPress installation files (FTP, cPanel File Manager, etc.). Then do the following:
1. Make a backup of your wp-login.php file.
While you are at it, go ahead and make a backup of everything else too, as you’re about to mess with code and enter the danger zone!
2. Create a new PHP login file.
Create a new file using your text editor. Call this file anything you like (e.g. ‘canny-login.php’, ‘danger-zone.php’ etc.).
Paste the code from your existing wp-login.php file into your new file and save. Alternatively, open your wp-login.php file and ‘save as’ your new filename.
3. Search and replace the ‘wp-login.php’ string in your new file code.
Search and replace every instance of ‘wp-login.php’ in the code with your new login filename.
Resave the file with the modified code.
4. Upload your new login file to your server.
Log into your server and upload the new login file to the root folder or directory where you have installed WordPress. Delete the original wp-login.php file from your server.
5. Test your new login URL.
All that’s left to do now is test your new login page URL. Anyone visiting the default wp-login.php page will experience an error.
To revert to the original login page, simply restore the wp-login.php file from your backup and delete the new file from your server.
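Steps 1 to 4 above can be scripted so that the backup and the search-and-replace are verified before the default file is deleted. This is an added example, not code from the original article; the function name `rename_wp_login` and the separate backup directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): steps 1-4 above as one
# function, plus the checks that are easy to skip when doing it by hand.
# Usage: rename_wp_login WP_DIR NEW_NAME.php BACKUP_DIR
# Prints the number of lines that referenced wp-login.php.
rename_wp_login() {
    wp_dir=$1; new_name=$2; backup_dir=$3
    src="$wp_dir/wp-login.php"
    dst="$wp_dir/$new_name"

    # Plain *.php filename only: no path parts, nothing sed could misread,
    # and not a name that still contains the default one.
    case "$new_name" in
        *[!A-Za-z0-9._-]*|*wp-login.php*|.*)
            echo "rejected name: $new_name" >&2; return 2 ;;
        *.php) ;;
        *)  echo "rejected name: $new_name" >&2; return 2 ;;
    esac
    [ -f "$src" ] || { echo "no wp-login.php in $wp_dir" >&2; return 3; }
    [ -d "$backup_dir" ] || { echo "no backup dir $backup_dir" >&2; return 3; }
    [ ! -e "$dst" ] || { echo "$dst already exists" >&2; return 4; }

    # Step 1: back up outside the web root and confirm the copy is identical.
    cp -p "$src" "$backup_dir/wp-login.php" || return 5
    cmp -s "$src" "$backup_dir/wp-login.php" || return 5

    # Steps 2-3: copy the file, replacing every literal 'wp-login.php'.
    count=$(grep -c 'wp-login\.php' "$src" || true)
    sed "s/wp-login\.php/$new_name/g" "$src" > "$dst" || return 6

    # Refuse to continue if any reference to the old name survived.
    if grep -q 'wp-login\.php' "$dst"; then
        rm -f "$dst"; echo "replacement incomplete" >&2; return 6
    fi

    # Step 4: remove the default file only after everything above passed.
    rm -f "$src" || return 7
    echo "$count"
}
```

Step 5, loading the new URL in a browser, still has to be done by hand. A WordPress core update writes a fresh wp-login.php back into place, so check for the default file again after every update.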
There are ways to ‘obscure’ your WordPress login details using the .htaccess file. Obscuring your WordPress login URL, however, doesn’t necessarily mean hiding it from others.
For example, let’s take a look at what happens when you add URL forwarding to your .htaccess. Remember to make a complete backup of your site before making any changes to your .htaccess file.
You can change the location of your login page by changing the name of your WordPress login file using the mod_rewrite module in an Apache server.
To do this, add the line below to your .htaccess file (note: replace ‘newloginpage’ with any alias and change the example.com URL to your domain):
RewriteRule ^newloginpage$ http://www.example.com/wp-login.php [NC,L]
In this example, we’ll add an alias and reupload the .htaccess file to your server.
As you can see, the above method doesn’t hide the default WordPress login URL, it merely creates an alias that lets users log into their WordPress dashboard using a web address that is easier for them to remember than
Ideally, we recommend just sticking to using a plugin if you want to change your WordPress login URL, hide the wp-admin and wp-login.php pages, or redirect users away from the default login page. Messing with code can cause compatibility issues, slow down your site, and create other problems.
If you want to look at other options that involve code, however, then check out this post we’ve written about hiding your WordPress login page from hackers with code.