By default, the WordPress login URL will be example.com/wp-admin. But at times, you may want to change this because of uncontrollable hack attempts or numerous bots trying to guess your password by constantly trying different credentials. So, once you decide to change the WordPress login page, most of these problems could be resolved by returning a 404 error on the default WordPress backend login URL. If they cannot access the page, it will be hard to guess the current login page, so they cannot try to hack your website or guess your passwords by brute force attacks.
Change WordPress Login Page with Plugin
So, we are going to change the default login URL of your website to something that you want it to be using a plugin called WP Hide Login which is a free plugin available in the WordPress plugin repository.
- Install the plugin on your WordPress website.
- Go to Settings > General from the left sidebar.
- Scroll down to the bottom.
- In the WPS Hide Login section, input the new details.
- Save the changes.
That’s it, you can set the redirect URL to 404 page on your website so anyone who tries to access the login page from the default address will be redirected to a 404 page. If you want them to see some other pages on your website, you can also do that.
The plugin is known to cause some issues in rare cases coupled with some specific plugins. If you cannot access your WordPress backend either from the wp-admin page blocked by the plugin or from the new address you just typed in, you might want to disable the plugin manually to get the website working again. But this is extremely rare. If it ever happens, just disable the plugin and diagnose the issue further.
Change the WordPress Login URL manually
You can also change the WordPress login URL without a plugin. Follow these steps –
In this example, we are changing the login URL from “wp-login.php” to “wp-new-login.php”. You can use any URL you prefer.
Step 1: Download wp-login.php found in the WordPress root directory using an FTP software to your local machine.
Step 2: Change its file name to wp-new-login.php (only on the local machine).
Step 3: Open the file in a code editor (which makes it easier) or a normal text editor.
Step 4: Open the find and replace feature, search and replace all the instances of “wp-login” with “wp-new-login“.
Step 5: Save the file.
Step 6: Upload the wp-new-login.php file to the root directory of your WordPress installation.
Step 7: Delete the wp-login.php to remove the default login URL (you may also take a backup of the file).
Step 8: Add the following code to your functions.php. The “login_url” hook is a great way to customize the WordPress login page.
add_filter( 'login_url', 'custom_login_url', PHP_INT_MAX );
function custom_login_url( $login_url ) {
$login_url = site_url( 'wp-new-login.php', 'login' );
return $login_url;
}
That’s it. Try visiting “yourwebsite.com/wp-new-login.php“. You will see a login page just like before but with a different URL. The old URL will be inaccessible.
When should you change the WordPress login URL?
Whenever you think that you are under attack, usually reported by the security plugins such as Wordfence. Or when you think that you should protect your website without exposing the login page to hackers or bots that might cause issues in the future.
In these scenarios, you can change your WordPress login URL to something that is less obvious. This will help you to not even give a chance for the hackers to get access to your website. They won’t even be able to input the username and password without a page that has those fields. So the WordPress login URL change is a pretty easy and dope way to block such attempts and secure your website from WordPress vulnerabilities.
But this doesn’t mean that you should do it all the time and on all of your websites. As the latest WordPress security patches are extremely capable of blocking such brute force attacks with the help of the functions included in plugins like Jetpack that most WordPress installations have.
You shouldn’t be worrying about losing access to your website as long as you chose a pretty strong, less-obvious password for your WordPress backend access. If the password is very weak or similar to the username you have put, make sure to change it right now and note it down somewhere safe.