WordPress is a popular target because it is used by tens of millions of sites. It’s no secret that the default login page lives at wp-login.php, and that wp-admin sends you there when you are not logged in. This article shows you how to manually obscure your site’s login page without a plugin.
A brute force attack is a method attackers use to gain access to your website by guessing login passwords, and automated tools aim it at wp-login.php because that path is the same on every WordPress site. One way to cut down on those attempts is to move your login page to a path the tools do not know, especially if your site runs on WordPress.
There is also a compelling performance argument. Every guess is an HTTP request that boots WordPress, so a zombie bot army hell-bent on getting into your website can run your server out of memory. This can slow your site down considerably, and make your visitors angry.
Before you start, back up your files. Never trust a directory you can’t wipe out, and never trust a computer you can’t chuck out the window. So let’s do this!
Manually Create a New PHP Login File
By default, the wp-login.php file contains all the code that generates the login page, and handles the login sequence. We can use the code from wp-login.php in our new file.
This is a crude, yet effective way to change the name of your wp-login.php file. This will in turn change your login URL. All you need is access to your site’s files, and a text editor. I am using a free text editor called Notepad++ for this example.
There are only 5 things we need to do:
- Create a new file.
- Copy the code from your wp-login.php, then paste it into your new file.
- Replace each instance of wp-login.php with the new file name. Find and replace is your friend.
- Delete the wp-login.php file.
- Log in through your new URL.
1. Create a New File
Create a new file from the text editor and save it into your root folder. Name this file whatever you want your login URL to be. In this case I named it new-login.php.
2. Copy and Paste the Code
Next open up the wp-login.php file, select all the code, and copy it into your new file. Make sure to save it.
3. Find and Replace the String “wp-login.php”
Now find every instance of “wp-login.php” in the file and replace it with your new file name. Notepad++ has a Find and Replace function that hunts down every instance of “wp-login.php” and replaces it in one pass. Bear in mind that this only fixes the links the login page builds about itself; the login and logout links the rest of WordPress builds with wp_login_url() and wp_logout_url() live in wp-includes and still point at wp-login.php.
4. Delete the wp-login.php File
Now you can delete wp-login.php. Don’t worry, you still have your backup in case something goes horribly wrong. Keep in mind that a WordPress core update can put wp-login.php back, so repeat this step after each update.
5. Test Out Your New Login URL
Now you should be able to log in by navigating to your new URL. In my case, it’s localhost/test/wordpress/new-login.php. Requests for /wp-login.php now return a 404 not-found page. /wp-admin redirects logged-out visitors to the login URL that core builds with wp_login_url(), which is still wp-login.php, so they land on the same 404. The dashboard’s Log Out link (wp-login.php?action=logout) is built the same way in wp-includes rather than in the file you copied, so it 404s too; clearing the site’s cookies in your browser still logs you out.
Obscure Login Page With URL Forwarding
You can use URL rewriting (often lumped together with URL forwarding or redirection) to obscure your login page without a plugin. On an Apache server, the mod_rewrite module manipulates URLs. This can get tricky, but it enables a wide range of tasks, such as creating an alias for the wp-login.php page.
This method is less about security, and more about the way the URL appears in the address bar. Add the following to your .htaccess file, above the # BEGIN WordPress block (otherwise WordPress’s catch-all rule sends /mynewlogin to index.php and you get a 404), to create an alias for your login URL. Adjust RewriteBase if WordPress lives in a subdirectory:
RewriteEngine On
RewriteBase /
RewriteRule ^mynewlogin$ wp-login.php [NC,L]
You can now reach the login form from http://www.yoursite.com/mynewlogin. Because this is an internal rewrite rather than a redirect, the browser keeps /mynewlogin in the address bar until the form is submitted; the form’s action, like every other login link core builds, still points at wp-login.php. Keep in mind that this will not keep people from accessing the wp-login.php page directly. It simply lets people log in from a different URL as well.
Why You Should Use a Plugin to Obscure Your Site’s Login Page
When should you use a plugin to obscure your site’s login page? Almost always. There are some darn good reasons why you are better off just using a plugin to obscure your login URL. Manually creating a new login file means working from a copy of a core file, and best practice is to NOT hack the core: the next core update can restore wp-login.php and quietly undo your change.
You may also run into compatibility issues. Core itself builds login and logout links with wp_login_url() and wp_logout_url() in wp-includes, and plugins often hard-code wp-login.php too, so links, redirects and logout can break in unpredictable ways. Even if it is fun, messing around too much with the core can seriously foul things up. Besides, there are lots of trustworthy plugins that can get the job done for you, for free.
As far as using .htaccess, there is a dizzying array of ways you can use it to obscure your login, and that flexibility comes at the price of complexity. Misconfigured rewrite rules (ones that loop, or that run on every request) add work to each hit and can slow your site down. Redirects can also break the AJAX calls WordPress makes heavy use of.
The best way to change your login page is with PHP, through WordPress’s own hooks, and in WordPress that means a plugin. There are some very well-written plugins you can get for free, or you can write your own.
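To show what “write your own” looks like, and why the hook-based approach avoids the broken logout and /wp-admin links of the copy-and-rename method above, here is an added example of a must-use plugin. It is not the article’s own code and not WPS Hide Login’s; the slug new-login, the file name example-login-slug.php and the function name example_login_request_path() are assumptions for the example, and it only uses WordPress hooks and functions that exist in current core (site_url, network_site_url, init, wp_loaded, wp_die, wp_doing_ajax).

```php
<?php
/**
 * Plugin Name: Example Login Slug
 * Description: Added example for this article, not the article's own code and
 *   not WPS Hide Login's. Serves the login form at /new-login and answers
 *   direct requests for wp-login.php and the logged-out /wp-admin with a 404.
 *   Save as wp-content/mu-plugins/example-login-slug.php (mu-plugins load
 *   before ordinary plugins, so no activation step and no settings screen).
 */

// Assumption: the hidden slug is "new-login"; pick something that is not guessable.
const EXAMPLE_LOGIN_SLUG = 'new-login';

/**
 * Path of the current request relative to the WordPress root, without the
 * installation subdirectory or query string: "new-login", "wp-login.php", ...
 */
function example_login_request_path() {
	$uri  = (string) parse_url( $_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH );
	$base = rtrim( (string) parse_url( site_url(), PHP_URL_PATH ), '/' );
	if ( $base !== '' && strpos( $uri, $base ) === 0 ) {
		$uri = substr( $uri, strlen( $base ) );
	}
	return trim( $uri, '/' );
}

/*
 * 1. Rewrite the links. wp_login_url(), wp_logout_url(), wp_lostpassword_url(),
 *    wp_registration_url(), auth_redirect() and the login form's own action all
 *    build their URL through site_url() or network_site_url(), so filtering those
 *    two keeps "wp-login.php" out of every link core emits. This is exactly what a
 *    find-and-replace inside wp-login.php cannot reach: the helpers live in wp-includes.
 */
$example_login_rewrite = function ( $url, $path ) {
	if ( is_string( $path ) && strpos( $path, 'wp-login.php' ) !== false ) {
		return str_replace( 'wp-login.php', EXAMPLE_LOGIN_SLUG, $url );
	}
	return $url;
};
add_filter( 'site_url', $example_login_rewrite, 10, 2 );
add_filter( 'network_site_url', $example_login_rewrite, 10, 2 );

/*
 * 2. Hide the real entry points. wp-login.php bootstraps WordPress (and so fires
 *    "init") before running any of its own code, so dying here means the form never
 *    renders. wp-register.php, where still shipped, only redirects to the
 *    registration URL, which would otherwise leak the slug. Logged-in users are let
 *    through so an old bookmark does not lock an administrator out mid-session.
 */
add_action( 'init', function () {
	$hidden = array( 'wp-login.php', 'wp-register.php' );
	if ( in_array( example_login_request_path(), $hidden, true ) && ! is_user_logged_in() ) {
		wp_die( 'Not Found', 'Not Found', array( 'response' => 404 ) );
	}
}, 1 );

/*
 * 3. A logged-out /wp-admin request would be sent by auth_redirect() to the login
 *    URL, revealing the slug, so treat it as not found as well. admin-ajax.php and
 *    admin-post.php stay reachable: front-end code and "nopriv" handlers use them.
 */
add_action( 'init', function () {
	global $pagenow;
	if ( is_admin() && ! is_user_logged_in() && ! wp_doing_ajax()
		&& 'admin-post.php' !== $pagenow ) {
		wp_die( 'Not Found', 'Not Found', array( 'response' => 404 ) );
	}
}, 1 );

/*
 * 4. Serve the login code at the slug. wp_loaded is the last hook of the bootstrap,
 *    before the main query runs, so the request is handled before WordPress could
 *    decide that /new-login is a 404 of its own. $pagenow is set so core code that
 *    tests for the login page behaves as if wp-login.php had been requested.
 */
add_action( 'wp_loaded', function () {
	if ( example_login_request_path() !== EXAMPLE_LOGIN_SLUG ) {
		return;
	}
	$GLOBALS['pagenow'] = 'wp-login.php';
	require_once ABSPATH . 'wp-login.php';
	exit;
} );
```

Drop the file into wp-content/mu-plugins/, then check from a logged-out browser (or curl -sI on each URL) that /new-login answers 200 with the form, while /wp-login.php and /wp-admin/ answer 404; log in, log out from the dashboard, and request a password reset to confirm the links core generates now all carry the slug. Three caveats: wp_die’s 404 body is not your theme’s 404 page, so a scanner can tell the two apart (swap in get_404_template() if that matters to you); a plugin that hard-codes the string wp-login.php instead of calling wp_login_url() will still leak it; and the slug travels in password-reset emails and Referer headers and does nothing against a bot that has already found it, so keep strong passwords, a second factor and login throttling in place regardless.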
WPS Hide Login
Remember earlier (last paragraph) when I said that there are plenty of free plugins? This is one of them. WPS Hide Login lets you change the login URL with a single setting. You can set it for a single site or for your network. It’s very lightweight, it doesn’t use redirects, and it doesn’t change core files. This is much cleaner than a redirect or hacking the core. It simply adds a form field to your dashboard settings. You can download this plugin from the official WordPress plugin repository.
Additional Security Measures
It isn’t wise to use obscurity as your only security measure. If you are obscuring your login page, you will also want to make sure that you have everything else locked down. This includes:
- Using strong passwords. There’s no excuse not to. WordPress automates this for you with a password generator.
- Two-step authentication. Put a second check in front of the login form. A two-factor plugin adds a code to the WordPress login itself; alternatively, on Apache you can require HTTP authentication for wp-login.php from a user database with users or groups that are allowed to access certain pages (see Authentication and Authorization on Apache.org), so a guessed WordPress password alone is not enough.
- Limiting access. Give each account only the role it needs, and restrict access to sensitive paths (for example, by IP address) where you can.
For login plugins, visit wordpress.org and search the term login. Also see our post on How to Scan Your Website for Hidden Malware. We’ve also made a list of some of the most popular security plugins available for WordPress that you can use.
Wrapping Up
There are many ways to obscure your login page with WordPress to add an additional layer of protection. You can hack your WordPress files, or use a plugin to obscure your login page. However, many argue that security through obscurity doesn’t make your site more secure on its own, and that there are better ways to secure your login, such as strong passwords, a second factor and limiting login attempts.
What do you think? Do you have any top obscurity or security tips to share?
Article thumbnail image by robuart / shutterstock.com
WPS Hide Login doesn’t work effectively…
Read the ‘1 star’ negative reviews for the plugin.
Type in
http://www.mywordpresssite.com/wp-register.php
and voila – the supposedly hidden Admin folder is revealed!
One thing that I noticed which still leaves a vulnerability to the login page: when I have a new affiliate/client wanting to register, as they hover over the login button, the login address shows up. I’ve put certain restrictions before they get to this page so I’ve fixed that, but again, when they log out, the login address is displayed. Is there any way to hide those instances?
I use the WP Hide Login plugin and Wordfence. Now that WF premium offers active IP blocking that is updated every hour, I don’t get as many bots scanning my WP. All this and strong password enforcement has made my clients’ sites nearly bombproof. 🙂
Hi,
Thanks for such a great workout for most WordPress developers.
I have a question: when I hover over the user that is logged in, the logout link is not changed as we did in the file.
I have a question:
if I upgrade WordPress, does the file wp-admin appear again with the solution “Manually Create a New PHP Login File”?
Long ago I learned that changing Admin to something different like boss52, or whatever (this can be done easily at the time of WP site creation), creates excellent protection with a good password too. You can display Admin to all via a setting for users to see, so nobody knows you’re using a different login name.
I’ve never had a problem with upgrades messing with this method.
Can this be done after the fact, or does it have to be done when creating the site?
Once set, user names cannot be changed.
But, you can create a new user and assign everything from the old admin/username as you’re deleting it.
Great post! I agree with your assessment that you should use a good plugin most of the time. However I want to emphasize: if you’re going to obscure your /wp-login, you need to change your /wp-admin to something obscure as well. Because if not logged in, /wp-admin will just redirect to the login page.
Fantastic design of the blog post.
Please, please, please, never encourage people to change Core files! Never ever!
Also, as you’ve pointed out, now when you try to login using yoursitename.com/wp-admin, which is how most people login, you end up with a 404 Error because you’ve removed a core file.
This is not the right way to do things.
What about updates of WordPress adding wp-login.php again? Is that the case?
yes
Hey Brenda,
Great article there. As we know, some WP hosting services like Flywheel provide in-core firewall login attempt protection with efficient features protecting the wp-admin and wp-login strings.
—
How surprising to see that ET doesn’t publish (not yet) an article about its fresh site-wide website redesign. Too many material design shadows everywhere (don’t get me wrong: I love material design principles 😉 ). The front and backend redesign is very good, simple and very fresh.
So, I think it is time to re-brand the logotype that now appears totally disconnected from its new ecosystem. Maybe ET is working on it?… I suppose. I hope…
Cheers!
One issue with the approach “Manually Create a New PHP Login File”: Logout from the Dashboard does not work anymore.
Great looking new site but it does not seem to be made in WordPress 😉
You would need to login with the new .php file name you created. e.g you changed wp-login.php to yourname.php, to login you need to use http://www.yourwebsite.com/yourname.php to login.
I did, but clicking on username->logout in the top right corner of the Dashboard still goes to wp-login.php?action=logout which leads to a 404 error and logout does not happen.
Same problem for me, logout links to wp-login.php. I still haven’t found where the logout link string is; maybe it’s coded in a JS file.
I would like to share a piece of code for .htaccess which has put an end to most of my headaches with rogue accesses:
AuthUserFile /home/your_host_username/.htpasswds/.htpasswd
AuthName "Private access"
AuthType Basic
require user CHANGE_USER_NAME
You only need to add to .htpasswd some easy user/password (maybe from http://www.htaccesstools.com/htpasswd-generator/ ) and you’re done.
Apache will block ANY login attempt without even touching your WP (best performance ever :”). If you build sites for clients, just put in something they will easily remember (like your email????).
Seriously, for me it’s working like magic.
Maybe not useful for sites with lots of (valid) user accesses.
I use WPS Hide Login and have found it to be quite effective. I had one client website that was getting about 80,000 login attempts per hour. (And, yes, it slowed the server down considerably, occasionally making it impossible to load pages.) I already used Wordfence, which helped, but using a plugin to hide the login page changed everything.
For a while, the attempts to hit wp-login.php continued, but after a while the hackers seemed to learn that it wasn’t there (even though it really is, but is obscured).
Amazing design! You the best!
WP Cerber is an excellent plugin that among other things can customize your login address. It can block direct access to wp-login.php and return an HTTP 404 Not Found error. It also can immediately block a hacker’s access to all of your site after any request to wp-login.php.
Yes it’s free. I’m just a happy user.
OK, you’ve left me confused. You show us how to change the login page through PHP, and then you tell us that using a plugin is better.
Sorry, this is truly interesting, but your advice is very confusing.
Nice article.
But rounded buttons and drop shadows… 2006 called and they want their internet back!
Thank you! Good to know this. What about plugins? Are they not less complicated to use? I mean plugins like Wordfence Security or iThemes Security. Maybe they are not so safe to use.
Thanks in advance.
And ManageWP? Do we still need to do this?
Great article Brenda! Thank you for the tips!
Is your redesign done with Divi, guys? If yes, I really want to know how you achieved the Blog part.
I use a plugin (I think it’s the one in the article) and while it works great in general I found a problem recently.
If using a maintenance screen the maintenance plugin will override the login redirect. This means that when you log out, you can’t get back to the login page.
Unless I’ve missed something really obvious.
Anyone else had this experience or know how to solve it?
Good points. But I have further concerns. I have tested WP Hide as well as Login Limit to avoid brute force attacks. Thankfully Login Limit always helps, but WPS Hide does not work for a longer time. Somehow the bots find my new hidden URL as well as the admin user ID. So far I have not found a solution for this. I’m facing this difficulty on all WordPress installs. Any help would be appreciated.
Digging the new website design, well overdue 🙂
As for the hidden login options above, I would like to add that there is a plugin I use on almost every website we build for clients. The plugin is called Shield. As well as being able to change the login URL, it is also a full security suite that in my opinion is one of the best.
But even so its a fantastic tut.
So much work when you can easily and simply do the same just by whitelisting your WordPress log-in to an IP address.
I looked at the website’s code and saw that the style.css stylesheet is ver=4.0. Are we getting Divi 4.0 soon?
Whoa! I completely missed that – Nice find!
I looked at the code as well. The new main site isn’t WordPress from the looks of it so that style sheet isn’t a hint at Divi 4 anytime soon. It hasn’t been that long since Divi 3 dropped.
This website is WordPress. Just search through the code for “wp-content” and you’ll find it everywhere.
The blog is WP but not the main website at eleganthemes.com. That’s what I was referring to.
Hi,
I actually don’t do any of that. I just protect the existing login page by only allowing it to be accessed by a single IP address. How? By adding the following to the .htaccess file
# Protect wp-login.php
<Files wp-login.php>
order deny,allow
Deny from all
Allow from 77.777.777.777
</Files>
OK, this is limited if multiple users require access etc. … but if you do most of your development through one IP address like I do … then no one can access it unless they are in the same building 😉
Excuse me if I’m missing something. Just wanted to share that alternative.
Thanks Mark
This only works on a static IP address, something that nowadays is not so regular anymore…
I don’t have a static IP address so that solution is no good for me, but will be good for others.
You can set it up with a changing IP address.
Look for Dynamic IP address access, limit by referer:
http://www.inmotionhosting.com/support/website/wordpress/lock-down-wordpress-admin-login-with-htaccess
Mark, that is the exact solution I have been using for several years. When I am on vacation etc and need to get in from a different IP address, it’s easy to modify the htaccess file to add an IP to the allowed IP’s. But this method blocks uninvited “guests” even before they can attempt to make an unauthorized “visit.”
Maybe I’m missing something or misunderstanding something, but if you use this method on a site where you have a blog that utilizes members/users who will need to be able to log in to access content, like for a membership site, then you would effectively eliminate the possibility for any of them to log in unless you whitelist all their IP addresses. That would defeat the purpose of a membership site, no?
If you’re wanting to protect the login page, wouldn’t enabling Two-Factor Authentication be a much more secure method? I know that wouldn’t keep a bot from hitting the page, but it would practically eliminate the possibility of unauthorized logins from the page.
You are correct, this white list method is more complicated if you have many users logging-in, and you don’t know their IP addresses.
I agree with you, Mark, and wonder why this solution is so underrated. I posted an article that explains how to do this with multiple or revolving IP addresses.
Excuse me, a couple of lines have been excluded on publishing … maybe just google “Protect wp-login.php via htaccess” and the solution will be there.
Can I just rename the wp-login.php file?
I assume that you can. I prefer renaming myself, but be sure to backup first.
Cool new design
I have been doing this for a long time; the one little catch is that after each WordPress upgrade you will have a new wp-login.php file that needs to be deleted.
Love your new design! And this article of course 😉
Thank you.
Brenda already had this beautiful design, as I remember; it’s still the same photo in her profile.
Unrelated to this blog post, but I must say… Wow! Your website redesign looks AMAZING!
I agree – Fantastic!