By default every WordPress installation has two login URLs: yourdomain.com/wp-admin.php and yourdomain.com/wp-login.php. While perfectly functional, there are two very good reasons you may want to change these URLs. The first and most important is security. The second is that it gives you the ability to rebrand every element of the login experience for your site users. In this article we’ll begin by expanding on these two points and then show you step-by-step how to create a custom WordPress login URL.
Why Change the WordPress Login URL?
Like I mentioned above, there are a lot of security issues that can come from having your login page open to the public, most specifically brute force attacks. Because of the ubiquity of WordPress, these kinds of attacks are becoming more and more common. One of the reasons is that the vast majority of WP users keep /wp-admin for signing in.
And you know what? They will probably get in. Because people (and I am not saying you), but people generally don’t take security seriously and use the same usernames and passwords over and over again. Not only that, they use the same bad usernames and passwords over and over again. Behold the list of top usernames and passwords of 2017 and weep.
- 123456
- Password
- 12345678
- qwerty
- 12345
- 123456789
- letmein
- 1234567
- football
- iloveyou
- admin
And what’s worse…most of these are used in conjunction with the most cliche of cliches, the default username admin. If you’ve inherited a site with admin as the username, I’m sorry. I’ve been there. Honestly, I’ve even done it because it’s easy and quick. But it’s massively insecure. Luckily, you can actually change a WordPress username after it’s created even though the documentation says you can’t.
But that’s neither here nor there. No matter what your username is, if the bad guys can’t get to the entry fields in the first place, the point is (nearly) moot. If that’s not enough reason to change your WordPress login URL (or change a username, at least), I don’t know what is.
Maybe custom branding and a totally new login experience is? Customers love login screens customized to their business and brand, by the way. No matter the reason behind the change, here’s how you do it.
How to Create a Custom WordPress Login URL
How to Change Your WordPress Login URL without a Plugin
Don’t. Use a plugin.
It may sound blunt, but changing your WordPress login URL without a plugin may not be the best idea. You can do it. But you shouldn’t. When you completely change the WordPress login URL without a plugin, you’re getting into messing with the WP Core files, and that’s kind of a big no-no. There is documentation in the WP.org Codex on creating an entirely new login page using hooks to put login fields in isolation. But there’s a reason that they don’t include one to change it completely.
Now, normally, I suggest doing anything you can without a plugin. It tends to save a bit of server memory, processes, bandwidth, and eventual troubleshooting. Plus it can teach you a lot about how the CMS works. This time, however, it’s plugins all the way down.
How to Change the WordPress Login URL with a Plugin
The safer and better way to change the WordPress login URL is to use a plugin. There are quite a few out there (iThemes Security works as a login obfuscator as well as a full security suite), but the lighter option is WPS Hide Login. It’s by far the gold standard for the process. It does one thing, and it does it well.
Once the plugin is installed and activated, you will have a new option under your general settings where you can simply enter the new slug at which you want the login fields to live. Go to either Settings > General or Settings > WPS Hide Login to change it. Both of them take you to the same place.
All you have to do is type in your new login URL and hit the Save Changes button. Note that it says it also prevents access to the wp-login.php and the wp-admin directory to non-connected people. In other words, you can access them if you’re logged in. Otherwise, you get a 404 Error.
When you are logged in, you just see your dashboard.
However, when you head to your newly changed WordPress login URL, you should see a familiar site (pun intended).
Two Things to Keep in Mind
The first is that the moment you activate this plugin, you will not have access to the old login screens. By default, WPS Hide Login will take you to /login for entry. This will take place immediately upon activation, even before you head into your settings to customize it yourself. Please remember that. And if you have changed the URL, please remember that, too. Otherwise, you’re going to have a couple of issues logging in, I think.
After all, you’re trying to make things easier for your team/clients and harder for hackers. You don’t want to lock yourself out of your own site.
The second thing is that when and if you deactivate the plugin, your site will immediately go back to using wp-admin and wp-login.php as the entry point for users. So you won’t mess up the database or lock anyone out if you decide you don’t want to go this route.
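A server-side check of the behaviour described above, as an added example (not code from the plugin or from this article): it tallies access-log requests to the old entry points, the new slug and xmlrpc.php, so you can see whether the old URLs answer 404 and whether anyone has found the new one. The slug /team-entry, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumption: the slug entered in the plugin settings (hypothetical value).
CUSTOM_SLUG = "/team-entry"
# Combined log format: ip - - [time] "METHOD path HTTP/x" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample traffic (documentation IP ranges, not real log data).
_ROWS = ([
    ("198.51.100.7", "GET", "/wp-login.php", 404),
    ("198.51.100.7", "POST", "/wp-login.php", 404),
    ("198.51.100.7", "GET", "/wp-admin/", 404),
    ("203.0.113.5", "GET", "/team-entry", 200),
    ("203.0.113.5", "POST", "/team-entry", 302),
    ("203.0.113.5", "GET", "/wp-admin/", 200),  # a logged-in user
    ("192.0.2.44", "GET", "/index.php", 200),
] + [("192.0.2.44", "POST", "/team-entry", 200)] * 3
  + [("198.51.100.7", "POST", "/xmlrpc.php", 200)] * 2)
SAMPLE_LOG = ['%s - - [02/Jan/2016:10:00:00 +0000] "%s %s HTTP/1.1" %d 512 "-" "-"' % r
              for r in _ROWS]

def classify(path):
    """Return which entry point a request path targets, or None."""
    path = path.split("?", 1)[0].rstrip("/") or "/"
    if path in ("/wp-login.php", "/wp-admin"):
        return "legacy"
    if path == CUSTOM_SLUG:
        return "custom"
    if path == "/xmlrpc.php":
        return "xmlrpc"
    return None

def audit(lines, post_threshold=3):
    statuses = defaultdict(Counter)  # entry point -> status code -> hits
    posts = defaultdict(Counter)     # entry point -> client IP -> POST count
    for line in lines:
        m = LINE_RE.match(line)
        kind = classify(m.group(3)) if m else None
        if kind is None:
            continue  # unparseable line or unrelated path
        statuses[kind][int(m.group(4))] += 1
        if m.group(2) == "POST":
            posts[kind][m.group(1)] += 1
    return {
        "legacy_404": statuses["legacy"][404],
        # Non-404 answers on the old URLs: expected only for logged-in users.
        "legacy_not_404": sum(n for s, n in statuses["legacy"].items() if s != 404),
        # IPs POSTing repeatedly to the new slug already know where it is.
        "custom_slug_posters": sorted(ip for ip, n in posts["custom"].items()
                                      if n >= post_threshold),
        "xmlrpc_posts": sum(posts["xmlrpc"].values()),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Pass `audit()` the lines of your own access log with CUSTOM_SLUG set to your slug; xmlrpc.php is counted separately because the plugin's notice only mentions wp-login.php and the wp-admin directory.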
Final Thoughts
While the entire concept of changing one of the most fundamental elements of WordPress may be daunting, hopefully you’ve seen that all it takes is a few clicks thanks to the effort of some really fantastic developers out there. Like I said above, it is entirely possible to change the WordPress login URL without a plugin, but it’s really not a best practice. There are just too many factors from within the Core files to take into consideration, and whenever you have to get into changing those as well as the database, relying on a plugin is definitely the safer bet.
After all, you want to change this URL for security and to keep your site up and running the best it can.
What have your experiences been when you’ve changed the WordPress login URL?
Article featured image by BarsRsind / shutterstock.com
I’m still new on PHP and I know I’m gonna hate myself for asking this…when I read up on creating a login page on the WordPress codex it said
Set the ID name for the form: id="loginform-custom".
Is this verbatim or does this mean form: id="loginform-mynewloginpage"?
Hello,
I was looking for this kind of something and finally got this article. Actually, I have installed Sucuri on my WordPress website, so when anyone attempts to log in I get an email. So this plugin is very helpful to be safe from login attempts.
Thank you so much for sharing this great info with us.
You guys have got amazing post banners using icons and vectors.. for example: https://www.elegantthemes.com/blog/wp-content/uploads/2015/12/Customize-the-WordPress-Login-URL.jpg
How do you guys create these? What’s the software you would use? Do you guys make special icons for each post? Thx
The correct article. It is very important to protect the login page in the admin panel. It is also recommended to install additional authentication to access the login page.
nice blog thanks for sharing…
Security through obscurity is not worth the time.
I used the plugin on all my sites until I switched to iThemes security, which has this functionality as an option. I went from getting tons of attempted brute force attacks to zero on all sites. I realize that this is only one small part of the security plan, but it stops that element.
When the plugin goes haywire and you can’t get into your site, simply FTP into your file structure and temporarily rename the plugin. Then you can log in using /wp-admin again while you fix it.
If you use wp remote for site maintenance, you won’t be able to get into your site by using their “admin” link, which will only take you to the /wp-admin login location – which of course is disabled.
I need to do just that! …and, when logged in to my host via ftp, the plugin does NOT appear to be in the “plugin” directory. Is there somewhere else that I should be looking?
So, did this a while ago and everything was fine.
However, today I tried to log into my site after a long period of neglect, and discovered I had forgotten my password.
Clicked the “lost your password?” link and WP sent me an email with a link to reset my password.
Problem is that link goes to the wp-admin page, so I just get redirected to the main page of my blog.
This is why everyone should use LastPass
I installed the WPS Hide Login plugin tonight on one of my sites to give it a whirl. Ready for this….within 15 minutes after installing and making my custom login URL I receive a notice in my email from my sucuri security that I had a failed login attempt. How would that even be possible?
On my other sites the hackers go right around my htpasswd and htaccess files. I have no idea how they manage that as well.
Any thoughts???
I had the same problem when I first installed it. I found out that if you keep their suggested name of “login”, the hackers can still easily find it by just using the term “login” in a site’s search box.
I use something completely different for the new page name and don’t get any more Wordfence warnings about bad logins. That’s not saying that the hackers aren’t trying to hit my site, it’s just that it’s more work now to find the login so probably not worth the effort.
When I first used this plugin, I found out that if you keep the default “login” as the new name, all the hackers have to do is search your site for the word “login” and it will show up in the search results.
So I now change the new login page name to something that doesn’t contain the word “login” or even “signin”.
It has cut down the daily login hack attempts on all my sites to zero. Well, they may still be attempting, but they aren’t finding the page so the actual login attempts have stopped.
Hope that helps.
BTW, for anyone that’s interested, I also use MainWP for my website manager and everything still works.
I love the idea of increased security by simple means, thanks for the great post. I opted to use the WP Hide Login plugin and had it setup in 30 seconds. When I logged out and tried to log back in I found myself unable to get to the login page because I was also using the ET Anticipate plugin. I thought about it for a few seconds and then logged into the server via SSH, downloaded the anticipate-maintenance-plugin.php file and added my new login page to the var $_exception_urls = array on line 18. Once I uploaded the updated php file and refreshed the login page everything worked as it should. So…
If you are using the ET Anticipate plugin and want to use the WP Hide Login plugin do this –
1. Remote login to your server via SSH
2. Navigate through the following folders to download the php file:
www >> html >> wp-content >> plugins >> Anticipate >> anticipate-maintenance-plugin.php
(Your server may have a slightly different hierarchy, but the wp-content and forward should be the same)
3. Open the php file locally in your editor of choice and add your new custom login page to line 18, it should look something like this:
var $_exception_urls = array( 'wp-login.php', 'yournewloginpage/', 'async-upload.php', …
you need to add the ‘yournewloginpage/’ to say whatever your chosen login page really is
4. Save and upload the updated php file back to your server (replace the old file).
5. Refresh your browser on your new login url and it should work for you.
Maybe my example is a bit obvious, but I know a lot of people don’t have a clue where to find files on their server or how/where to update the code…like me.
I used to do this for all the sites I created but I don’t anymore. It should be said that in regards to security changing your login URL really just creates a minor inconvenience for an amateur hacker. However, I guess every bit helps. Just realize that there’s a lot more to protecting your WordPress site.
Hello,
I just tried WPS Hide Login, but while ‘ET Anticipate’ maintenance page was turned on, it did not let me access the new login URL.
I assume that somehow maintenance plugin’s htaccess doesn’t consider the new URL to be accessible.
Any way to fix that?
Hi Thomas, check out alglOseL’s comment above ☝️ He provides an answer for you.
Hi,
I’m using the iThemes Security Lite plugin. It’s a very useful plugin for WordPress users. I just love it. Before installing any plugin we should back up our database first. I will try other plugins ASAP! Thanks for your useful post.
“it’s somewhat surprising that WordPress doesn’t give users the option to create a custom login URL, don’t you think?”
Yes!
Would using WPS-hide-login and Wordfence plugins together work like this…
Make a custom login address with WPS and then set the wp-admin address in Wordfence to block any IPs that access that ‘old’ address?
and Happy New Years 🙂
A few nitpicks in this article:
> From #1: When you change your login URL, you are making the bad guys work significantly harder.
Significantly harder? A determined hacker will probably find your login page but most drive-by script kiddies usually won’t put up the effort. If you block all IP Addresses except ones you login at and return a 404 instead, that works well. And it requires no other plugins.
If you use nginx, you can also slow the attacks down as well by rate limiting how often someone can hit the login. If someone can only login 4 times per minute (say once every 15 seconds which is perfectly reasonable), that’ll reduce your server resources too.
> From #2: Hides WordPress Vulnerabilities
This is just plain misinformation. WP’s default folder structure easily gives it away (wp-content, etc), as does pinging for common WP files, like wp-blog-header.php, xmlrpc.php, etc. Even if you change all that, make sure you use some code to block user enumeration since that’s what a lot of attacks start with too.
It’s unfortunate that the WP core developers are vehemently against basic security features like being able to change the default admin entry point or limiting login attempts. These features will never be in core.
They see the former as security by obscurity (not true, it’s obfuscation) and the latter as being useless against DOS attempts (only half true IMO, since DDOS really needs to be mitigated on the hardware/network level—it’s the script kiddies that jam up your resources are what bug me).
WP security is almost an oxymoron; I do most of my work in other CMS like Craft which have these features built in. But I do host a few other clients on WP yet and these are a few things I’ve found to help.
“If you block all IP Addresses except ones you login at and return a 404 instead, that works well. And it requires no other plugins.”
What is the best method to do this? I am using one htaccess whitelist method but I have noticed there are other similar ways.
I prefer adding a .htaccess password to the wp-admin folder and then install the Limit Login Attempts to block brute force attacks 😉
Great resource. You can also hide the login area using htaccess and some rules. Once done, the login path will require a key to be displayed.
Whenever somebody tries to login with username and passwords whatsoever, the database is read and returns success or “wrong credentials”.
This will also happen when the login URL is changed and some bad guys find that new URL.
I had a lot of hacking attempts where the server went down because of database overload, and in my mind the best way to protect is to protect with .htpasswd; by that, access is denied before the database is called.
Any thoughts on this?
That is exactly what I did on 4 of my sites, ConnieM. I set an .htpasswd on the login page through my .htaccess file. It worked for about 4-5 months and then I started getting attempted login notices again in my email from Sucuri. The bad guys have managed to go right around it somehow, which I cannot figure out. There is no way they could guess the username and password of the login so they must have found a loop. I would like to know how the hackers do this?
Why link to plugins that haven’t been updated for two years?
HC Custom WP-admin URL, is only compatible up to WordPress 3.7.11.
Using old plugins is not safe.
Hi Shaun, I’ve been looking for something exactly like this, so thanks. I have a question though. I’m not smart with this sort of thing, so you lose me where you say–for WPS Hide login:
‘But when I try to visit my chosen login URL, I see the familiar old login screen. And that took, how long to configure? All of 30 seconds?’
My question is: how do I find my chosen URL login page? I’ve tried typing it into the search box but I get the Page not found message. I have no idea how else to find it.
Consequently I’ve deactivated the plug.
Disregard this query as I discovered it pretty quickly. Again, thank you for this information. I joined WordPress a couple of months ago and have been harassed with dozens of false login attempts a day. It’s early days, but since activating WPS hide login 24 hours ago I haven’t had one.
Hello everyone,
I’m trying to redirect wp-login.php to a custom URL using a 301 redirect via htaccess. The redirection works; however, now my custom login URL is also being redirected. Does anyone know why this happens?
I’m doing this because I have kiddie hackers trying to access wp-login.php all the time, and I want to troll them by redirecting them to another site.
Fix the first mention: wp-admin.php to wp-admin
/wp-admin/ will redirect to wp-login.php when not logged in. This will turn into a 404 error if using an htaccess hide login method like the one used by iThemes’. Which, unless it’s cached by a cache plugin, will also consume bandwidth.
Is there a way to change the login URL without a plugin?
Yes, and I am surprised it wasn’t mentioned. All you have to do is to rename “wp-login.php” to whatever you want. A few caveats though…you will need to enter in the “.php” at the end unless you make some changes to your htaccess file. You would also need to fix the redirect in wp-admin if you still wanted to use that. That is a bit more complicated though.
For various reasons, I would recommend just using the plugin mentioned in the article.
I would like to know that also…basically manually. I am trying to set up my own guide on WP installs and best practices out of the box and this I would like to have part of it…plus it eliminates another plugin I have to keep up to speed with.
Are there any downsides to doing this? Will it break with a WordPress upgrade?
Hi Seth! I am using this trick in most of my sites for a while now and never had an issue. It certainly does not change WordPress behaviour in any way.
Happy 2016!