How to Easily Hide Your WordPress Login Page From Hackers

Hackers are getting smarter and smarter with the methods they use to try to break into your WordPress admin pages.

The most common way is to use a script that tries to log in through the wp-login page.

It’s no secret that all login pages for WordPress users look like this:

http://yourdomain.com/wp-login.php

so hackers know exactly which URL to use to run the script.

Consider this: What would happen if someone hacked your site and deleted all your content or injected a malicious program to ruin your databases?

The solution to this security issue is to change the default login address to a custom login link so only you know what it is.

Another method is to limit login attempts.

Caution. Always create a full backup of your WordPress files & Databases before making changes.

Create a Custom Login URL Using Code

One way to change your login address is to add some code to your .htaccess file.

If you wanted to change your login link from http://yourdomain.com/wp-login.php

to

http://yourdomain.com/login

Add this code to your .htaccess file just above the WordPress rewrite rule:

RewriteRule ^login$ http://yourdomain.com/wp-login.php [NC,L]

Login URL Example: Your login URL will now be http://yourdomain.com/login

You can customize your URL to anything you want by changing ‘login’ in the code above in your .htaccess file.

Place the code on line 1 of your .htaccess file before the rewrite rules start.

This solution doesn’t hide the default login URL. It only adds an easier-to-remember URL that redirects to the default, wp-admin. The next section of this post deals with creating the secret URL and disabling the default.

Hide WordPress Login Page Without A Plugin

If you want to hide your login page without using a plugin, all you need is a text editor, access to your WordPress installation files (FTP, cPanel File Manager, etc), and then do the following:

1 – Make a backup of your wp-login.php file.

While you are at it, go ahead and make a backup of everything else too, as you’re about to mess with code and enter the danger zone!

Note: If you’re looking for a great plugin to backup and restore your files and WordPress site, we recommend using our very own Snapshot.

Next, open your wp-login.php file. Select and copy all the code to your clipboard.

2 – Create a new PHP login file. 

Create a new file using your text editor. Call this file anything you like (e.g. ‘canny-login.php’, ‘danger-zone.php’ etc.).

Paste the code from your existing wp-login.php file into your new file and save. Alternatively, open your wp-login.php file and ‘save as’ your new filename.

3 – Search and replace the ‘wp-login.php’ string in your new file code.

Search and replace every instance of ‘wp-login.php’ in the code with your new login filename.

Resave the file with the modified code.

4 – Upload your new login file to your server.

Log into your server and upload the new login file to the root folder or directory where you have installed WordPress. Delete the original wp-login.php file from your server.

5 – Update the default login and logout URLs.

The last step is to hook into the login_url and logout_url filters to update our file.

Add the following code to your theme’s functions.php (preferably in your child theme):

// Point the logout links WordPress generates at the new login file.
add_filter( 'logout_url', 'custom_logout_url' );
function custom_logout_url( $default ) {
    return str_replace( 'wp-login', 'danger-zone', $default );
}
// Do the same for the login links WordPress generates.
add_filter( 'login_url', 'custom_login_url' );
function custom_login_url( $default ) {
    return str_replace( 'wp-login', 'danger-zone', $default );
}

6 – Test your new login URL

Test your new login page URL. Anyone visiting the default wp-login.php page will experience an error.

To revert to the original login page, simply restore the wp-login.php file from your backup and delete the new file from your server.

WordPress Login URL .htaccess File Hacks

There are ways to ‘obscure’ your WordPress login details using the .htaccess file. Obscuring your WordPress login URL, however, doesn’t necessarily mean hiding it from others.

For example, let’s take a look at what happens when you add URL forwarding to your .htaccess. Remember to make a complete backup of your site before making any changes to your .htaccess file.

WordPress Login Page Obscurity With URL Redirection

You can change the location of your login page by changing the name of your WordPress login file using the mod_rewrite module in an Apache server.

To do this, add the line below to your .htaccess file (note: replace ‘newloginpage’ with any alias and change the example.com URL to your domain):

RewriteRule ^newloginpage$ http://www.example.com/wp-login.php [NC,L]

In this example, we’ll add an alias called ‘dancekevindance’ and reupload the .htaccess file to our server:

Now, go back to the site and enter the new URL.

As you can see, the above method doesn’t hide the default WordPress login URL, it merely creates an alias that lets users log into their WordPress dashboard using a web address that is easier for them to remember than https://yourexample.com/wp-login.php.
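
To check this from the server side, the following added example (not part of the original post) reads an Apache access log and reports whether wp-login.php is still being served and which addresses keep posting to a login page. It covers both the alias case above and step 6 of the file-replacement procedure; the combined log format, the danger-zone.php file name (the post's own example name) and the threshold of 3 are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter

# Apache combined log format: ip ident user [time] "METHOD target proto" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')

def audit(log_text, default="/wp-login.php", custom="/danger-zone.php", threshold=3):
    """Return (default_still_served, {ip: login POSTs}, [ips at or over threshold])."""
    default_served = False
    posts = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, method, target, status = m[1], m[2], m[3], int(m[4])
        path = target.split("?", 1)[0]  # drop query strings such as ?action=...
        if path == default and status < 400:
            default_served = True  # default URL still returns a page or redirect
        if method == "POST" and path in (default, custom):
            posts[ip] += 1  # one credential submission, whatever the outcome
    flagged = sorted(ip for ip, n in posts.items() if n >= threshold)
    return default_served, dict(posts), flagged

# Constructed sample lines (documentation IP ranges, not real traffic).
# Alias only: /login works, but wp-login.php still answers the script with 200.
ALIAS_ONLY = """\
198.51.100.4 - - [10/Mar/2024:09:00:01 +0000] "GET /login HTTP/1.1" 200 4721 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:09:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4890 "-" "ExampleBot/1.0"
203.0.113.7 - - [10/Mar/2024:09:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4890 "-" "ExampleBot/1.0"
203.0.113.7 - - [10/Mar/2024:09:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4890 "-" "ExampleBot/1.0"
"""
# File replaced (steps 1-6): the script gets 404, the owner uses the new file.
FILE_REPLACED = """\
198.51.100.4 - - [11/Mar/2024:09:00:09 +0000] "POST /danger-zone.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2024:09:01:10 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "ExampleBot/1.0"
203.0.113.7 - - [11/Mar/2024:09:01:11 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "ExampleBot/1.0"
203.0.113.7 - - [11/Mar/2024:09:01:12 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "ExampleBot/1.0"
"""

if __name__ == "__main__":
    for name, log in (("alias only", ALIAS_ONLY), ("file replaced", FILE_REPLACED)):
        print(name, audit(log))
```

In the second log the default URL is no longer served, yet the same address still appears in the flagged list, so the requests keep arriving even though they now fail.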

Hide Your WordPress Login Page With Code

Ideally, we recommend just sticking to using a plugin if you want to change your WordPress login URL, hide the wp-admin and wp-login.php pages, or redirect users away from the default login page. Messing with code can cause compatibility issues, slow down your site, and create other problems.

If you want to look at other options that involve code, however, then check out this post we’ve written about hiding your WordPress login page from hackers with code.

Don’t Let Them Take You Right Into The Danger Zone

WordPress is a magnet for hackers and malicious bots, so it’s important to understand WordPress security best practices and implement multiple WordPress security strategies to protect your site from hackers and brute-force attacks. This includes security through obscurity.

When used as part of a more comprehensive security strategy, obscurity can be helpful. As we’ve just seen, however, simply hiding the WordPress login page is not enough to guarantee that you will see zero malicious login attempts.

Unless you actually change the WordPress login URL of your site and redirect unwanted visitors away from pages like wp-login.php and wp-admin, hackers and bots will still be able to find your login page and attempt to guess your login details.

Messing with code can cause compatibility issues, slow down your site, and create other problems. Using a plugin like Defender is the easiest way to hide your WordPress login page from hackers and make it all but invisible to the vast majority of low-flying malicious login attempts.

To protect your site against the worst of the worst, you need help from the best of the best. If you’re not a member of WPMU DEV yet, join our elite group of top gun WordPress developers and website owners with our no-risk free 7-day trial and get access to all the security tools, protection features, and support your site needs to fly high and free out of the danger zone.
