Hackers are getting smarter and smarter with the methods they use to try to hack into your WordPress admin pages.
The most common way is to use a script that tries to log in through the wp-login page.
It’s no secret that all login pages for WordPress users look like this:
http://yourdomain.com/wp-login.php, so hackers know exactly which URL to use to run the script.
Consider this: What would happen if someone hacked your site and deleted all your content or injected a malicious program to ruin your databases?
The solution to this security issue is to change the default login address to a custom login link so only you know what it is.
Another method is to limit login attempts.
Caution: Always create a full backup of your WordPress files and databases before making changes.
Create a Custom Login URL Using Code
One way to change your login address is to add some code to your .htaccess file.
If you wanted to change your login link from http://yourdomain.com/wp-login.php
Add this code to your .htaccess file just above the WordPress rewrite rule:
RewriteRule ^login$ http://yourdomain.com/wp-login.php [NC,L]
Login URL example: your login URL will now be http://yourdomain.com/login
You can customize your URL to anything you want by changing ‘login’ in the code above in your .htaccess file.
Place the code on line 1 of your .htaccess file before the rewrite rules start.
This solution doesn’t hide the default login URL. It only adds an easier-to-remember URL which redirects to the default, being wp-admin. The next section of this post deals with creating the secret URL and disabling the default.
How to Easily Hide Your WordPress Login Page From Hackers
Hide WordPress Login Page Without A Plugin
If you want to hide your login page without using a plugin, all you need is a text editor, access to your WordPress installation files (FTP, cPanel File Manager, etc), and then do the following:
1 – Make a backup of your wp-login.php file.
While you are at it, go ahead and make a backup of everything else too, as you’re about to mess with code and enter the danger zone!
Note: If you’re looking for a great plugin to backup and restore your files and WordPress site, we recommend using our very own Snapshot.
Next, open your wp-login.php file. Select and copy all the code to your clipboard.
2 – Create a new PHP login file.
Create a new file using your text editor. Call this file anything you like (e.g. ‘canny-login.php’, ‘danger-zone.php’ etc.).
Paste the code from your existing wp-login.php file into your new file and save. Alternatively, open your wp-login.php file and ‘save as’ your new filename.
3 – Search and replace the ‘wp-login.php’ string in your new file code.
Search and replace every instance of ‘wp-login.php’ in the code with your new login filename.
Resave the file with the modified code.
4 – Upload your new login file to your server.
Log into your server and upload the new login file to the root folder or directory where you have installed WordPress. Delete the original wp-login.php file from your server.
5 – Update the default login and logout URLs.
The last step is to hook into the
logout_url filters to update our file.
Add the following code to your theme’s functions.php (preferably in your child theme):
6 – Test your new login URL
Test your new login page URL. Anyone visiting the default wp-login.php page will experience an error.
To revert to the original login page, simply restore the wp-login.php file from your backup and delete the new file from your server.
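For step 5 above, an added example (not the original post's code): a functions.php snippet that uses the login_url and logout_url filters, plus lostpassword_url, to point the URLs WordPress generates at the renamed file. The filename ‘canny-login.php’ and the my_ prefixed names are assumptions; use the filename you chose in step 2.

```php
// Added example. Place inside the existing PHP of your child theme's
// functions.php (no second opening PHP tag is needed there).

// Assumption: the renamed login file created in step 2.
define( 'MY_LOGIN_FILE', 'canny-login.php' ); // hypothetical constant name

/**
 * Replace the default login script name with the renamed file
 * in a URL generated by WordPress.
 *
 * @param string $url URL produced by wp_login_url(), wp_logout_url()
 *                    or wp_lostpassword_url().
 * @return string URL pointing at the renamed login file.
 */
function my_swap_login_file( $url ) { // hypothetical function name
    return str_replace( 'wp-login.php', MY_LOGIN_FILE, $url );
}

// Each filter passes the generated URL as its first argument, which is
// the only argument this callback needs.
add_filter( 'login_url', 'my_swap_login_file' );        // wp_login_url()
add_filter( 'logout_url', 'my_swap_login_file' );       // wp_logout_url()
add_filter( 'lostpassword_url', 'my_swap_login_file' ); // wp_lostpassword_url()
```

A WordPress core update puts wp-login.php back on the server, so recheck the default URL after each update.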
WordPress Login URL .htaccess File Hacks
There are ways to ‘obscure’ your WordPress login details using the .htaccess file. Obscuring your WordPress login URL, however, doesn’t necessarily mean hiding it from others.
For example, let’s take a look at what happens when you add URL forwarding to your .htaccess. Remember to make a complete backup of your site before making any changes to your .htaccess file.
WordPress Login Page Obscurity With URL Redirection
You can change the location of your login page by changing the name of your WordPress login file using the mod_rewrite module in an Apache server.
To do this, add the line below to your .htaccess file (note: replace ‘newloginpage’ with any alias and change the example.com URL to your domain):
RewriteRule ^newloginpage$ http://www.example.com/wp-login.php [NC,L]
In this example, we’ll add an alias called ‘dancekevindance’ and reupload the .htaccess file to our server:
Now, go back to the site and enter the new URL.
As you can see, the above method doesn’t hide the default WordPress login URL, it merely creates an alias that lets users log into their WordPress dashboard using a web address that is easier for them to remember than
Hide Your WordPress Login Page With Code
Ideally, we recommend just sticking to using a plugin if you want to change your WordPress login URL, hide the wp-admin and wp-login.php pages, or redirect users away from the default login page. Messing with code can cause compatibility issues, slow down your site, and create other problems.
If you want to look at other options that involve code, however, then check out this post we’ve written about hiding your WordPress login page from hackers with code.
Don’t Let Them Gonna Take You Right Into The Danger Zone
WordPress is a magnet for hackers and malicious bots, so it’s important to understand WordPress security best practices and implement multiple WordPress security strategies to protect your site from hackers and brute-force attacks. This includes security through obscurity.
When used as part of a more comprehensive security strategy, obscurity can be helpful. As we’ve just seen, however, simply hiding the WordPress login page is not enough to guarantee that you will see zero malicious login attempts.
Unless you actually change the WordPress login URL of your site and redirect unwanted visitors away from pages like wp-login.php and wp-admin, hackers and bots will still be able to find your login page and attempt to guess your login details.
Messing with code can cause compatibility issues, slow down your site, and create other problems. Using a plugin like Defender is the easiest way to hide your WordPress login page from hackers and make it all but invisible to the vast majority of low-flying malicious login attempts.
To protect your site against the worst of the worst, you need help from the best of the best. If you’re not a member of WPMU DEV yet, join our elite group of top gun WordPress developers and website owners with our no-risk free 7-day trial and get access to all the security tools, protection features, and support your site needs to fly high and free out of the danger zone.