Security: Hide The WordPress Login and Admin Pages (wp-login.php)

By 15th January 2015 April 11th, 2018 WordPress News and Updates

For the past 2 years the Shield Security plugin for WordPress has been demonstrating its ability to thwart attempts to compromise websites, with its many layers of protection.

One of the most important of these layers is the user login protection system. Shield locks down your WordPress login against automated bots and brute force login attacks.

It does this using simple techniques. Rather than use complex analyses of IP addresses and the like, it takes advantage of how humans use websites versus automated bots.

The result is a highly effective system that protects WordPress websites like no other.

Hide The WordPress Login URL – wp-login.php

One of the core tenets of Shield is to never make file system changes – never touch WordPress core files, or write to the .htaccess.

This feature is no different. We don’t touch your wp-login.php, nor do we block it using .htaccess rules. We simply prevent it from being loaded directly using the standard WordPress login URL, wp-login.php.

Simply supply the Shield plugin with the URL you want to use as your login, and that’s what you’ll use thereafter.

You will of course need to remember that login URL, because if you forget it, you’ll not be able to log in. WordPress will never tell you what it is. In fact, it’ll deny all knowledge of its existence and you’ll reach a 404 page, as if it doesn’t exist.

The same is true for your WordPress Admin (wp-admin). If you attempt to access this and you’re not logged in, you’ll be shown a 404 error. It won’t automatically redirect you to the WordPress login screen (which is standard WordPress behavior).

How exactly do we rename the WordPress login page?

It’s a fairly simple process: the plugin hooks in wherever WordPress normally loads wp-login.php. The wp-login.php file is the only file within the WordPress core that handles the WordPress user sign-on process.

Therefore, without direct access to that file, no-one can log into your WordPress sites.

What better way to prevent login to your WordPress site than to hide your WordPress login page altogether?

Rename Hide WordPress Login URL Option


The new plugin option can be found under the “Login Guard” section of the Shield Security plugin.

Simply supply a string of text (letters and numbers are supported) and this will immediately become your new login URL.

Please note: We do not rename or touch the original wp-login.php file.

How to change your WordPress Login URL

Take this website for example.  The address is www.icontrolwp.com

If I put “mysecreturl” into the option to rename the WordPress login page, then my new login url will be:

www.icontrolwp.com/mysecreturl

This option only permits letters and numbers, and only when Permalinks are enabled for your site.
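A check you can run after setting the option, added here as an example and not part of the Shield plugin: it validates the slug against the letters-and-numbers rule and confirms the responses described above. `check_hidden_login`, `http_fetch` and the `example.test` responses are constructed for this illustration, and a 200 status on the renamed page is an assumption.

```python
import re
import urllib.error
import urllib.request

SLUG_RE = re.compile(r"[A-Za-z0-9]+")  # the option accepts letters and numbers only

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow 3xx, so the redirect itself is reported

def http_fetch(url):
    """Return (status, Location header) for url without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location") or ""
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location") or ""

def check_hidden_login(base_url, slug, fetch=http_fetch):
    """Return findings as strings; an empty list means the site behaves as described."""
    if not SLUG_RE.fullmatch(slug):
        return ["slug may contain letters and numbers only"]
    base, findings = base_url.rstrip("/"), []
    status, _ = fetch(f"{base}/{slug}")
    if status != 200:  # assumption: the renamed login page answers 200
        findings.append(f"/{slug} returned {status}: login page unreachable")
    for path in ("/wp-login.php", "/wp-admin/"):
        status, location = fetch(base + path)
        if status != 404:
            findings.append(f"{path} returned {status}, expected 404")
        if location:
            findings.append(f"{path} redirects to {location}")
    return findings

# Constructed responses: a stock WordPress site and a site with the rename active.
STOCK = {"https://example.test/wp-login.php": (200, ""),
         "https://example.test/wp-admin/": (302, "https://example.test/wp-login.php?reauth=1")}
HIDDEN = {"https://example.test/mysecreturl": (200, "")}

def fake_fetch(responses):
    """Offline stand-in for http_fetch: unknown URLs answer 404."""
    return lambda url: responses.get(url, (404, ""))

if __name__ == "__main__":
    for name, site in (("stock", STOCK), ("hidden", HIDDEN)):
        print(name, check_hidden_login("https://example.test", "mysecreturl", fake_fetch(site)))
```

Against a live site, call `check_hidden_login` with the default fetcher from a second session before logging out of the first, so a login URL that fails the check does not lock you out.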

Important points to note about your hidden login URL

Simply supplying anything in this option will enable your secret login URL. When you do this, you need to understand that a few things will change in the behavior of your website:

  • Normally when you try to access your WordPress admin area you are automatically forwarded to the login page. To ensure your login page remains hidden, you will receive a 404 page not found error instead. It will appear as if your WordPress admin doesn’t exist! But it does – you must log in to your site to see it.
  • If you try to access your old wp-login.php page, you will also receive a 404 page not found error. Again, this is used to mask the fact that the file exists.
  • If you have plugins that use hard-coded redirects to your wp-login.php, these will fail to redirect you correctly.  Please contact the author to explain that they should use the native “site_url()” function within WordPress.
  • This feature is not tested with WordPress Multisite – if you have issues, please provide feedback to help.
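To find the hard-coded redirects mentioned in the list above before enabling the option, you can scan plugin source for quoted `wp-login.php` strings that are not passed to `site_url()`. This scanner is an added example, not code from Shield; `find_hardcoded_login_refs` and the sample plugin source are constructed here, and accepting `network_site_url()` as equivalent is an assumption.

```python
import re

# A quoted PHP string literal that contains the stock login script name.
LITERAL = re.compile(r"""(['"])[^'"]*wp-login\.php[^'"]*\1""")
# The literal is acceptable when it is the first argument of site_url()
# (or network_site_url(), treated here as equivalent by assumption).
VIA_SITE_URL = re.compile(r"\b(?:network_)?site_url\s*\(\s*$")

def find_hardcoded_login_refs(php_source):
    """Return (line number, line) for each login URL built without site_url()."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for match in LITERAL.finditer(line):
            if not VIA_SITE_URL.search(line[:match.start()]):
                findings.append((lineno, line.strip()))
                break  # one finding per line is enough
    return findings

# Constructed sample source, not taken from any real plugin.
SAMPLE_PLUGIN = '''<?php
// Members-only gate (constructed sample)
function members_gate() {
    if ( ! is_user_logged_in() ) {
        wp_redirect( '/wp-login.php?redirect_to=/members/' );
        exit;
    }
}
function members_login_link() {
    return site_url( 'wp-login.php', 'login' );
}
$legacy = home_url() . "/wp-login.php";
'''

if __name__ == "__main__":
    for lineno, line in find_hardcoded_login_refs(SAMPLE_PLUGIN):
        print(f"line {lineno}: {line}")
```

The match is on quoted strings only, so a literal that appears inside a PHP comment is also reported and needs a manual look.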

Please provide suggestions!

This plugin feature was only implemented upon the repeated requests from several users of the plugin.  You make this plugin what it is, and any ideas, feedback, or suggestions you may have are necessary to keep this plugin up-to-date and relevant.

Thank you to everyone who has made suggestions and helped with testing of this plugin.

Join the discussion 31 Comments

  • George L says:

    Hi, I’d like to be able to use the change-login-url-to-something-else feature, and I have permalinks enabled, but when I try to enable the feature it says I need to have permalinks enabled. Now, although I do have permalinks enabled, I am using the default (ugly) style. Do I need to select a particular style of permalink before this feature will work?

    • Paul G. says:

      The “ugly” style doesn’t work – this means in fact you’re not using Permalinks.

      I may release an update to support “ugly” links, but for the 1st release I opted to not support because it adds a bit more complexity.

      Thanks,
      Paul.

  • MikeAA says:

    When I try to use the redirect login on my test site, I get a 404. How do I find out what is going wrong? Is there a conflict with another plugin?

  • Daniel says:

    The WP installation is not in the domain/web root, but in its “/wp” subfolder

    The WP directory and the start page settings on the WP config page are both configured as “https://domain/wp” (no trailing slash)

    The name of the login page in the firewall plugin is set to “sitelogin”

    The WP installation works without problems, but the https://domain/wp/sitelogin URL that is displayed on the firewall page now doesn’t work (404)

    I’m glad I tested the login URL in a second browser before logging out in the first one; because apparently I have no way left to log in 🙂

    When I reset the login page name in the firewall settings to blank, everything is fine again

  • Tommy L Neel says:

    Under “Login Protection”, I changed the Login Page from “wp-admin” to a name that only I would know and now, “wp-admin” AND my custom name does not work.

    There are no subdomains or subfolders. This works on another site that I am using this plugin on, but not this one.

    Any thoughts?

    Thanks!

  • talal.mansoor says:

    Hi,
    If I rename the login page, the new name is shown in emails sent to users during 2 factors authentication! So the new name is public.
    Is there any solution for that?
    Thanks
    Talal

    • Paul G. says:

      Hi,

      I just checked this and I can’t see what you’re seeing. That email doesn’t send out the new login URL.

      And, if it was, it would be sending it to a user that already knew the URL… I’m not sure how this is “public”.

      Thanks,
      Paul.

  • Rob B says:

    Hi Paul,

    Presumably this won’t work for sites which require login to post a comment?

    I see you have comments enabled here. Could you share your thoughts on preventing comment spam without login being required? On the only site I manage with comments enabled we currently have it set so people have to be logged in to leave a comment and we are using the CleanTalk plugin to prevent comment spam (which does a great job), but the site is experiencing frequent hacking attempts and it would be good to be able to rename the wp-login page and allow comments without opening up to a massive comment spam problem.

    Thanks

    Rob

  • Kevin Benefield says:

    Haha. I hate to be ‘that guy’, but there’s a website that I haven’t accessed in quite a while now, and…………. I’ve forgotten my custom login page url. 😀

    So question is: Can one determine what the current login page is via some research with an FTP? Or, is there some way to revert the login page to the default WP login url without logging in or removing the entire WP Simple Firewall plugin?

    Thanks in advance!

  • Trent Goodbaudy says:

    I seem to have done the same thing as the previous comment. I have my username and password, but I can’t for the life of me find a record or notation of where I put my custom URL. This is driving me crazy, is there any way that I can find the info or temporarily change it from my server or MySQL database to regain access?

  • Max says:

    Hi Paul,

    I’m not sure comments here will still receive replies, but it’s worth a try. For two days now I encounter that bots occasionally attack the renamed login page of my site. I’ve changed the url after I’ve noticed it first, but within the next 24 hours attempts to register a user (which is disabled) will move to the new url (/mysecreturl?action=register). My question: How is it possible that they even detect this “secret” url, which doesn’t seem to be so secret anymore? My concern: could that be related to the latest release since I’ve never encountered that problem before?

    Thanks in advance
    Max

    • Paul G. says:

      There are a couple of ways this can happen. If you have private pages/posts, they will link to the login page. Or if you have any plugin that somehow exposes the login page, or forwards to the login page. Every site is different, but you probably have something, somewhere that’s exposing the URL somehow either explicitly, or through a redirect.

      Hope this helps.

  • Max says:

    Thanks, Paul. There are no private pages or posts and I haven’t installed any new plugins over the past few months and only encountered the problem for the last two days, that’s why I thought it might have to do with your recent update. Renaming the login page felt better before, but I guess I will learn to live with it. 😉

  • Gerhard says:

    Hi, Paul, I’m sure this has already been addressed, but when I try to set my wp-login url, I get “Warning: Can not use the Rename WP Login feature because you have the “Theme My Login” plugin installed and it is active.”

    I have been battling to activate the Login Protection module without success (get a login error 500) and have eliminated the culprit to be My Theme Login, so I tried to rename the wp-login to “login”, as per the Theme My Login plugin.

    Is there any way that I can fix this issue without removing Theme My Login?

  • How can I reset a renamed login back to wp-login.php?

