How to Obscure Your Site’s Login Page Without a Plugin

Last Updated on March 9, 2023 by 55 Comments

How to Obscure Your Site’s Login Page Without a Plugin
Blog / Resources / How to Obscure Your Site’s Login Page Without a Plugin

Want To Build Better WordPress Websites? Start Here! 👇

Take the first step towards a better website.

Get Started
Premade Layouts

Check Out These Related Posts

WordPress vs Medium (2024) — Where Should You Blog?

WordPress vs Medium (2024) — Where Should You Blog?

Updated on February 14, 2024 in Resources

If there is one question that goes back to the very beginning of blogging, it’s “what blogging platform should I use?” Everyone asks this question (to Google, most likely), and everyone gets bombarded with a thousand different answers. That’s primarily because there are so...

View Full Post
9 Non-Profit Child Themes for Divi

9 Non-Profit Child Themes for Divi

Updated on January 23, 2023 in Resources

There are lots of nonprofit organizations across the globe. Just about every one of them needs a well-designed website to tell their story and receive donations to help their causes. Divi is an excellent theme for nonprofits such as charities. Fortunately, you don’t have to start from scratch for...

View Full Post


  1. One thing that I noticed which still leave a vulnerability to the login page, when I have a new affiliate/client wanting to register as they hoover over the login button, the login address shows up. I’ve put certain restrictions before they get to this page so I’ve fixed that but again, when they log out, the login address is displayed. Is there anyway to hide those instances?

  2. I use WP Hide Login plugin and Wordfence. Now that WF premium offers active IP blocking that is updated every hour, I don’t get as many bots scanning my WP. All this and strong password enforcement has made my clients site nearly bomb proof. 🙂

  3. Hi,
    Thanks for such a great workout for most of the wordpress developers,
    i have a question, When hover over the user that is logged in, the logout link is not changed as we did in the file

  4. I have a question
    if I upgrade wordpress, does the file wp-admin appear again with the solution “Manually Create a New PHP Login File”?

  5. Long ago I learned that changing Admin to something different like boss52, or whatever, (can be done easily at time of WP page creation,) creates excellent protection with a good password too. You can display Admin to all via a setting for users to see, so nobody knows you’re using a different login name.

    I’ve never had a problem with upgrades messing with this method.

    • Can this be done after the fact, or does it have to be done when creating the site?

      • Once set, user names cannot be changed.

        • But, you can create a new user and assign everything from the old admin/username as you’re deleting it.

  6. Great post! I agree with your assessment that you should use a good plugin most of the time. However I want to emphasize: if you’re going to obscure your /wp-login, you need to change your /wp-admin to something obscure as well. Because if not logged in, /wp-admin will just redirect to the login page.

  7. Fantastic design the blog post.

  8. Please, please, please, never encourage people to change Core files! Never ever!

    Also, as you’ve pointed out, now when you try to login using, which is how most people login, you end up with a 404 Error because you’ve removed a core file.

    This is not the right way to do things.

  9. What about updates of WordPress adding wp-login.php again? Is that the case?

    • yes

  10. Hey Brenda,

    Great article there, as we know some WP hosting services like Flywheel, provides in-core firewall login attempts with efficient features protecting wp-admin and wp-login string.

    How surprising to see that ET doesn’t publish (not yet) an article about its fresh side-wide website redesign. Too many material design shadow everywhere (don’t get me wrong: I love material design principles 😉 ). The front and backend redesign is very good, simple and very fresh.

    So, I think it is time to re-brand the logotype that now appears totally disconnected into its new ecosystem. Maybe ET is working on it?… I suppose. I hope…


  11. One issue with the approach “Manually Create a New PHP Login File”: Logout from the Dashboard does not work anymore.

    Great looking new site but it does not seem to be made in WordPress 😉

    • You would need to login with the new .php file name you created. e.g you changed wp-login.php to yourname.php, to login you need to use to login.

      • I did, but clicking on username->logout in the top right corner of the Dashboard still goes to wp-login.php?action=logout which leads to a 404 error and logout does not happen.

        • Same problem for me, logout links to wp-login.php. I still haven’t found where is the logout string link, maybe it’s coded in a js file.

  12. I would like to share a piece of code for htaccess which has put to an end most of my headaches with rogue accesses:

    AuthUserFile /home/your_host_username/.htpasswds/.htpasswd
    AuthName “Private access”
    AuthType Basic
    require user CHANGE_USER_NAME

    You only need to add to .htpasswd some easy user/password (maybe from ) and you’re done.

    Apache will block ANY login attempt without even touching your WP (best performance ever :”) If you build sites to clients, just put something they will ease remember ( like your email???? )

    Seriously, for me it’s working like magic.

    Maybe not useful for sites with lots of (valid) user accesses.

  13. I use WPS Hide Login and have found it to be quite effective. I had one client website that was getting about 80,000 login attempts per hour. (And, yes, it slowed the server down considerably, occasionally making it impossible to load pages.) I already used Wordfence, which helped, but using a plugin to hide the login page changed everything.

    For awhile, the attempts to hit wp-login.php continued but after awhile the hackers seemed to learn that it wasn’t there (even though it really is, but is obscured).

  14. Amazing design! You the best!

  15. WP Cerber is an excellent plugin that among other things can customize your login address. It can block direct access to wp-login.php and return HTTP 404 Not Found Error. It also can immediately block a hacker’s access to all of your site after any request to wp-login.php

    Yes it’s free. I’m just a happy user.

  16. OK, you’ve left me confused. You show us how to change the login page through PHP, and then you tell us that using a plugin is better.

    Sorry, this is truly interesting, but your advice is very confusing.

  17. Nice article.

    But rounded buttons and drop shadows… 2006 called and they want their internet back!

  18. Thank you! Good to know this. What with plugins? Are they not less complicated to use? I mean plugins like Wordfence Security or iThemes Security. Maybe they are not so safe to use.
    Thanks in advance.

    • And ManageWP? Do we still need to do this?

  19. Great article Brenda! Thank you for the tips!

  20. Is your redesign done with Divi guys ? If yes, I really want to know how you achieve the Blog Part ?

  21. I use a plugin (I think it’s the one in the article) and while it works great in general I found a problem recently.
    If using a maintenance screen the maintenance plugin will override the login redirect. This means that when you log out, you can’t get back to the login page.
    Unless I’ve missed something really obvious.
    Anyone else had this experience or know how to solve it?

  22. Good points. But I have further concerns. I have tested wp-hide as well as login limit to avoid brute force. Attack. Thankfully login limit always help but WPS hide does not work for longer time. Some how the bots find my new hidden URL as well as admin user ID. So far I have not found solution for this. This difficulty I m facing on all WordPress installs. Any help would be appreciated.

  23. Digging the new website design, well over due 🙂
    As for the hidden login options above, I would like to add that there is a plugin I use on almost every website we build for clients, the plugin is called Shield as well as being able to change login URL, it is also a full security suite that in my opinion is one of the best.

    But even so its a fantastic tut.

  24. So much work when you can easily and simply do the same just by whitelisting your WordPress log-in to an IP address.

  25. I looked at the website’s code and saw that the style.css stylesheet is ver=4.0. Are we getting Divi 4.0 soon?

    • Whoa! I completely missed that – Nice find!

    • I looked at the code as well. The new main site isn’t WordPress from the looks of it so that style sheet isn’t a hint at Divi 4 anytime soon. It hasn’t been that long since Divi 3 dropped.

      • This website is WordPress. Just search through the code for “wp-content” and you’ll find it everywhere.

        • The blog is WP but not the main website at That’s what I was referring to.

  26. Hi,

    I actually don’t do any of that. I just protect the existing login page by only allowing it to be accessed by a single IP address. How? By adding the following to the .htaccess file

    # Protect wp-login.php

    order deny,allow
    Deny from all
    Allow from 77.777.777.777

    Ok, this is limited if multiple users require access etc … but if you do most of your development through one IP address like I do … then no one can access it unless they are in the same building 😉

    Excuse me if I’m missing something. Just wanted to share that alternative.

    Thanks Mark

    • This only works on a static IP address, something that nowadays is not so regular anymore…

    • I don’t have a static IP address so that solution is no good for me, but will be good for others.

    • Mark, that is the exact solution I have been using for several years. When I am on vacation etc and need to get in from a different IP address, it’s easy to modify the htaccess file to add an IP to the allowed IP’s. But this method blocks uninvited “guests” even before they can attempt to make an unauthorized “visit.”

      • Maybe I’m missing something or misunderstanding something, but if you use this method on a site where you have a blog that utilizes members/users who will need to be able to login to access content, like for a membership site, then you would effectively eliminate the possibility for any of them to login unless you whitelist all their IP addresses. That would defeat the purpose of a membership site, no?

        If you’re wanting to protect the login page, wouldn’t enabling Two-Factor Authentication be a much more secure method? I know that wouldn’t keep a bot from hitting the page, but it would practically eliminate the possibility of unauthorized logins from the page.

        • You are correct, this white list method is more complicated if you have many users logging-in, and you don’t know their IP addresses.

    • I agree with you, Mark, and wonder why this solution is so under rated. I posted an article that explain how to do this with multiple or revolving IP address.

    • Excuse me a coupe of lines have been excluded on publishing … maybe just google “Protect wp-login.php via htaccess” and the solution will be there

  27. Can I just rename the wp-login.php file?

    • I assume that you can. I prefer renaming myself, but be sure to backup first.

  28. Cool new design

  29. I have been doing this for a long time, the one little catch is that after each WordPress upgrade you will have a new we-login.php file that needs to be deleted.

  30. Love your new design! And this article of course 😉
    Thank you.

    • Brenda already has this beautiful design as i remember its still the same photo in her profile

  31. Unrelated to this blog post, but I must say… Wow! Your website redesign looks AMAZING!

    • I agree – Fantastic!

Leave A Reply

Comments are reviewed and must adhere to our comments policy.

Get Started With Divi