How to Obscure Your Site’s Login Page Without a Plugin

Posted on March 1, 2017 by in Resources | 55 comments


55 Comments

  1. Unrelated to this blog post, but I must say… Wow! Your website redesign looks AMAZING!

    • I agree – Fantastic!

  2. Love your new design! And this article of course 😉
    Thank you.

    • Brenda already has this beautiful design; as I remember, it’s still the same photo in her profile

  3. I have been doing this for a long time, the one little catch is that after each WordPress upgrade you will have a new wp-login.php file that needs to be deleted.

  4. Cool new design

    • I assume that you can. I prefer renaming myself, but be sure to back up first.

  5. Hi,

    I actually don’t do any of that. I just protect the existing login page by only allowing it to be accessed by a single IP address. How? By adding the following to the .htaccess file

    # Protect wp-login.php
    <Files wp-login.php>
    # Deny everyone except the single allowed IP address
    order deny,allow
    Deny from all
    Allow from 77.777.777.777
    </Files>

    Ok, this is limited if multiple users require access etc … but if you do most of your development through one IP address like I do … then no one can access it unless they are in the same building 😉

    Excuse me if I’m missing something. Just wanted to share that alternative.

    Thanks Mark

    • Excuse me, a couple of lines have been excluded on publishing … maybe just google “Protect wp-login.php via htaccess” and the solution will be there

    • I agree with you, Mark, and wonder why this solution is so underrated. I posted an article that explains how to do this with multiple or revolving IP addresses.

    • Mark, that is the exact solution I have been using for several years. When I am on vacation etc. and need to get in from a different IP address, it’s easy to modify the htaccess file to add an IP to the allowed IPs. But this method blocks uninvited “guests” even before they can attempt to make an unauthorized “visit.”

      • Maybe I’m missing something or misunderstanding something, but if you use this method on a site where you have a blog that utilizes members/users who will need to be able to login to access content, like for a membership site, then you would effectively eliminate the possibility for any of them to login unless you whitelist all their IP addresses. That would defeat the purpose of a membership site, no?

        If you’re wanting to protect the login page, wouldn’t enabling Two-Factor Authentication be a much more secure method? I know that wouldn’t keep a bot from hitting the page, but it would practically eliminate the possibility of unauthorized logins from the page.

        • You are correct, this white list method is more complicated if you have many users logging-in, and you don’t know their IP addresses.

    • I don’t have a static IP address so that solution is no good for me, but will be good for others.

    • This only works on a static IP address, something that nowadays is not so regular anymore…

  6. I looked at the website’s code and saw that the style.css stylesheet is ver=4.0. Are we getting Divi 4.0 soon?

    • I looked at the code as well. The new main site isn’t WordPress from the looks of it so that style sheet isn’t a hint at Divi 4 anytime soon. It hasn’t been that long since Divi 3 dropped.

      • This website is WordPress. Just search through the code for “wp-content” and you’ll find it everywhere.

        • The blog is WP but not the main website at eleganthemes.com. That’s what I was referring to.

    • Whoa! I completely missed that – Nice find!

  7. So much work when you can easily and simply do the same just by whitelisting your WordPress log-in to an IP address.

  8. Digging the new website design, well overdue 🙂
    As for the hidden login options above, I would like to add that there is a plugin I use on almost every website we build for clients. The plugin is called Shield. As well as being able to change the login URL, it is also a full security suite that in my opinion is one of the best.

    But even so it’s a fantastic tut.

  9. Good points. But I have further concerns. I have tested wp-hide as well as login limit to avoid brute force attacks. Thankfully login limit always helps, but WPS hide does not work for a longer time. Somehow the bots find my new hidden URL as well as the admin user ID. So far I have not found a solution for this. I’m facing this difficulty on all WordPress installs. Any help would be appreciated.

  10. I use a plugin (I think it’s the one in the article) and while it works great in general I found a problem recently.
    If using a maintenance screen the maintenance plugin will override the login redirect. This means that when you log out, you can’t get back to the login page.
    Unless I’ve missed something really obvious.
    Anyone else had this experience or know how to solve it?

  11. Is your redesign done with Divi, guys? If yes, I really want to know how you achieved the Blog part.

  12. Great article Brenda! Thank you for the tips!

  13. Thank you! Good to know this. What with plugins? Are they not less complicated to use? I mean plugins like Wordfence Security or iThemes Security. Maybe they are not so safe to use.
    Thanks in advance.

    • And ManageWP? Do we still need to do this?

  14. Nice article.

    But rounded buttons and drop shadows… 2006 called and they want their internet back!

  15. OK, you’ve left me confused. You show us how to change the login page through PHP, and then you tell us that using a plugin is better.

    Sorry, this is truly interesting, but your advice is very confusing.

  16. WP Cerber is an excellent plugin that among other things can customize your login address. It can block direct access to wp-login.php and return HTTP 404 Not Found Error. It also can immediately block a hacker’s access to all of your site after any request to wp-login.php

    Yes it’s free. I’m just a happy user.

  17. Amazing design! You the best!

  18. I use WPS Hide Login and have found it to be quite effective. I had one client website that was getting about 80,000 login attempts per hour. (And, yes, it slowed the server down considerably, occasionally making it impossible to load pages.) I already used Wordfence, which helped, but using a plugin to hide the login page changed everything.

    For awhile, the attempts to hit wp-login.php continued but after awhile the hackers seemed to learn that it wasn’t there (even though it really is, but is obscured).

  19. I would like to share a piece of code for htaccess which has put to an end most of my headaches with rogue accesses:

    AuthUserFile /home/your_host_username/.htpasswds/.htpasswd
    AuthName "Private access"
    AuthType Basic
    require user CHANGE_USER_NAME

    You only need to add to .htpasswd some easy user/password (maybe from http://www.htaccesstools.com/htpasswd-generator/ ) and you’re done.

    Apache will block ANY login attempt without even touching your WP (best performance ever :”) If you build sites for clients, just put something they will easily remember (like your email????)

    Seriously, for me it’s working like magic.

    Maybe not useful for sites with lots of (valid) user accesses.
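
Added example (not from the post or from any commenter): the IP allow-list from comment 5 and the Basic auth from comment 19 combined in Apache 2.4 syntax, so a listed address goes straight through and any other address must pass the password prompt before WordPress is reached. The IP addresses are documentation-range placeholders, the AuthUserFile path is the placeholder from comment 19, and the host is assumed to permit these directives in .htaccess (AllowOverride AuthConfig).

```apache
# .htaccess in the WordPress root (Apache 2.4 with mod_authz_core and mod_auth_basic)
# In 2.4 the older "Order / Deny / Allow" directives are deprecated and only
# work through mod_access_compat; "Require" is the current form.

<Files "wp-login.php">
    # Basic auth settings, used only when the client IP is not allow-listed
    AuthType Basic
    AuthName "Private access"
    # Placeholder path: keep the password file outside the web root
    AuthUserFile /home/your_host_username/.htpasswds/.htpasswd

    # Access is granted if ANY one of the conditions below is met
    <RequireAny>
        # Placeholder addresses: one fixed office IP and one CIDR range
        Require ip 203.0.113.10 198.51.100.0/24
        # Everyone else needs a valid entry from the .htpasswd file
        Require valid-user
    </RequireAny>
</Files>

# Keep the password file itself unreadable over HTTP if it ever ends up
# inside the web root
<Files ".htpasswd">
    Require all denied
</Files>
```

Basic auth sends credentials base64-encoded rather than encrypted, so this belongs on an HTTPS-only site. As the replies to comment 5 point out, neither layer suits a membership site where arbitrary users must reach the login form.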

  20. One issue with the approach “Manually Create a New PHP Login File”: Logout from the Dashboard does not work anymore.

    Great looking new site but it does not seem to be made in WordPress 😉

      • I did, but clicking on username->logout in the top right corner of the Dashboard still goes to wp-login.php?action=logout which leads to a 404 error and logout does not happen.

        • Same problem for me, logout links to wp-login.php. I still haven’t found where is the logout string link, maybe it’s coded in a js file.

  21. Hey Brenda,

    Great article there. As we know, some WP hosting services, like Flywheel, provide in-core firewall login attempts with efficient features protecting wp-admin and wp-login string.

    How surprising to see that ET doesn’t publish (not yet) an article about its fresh site-wide website redesign. Too many material design shadows everywhere (don’t get me wrong: I love material design principles 😉 ). The front and backend redesign is very good, simple and very fresh.

    So, I think it is time to re-brand the logotype that now appears totally disconnected into its new ecosystem. Maybe ET is working on it?… I suppose. I hope…

    Cheers!

  22. What about updates of WordPress adding wp-login.php again? Is that the case?

  23. Please, please, please, never encourage people to change Core files! Never ever!

    Also, as you’ve pointed out, now when you try to login using yoursitename.com/wp-admin, which is how most people login, you end up with a 404 Error because you’ve removed a core file.

    This is not the right way to do things.

  24. Great post! I agree with your assessment that you should use a good plugin most of the time. However I want to emphasize: if you’re going to obscure your /wp-login, you need to change your /wp-admin to something obscure as well. Because if not logged in, /wp-admin will just redirect to the login page.

  25. Long ago I learned that changing Admin to something different like boss52, or whatever, (can be done easily at time of WP page creation,) creates excellent protection with a good password too. You can display Admin to all via a setting for users to see, so nobody knows you’re using a different login name.

    I’ve never had a problem with upgrades messing with this method.

        • But, you can create a new user and assign everything from the old admin/username as you’re deleting it.

  26. I have a question
    If I upgrade WordPress, does the file wp-admin appear again with the solution “Manually Create a New PHP Login File”?

  27. Hi,
    Thanks for such a great workout for most of the WordPress developers.
    I have a question: when hovering over the user that is logged in, the logout link is not changed as we did in the file.

  28. I use WP Hide Login plugin and Wordfence. Now that WF premium offers active IP blocking that is updated every hour, I don’t get as many bots scanning my WP. All this and strong password enforcement has made my clients site nearly bomb proof. 🙂

  29. One thing that I noticed which still leaves a vulnerability to the login page: when I have a new affiliate/client wanting to register, as they hover over the login button, the login address shows up. I’ve put certain restrictions before they get to this page so I’ve fixed that, but again, when they log out, the login address is displayed. Is there any way to hide those instances?

  30. WPS Hide Login doesn’t work effectively…

    Read the ‘1 star’ negative reviews for the plugin.

    Type in

    http://www.mywordpresssite.com/wp-register.php

    and voila – the supposedly hidden Admin folder is revealed!
