Elegant Themes Blog


  1. Are there any downsides to doing this? Will it break with a WordPress upgrade?

    • Hi Seth! I am using this trick in most of my sites for a while now and never had an issue. It certainly does not change WordPress behaviour in any way.

      Happy 2016!

  2. Is there a way to change the login URL without a plugin?

    • I would like to know that also…basically manually. I am trying to set up my own guide on WP installs and best practices out of the box and this I would like to have part of it…plus it eliminates another plugin I have to keep up to speed with.

    • Yes, and I am surprised it wasn’t mentioned. All you have to do is to rename “wp-login.php” to whatever you want. A few caveats though…you will need to enter in the “.php” at the end unless you make some changes to your htaccess file. You would also need to fix the redirect in wp-admin if you still wanted to use that. That is a bit more complicated though.

      For various reasons, I would recommend just using the plugin mentioned in the article.

  3. Fix the first mention: wp-admin.php to wp-admin

    /wp-admin/ will redirect to wp-login.php when not logged in. This will turn into a 404 error if using an htaccess hide login method like the one used by iThemes’. Which, unless it’s cached by a cache plugin, will also consume bandwidth.

  4. Hello everyone,

    I’m trying to redirect the wp-login.php to a custom URL using the 301 redirect via htaccess. The redirection works; however, now my custom login URL is also being redirected. Does anyone know why this happens?

    I’m doing this because I have kiddie hackers trying to access wp-login.php all the time, and I want to troll them by redirecting them to another site.

  5. Hi Shaun, I’ve been looking for something exactly like this, so thanks. I have a question though. I’m not smart with this sort of thing, so you lose me where you say–for WPS Hide login:

    ‘But when I try to visit my chosen login URL, I see the familiar old login screen. And that took, how long to configure? All of 30 seconds?’

    My question is: how do I find my chosen URL login page? I’ve tried typing it into the search box but I get the Page not found message. I have no idea how else to find it.

    Consequently I’ve deactivated the plug.

    • Disregard this query as I discovered it pretty quickly. Again, thank you for this information. I joined WordPress a couple of months ago and have been harassed with dozens of false login attempts a day. It’s early days, but since activating WPS hide login 24 hours ago I haven’t had one.

  6. Why link to plugins that haven’t been updated for two years?

    HC Custom WP-admin URL is only compatible up to WordPress 3.7.11.

    Using old plugins is not safe.

  7. Whenever somebody tries to log in with username and passwords whatsoever, the database is read and returns success or “wrong credentials”.
    This will also happen when the login URL is changed and some bad guys find that new URL.

    I had a lot of hacking attempts where the server went down because of database overload, and in my mind the best way to protect is to protect with .htpasswd; by that, the access is denied before the database is called.

    Any thoughts on this?

    • That is exactly what I did on 4 of my sites, ConnieM. I set an .htpasswd on the login page through my .htaccess file. It worked for about 4-5 months and then I started getting attempted login notices again in my email from Sucuri. The bad guys have managed to go right around it somehow, which I cannot figure out. There is no way they could guess the username and password of the login so they must have found a loop. I would like to know how the hackers do this?

  8. Great resource. You can also hide the login area using htaccess and some rules. Once done, the login path will require a key to be displayed.

  9. I prefer adding a .htaccess password to the wp-admin folder and then install the Limit Login Attempts to block brute force attacks 😉

  10. A few nitpicks in this article:

    > From #1: When you change your login URL, you are making the bad guys work significantly harder.

    Significantly harder? A determined hacker will probably find your login page but most drive-by script kiddies usually won’t put up the effort. If you block all IP Addresses except ones you login at and return a 404 instead, that works well. And it requires no other plugins.

    If you use nginx, you can also slow the attacks down as well by rate limiting how often someone can hit the login. If someone can only login 4 times per minute (say once every 15 seconds which is perfectly reasonable), that’ll reduce your server resources too.

    > From #2: Hides WordPress Vulnerabilities
    This is just plain misinformation. WP’s default folder structure easily gives it away (wp-content, etc), as does pinging for common WP files, like wp-blog-header.php, xmlrpc.php, etc. Even if you change all that, make sure you use some code to block user enumeration since that’s what a lot of attacks start with too.

    It’s unfortunate that the WP core developers are vehemently against basic security features like being able to change the default admin entry point or limiting login attempts. These features will never be in core.

    They see the former as security by obscurity (not true, it’s obfuscation) and the latter as being useless against DOS attempts (only half true IMO, since DDOS really needs to be mitigated on the hardware/network level—it’s the script kiddies that jam up your resources that bug me).

    WP security is almost an oxymoron; I do most of my work in other CMS like Craft which have these features built in. But I do host a few other clients on WP yet and these are a few things I’ve found to help.

    • “If you block all IP Addresses except ones you login at and return a 404 instead, that works well. And it requires no other plugins.”

      What is the best method to do this? I am using one htaccess whitelist method but I have noticed there are other similar ways.
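The allowlist-with-404 and nginx rate-limit ideas from comment 10, combined in one sketch. This is an added example, not configuration from the article or from any commenter; the server name, document root, PHP-FPM socket path, zone name and the 203.0.113.10 address are placeholder assumptions.

```nginx
# Goes in the http {} context: one shared-memory zone keyed by client address.
# rate=4r/m means one request every 15 seconds per address.
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=4r/m;

server {
    listen 80;
    server_name example.test;            # placeholder
    root /var/www/html;                  # assumed document root
    index index.php;

    # Exact-match location so only the login script is affected.
    location = /wp-login.php {
        # Allowlist: only the addresses you log in from reach PHP at all.
        allow 203.0.113.10;              # documentation address, replace with yours
        deny  all;

        # Denied clients get a 404 instead of nginx's default 403,
        # so the response looks like a missing file.
        error_page 403 =404 /404.html;

        # Throttle whatever is allowed through. limit_req is evaluated
        # before allow/deny, so a flooding client sees 429 first.
        limit_req zone=wplogin burst=2 nodelay;
        limit_req_status 429;

        # Hand the request to PHP only after the checks above pass,
        # which is what keeps rejected attempts away from the database.
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    # Target of the error_page redirect; not reachable directly.
    location = /404.html {
        internal;
    }
}
```

Check the syntax with `nginx -t` before reloading, and confirm from a non-allowlisted address that `/wp-login.php` returns 404.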

  11. “it’s somewhat surprising that WordPress doesn’t give users the option to create a custom login URL, don’t you think?”


    Would using WPS-hide-login and Wordfence plugins together work like this…
    Make a custom login address with WPS and then set the wp-admin address in Wordfence to block any IPs that access that ‘old’ address?

    and Happy New Years 🙂

  12. Hi,
    I’m using iThemes Security Lite plugin. It’s a very useful plugin for WordPress users. I just love it. Before installing any plugin we should back up our database first. I will try other plugins asap! Thanks for your useful post.

  13. Hello,

    I just tried WPS Hide Login, but while ‘ET Anticipate’ maintenance page was turned on, it did not let me access the new login URL.

    I assume that somehow maintenance plugin’s htaccess doesn’t consider the new URL to be accessible.

    Any way to fix that?

  14. I used to do this for all the sites I created but I don’t anymore. It should be said that in regards to security changing your login URL really just creates a minor inconvenience for an amateur hacker. However, I guess every bit helps. Just realize that there’s a lot more to protecting your WordPress site.

  15. I love the idea of increased security by simple means, thanks for the great post. I opted to use the WP Hide Login plugin and had it setup in 30 seconds. When I logged out and tried to log back in I found myself unable to get to the login page because I was also using the ET Anticipate plugin. I thought about it for a few seconds and then logged into the server via SSH, downloaded the anticipate-maintenance-plugin.php file and added my new login page to the var $_exception_urls = array on line 18. Once I uploaded the updated php file and refreshed the login page everything worked as it should. So…

    If you are using the ET Anticipate plugin and want to use the WP Hide Login plugin do this –
    1. Remote login to your server via SSH
    2. Navigate through the following folders to download the php file:
    www >> html >> wp-content >> plugins >> Anticipate >> anticipate-maintenance-plugin.php
    (Your server may have a slightly different hierarchy, but the wp-content and forward should be the same)
    3. Open the php file locally in your editor of choice and add your new custom login page to line 18, it should look something like this:

    var $_exception_urls = array( 'wp-login.php', 'yournewloginpage/', 'async-upload.php', …

    you need to add the ‘yournewloginpage/’ to say whatever your chosen login page really is

    4. Save and upload the updated php file back to your server (replace the old file).
    5. Refresh your browser on your new login url and it should work for you.

    Maybe my example is a bit obvious, but I know a lot of people don’t have a clue where to find files on their server or how/where to update the code…like me.

  16. I installed the WPS Hide Login plugin tonight on one of my sites to give it a whirl. Ready for this… within 15 minutes after installing and making my custom login URL I received a notice in my email from my Sucuri security that I had a failed login attempt. How would that even be possible?

    On my other sites the hackers go right around my htpasswd and htaccess files. I have no idea how they manage that as well.

    Any thoughts???

  17. So, did this a while ago and everything was fine.
    However, today I tried to log into my site after a long period of neglect, and discovered I had forgotten my password.
    Clicked the “lost your password?” link and WP sent me an email with a link to reset my password.
    Problem is that link goes to the wp-admin page, so I just get redirected to the main page of my blog.
