How to Create a Custom WordPress Login URL

Last Updated on December 22, 2022 by 35 Comments

Editorial Note: We may earn a commission when you visit links on our website.
How to Create a Custom WordPress Login URL
Blog / Tips & Tricks / How to Create a Custom WordPress Login URL
Play Button
Divi

Want To Build Better WordPress Websites? Start Here! 👇

Take the first step towards a better website.

Get Started
Divi
Premade Layouts

Check Out These Related Posts

Splice Video Editor: An Overview and Review

Splice Video Editor: An Overview and Review

Updated on March 10, 2023 in Tips & Tricks

Video is a valuable form of content for social media. Unfortunately, creating quality videos is usually a long process that involves moving mobile footage to a desktop app for editing. However, mobile editing is on the rise. Apps such as Splice Video Editor make it possible to efficiently create...

View Full Post
How to Use Font Awesome On Your WordPress Website

How to Use Font Awesome On Your WordPress Website

Updated on September 16, 2022 in Tips & Tricks

When given the choice between using a vector icon or a static image, it’s a good idea to go with the vector. They’re small and fast to load, and they can scale to any size without a loss of resolution. Font Awesome is a superb library of vector icons that you can use on your websites,...

View Full Post

35 Comments

  1. I’m still new on PHP and I know I’m gonna hate myself for asking this…when I read up on creating a login page on the WordPress codex it said

    Set the ID name for the form: id=”loginform-custom”.
    Is this verbatim or does this mean form: id=”loginform-mynewloginpage”.

  2. Hello,

    I was looking for this kind of something and finally got this article. actually, I have installed Sucuri on WordPress website so when anyone tries to attempt to log in I get an email. So this plugin is very helpful to be safe from login attempt.

    Thank you so much for sharing this great info with us.

  3. The correct article. It is very important to protect the login page in the admin panel. It is also recommended to install additional authentication to access the login page.

  4. nice blog thanks for sharing…

  5. Security through obscurity is not worth the time.

  6. I used the plugin on all my sites until I switched to iThemes security, which has this functionality as an option. I went from getting tons of attempted brute force attacks to zero on all sites. I realize that this is only one small part of the security plan, but it stops that element.

    When the plugin goes haywire and you can’t get into your site, simply FTP into your file structure and temporarily rename the plugin. Then you can log in using /wp-admin again while you fix it.

    If you use wp remote for site maintenance, you won’t be able to get into your site by using their “admin” link, which will only take you to the /wp-admin login location – which of course is disabled.

    • I need to do just that! …and, when logged in to my host via ftp, the plugin does NOT appear to be in the “plugin” directory. Is there somewhere else that I should be looking?

  7. So, did this a while ago and everything was fine.
    However, today I tried to log into my site after a long period of neglect, and discovered I had forgotten my password.
    Clicked the “lost your password?” link and WP sent me an email with a link to reset my password.
    Problem is that link goes to the wp-admin page, so I just get redirected to the main page of my blog.

    • This is why everyone should use LastPass

  8. I installed the WPS Hide Login plugin tonight on one of my sites to give it a whirl. Ready for this….within 15 minutes after installing and making my custom login URL I receive a notice in my email from my sucuri security that I had a failed login attempt. How would that even be possible?

    On my other sites the hackers go right around my htpsswd and htaccess files. I have no idea how they manage that as well.

    Any thoughts???

    • I had the same problem when I first installed it. I found out that if you keep their suggested name of “login”, the hackers can still easily find it by just using the term “login” in a site’s search box.

      I use something completely different for the new page name and don’t get any more Wordfence warnings about bad logins. That’s not saying that the hackers aren’t trying to hit my site, it’s just that it’s more work now to find the login so probably not worth the effort.

    • When I first used this plugin, I found out that if you keep the default “login” as the new name, all the hackers have to do is search your site for the word “login” and it will show up in the search results.

      So I now change the new login page name to something that doesn’t contain the word “login” or even “signin”.

      It has cut down the daily login hack attempts on all my sites to zero. Well, they may still be attempting, but they aren’t finding the page so the actual login attempts have stopped.

      Hope that helps.

      BTW, for anyone that’s interested, I also use MainWP for my website manager and everything still works.

  9. I love the idea of increased security by simple means, thanks for the great post. I opted to use the WP Hide Login plugin and had it setup in 30 seconds. When I logged out and tried to log back in I found myself unable to get to the login page because I was also using the ET Anticipate plugin. I thought about it for a few seconds and then logged into the server via SSH, downloaded the anticipate-maintenance-plugin.php file and added my new login page to the var $_exception_urls = array on line 18. Once I uploaded the updated php file and refreshed the login page everything worked as it should. So…

    If you are using the ET Anticipate plugin and want to use the WP Hide Login plugin do this –
    1. Remote login to your server via SSH
    2. Navigate through the following folders to download the php file:
    www >> html >> wp-content >> plugins >> Anticipate >> anticipate-maintenance-plugin.php
    (Your server may have a slightly different hierarchy, but the wp-content and forward should be the same)
    3. Open the php file locally in your editor of choice and add your new custom login page to line 18, it should look something like this:

    var $_exception_urls = array( ‘wp-login.php’, ‘yournewloginpage/’,’async-upload.php’, …

    you need to add the ‘yournewloginpage/’ to say whatever your chosen login page really is

    4. Save and upload the updated php file back to your server (replace the old file).
    5. Refresh your browser on your new login url and it should work for you.

    Maybe my example is a bit obvious, but I know a lot of people don’t have a clue where to find files on their server or how/where to update the code…like me.

  10. I used to do this for all the sites I created but I don’t anymore. It should be said that in regards to security changing your login URL really just creates a minor inconvenience for an amateur hacker. However, I guess every bit helps. Just realize that there’s a lot more to protecting your WordPress site.

  11. Hello,

    I just tried WPS Hide Login, but while ‘ET Anticipate’ maintenance page was turned on, it did not let me access the new login URL.

    I assume that somehow maintenance plugin’s htaccess doesn’t consider the new URL to be accessible.

    Any way to fix that?

    • Hi Thomas, check out alglOseL’s comment above ☝️he provides an answer for you.

  12. Hi,
    I’m using iThemes Security Lite plugin.It’s a very useful plugin for wordpress user.i just love it.before installing any plugin we should backup our database first.i will try other plugin asap! thanks for your useful post

  13. “it’s somewhat surprising that WordPress doesn’t give users the option to create a custom login URL, don’t you think?”

    Yes!

    Would using WPS-hide-login and Wordfence plugins together work like this…
    Make a custom login address with WPS and then set the wp-admin address in Wordfence to block any IPs that access that ‘old’ address?.

    and Happy New Years 🙂

  14. A few nitpicks in this article:

    > From #1: When you change your login URL, you are making the bad guys work significantly harder.

    Significantly harder? A determined hacker will probably find your login page but most drive-by script kiddies usually won’t put up the effort. If you block all IP Addresses except ones you login at and return a 404 instead, that works well. And it requires no other plugins.

    If you use nginx, you can also slow the attacks down as well by rate limiting how often someone can hit the login. If someone can only login 4 times per minute (say once every 15 seconds which is perfectly reasonable), that’ll reduce your server resources too.

    > From #2: Hides WordPress Vulnerabilities
    This is just plain misinformation. WP’s default folder structure easily gives it away (wp-content, etc), as does pinging for common WP files, like wp-blog-header.php, xmlrpc.php, etc. Even if you change all that, make sure you use some code to block user enumeration since that’s what a lot of attacks start with too.

    It’s unfortunate that the WP core developers are vehemently against basic security features like being able to change the default admin entry point or limiting login attempts. These features will never be in core.

    They see the former as security by obscurity (not true, it’s obfuscation) and the latter as being useless against DOS attempts (only half true IMO, since DDOS really needs to be mitigated on the hardware/network level—it’s the script kiddies that jam up your resources are what bug me).

    WP security is almost an oxymoron; I do most of my work in other CMS like Craft which have these features built in. But I do host a few other clients on WP yet and these are these are a few things I’ve found to help.

    • “If you block all IP Addresses except ones you login at and return a 404 instead, that works well. And it requires no other plugins.”

      What is the best method to do this? I am using one htaccess whitelist method but I have noticed there are other similar ways.

  15. I prefer adding a .htaccess password to the wp-admin folder and then install the Limit Login Attempts to block brute force attacks 😉

  16. Great resource. You can also hide the login area using htaccess and some rules. Once done, the login path will require a key to be displayed.

  17. whenever somebody tries to login with username and passwords whatsoever, the database is read and returns success or “wrong credentials”
    this will also happen when the login-URL is changed and some bad guys find that new URL

    I had a lot of hacking attempts where the server went down because of database overload and in my mind, the best way to protect is to protect with .htpsswd, by that the access is denied before database is called

    any thoughts on this?

    • That is exactly what I did on 4 of my sites ConnieM. I set an .htpsswd on the login page through my .htaccess file. It worked for about 4-5 months and then I started getting attempted login notices again in my email from sucuri. The bad guys have managed to go right around it somehow which I cannot figure out. There is no way they could guess the username and password of the login so they must have found a loop. I would like to know how the hackers do this?

  18. Why link to plugins that hasn’t been updated for two years?

    HC Custom WP-admin URL, is only compatible up to WordPress 3.7.11.

    Using old plugins is not safe.

  19. Hi Shaun, I’ve been looking for something exactly like this, so thanks. I have a question though. I’m not smart with this sort of thing, so you lose me where you say–for WPS Hide login:

    ‘But when I try to visit my chosen login URL, I see the familiar old login screen. And that took, how long to configure? All of 30 seconds?’

    My question is: how do I find my chosen URL login page? I’ve tried typing it into the search box but I get the Page not found message. I have no idea how else to find it.

    Consequently I’ve deactivated the plug.

    • Disregard this query as I discovered it pretty quickly. Again, thank you for this information. I joined WordPress a couple of months ago and have been harassed with dozens of false login attempts a day. It’s early days, but since activating WPS hide login 24 hours ago I haven’t had one.

  20. Hello everyone,

    I’m trying to redirect the wp-login.php to a custom URL using the 301 redirect via htaaccess. The redirection works however now my custom login URL is also being redirected. Does anyone know why this happens?

    I’m doing this because I have kiddie hackers trying to access wp-login.php all the time, and I want to troll them by redirecting them to another site.

  21. Fix the first mention: wp-admin.php to wp-admin

    /wp-admin/ will redirect to wp-login.php when not logged in. This will turn into a 404 error if using an htaccess hide login method like the one used by iThemes’. Which, unless it’s cached by a cache plugin, will also consume bandwidth.

  22. Is there a way to change the login URL without a plugin?

    • Yes, and I am surprised it wasn’t mentioned. All you have to do is to rename “wp-login.php” to whatever you want. A few caveats though…you will need to enter in the “.php” at the end unless you make some changes to your htaccess file. You would also need to fix the redirect in wp-admin if you still wanted to use that. That is a bit more complicated though.

      For various reasons, I would recommend just using the plugin mentioned in the article.

    • I would like to know that also…basically manually. I am trying to set up my own guide on WP installs and best practices out of the box and this I would like to have part of it…plus it eliminates another plugin I have to keep up to speed with.

  23. Is there any downsides to doing this? Will it break with a WordPress upgrade?

    • Hi Seth! I am using this trick in most of my sites for a while now and never had an issue. It certainly does not change WordPress behaviour in any way.

      Happy 2016!

Leave A Reply

Comments are reviewed and must adhere to our comments policy.

Get Started With Divi