Every website’s owner knows our website’s security is our first priority with no doubt. That’s why you want to use the best web hosting services, all of which safeguard your data using the highest technology standards. There are plenty of security advice we should definitely follow including that you should probably change your wp-admin URL
Let me explain Why and How.
Why Use Custom Login URL in WordPress
As you know WordPress default login URL is /wp-login.php or you can just type in /wp-admin/ and it’ll redirect you there before logging. And It’s no secret that the default login page can be found by going to wp-admin, or wp-login.php.
Now maybe your thinking Should I care? Yes! you should and let me explain why!
What a hacker needs to steal your site? Username and password, Right?
But before entering this field they will need to know where is a login form. And as you know that WordPress default login is the same as every site. Also, it’s pretty easy to tell if any given website is a WordPress website. You can look at the page’s source and see things like /wp-content/themes/function.php or /wp-content/plugins/…, etc. Once I know your site is a WP site, Now I know your login URL is /wp-login.php.
And about Username, WordPress creates an “admin” username by default. Now she or he has your login URL and possibly your login username (admin). Now it’s a matter of guessing your password.
So Guessing a password is not an easy job. Still, assuming they keep trying and keep doing, possibly taking down your site by many HTTP requests. Or she or he could try brute force attack on your website to guess your password.
So brute force attack is performed by a software bot to trying 10000 passwords in 1 second and now maybe it’s easy for an attacker to guess your ideal password.
Now you definitely know that an easy and painless job (changing login URL WordPress) can save your investment.
How to Change WordPress Login URL without any plugin
Before teaching you how to change your WordPress login URL, we first have to take about a tool that will allow you to make any changes carefree. So, WP Reset is something you should have by your side before making any major changes or updates.
Furthermore, this tool is crucial because it provides you with tools and supplies that will allow you to revert your changes and solve any possible mistakes. Firstly, WP Reset gives you the option of taking snapshots. Snapshots are images that you will capture before altering your website, and if things don’t go as planned, you will be able to restore your website from the snapshot. It’s like going back in time without any repercussions. Neat, right?
Secondly, WP Reset provides you with several cleaning tools that you can use to remove unnecessary data or faulty plugins, all with one click. Speaking of, you can even install all your plugins with just a click, and create different collections with your favorite plugins. Also, you can store all your collections and snapshots to the cloud.
Finally, if you really mess up, there is the Nuclear Reset option, which leaves you with a squeaky clean website, ready to be worked on.
Changing the WordPress Login URL without a plugin is very easy and handy and I would personally recommend it.
First of all, To be safe than sorry take a backup of wp-login.php and store in a safe place just in case of any wrong step.
All you need is access to your site’s files and should have a text editor (I’m using Notepad++). Now choose your ideal login UR, for example, /newlogin.php
Go to your public_html directory where you can find wp-login.php. You can open it using FTP client software or File Manager in your cPanel.
Once you find, Name this file whatever you want your login URL to be. In this case, I named it newlogin.php.
Next, open up the newlogin.php and find and replace every instance of “wp-login.php” in the file – then replace it with your new file name as newlogin.php
If everything’s looks perfect then click on Replace All. And at the bottom of the text editor, you’ll see Replace All: 12 occurrences were replaced.
Now you should be able to log in by navigating to your new URL. In my case, it’s localhost/wp/newlogin.php. If any HTTP requests to the /wp-login.php, or /wp-admin directories will lead visitors to a 404 not-found page.
By mistake, if something goes wrong, you don’t have to worry you still have a backup file. Just restored the file in the root directory and everything will be the same as before.
This is an article about changing WordPress URL login to custom login without any plugin. If you still facing a problem, please comment below. I’ll demonstrate.
Just in case you have trouble with your URL redirecting, check out WP 301 Redirects, a plugin that will help you redirect your links to actual, working pages. Your visitors will never be hit with the dreaded 404 page. This plugin will scan and verify every link to assure they are leading to whatever you want it to.
Also, it will provide you with in-depth charts that will give you all the information you may need regarding your links. Finally, WP 301 Redirects ignores all bad traffic and focuses on actual visitors.
Method 2: Protect wp-login.php With a Cookie and .htaccess
Try this technique If you don’t like above one
Update: Recently I found a new technique that does the same job but in a better way.
What’s our main motive? To hide our login page, right? So without changing your login page as wp-login.php, you can still fool attackers.
One of my clients asks that this’s possible and I was curious about this. So I search for little, create many threads on many forums, and finally I got my client question’s answer.
Assume, random people trying to access login page just by going wp-login.php and he gets Forbidden page. But in your case, you can still log in from wp-login.php to your site.
Follow the below steps to figure out how:
To try this technique, you will have to do 2 steps.
Step 1: Put this code to your .htaccess file
<IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteCond %{HTTP_COOKIE} !^.*wp\-connex=2917998723.*$ [NC] RewriteRule wp-login.php - [F] </IfModule>
Of course, you’re thinking that’s safe or not. But I’m telling you this is completely safe and I’m using this on my client sites too.
Let me explain the code. On the 4th line, you have to choose the login page name. I set to wp-connex (You can rename it).
Now, what this code will do? This is a little tricky still I’ll try to explain. As you can see on the 4th line we set HTTP_COOKIE to cache a cookie who knows real login page.
In simple words, If a guy goes to wp-login.php or wp-admin, he’ll get a Forbidden error because we set the cookie to access this file or directory. So he needs to first log into the area that sets the cookie before the actual login page. And we set the cookies to wp-connex.php.
Step 2: Create a new login page for cookie
Once you are done with .htaccess, you have to create a file that we had set cookie. We named it wp-connex.php, you can name whatever you want but don’t forget to change in the code too.
To create a file: Take a new page in notepad, paste this code and save it as wp-connex.php
<?php setcookie("wp-connex", 2917998723); header("Location: wp-login.php");
That’s it. We need these two files as .htaccess is already been on a server so you just need to edit, no need to create a new .htaccess file.
Now login to your server by FTP software or Cpanel to upload these files in the root directory.
From now on, people need to first go to yourdomain/wp-connex.php to access wp-login.php.
Method 3: Change your WordPress login page URL using a plugin
I’ve not intended to mention the plugin method but some of you are new to WordPress and want to change the wp-admin URL using a plugin.
Just a reminder, these plugins won’t prevent hacking completely. However, you can use WordPress security plugins to add an extra layer of security for your site.
To change the WordPress login URL, I recommend to use Easy Hide Login:
- Easy way to hide wp-login.php
- No need to rename wp-login.php or change files in core
- Lightweight plugin
If you want to change the wp-admin URL without touching wp core files, you definitely use this plugin (It’s better than WPS Hide Login for me). Also, It doesn’t literally rename wp-login.php or change files in core
And this plugin gets the job done easily and quickly. What’s more, it has 20,000+ Active Installations with 4.5 ratings and updated regularly.
So let’s see how we gonna use this plugin but before that make sure you have a backup of your site. Once you have done that install and activate the plugin.
Once you did, navigate to Settings > Easy Hide Login in your WordPress dashboard. On the next screen, you’ll get this…
Once you get there, you need to put slug text (In my case it’s mylogin) in the field and hit the submit button. What will happen that your actual login page will be shown 404 error and your new login page will /?mylogin
For example: If I need to log in, I’ll go to https://www.mediumtalk.net/?mylogin and you’ll be redirected to your actual login page as wp-login.php.
From now on, you’ll be able to use this address to log into your site. If for some reason you ever want to reverse this process, just empty slug test and hit submit or deactivate WPS Hide Login, and the URL will return to normal.
Hai.
your tutorial works fine for me.
But I have a problem. When I logged Out from admin pannel i got the error 404 not-found page.
I would like to return to the login site. How i can do this ?
tnx
Site redirecting to an old login page that’s why you getting 404 error.
So, how we can redirect to the new login page?
You better replace all instance of wp-login.php to a new path in wp-login.php
Hello Admin,
WHAT DO YOU mean by all instance?
i Have already replace all wp-login to new, but i issue in logout.
Please help me in this issue.
hi!,I really like your writing very a lot! percentage we be
in contact extra about your post on AOL? I require a specialist
on this area to resolve my problem. May be that is you! Looking
ahead to see you.
Hi,
thank you for the tutorial. It works for me
but I got a problem that why localhost/admin still works ?
I do follow all your steps and successfully change a new login url and after that localhost/login is no longer available.
Hi. I tried change my wp login url and wa ok,but when I logged out, wp doesn’t log out. What should I do? Thanks.
Hi. I tried first option and working good,but when I want to log out ,it is doesn’t work. Stay login. What show I do? Thanks.
It seems like this does not work or something is missing. Just like Eva and Bella, I’m also logged in when I click leave. Could you give us an update?
Hello, thanks for your comment. Try to use the seocnd method, https://www.mediumtalk.net/change-wordpress-login-url-without-plugin/#Method_2_Protect_wp-loginphp_With_a_Cookie_and_htaccess
Hi, thank you. I just tried the second option using htaccess. It works perfectly as I want.
You’re very welcome, I personally recommend this method.
I liked the 2nd one! Do you know how to do it using Nginx as it does not support htaccess?
If you’re familiar with Ngnix this page might help: https://www.cyberciti.biz/faq/nginx-block-url-access-all-except-one-ip-address/
Thanks for the info. I’ve seen other solutions that didn’t even work. This one does.
Hello, I think your blog might be having browser compatibility issues.
When I look at your website in Chrome, it looks fine but when opening in Internet Explorer, it has some overlapping.
I just wanted to give you a quick heads up! Other then that, amazing blog!
Thanks for this article. I like the second method you mention about HTTP_COOkies. And plugin is also handy and helpful.
Hello, thanks for this post. I wanted to change admin URL without a plugin. I knew one method that you mention in first. But I little doubt that will work fine continuously. And the second method is just fine and works charm for me.
Thanks for this, and keep sharing these types of content.
Iris B.
Method 2, works like charm, thanks.
It’s hard to come by knowledgeable people
about this topic, but you sound like you know what you’re talking about!
Thanks
Hello, method 2 has a bug for woocommerce logout, when click logout on woocommerce my account page, will redirect 403 issor, can you help me? thank you
Very nice write-up. I absolutely love this site. Keep writing!
can we use both methods to change url and save it in by cookie also, which you name in the article at the same time?
Yes, that’s a good idea.
also please correct if i’m wrong.
most of time hacker does not directly access wp-login and wp-admin pages. they use software to access or someting called cli and ip address to gain access to website. please tell how to secure website in deeper.
Little update. May be useful for someone.
Add 403 redirect rule to your home page or any other page you need in .htaccess
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_COOKIE} !^.*wp\-connex=2917998723.*$ [NC]
RewriteRule wp-login.php – [F]
ErrorDocument 403 https://your-domain.tld/
Make cookie expirees within certain time period ie: 24 hours = time() + 86400
<?php
setcookie("wp-connex", 2917998723, time() + 86400);
header("Location: wp-login.php");
Update your wp-login.php. After wp_logout(); function delete the cookie
if (isset($_COOKIE['wp-connex'])) {
unset($_COOKIE['wp-connex']);
setcookie('wp-connex', null, -1);
}
Once you logout you will redirected to the 403 URL set 🙂
I have tried the cookie method. It works great for restricting access, but unfortunately is alos blocking submission of forms on my website, any idea how to address this?
Thanks for commenting Jason, I need to check personally to figure it out. You can ping me on live:684068dc2358990e this skype, cheers.
Thanks for this. HTACESS method worked for me…BUT perhaps it would be good to clarify:
1. where exactly to paste the mod
2. what the numbers are and if you can make up your own (assuming you can, and even make it a word, though numbers seem better)
If you go to a 404 page after you log out, then you need to change all the old login (wp-login.php) in /wp-includes/general-template.php file to your new page (newlogin.php.)
IN THE FIRST METHOD I CANT LOGOUT BUT IN THE SECONF I CHANGE HTACCES AND THE COOKIE, BUT MY WORDPRESS USE WOOCOMMERCE AND WHEN MY CLIENTS LOGOUT, THE WEBSITE REDIRECT TO THE FORBBIDEN PAGE. COULD YOU GIVE ME OTHER SOLUTION? THANKS!
Second option works like a charm for me.
THanks.
Redirecting the wp-admin works fine, but why can’t I log out?