How To Change The Login URL In WordPress (Security Hack)

Last Updated On

Do you want to know of a great way to add an extra layer of security to your WordPress website? Read on.

So, a while back I decided to change the login URL for one of my niche sites.

Reason for doing this?

Well, with that particular site I was receiving way too many login attempts.

And yes, I did have the Limit Login Attempts plugin installed, even so, my poor site was still getting an extortionate amount of 'failed login attempts'.

Every hour or so I would get a notification email about a failed login attempt.

In addition to this, I also noticed many new "spammy" user registrations taking place on the membership site.

I had to do something about it.

Are you experiencing the same issue with your blog?

If you're reading this and you're experiencing exactly the same kind of issues with your blog or membership WordPress site. Especially if you have subscription option enabled like I do, the good news is that you can do something about it.

Here are some options:

  1. Disable user registration.
  2. Change URL of the login page.

So the first obvious thing you can do is to disable user registrations entirely, however, that's not really a great solution. Especially if you depend on your users subscribing to your site to use certain features. You need to have this enabled in which case.

The other option you have is to completely change the URL login name, i.e. changing the URL permalink structure.

Bingo! That's what I'm going to show you how to do in this post.

Plugins needed for the job

So the easiest way to change the login URL in WordPress is to use a simple plugin.

There's a few of them dotted about in the WordPress.org repository. Unfortunately, though, most of them are no longer maintained or even updated.

I used to use Rename wp-login.php, however, this hasn't been updated in over three years now.

There's another plugin you can use called: WPS Hide Login.

This is the plugin that I use on this site. It is an ultra lightweight plugin with one simple setting.

Before we start using this plugin, I want to give you a few important tips for changing the URL structure of your login page.

  1. Change the URL to something memorable: Change your new login URL to something that you and your site members will easily remember, yet something that will not be so obvious for unwanted visitors to guess. For instance; /login-page/ is pretty obvious so try and avoid using ones like that. You could instead use something like /jump-on-board/ or /let-me-in/ or /members-only-page/. I'm sure you can think of a few better ones.
  2. Write it down: Make sure you write the new login page URL somewhere until you remember it off by heart. Or, simply bookmark it somewhere on your computer.

Right then, let's begin...

1. Installing WPS Hide Login plugin

Pretty straightforward stuff if you're already familiar with WordPress.

If you're not, then all you have to do is from the back end of your site (WordPress Admin area), is head over to Plugins > Add New, and do a search for "WPS Hide Login". See screenshot below.

  • Save

Once you've found it, simply hit the install and activate button.

If you prefer to download the plugin from the repository and upload it to your site via FTP, please check out this useful video.

2. Configuring the WPS Hide Login plugin

Next is to make one simple configuration. Yep! Just one...

Head over to Settings > WPS Hide Login. Scroll down to the bottom of the page until you see the option to add a new string to the login page. See image below.

  • Save

Simply add a new URL extension of your choice in the box provided, then add the extension you'd like to have the old login page to redirect to. Once you're done hit save.

That's it you're done! How easy was that?

What happens to your wp-login.php extension?

If you now try accessing the wp-login.php URL of your site or blog, you should be redirected to whatever page you entered in the redirection URL.

More WordPress security tips

So, there you have it, you've changed the URL name of your login page and added an extra layer of security to your WordPress site.

If you want to add even more security to your login page, the WP Limit Login Attempts plugin is something to consider installing if you haven't already done so.

You can find this plugin here: Download WP Limit Login Attempt Plugin.

If you'd like to get access to more cool WordPress security tips and hacks, check out this blog post.

Also, do let me know if this has worked for you. I'd love to know.

Is your website sending visitors away? Did you know that 94% of visitors make a 1-second decision, whether to trust or distrust a website based on design and usability? Click here to stop losing subscribers, sales, customers, and clients.

Thanks for reading, I'll have more tutorial posts coming up soon.

Enjoyed reading this post?

Hey! Thanks a bunch for reading this post, I hope it was of value to you. I publish new posts every week, so be sure to check back soon, or hit the button below to subscribe.
subscribe to updates

10 comments on “How To Change The Login URL In WordPress (Security Hack)”

  1. Hey Fabrizio,

    I wish I'd known how to rename the page years ago. At that time, like most people, I was being hit a LOT with people and bots trying to log into my blog. It's SO frustrating as many know. I didn't want to do the double opt-in type feature or log-in verification through the phone. They had a lot of those resolutions back when I was searching for a solution.

    I had someone create a detour so to speak and it worked. I highly recommend you rename that page so that you can stop those annoying people in their tracks. I believe I'm going into 3 years now and I haven't had any issues at all. No one can get to my log-in page if they take that normal route. It sends them back to my blog which I love.

    Great share Fabrizio and I'm going to have to hang onto this post for future reference. I'm sure I'll be creating another site in the future.

    Have a great week and I'm off to share.

    ~Adrienne

    1. Hi Adrienne, thanks so much for your comment. Well I discovered this a while back to be honest and I've been meaning to share it with some folks.

      One of the things I get requested a lot for on Magnet4Blogging is more tips n tricks posts on WordPress, hacks etc. So I'll be putting together a lot more posts like these in the future.

      Since renaming the login URL for my niche site I tell you, no more spammy registrations, for now at least. It's such a shame there are people out there willing to try anything and everything to get into a WordPress site. And of course bots too mainly.

      Glad you found this post useful, have a great rest of the week 🙂 - Fabrizio.

  2. I too wish I would've known about this years ago. I didn't even realize I was getting spam registrations until my web host threatened to shut me down because too many emails were being sent out from my server.

    Of course I had new registrations disabled on this one until I opened up my membership site but I still need to get to changing the default login page once I figure out it's not going to cause any issues with MemberPress, which I'm using for the membership aspect now. I'm not super knowledgable when it comes to the tech side but it sounds like it should be compatible with other plugins based on the way it works.

    Thanks Fabrizio!

    1. Hey James, how are you. Spam registrations are aweful so I can sympathise with you.

      Even though I have this enabled on my own membership site, I do keep an eye on things just to make sure the spammers or bots or whoever, haven't figured out where my new member signup page have gone.

      Sure give this plugin a try, as far as I know it shouldn't conflict with much since it's so lightweight, and it's recently been updated as well. Might be the perfect solution to your problems buddy.

  3. Hi Fabrizio

    Security is one of the main challenges in personal blogging where failed login attempts report on daily basis perturbs a blogger who already is under stress of meeting deadlines and following a tough blogging schedule.

    Earlier the only smart trick was to change the user id and put a unique ID for WP control panel but now a lot of resources to change the login url is just amazing way to keep the site safe from any malicious attempt.

    Many thanks for sharing the wonderful review of the tool.

    Have a great rest of the week

    1. Hey Muba, thanks so much for dropping by buddy. Yeah security is such an important factor when using WordPress, and especially as your site begins to get more and more popular. Unfortunately there's always going to be folks and bots looking to do some kind of exploitation and if we can stop them in their tracks before any damage is done, then that's a great start.

      There are some truly amazing tools and solutions out there for boosting WordPress security. Currently I'm using WordFence premium for added piece of mind, and of course there's backing up our sites for even more peace of mind.

      I'm in the midst of writing up a detailed tutorial of creating professional backups for WordPress users which will be live shortly.

      Thanks again for visiting mate, I appreciate you!

  4. Hi Fabrizio,

    I meant to stop by last week but with my demanding schedule I've been running behind in my blog commenting.

    With that said, I haven't seen any activity to this point with my site where people are trying to access the login page.

    For sites like mine that don't require logins, do you have data to show if it's still a good idea to change the login or not?

    I may do it anyway just to be safe.

    Have an awesome week Fabrizio!

    ~ Don Purdum

    1. Hey Don, no need to apologise man it's great to see you here any case busy man. I know you've just migrated your site over to WordPress, so it could be a little while before you start seeing increased activities on your wp-login.php page.

      The best plugin to use to track activity on wp-login.php page is the Limit Login Attempts plugin, though be careful as it hasn't been updated for a long while. Coding some kind of software to do the job for you is more headache than it's worth, and who has time for that when there's a business to be running right?

      Another great activity tracking plugin is WP Security Audit Log, you can find that one here: https://wordpress.org/plugins/wp-security-audit-log/

  5. Hey Fabrizio,

    Now this is something I can use. I have the limited login attempts plugin but i still get hit up with logon attempts. I must be a really popular guy to get hit up everyday LOL

    But I never heard of this and sounds like something I really need to implement with my blog. Yes I have the limited login and sucuri security plugin, but apparently with those two it's not enough.

    I'll let you know how it all pans out! Thanks for the awareness of rename wp_login.php!

    1. Hi Sherman, great to see you here mate. Yeah I've used the Limit Login Attempts too before now. It's still a great plugin, shame it isn't being updated anymore though.

      I discovered this plugin about a month ago, and it really did the trick for me. Instantly stopped all login activities and fake signups. How long that will last is another matter lol.

      Best of luck with it 🙂

Read Commenting Policy

Start Planning Your Blogging Strategy For 2020 Today!

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram
Share via
Copy link