How To Change The Login URL In WordPress (Security Hack)

Last Updated on June 22, 2020 by Fabrizio Van Marciano

Here’s a quick tutorial to help you add an extra layer of security to your WordPress blog.

A while back I discovered a cool plugin that enabled me to change the login URL for one of my niche website’s.

Why would I want to do this?

Well, sadly that niche site I was being bombarded with too many failed login attempts.

And yes, I did have the Limit Login Attempts plugin installed. But even so, there were still too many failed login attempts. That made me feel quite uncomfortable. What if one of those attempts were successful? What then?

Every few hours I would get an email notification about a failed login attempt.

On top of this, I also noticed an increase in “spammy” user registrations for the site. I had to do something about this quickly.

Are you experiencing the same issue with your blog?

If you’re reading this and you’re experiencing exactly the same kind of issues with your blog or membership WordPress site. Especially if you have the subscription option enabled like I do, the good news is that you can do something about it.

Here are some options:

  1. Disable user registration.
  2. Change URL of the login page.

So, the first obvious thing you can do is disable user registrations entirely. However, that’s not really a great solution. Especially if you depend on your users subscribing to your site to use certain features. You need to have this enabled in which case, right?

The other option you have is to completely change the URL login name, i.e. changing the URL permalink structure.

Bingo! That’s exactly what we’re going to do and I’ll show you how.

Plugins needed for the job

So, the easiest way to change the login URL in WordPress is to use a simple plugin.

There’s a few of them dotted about in the WordPress repository. Unfortunately, though, most of them are no longer maintained.

Originally I was using the Rename wp-login.php plugin. However, this hasn’t been updated in over three years now.

There’s another plugin you can use called: WPS Hide Login.

This is the plugin that I use on this site currently. It is an ultra lightweight plugin with one simple setting.

Before we start using this plugin, I want to give you a few important tips for changing the URL structure of your login page.

  1. Change the URL to something memorable: Change your new login URL to something that you and your site members will easily remember, yet something that will not be so obvious for unwanted visitors to guess. For instance; /login-page/ is pretty obvious so try and avoid using ones like that. You could instead use something like /jump-on-board/ or /let-me-in/ or /members-only-page/. I’m sure you can think of a few better ones. If you don’t require users to log in to use your site, you can change the URL to something more complex. But remember that YOU still have to remember it for your own use.
  2. Write it down: Make sure you write the new login page URL somewhere until you remember it off by heart. Or, simply bookmark it somewhere on your computer.

Right then, let’s begin…

1. Installing WPS Hide Login plugin

Pretty straightforward stuff if you’re already familiar with WordPress.

If you’re not familiar with WordPress, then all you have to do is –

From the back end of your site (WordPress Admin area), head over to Plugins > Add New, and do a search for “WPS Hide Login”. See the screenshot below.

wps hide login
  • Save

Once you’ve found it, simply hit the install and activate button.

If you prefer to download the plugin from the repository and upload it to your site via FTP, please check out this useful video. Though, these days, you don’t have to.

2. Configuring the WPS Hide Login plugin

Next is to make one simple configuration. Yep! Just one…

Head over to Settings > WPS Hide Login. Scroll down to the bottom of the page until you see the option to add a new string to the login page. See image below.

wps hide login 2
  • Save

Simply add a new URL extension of your choice in the box provided, then add the extension you’d like to have the old login page to redirect to. Once you’re done hit save.

That’s it you’re all done! How easy was that?

What happens to your wp-login.php URL extension?

If you now try accessing the old login page wp-login.php URL of your site or blog, you should be redirected to whatever page you entered in the redirection URL. I have mine redirected back to my blog page.

More WordPress security tips

There you have it, you’ve changed the URL name of your login page and added an extra layer of security to your WordPress site.

If you want to add even more security to your login page, the WP Limit Login Attempts plugin is something to consider installing if you haven’t already done so.

You can find this plugin here: Download WP Limit Login Attempt Plugin.

If you’d like to learn more cool WordPress security tips and hacks, check out this detailed blog post.

Also, do let me know if this has worked for you. I’d love to know. You can get in touch with me via the contact page here.

Ad – Is your website sending visitors away? Did you know that 94% of visitors make a 1-second decision, whether to trust or distrust a website based on design and usability? Click here to stop losing subscribers, sales, customers, and clients.

  • Save

Join Over 20,000+ Readers

Get fresh content from Magnet4Blogging delivered straight to your inbox, spam free! Or follow us on social media.

10 comments on “How To Change The Login URL In WordPress (Security Hack)”

  1. Hey Fabrizio,

    I wish I’d known how to rename the page years ago. At that time, like most people, I was being hit a LOT with people and bots trying to log into my blog. It’s SO frustrating as many know. I didn’t want to do the double opt-in type feature or log-in verification through the phone. They had a lot of those resolutions back when I was searching for a solution.

    I had someone create a detour so to speak and it worked. I highly recommend you rename that page so that you can stop those annoying people in their tracks. I believe I’m going into 3 years now and I haven’t had any issues at all. No one can get to my log-in page if they take that normal route. It sends them back to my blog which I love.

    Great share Fabrizio and I’m going to have to hang onto this post for future reference. I’m sure I’ll be creating another site in the future.

    Have a great week and I’m off to share.


    1. Hi Adrienne, thanks so much for your comment. Well I discovered this a while back to be honest and I’ve been meaning to share it with some folks.

      One of the things I get requested a lot for on Magnet4Blogging is more tips n tricks posts on WordPress, hacks etc. So I’ll be putting together a lot more posts like these in the future.

      Since renaming the login URL for my niche site I tell you, no more spammy registrations, for now at least. It’s such a shame there are people out there willing to try anything and everything to get into a WordPress site. And of course bots too mainly.

      Glad you found this post useful, have a great rest of the week 🙂 – Fabrizio.

  2. I too wish I would’ve known about this years ago. I didn’t even realize I was getting spam registrations until my web host threatened to shut me down because too many emails were being sent out from my server.

    Of course I had new registrations disabled on this one until I opened up my membership site but I still need to get to changing the default login page once I figure out it’s not going to cause any issues with MemberPress, which I’m using for the membership aspect now. I’m not super knowledgable when it comes to the tech side but it sounds like it should be compatible with other plugins based on the way it works.

    Thanks Fabrizio!

    1. Hey James, how are you. Spam registrations are aweful so I can sympathise with you.

      Even though I have this enabled on my own membership site, I do keep an eye on things just to make sure the spammers or bots or whoever, haven’t figured out where my new member signup page have gone.

      Sure give this plugin a try, as far as I know it shouldn’t conflict with much since it’s so lightweight, and it’s recently been updated as well. Might be the perfect solution to your problems buddy.

  3. Hi Fabrizio

    Security is one of the main challenges in personal blogging where failed login attempts report on daily basis perturbs a blogger who already is under stress of meeting deadlines and following a tough blogging schedule.

    Earlier the only smart trick was to change the user id and put a unique ID for WP control panel but now a lot of resources to change the login url is just amazing way to keep the site safe from any malicious attempt.

    Many thanks for sharing the wonderful review of the tool.

    Have a great rest of the week

    1. Hey Muba, thanks so much for dropping by buddy. Yeah security is such an important factor when using WordPress, and especially as your site begins to get more and more popular. Unfortunately there’s always going to be folks and bots looking to do some kind of exploitation and if we can stop them in their tracks before any damage is done, then that’s a great start.

      There are some truly amazing tools and solutions out there for boosting WordPress security. Currently I’m using WordFence premium for added piece of mind, and of course there’s backing up our sites for even more peace of mind.

      I’m in the midst of writing up a detailed tutorial of creating professional backups for WordPress users which will be live shortly.

      Thanks again for visiting mate, I appreciate you!

  4. Hi Fabrizio,

    I meant to stop by last week but with my demanding schedule I’ve been running behind in my blog commenting.

    With that said, I haven’t seen any activity to this point with my site where people are trying to access the login page.

    For sites like mine that don’t require logins, do you have data to show if it’s still a good idea to change the login or not?

    I may do it anyway just to be safe.

    Have an awesome week Fabrizio!

    ~ Don Purdum

    1. Hey Don, no need to apologise man it’s great to see you here any case busy man. I know you’ve just migrated your site over to WordPress, so it could be a little while before you start seeing increased activities on your wp-login.php page.

      The best plugin to use to track activity on wp-login.php page is the Limit Login Attempts plugin, though be careful as it hasn’t been updated for a long while. Coding some kind of software to do the job for you is more headache than it’s worth, and who has time for that when there’s a business to be running right?

      Another great activity tracking plugin is WP Security Audit Log, you can find that one here:

  5. Hey Fabrizio,

    Now this is something I can use. I have the limited login attempts plugin but i still get hit up with logon attempts. I must be a really popular guy to get hit up everyday LOL

    But I never heard of this and sounds like something I really need to implement with my blog. Yes I have the limited login and sucuri security plugin, but apparently with those two it’s not enough.

    I’ll let you know how it all pans out! Thanks for the awareness of rename wp_login.php!

    1. Hi Sherman, great to see you here mate. Yeah I’ve used the Limit Login Attempts too before now. It’s still a great plugin, shame it isn’t being updated anymore though.

      I discovered this plugin about a month ago, and it really did the trick for me. Instantly stopped all login activities and fake signups. How long that will last is another matter lol.

      Best of luck with it 🙂

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram
Share via
Copy link