How to change (and hide) your WordPress login URL

The WordPress login URL is standard across all WordPress installations. This makes it easy to access your login page; however, those with malicious intent will also have no problem finding it. You can change it to deter anyone from illegitimately accessing the login URL to your WordPress website.

Changing the WordPress login URL is a security-by-obscurity tactic. The main aim of this tactic is to hide certain vital elements, like login URLs, making it difficult to find them. The premise is that hackers tend to prefer softer targets and are more likely to move on to their next target if the information-gathering phase proves to be too time-consuming.

The easiest way to change the WordPress admin login URL is by using Melapress Login Security – a Melapress WordPress plugin designed to help you secure different elements of your WordPress login processes. Among many other things, it enables you to change the default WordPress login URL to anything you want very easily.

Melapress Login Security comes in a number of different editions and plans. The free version enables you to change your WordPress login URL, set password policies, and set other security policies.

However, you might want to consider the Premium plan instead. Here, you’ll see the addition of Limit failed login attempts policies, integration with 3rd party plugins, and much more.

You can download the free version directly from the official WordPress repository by logging in to your WordPress admin dashboard and navigating to Plugins > Add New Plugin. Next, search for Melapress Login Security, then download and install the plugin.

On the other hand, if you’re ready to take your WordPress login security to the next level straight away, you can purchase Premium or Enterprise directly from Melapress.

Once you’ve decided which plan best fits your needs and requirements, it is time to install the plugin. If you’ve purchased Premium or Enterprise, you’ll receive an email with your license key and a download link for the premium plugin enclosed.

First, log in to your WordPress dashboard. Take a moment to appreciate the login URL since this will look very different next time you log in.

Download the plugin .ZIP file and upload it to your WordPress website by navigating to Plugins > Add New Plugin. Next, click on Upload Plugin > Choose File and select the plugin’s .ZIP file. Once you’ve selected the file, click on Install Now and then activate the plugin.

Once you activate the plugin, you’ll be asked to enter your license key. This will activate your premium features.

With the plugin installed and activated, we can go ahead and change the login URL.

First, navigate to Login Security > Hide login page. Here, you’ll see two fields that you’ll need to fill in as follows:

  • Login page URL: Enter the new URL that you would like to change the login URL to. This works best if you choose something random

Old login page URL redirect: Enter the URL that you would like the old login URL to redirect to

Once you’ve entered the requested data, click on Save Changes, and you’re done! Your custom WordPress login URL is now live and ready for use.

Choosing a custom URL for your WordPress login can help you improve your overall WordPress security. To ensure the best possible outcome, here is what you should keep in mind:

  • Take note of the new URL and keep it somewhere safe
  • If other users access the WP admin page, remember to share the new login URL
  • Changing the wp-login URL works best when replaced with a string that allows it to blend in with the rest of your pages. You should also avoid dictionary words. Calling it ‘mysecretloginpage’ makes it easy for bad actors to find it
  • When you change your WordPress login URL, the page does not make it hacker-proof. Using strong passwords and two-factor authentication is still recommended
  • If your hosting provider offers a link to the login page, this might not work after changing the URL

Melapress Login Security offers an easy and safe way to change your WordPress Login URL. There is no need to create a new login page, change any of the WordPress core files, or update the htaccess file or the login file – the plugin will take care of everything for you.

This means that changes will persist, even after an update, ensuring security measures remain in place.

The plugin also comes with additional security features to help you increase the security of your WordPress login processes even further.

When you configure a custom WordPress login URL, you make it more difficult for bad actors to access the page. They can’t just go to the wp-login.php page – they will need to scan the site with a tool such as WPScan or Dirb to learn about your website and its structure. This will give them a list of pages on your website.

We previously mentioned that changing the wp-admin login works best when the URL is replaced with something innocuous. This allows the page to blend in with the rest of the pages, so now, the bad actor needs to figure out what is going on. Doable? yes – but you’re adding more spokes in their wheels.

This is why changing your WordPress login is a good security strategy – as long as it’s used with other security measures.

To help you keep your login secure, Melapress Login Security comes with many additional features, which we’ll look at next.

Melapress Login Security offers more than the ability to set a custom login URL. It sits with the best WordPress security plugins available and includes additional functionality to strengthen different aspects of your WordPress login process.

Weak passwords limit the effectiveness of users’ login credentials, making it easy for bad actors to break through the defense lines. With Melapress Login Security’s password policies, you can ensure that all users set passwords that meet best practices.

The plugin offers extensive customization options, so it’s always up to you how comple passwords should be. Users will also be offered assistance when setting their passwords, aiding them in meeting the set password requirements.

Inactive users can increase your security risks when left unattended. Should an inactive account get compromised, it is highly likely that nobody will notice. Bad actors can use privilege escalation to turn accounts with minimal access into accounts with administrator-level access.

With Melapress Login Security, you can automatically disable inactive users. You can set the hours, days, or months of inactivity required for the account to be disabled. You’ll also find other options to ensure the policy is set according to your requirements.

Limiting login attempts protects you from brute-force attacks, which rely on a large number of login attempts to force their way through. By limiting login attempts, you take away the one thing that brute-force attacks need to succeed: keeping your website much safer.

Like all other features the plugin offers, here you’ll also find many customization options, including the number of failed login attempts allowed, the time period, and what happens once an account is locked.

Another great feature that Melapress Login Security offers is the restricted user login times. It allows you to set the days and hours during which users can log on to the back end. Such policies can also be set by user role, ensuring, for example, that administrators can always log in while other users can only log in during their regular hours.

The default WordPress login page is located at /wp-login.php. This is appended to the URL of your WordPress website as follows:

This login URL comes preconfigured with every WordPress installation and is the same for all sites that do not change the login URL. On this page, you have to enter your username and password in the login form. Provided your credentials are correct, you’ll then be granted access to wp-admin – the WordPress backend.

If you have the WP 2FA WordPress 2FA plugin installed, you will also need to enter your 2FA code. 2FA is highly recommended as it makes the WordPress login incredibly more secure.

It’s important to note that the wp-admin URL and the wp-login URL are two different things. The wp-admin URL is where you’ll find the WordPress dashboard, while the wp-login URL is the login page for the dashboard.

When you change your login link with Melapress Login Security, your WordPress login file remains untouched, ensuring you don’t experience any sudden compatibility issues with themes or plugins.

Bad actors with knowledge of the WordPress login form page may attempt to log in by using stolen credentials or what is known as a brute-force attack. In the latter, attackers will attempt to log in with different username and password combinations until they are successful.

By changing the login URL of your WordPress site, bad actors won’t be able to find it as easily. This does not mean its impossible to find it. That’s why Melapress Login Security comes with additional security tools to keep your WordPress login secure.

Security by obscurity is a security tactic that aims to make it more difficult for attackers to find the information they need to launch an attack. It is important to note that security by obscurity alone does not protect you from attacks. Changing the default login URL does not mean that a hacker will not be able to find it. It just makes it harder for a breach to take place.

Take the Melapress Security Survey 2024

Share your perspective
and WIN