TL;DR
- Default WordPress login URLs like /wp-admin and /wp-login.php are common hacker targets for brute-force attacks.
- Changing your login URL adds an extra layer of security and helps prevent unauthorized access.
- You can easily change it using a plugin such as WPS Hide Login or manually through a custom code-based method.
- Always back up your site before making changes and test your new login URL carefully.
- For secure, scalable, and optimized WordPress solutions, work with expert WordPress developers to strengthen your website.
Introduction
Website security isn’t just about firewalls and malware scans; it’s about protecting your site from every possible entry point. One of the most common vulnerabilities in WordPress sites comes from automated bots and brute-force login attempts targeting the default login URL. When hackers already know that most sites use /wp-admin or /wp-login.php, it’s like handing them a map to your front door.
Changing your WordPress login URL is a simple yet powerful step to strengthen your website’s defenses. By customizing this URL, you make it significantly harder for malicious scripts and bots to find your login page, reducing the risk of unauthorized access.
In this guide, we’ll show you two easy ways to change your WordPress login URL – one using a plugin and another through a manual code-based approach. Both methods are safe, beginner-friendly, and effective at adding an extra layer of protection to your site.
If you’re managing multiple websites or want to go beyond basic security tweaks, partnering with a professional WordPress development company can help you optimize performance, secure your infrastructure, and ensure your site is always protected against evolving threats.
In WordPress, the admin panel (or dashboard) is where site owners and editors manage content, settings, themes, plugins, and users. By default, you can access this panel using either:
- https://example.com/wp-admin (Redirects to wp-login.php)
- https://example.com/wp-login.php
These default paths are common knowledge, making them targets for malicious bots and hackers. Changing these URLs can add an extra layer of security to your website.
Backup Your Website
Before making any changes, always take a full backup of your site, including the database and files. You can use plugins like:
Change the WordPress Login URL Using a Plugin
One of the easiest ways to change your WordPress login URL is by using the WPS Hide Login plugin.
Step-by-step:
- Go to your WordPress dashboard.
- Navigate to Plugins > Add New.
- Search for WPS Hide Login.
- Click Install Now and then Activate.
- Go to Settings > General.
- Scroll down to the WPS Hide Login section.
- Enter your custom login URL (e.g., secure-login) and save.
- Enter the redirection URL to use when someone who is not logged in tries to access the wp-login.php page or the wp-admin directory.
Now, your login page is accessible at https://example.com/secure-login, and attempts to access wp-login.php or wp-admin will be redirected as specified.
Change the Login URL Without Using a Plugin
If you prefer a code-based approach, you can achieve the same functionality by writing a custom plugin. This gives you full control and reduces reliance on third-party tools.
Step 1: Create a Custom Plugin
- Go to /wp-content/plugins/
- Create a new folder: custom-login-url
- Inside that folder, create a file: custom-login-url.php
- Add the following plugin header:
<?php
/**
* Plugin Name: Custom Login URL
* Description: Change the default login URL.
* Version: 1.0
* Author: Author Name
*/
Step 2: Define a Constant in wp-config.php
Open your wp-config.php file and add:
define('CUSTOM_ADMIN_URL', 'secure-login'); // Replace 'secure-login' with your desired slug
Step 3: Implement the Functionality
// Hook to restrict direct access to wp-login.php
add_action('login_init', 'restrict_login_access');

// Hook to modify the URL returned by site_url() when it points to wp-login.php
add_filter('site_url', 'modify_login_url', 10, 2);

// Hook to redirect anyone who tries to access the default wp-login.php URL
add_filter('wp_redirect', 'redirect_login_url', 10, 2);

// Hook to change the logout redirection to the custom login URL
add_action('wp_logout', 'custom_logout_redirect');

// Hook to register custom rewrite rules for your login URL (so it behaves like a real page)
add_filter('rewrite_rules_array', 'add_custom_login_rewrite_rule');

// Hook to handle requests made to your custom login slug and internally map to wp-login.php
add_action('parse_request', 'handle_custom_login_request');
Restrict access to wp-login.php unless it’s accessed via the custom URL
function restrict_login_access() {
    $request_uri = $_SERVER['REQUEST_URI'] ?? '';
    $is_wp_login = strpos($request_uri, 'wp-login.php') !== false;
    $is_logout = isset($_GET['action']) && sanitize_text_field(wp_unslash($_GET['action'])) === 'logout';
    $is_confirm_admin_email = isset($_GET['action']) && sanitize_text_field(wp_unslash($_GET['action'])) === 'confirm_admin_email';

    // Custom query param to allow wp-login.php to load internally
    $has_custom_url = isset($_GET['custom_url']) && sanitize_text_field(wp_unslash($_GET['custom_url'])) === 'true';

    // Block access unless it's a logout or system action or accessed via ?custom_url=true
    if ($is_wp_login && !$has_custom_url && !$is_logout && !$is_confirm_admin_email) {
        wp_die('Access Denied.');
    }
}
Modify URLs pointing to wp-login.php
function modify_login_url($url, $path) {
    if ($path === 'wp-login.php' && strpos($url, 'custom_url=true') === false) {
        // Redirect to your custom login URL
        $url = home_url(CUSTOM_ADMIN_URL);
    }
    return $url;
}
Redirect default login URL access attempts
function redirect_login_url($location, $status) {
    if (strpos($location, 'wp-login.php') !== false) {
        $location = home_url(CUSTOM_ADMIN_URL);
    }
    return $location;
}
Custom redirect after logout
function custom_logout_redirect() {
    wp_safe_redirect(home_url(CUSTOM_ADMIN_URL));
    exit;
}
Add a rewrite rule for your custom login URL
function add_custom_login_rewrite_rule($rules) {
    $new_rules = [
        '^' . CUSTOM_ADMIN_URL . '/?$' => 'wp-login.php?custom_url=true',
    ];
    return $new_rules + $rules;
}
Handle actual login requests to the new slug
function handle_custom_login_request($query) {
    // parse_url() returns null or false when there is no usable path, so cast before trimming
    $request_uri = trim((string) parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH), '/');
    if ($request_uri === CUSTOM_ADMIN_URL) {
        // Load the login page as if it's wp-login.php
        include ABSPATH . 'wp-login.php';
        exit;
    }
}
Flush permalinks and test the new slug
After activating the plugin, go to Settings → Permalinks and click Save Changes to flush rewrite rules.
Visit https://yourdomain.com/secure-login to access your login page. Ensure that accessing wp-login.php or wp-admin without proper parameters results in an access denied message or redirection, as configured.
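One way to run the test described above from a terminal, as an added example that is not part of the original plugin code. The script name, the site URL and the slug are assumptions you replace with your own. The script also treats a redirect whose Location header contains the slug as a failure, because that would reveal the hidden login URL to anyone requesting the default paths.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article's plugin.
# The site URL and slug are assumptions: pass your own as arguments.

# judge KIND STATUS LOCATION HAS_FORM SLUG -> prints PASS or FAIL:<reason>
#   KIND=default  wp-login.php / wp-admin must neither serve nor reveal the login page
#   KIND=custom   the new slug must answer 200 with the login form
judge() {
  kind=$1 status=$2 location=$3 has_form=$4 slug=$5
  if [ "$kind" = custom ]; then
    if [ "$status" = 200 ] && [ "$has_form" = yes ]; then
      echo PASS
    else
      echo "FAIL:custom slug does not serve the login form"
    fi
    return 0
  fi
  if [ "$has_form" = yes ]; then
    echo "FAIL:default path still serves the login form"
  elif [ "${location#*"/$slug"}" != "$location" ]; then
    echo "FAIL:redirect discloses the custom slug"
  else
    echo PASS
  fi
}

# probe KIND URL SLUG: fetch URL without following redirects, then judge the response.
probe() {
  p_kind=$1 p_url=$2 p_slug=$3
  hdr=$(mktemp) body=$(mktemp)
  code=$(curl -s -o "$body" -D "$hdr" -w '%{http_code}' --max-time 10 "$p_url")
  loc=$(awk 'tolower($1) == "location:" { print $2 }' "$hdr" | tr -d '\r')
  # WordPress renders its login form with id="loginform".
  if grep -q 'id="loginform"' "$body"; then form=yes; else form=no; fi
  rm -f "$hdr" "$body"
  printf '%-8s %-40s %s %s\n' "$p_kind" "$p_url" "$code" \
    "$(judge "$p_kind" "$code" "$loc" "$form" "$p_slug")"
}

# Usage: ./check-login-url.sh https://example.com secure-login
if [ "$#" -eq 2 ]; then
  base=${1%/} slug_arg=$2
  probe default "$base/wp-login.php" "$slug_arg"
  probe default "$base/wp-admin/" "$slug_arg"
  probe custom "$base/$slug_arg" "$slug_arg"
fi
```

Run it from a session that is not logged in to the site, and again after any plugin or permalink change.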
Conclusion
Changing your WordPress login URL is a proactive step toward improving your website’s security. Whether you use a plugin like WPS Hide Login or set up a custom code-based solution, this small tweak can significantly reduce exposure to brute-force attacks and unauthorized access attempts.
Always remember to back up your website before making any modifications and test the new login URL thoroughly to avoid lockouts. It’s also wise to combine this measure with other best practices like two-factor authentication, strong passwords, and limited login attempts for complete protection.
If you’re managing a business website or want to ensure your WordPress setup follows the latest security and performance standards, consider working with experienced WordPress developers who can help you implement secure, scalable, and customized solutions tailored to your needs. And if you’re ready to strengthen your site’s security or optimize performance, book a free 30-minute consultation with our WordPress experts to discuss your project and get personalized recommendations.