Adding an extra layer of security is always beneficial and pays off in the long run, and WordPress websites are no exception. We already have a login username and password that act as the first line of defense against outsiders. The login credentials prevent them from gaining access to our website’s foundation and doing dreadful damage. But that protection is only effective up to a certain degree. The default login URLs for a WordPress website are yourwebsitedomain/wp-admin and yourwebsitedomain/wp-login.php.
Why change the WordPress login URL, you may be wondering? Let’s take a look at why you should have a custom WordPress login URL, one that is hard to guess and more secure than the default ones.
Why You Should Have a Unique WordPress Login URL
If you still use the default WordPress login URL, such as wp-admin or wp-login.php, you are already at a disadvantage. The outsider, commonly called a hacker or an attacker, is effectively already at the gate of your WordPress website. The only thing left to do is to pick the lock, which is the WordPress login username and password. You might have a strong password and a unique username, but what about the other users? This is the loophole that the attacker will leverage. Most users log in with their own name as the username and an easy-to-remember password, often a sequence of numbers or simple words.
For example: 12345, 9630admin, qwerty147, ilikedeveloping123, and so on.
The attacker can use trial and error, commonly known as a brute-force attack, to pick the lock and reach the dashboard. The attacker tries to log in with a large number of username and password combinations. Software or a script does the work, and the only thing the attacker needs to do is wait. Because WordPress powers a majority of websites around the world, and all WordPress sites use the same login address by default, finding the login address to attack is not hard. If any user of your website still uses the standard login username admin and a weak password, now is a good time to change it.
Now, now, no need to panic. You can stop all the dreadful thoughts of losing your website and all the content. The only thing you need to do is to change the WordPress login URL to a custom and unique one. Yes, it is possible to change the login address. There are two ways to do it:
- Change the login URL with the help of a WordPress Plugin
- Create a custom WordPress login URL manually
How to Create a Custom WordPress Login URL With a Plugin
In the WordPress repository, there are multiple plugins that will allow us to change the login address to a custom one. Some of the common ones are Change wp-admin login and WPS Hide Login. For now, we will be focusing on WPS Hide Login. With over 1 million downloads, it is a light plugin that does the job perfectly.
With the use of this plugin, one can easily change the login URL, without the need to code anything. Before starting, it is always a good idea to back up the entire WordPress site, just in case. Once again, all you need to back up a WordPress site is a plugin. We can also back up the website manually. After a successful backup, let’s move on to changing the login URL.
Go to the WordPress plugin repository, download, and activate the WPS Hide Login Plugin.
The plugin after activation can be found in the settings section. Access the plugin from there.
After accessing the plugin, scroll down and locate the login URL section. Enter a new URL for your WordPress site and that is it.
Let’s try out our new WordPress login page URL.
Under the redirection URL option, there is a note that tells us that the two default URLs, wp-login.php and wp-admin, cannot be accessed by non-connected people. Those two URLs can only be accessed if you are already logged in.
If anyone tries to access the wp-admin or wp-login.php it would redirect them to the 404 error page.
Now, there are a number of plugins that offer changing the login URL as one of their features. To mention a few: All In One WP Security & Firewall, Shield Security, and Defender Security. If you are using any of these plugins, there is no need to switch to a different plugin. The functionality to change the URL is already there.
Create a Custom WordPress Login URL Manually
Now if you don’t want to use a plugin to create a custom URL, there is always a manual method. Only four steps are involved to create a custom login URL. Creating a custom login URL manually does have its drawbacks which we will discuss. As always make a backup of the WordPress website before starting.
Firstly, we need to download the wp-login.php file and keep a copy of it. We can do this by logging in to the administrative area. Now access the file manager to download the file. The file would be located inside the public_html folder.
Now, open the downloaded file with a code editor. Search for wp-login.php and replace all instances with the new login file name. In our case, it would be wp-secret.1login.php. Then save the file with the new name.
Now go back to the file manager, and upload the new file.
Now, we need to add the below code snippet to redirect the default login URL to the homepage and register wp-secret.1login.php as the new login endpoint. We can add this code in the theme’s functions.php file (child theme is recommended), or if using any code snippets plugin, then code can be added with the help of the plugin.
```php
// Send logged-out visitors who request the default wp-login.php to the homepage.
function wpcontentco_redirect_default_login_url() {
    global $pagenow;
    if ( isset( $pagenow ) && $pagenow === 'wp-login.php' && ! is_user_logged_in() ) {
        wp_safe_redirect( site_url( '/' ) );
        exit;
    }
}
add_action( 'init', 'wpcontentco_redirect_default_login_url' );

// Point the generated login, lost-password and logout links at the renamed login file.
function wpcontentco_login_url( $url ) {
    $url = str_replace( 'wp-login.php', 'wp-secret.1login.php', $url );
    return $url;
}
add_filter( 'login_url', 'wpcontentco_login_url', 100 );
add_filter( 'lostpassword_url', 'wpcontentco_login_url', 100 );
add_filter( 'logout_url', 'wpcontentco_login_url', 100 );
```
The last thing to do is to test the new login file. Put the login address in the browser and see if it works.
After any major update to WordPress core, if there are any issues, it is recommended to repeat the whole process again, and create a new login.php file and add the code snippet.
How To Revert Back To The Original WordPress Login URL
In very rare cases, the new URL address may not work properly, leaving us stranded with no access to our dashboard. If such a scenario ever happens, don’t panic, we can fix the issue.
There are three ways to restore the original WordPress login URL depending on how you changed the URL in the first place.
- The first method is to restore the WordPress backup that we created.
- The second method is to remove the new login.php file, replace it with the old one, and remove all the added code.
- The third method is to delete the plugin folder from an FTP file manager (for those who used the plugin to change the URL).
If you have used a plugin, just follow the below-mentioned steps:
Access the FTP file manager and connect to your website. Once connected to the website, the plugin folder can be found inside the wp-content/plugins folder.
Delete the folder. After deletion, the login URL will be replaced by the default WordPress URL.
For those who followed the manual method:
Delete the new login file and replace it with the old one. In our case, it would be to delete wp-secret.1login.php and replace it with wp-login.php. This is why we recommended taking a backup of the original login file. Also, make sure to remove the added code snippet.
Wrapping up
Changing the WordPress login URL is that simple. But do not forget the new login URL. The moment we deactivate the plugin, the login URL reverts to the standard WordPress login. Make sure to alert all the other backend users about the new WordPress login URL. With a new login URL in place, it becomes much harder for an attacker to find the login form, brute-force their way into the main dashboard, and wreak havoc. To add an extra layer of security, incorporate a captcha into your WordPress login page.