Before you start, make sure you have:
- A text editor.
- Access to cPanel Manager.
While you are at it, go ahead and make a backup of everything else too, as you’re about to mess with code and enter the danger zone!
Note: If you’re looking for a great plugin to backup and restore your files and WordPress site, we recommend using our very own Snapshot.
Next, open your wp-login.php file. Select and copy all the code to your clipboard.
Create a new file using your text editor. Call this file anything you like (e.g. ‘canny-login.php’, ‘danger-zone.php’ etc.).
Paste the code from your existing wp-login.php file into your new file and save. Alternatively, open your wp-login.php file and ‘save as’ your new filename.
Search and replace every instance of ‘wp-login.php’ in the code with your new login filename.
Resave the file with the modified code.
Log into your server and upload the new login file to the root folder or directory where you have installed WordPress. Delete the original wp-login.php file from your server.
The last step is to hook into the logout_url filters to update our file.
Add the following code to your theme’s functions.php (preferably in your child theme):
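An added example of such a hook (not the original post's snippet). It assumes the renamed file is canny-login.php, one of the sample names above; the constant and function names are hypothetical, while the filter names are WordPress core hooks.

```php
// Added example: goes inside the existing PHP block of the child theme's functions.php.
// Assumption: the renamed login file is 'canny-login.php' in the WordPress root.
if ( ! defined( 'CANNY_LOGIN_FILE' ) ) {
    define( 'CANNY_LOGIN_FILE', 'canny-login.php' );
}

/**
 * Swap the default login filename for the renamed one in a generated URL.
 * The query string (action, nonce, redirect_to) is left untouched.
 *
 * @param string $url URL produced by WordPress.
 * @return string URL pointing at the renamed login file.
 */
function canny_replace_login_file( $url ) {
    if ( ! is_string( $url ) || false === strpos( $url, 'wp-login.php' ) ) {
        return $url; // Nothing to rewrite.
    }
    return str_replace( 'wp-login.php', CANNY_LOGIN_FILE, $url );
}

// wp_login_url(), wp_logout_url() and wp_lostpassword_url() pass their results
// through these filters, so theme and plugin links follow the renamed file.
add_filter( 'login_url', 'canny_replace_login_file' );
add_filter( 'logout_url', 'canny_replace_login_file' );
add_filter( 'lostpassword_url', 'canny_replace_login_file' );

// Links built directly with site_url( 'wp-login.php' ) or network_site_url()
// (form actions, e-mail links) bypass the filters above, so cover them too.
add_filter( 'site_url', 'canny_replace_login_file' );
add_filter( 'network_site_url', 'canny_replace_login_file' );
```

A WordPress core update can put the original wp-login.php back on the server, so confirm after each update that the default file is still absent.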
Test your new login page URL. Anyone visiting the default wp-login.php page will experience an error.
No canny logins for stealthy hackers here unless they know how to cruise on the highway to the danger zone.
To revert to the original login page, simply restore the wp-login.php file from your backup and delete the new file from your server.
WordPress Login URL .htaccess File Hacks
There are ways to ‘obscure’ your WordPress login details using the .htaccess file. Obscuring your WordPress login URL, however, doesn’t necessarily mean hiding it from others.
For example, let’s take a look at what happens when you add URL forwarding to your .htaccess. Remember to make a complete backup of your site before making any changes to your .htaccess file.
WordPress Login Page Obscurity With URL Redirection
You can change the location of your login page by changing the name of your WordPress login file using the mod_rewrite module in an Apache server.
To do this, add the line below to your .htaccess file (note: replace ‘newloginpage’ with any alias and change the example.com URL to your domain):
RewriteRule ^newloginpage$ http://www.example.com/wp-login.php [NC,L]
In this example, we’ll add an alias called ‘dancekevindance’ and reupload the .htaccess file to our server:
Now, go back to the site and enter the new URL.
As you can see, the above method doesn’t hide the default WordPress login URL, it merely creates an alias that lets users log into their WordPress dashboard using a web address that is easier for them to remember than
Hide Your WordPress Login Page With Code
Ideally, we recommend just sticking to using a plugin if you want to change your WordPress login URL, hide the wp-admin and wp-login.php pages, or redirect users away from the default login page. Messing with code can cause compatibility issues, slow down your site, and create other problems.
If you want to look at other options that involve code, however, then check out this post we’ve written about hiding your WordPress login page from hackers with code.
Don’t Let Them Gonna Take You Right Into The Danger Zone
WordPress is a magnet for hackers and malicious bots, so it’s important to understand WordPress security best practices and implement multiple WordPress security strategies to protect your site from hackers and brute-force attacks. This includes security through obscurity.
When used as part of a more comprehensive security strategy, obscurity can be helpful. As we’ve just seen, however, simply hiding the WordPress login page is not enough to guarantee that you will see zero malicious login attempts.
Unless you actually change the WordPress login URL of your site and redirect unwanted visitors away from pages like wp-login.php and wp-admin, hackers and bots will still be able to find your login page and attempt to guess your login details.
Messing with code can cause compatibility issues, slow down your site, and create other problems. Using a plugin like Defender is the easiest way to hide your WordPress login page from hackers and make it all but invisible to the vast majority of low-flying malicious login attempts.
To protect your site against the worst of the worst, you need help from the best of the best. If you’re not a member of WPMU DEV yet, join our elite group of top gun WordPress developers and website owners with our no-risk free 7-day trial and get access to all the security tools, protection features, and support your site needs to fly high and free out of the danger zone.