
How to Change WordPress Login URL: Hide wp-login.php

Learn how to change your WordPress login URL and hide wp-login.php from attackers. Step-by-step guide to implementing a custom login page address.

Sarah Chen

Every WordPress site uses wp-login.php for login by default. Attackers know this, making your login page an easy target. Changing your login URL adds an important layer of security by hiding your admin entrance.

Why Change Your WordPress Login URL?

The Default Login Problem

Every WordPress installation uses the same login URLs:

  • yoursite.com/wp-login.php
  • yoursite.com/wp-admin/
  • yoursite.com/login

Attackers and bots automatically target these URLs, launching:

  • Brute force password attacks
  • Credential stuffing (using leaked passwords)
  • Username enumeration
  • Plugin vulnerability exploits

Attack Volume Statistics

A typical WordPress site receives:

  • 100-1,000+ login attempts per day
  • Millions of attempts per year across all sites
  • Automated attacks running 24/7

Once you change your login URL, these automated attacks fail immediately because they can't find your login page.

How Custom Login URLs Work

The Concept

  1. You choose a secret URL (e.g., /my-secret-login)
  2. The plugin redirects this URL to the real login page
  3. Direct access to wp-login.php returns a 404 or a redirect
  4. Only you know the actual login location

What Happens to Attackers

  • Visit /wp-login.php → 404 Not Found
  • Visit /wp-admin/ → Redirected away or 404
  • Automated tools fail completely

Setting Up Custom Login URL with WP Folder Shield

Step 1: Enable Login URL Hiding

  1. Navigate to WP Folder Shield > Settings
  2. Click the "Login Security" tab
  3. Find the "Custom Login URL" section
  4. Enable the feature

Step 2: Choose Your Custom URL

Enter your desired login URL slug:

  • Example: my-secure-login
  • Your new URL: yoursite.com/my-secure-login

Step 3: Configure Redirect Behavior

Choose what happens when someone visits the old login URLs:

  • 404 Page: Shows "page not found" (recommended)
  • Redirect to Homepage: Sends them to the front page
  • Custom URL: Redirect to any URL you choose

Step 4: Save and Test

  1. Save your settings
  2. Open a new incognito/private browser window
  3. Try accessing /wp-login.php: it should fail
  4. Try your new custom URL: it should show the login page
  5. Bookmark your new login URL!
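
A scripted version of the Step 4 check, as an added example (not WP Folder Shield code). It also flags a case the manual test can miss: an old URL that redirects to the new login address and so reveals it. The `fetch` and `audit` helpers, the `id="loginform"` marker used to recognise the stock WordPress login form, and the sample responses are assumptions of this example.

```python
# Added example: helper names and the form marker are assumptions, not plugin code.
import urllib.error
import urllib.request

# Default entry points listed in this article, plus the stock login form's id.
DEFAULT_PATHS = ["/wp-login.php", "/wp-admin/", "/login"]
LOGIN_FORM_MARKER = 'id="loginform"'

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report 3xx responses instead of following them

def fetch(base_url, path):
    """Return (status, Location header, body) without following redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(base_url.rstrip("/") + path, timeout=10)
        status = resp.status
    except urllib.error.HTTPError as err:  # 3xx, 4xx and 5xx arrive here
        resp, status = err, err.code
    body = resp.read().decode("utf-8", "replace")
    return status, resp.headers.get("Location", ""), body

def audit(observed, slug):
    """observed maps path -> (status, location, body); returns a list of findings."""
    findings = []
    for path in DEFAULT_PATHS:
        status, location, body = observed[path]
        if LOGIN_FORM_MARKER in body:
            findings.append(f"{path}: login form is still served")
        elif 300 <= status < 400 and slug in location:
            findings.append(f"{path}: redirect reveals the custom URL ({location})")
    status, _, body = observed["/" + slug]
    if status != 200 or LOGIN_FORM_MARKER not in body:
        findings.append(f"/{slug}: login form not reachable (HTTP {status})")
    return findings

# Constructed sample responses, not captured from a real site.
SAMPLE = {
    "/wp-login.php": (404, "", "<h1>Page not found</h1>"),
    "/wp-admin/": (302, "https://yoursite.com/my-secure-login?redirect_to=%2Fwp-admin%2F", ""),
    "/login": (302, "https://yoursite.com/", ""),
    "/my-secure-login": (200, "", '<form name="loginform" id="loginform" method="post">'),
}

if __name__ == "__main__":
    print(audit(SAMPLE, "my-secure-login"))
```

For a live run against your own site, build `observed` by calling `fetch(base_url, path)` for each default path and for your custom slug, then pass it to `audit`. An empty list means the old URLs no longer expose or point to the login page.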

Choosing a Good Custom URL

Good Practices

  • Use something memorable but not guessable
  • Avoid common alternatives (admin-login, secret-admin)
  • Include random characters: access-x7k9m
  • Make it easy for you to remember

Bad Choices

  • /admin - Too common
  • /login - Already a WordPress alias
  • /secret-login - Attackers check for this
  • /wp-login-new - Too obvious

Examples of Good Custom URLs

  • /access-portal-7x
  • /team-entry-2024
  • /backdoor-j9k3m (ironic but effective)
  • /[your-pet-name]-door

Important Considerations

Don't Forget Your URL

If you forget your custom login URL, you'll be locked out. Always:

  • Bookmark the new login URL
  • Save it in your password manager
  • Document it somewhere secure

Recovery Options

If locked out, you can recover by:

  • Disabling the plugin via FTP (rename plugin folder)
  • Directly accessing the database to change settings
  • Using WP-CLI if available

Multisite Considerations

On WordPress Multisite, custom login URLs work but require network-level configuration. WP Folder Shield handles this automatically.

Combining with Other Security

Custom login URLs work best alongside:

  • Brute force protection: Catches any attackers who find your URL
  • Two-factor authentication: Protects even if password is compromised
  • IP whitelisting: Restrict login access to known IPs
  • CAPTCHA: Stop automated attempts

WP Folder Shield provides all these features in one integrated security suite.

Get WP Folder Shield to hide your WordPress login page and protect against automated attacks.

Written by Sarah Chen

WP Folder Shield Team
