How to Hide Your WordPress Login Page with a Custom URL

Security Through Obscurity (That Actually Works)

Security experts often dismiss "security through obscurity"—and for good reason. Hiding things isn't real security. But when combined with other protections, hiding your login page is remarkably effective at stopping automated attacks. Bots targeting wp-login.php can't attack what they can't find.

The Problem with wp-login.php

It's Predictable

Every WordPress site has the login page at the same location:

• wp-login.php
• wp-admin (redirects to login if not authenticated)

Attackers Know This

Automated tools specifically target these URLs. They don't even need to scan your site—they just hit wp-login.php directly.

The Result

• Constant brute force attempts
• Server resources wasted on attack traffic
• Unnecessary security log noise
• Risk of successful attack

How Custom Login URLs Help

Bots Can't Find It

Change your login to /my-secret-portal and automated attacks targeting wp-login.php hit a 404 instead.

Massive Reduction in Attacks

Sites using custom login URLs typically see:

• 95-99% reduction in brute force attempts
• Cleaner security logs
• Lower server resource usage
• Fewer lockouts and false alarms

Not a Complete Solution

Important: Custom URLs don't prevent targeted attacks where someone specifically probes your site. Always combine with:

• Login attempt limiting
• Two-factor authentication
• Strong passwords

Setting Up a Custom Login URL

With WP Folder Shield

1. Go to Folder Shield > Settings > Login Security
2. Find "Custom Login URL" section
3. Enable the feature
4. Enter your custom slug (e.g., "secure-login")
5. Save changes

URL Requirements

• 4-32 characters
• Letters, numbers, and hyphens only
• Cannot use reserved slugs (admin, login, wp-admin, etc.)

After Configuration

• Old: yoursite.com/wp-login.php → 404 Error
• Old: yoursite.com/wp-admin → 404 Error (if not logged in)
• New: yoursite.com/secure-login → Login Page

Choosing a Good Custom URL

Good Choices

• Random: /access-7x9k4m
• Obscure: /team-portal
• Memorable: /backdoor (ironic but effective)

Bad Choices

• /login - Too obvious
• /admin - Too obvious
• /wp-login - Defeats the purpose
• /secret-login - Often guessed

Best Practice

Use something memorable to you but not guessable by others. Adding random characters helps: /team-access-42

What About wp-admin?

WP Folder Shield handles wp-admin intelligently:

• Not logged in: wp-admin returns 404
• Logged in: wp-admin works normally

You access admin through the normal wp-admin URL after logging in via your custom URL.

Don't Forget Your New URL!

Document It

• Save in password manager
• Bookmark in browser
• Share securely with team members

If You Forget

You can recover via:

1. FTP access - check WP Folder Shield settings in database
2. Disable plugin temporarily via FTP
3. Direct database access to find/change setting

Custom Login URL + Other Protections

Layered Security

Custom URL stops automated attacks. But you still need:

• Login limiting - In case someone finds your URL
• 2FA - Stops attacks even if password is guessed
• Strong passwords - Makes guessing impractical
• reCAPTCHA - Additional bot protection

Defense in Depth

No single measure is foolproof. The combination of custom URL + limiting + 2FA + strong passwords creates extremely robust protection.

Monitoring Effectiveness

Check Old URLs

After enabling custom login URL, check security logs for requests to:

• wp-login.php (should be blocked/404)
• wp-admin (should be blocked for non-authenticated)

Expected Results

• Massive drop in failed login attempts
• 404 errors for old login URLs
• Only legitimate access to new URL

Troubleshooting

Can't Access Login Page

• Make sure you're using the new URL
• Clear browser cache
• Try incognito mode

Custom URL Not Working

• Check for permalink conflicts
• Flush rewrite rules (Settings > Permalinks > Save)
• Verify .htaccess is writable

Conclusion

Hiding your WordPress login page with a custom URL is one of the simplest yet most effective security measures. It eliminates 95%+ of brute force attack traffic by making bots hit a 404 instead of your login form. WP Folder Shield makes setup easy—just enter your custom slug and save. Combined with login limiting and 2FA, a custom login URL creates a formidable defense against unauthorized access.