Why Hiding the Default WordPress wp-admin and wp-login URLs is Important
By default, all WordPress websites use the same login URLs (wp-admin and wp-login.php), making them an easy target for hackers, bots, and brute force attacks. Attackers can repeatedly attempt to guess your credentials, potentially gaining unauthorized access to your site.
A major reason these attacks are so common is that the default login URL is predictable. If you change this URL to a custom address that only you know, it becomes extremely difficult for attackers to find your login page. Most automated bots won’t waste time searching for the correct URL and will simply move on to another target, significantly reducing the risk of brute force attacks.
Beyond security, hiding your login page can improve website performance by reducing unnecessary bot traffic and login attempts that consume server resources.
In this guide, we’ll explore how to manually change the default WordPress login URL.
Manually Changing the WordPress Login URL Using Web Hosting Panels or FTP
Manually changing the WordPress login URL requires modifying core PHP files within your website. Since this cannot be done directly through the WordPress dashboard (unless you install a File Manager plugin), you will need access to your web hosting panel (cPanel, hPanel, Plesk) or an FTP client. The exact steps may vary depending on your hosting provider and server configuration.
Steps to Change the WordPress Login URL Manually
Rename wp-login.php
- Access Your Web Hosting Panel or FTP
  - Log in to your hosting control panel (cPanel, hPanel, Plesk) or connect via an FTP client like FileZilla.
  - Navigate to the File Manager and locate your WordPress installation directory.
- Locate the wp-login.php File
  - In your WordPress root folder, find the file named wp-login.php. This is the default login file for your WordPress site.
- Rename the Login File
  - Change the filename to a custom name of your choice (e.g., weave-login.php).
  - Ensure the file extension remains .php (e.g., weave-login.php).
  - Make a note of your new login URL, as you will need it to change a few lines of code and to access your WordPress dashboard.
By renaming this file, you obscure the default login path, making it harder for attackers to find and attempt unauthorized logins.
However, this method has limitations: WordPress updates may overwrite changes, and plugins or themes relying on wp-login.php may break. For a more secure and efficient solution, consider using a dedicated security plugin; choose a lightweight one so that it does not slow down your website or add to your overall plugin load.
The wp-login.php file now has the custom name weave-login.php.
Next, open weave-login.php in a text editor.
Right-click the .php file and select Edit.
On Mac, press Command + F (or CTRL + F on Windows) to activate the search function. Then, search for wp-login.php and replace all instances with your new custom file name, such as weave-login.php.
Save the file and close the text editor. There’s no need to restart your server—your website will immediately stop accepting requests on the old login URL and start using the new one.
Now you need to go to wp-content > themes > (your theme) > functions.php
Fix Logout URL
WordPress uses wp-login.php?action=logout for logging out. Since we renamed wp-login.php to weave-login.php, we need to update logout links.
Add this to functions.php:
```php
function custom_logout_url($logout_url, $redirect) {
    $logout_url = str_replace('wp-login.php', 'weave-login.php', $logout_url);
    return $logout_url;
}
add_filter('logout_url', 'custom_logout_url', 10, 2);
```
Now, the logout URL will use weave-login.php?action=logout instead of wp-login.php?action=logout.
Fix Logout Redirection
When logging out, WordPress tries to redirect to wp-login.php. To fix this, force it to redirect to the homepage or a custom page.
Add this to functions.php:
```php
function custom_logout_redirect() {
    wp_redirect(home_url()); // Change this to a custom page if needed
    exit();
}
add_action('wp_logout', 'custom_logout_redirect');
```
After that, the last step is to update your .htaccess file, which can be found in the main folder.
Update .htaccess Rules to Handle Old Logout Links
If users try to log out using the old wp-login.php?action=logout, redirect them to weave-login.php:
Add this to .htaccess:
```apache
RewriteEngine On
# Redirect logout requests to weave-login.php
RewriteCond %{QUERY_STRING} ^action=logout [NC]
RewriteRule ^wp-login\.php$ /weave-login.php?%{QUERY_STRING} [R=302,L]
```
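A post-change audit for the procedure above, as an added example that is not part of the original guide: it checks that wp-login.php has not been restored by an update, that the renamed file has no leftover references, and that no .htaccess redirect hands out the custom name in its Location header. The function name audit_login_rename and the constructed demo files are assumptions; weave-login.php is the guide's example name.

```shell
#!/bin/sh
# Added example (not from the original guide). Prints one line per finding
# and returns the number of findings.
audit_login_rename() {
    root=$1; custom=$2; findings=0
    # A core update ships wp-login.php again, re-exposing the default URL.
    if [ -e "$root/wp-login.php" ]; then
        echo "FAIL: $root/wp-login.php exists (restored by an update?)"
        findings=$((findings + 1))
    fi
    if [ ! -f "$root/$custom" ]; then
        echo "FAIL: $root/$custom is missing, nobody can log in"
        findings=$((findings + 1))
    elif grep -qF 'wp-login.php' "$root/$custom"; then
        # Leftover references post forms back to a file that no longer exists.
        n=$(grep -cF 'wp-login.php' "$root/$custom")
        echo "FAIL: $n line(s) in $custom still reference wp-login.php"
        findings=$((findings + 1))
    fi
    # A redirect that names the custom file hands that name to anyone who
    # requests the old URL, via the Location header.
    if [ -f "$root/.htaccess" ] &&
       grep -v '^[[:space:]]*#' "$root/.htaccess" | grep 'RewriteRule' | grep -qF "$custom"; then
        echo "WARN: .htaccess RewriteRule discloses $custom in its redirect"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Demo on a constructed directory: default file restored, one leftover reference.
demo=$(mktemp -d)
printf '<?php\n' > "$demo/wp-login.php"
printf '%s\n' '<?php' '<form action="wp-login.php" method="post">' > "$demo/weave-login.php"
audit_login_rename "$demo" weave-login.php || echo "findings: $?"
rm -rf "$demo"
```

Run it after every WordPress core update, since that is when the default file is most likely to reappear.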
Final Thoughts
Changing the default WordPress login URL to a custom name adds an extra layer of security by deterring automated bots and brute-force attacks. However, it’s not a foolproof method: hackers can still uncover your login page through site inspection or database analysis.
For robust protection, this approach should be part of a broader security strategy. Consider implementing additional safeguards such as IP blocking, login attempt limitations, strong password policies, and regular updates for plugins and themes. Strengthening your overall website security will ensure better protection against cyber threats.