How To Better Secure Your WordPress Login Page

During the installation process, WordPress creates two default login URLs. I’m sure you’re already familiar with at least one of these, but the two are:

  • wp-admin
  • wp-login.php

This happens during every WordPress installation. Given that these identical login URLs are a potential security risk (more on this later!), it’s somewhat surprising that WordPress doesn’t give users the option to create a custom login URL, don’t you think?

Well, even if WordPress doesn’t allow you to customize the login URL by default, it is perfectly possible to do so. If you’ve ever wondered how to change the default URLs, read on, as I’m about to show you!

Why Should I Change the WordPress Login URL?

  • Protect against brute force attacks
  • Protect your site from bots looking for the wp-admin/wp-login paths
  • Hide the fact that you are using WordPress
  • Stop malicious hackers from wasting your WordPress resources and bandwidth; the default login URL is frequently attacked
  • Protect WordPress from zero-day vulnerability attacks

I know most of the world out there is not code savvy. But yes, you guessed it, there’s a plugin for that. You can change the login URL with the help of the WPS Hide Login plugin.

WPS Hide Login is a very light plugin that lets you easily and safely change the URL of the login form page to anything you want. It doesn’t literally rename or change files in core, nor does it add rewrite rules. It simply intercepts page requests and works on any WordPress website. The wp-admin directory and wp-login.php page become inaccessible, so you should bookmark or remember the URL. Deactivating this plugin brings your site back exactly to the state it was in before.
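Because wp-login.php becomes inaccessible and legitimate users reach the form through the new URL, any request that still targets the default path comes from a client that does not know the site's real login address. The following added example (not part of the original article or the plugin's code) counts such requests per client IP in a combined-format access log; the log lines, the `/my-private-login/` slug and the three-POST threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache/Nginx "combined" format (not real traffic).
# "/my-private-login/" is a hypothetical custom slug; IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2024:10:01:00 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:02:00 +0000] "POST /my-private-login/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:02:01 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "-" "Mozilla/5.0"
this line is not a log entry
"""

# client IP, ident, user, [timestamp], "METHOD path protocol"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" \d{3} ')


def probes_by_ip(log_text):
    """Return {ip: Counter({method: count})} for requests to the default login path."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or non-access-log lines
        ip, method, path = m.groups()
        # Drop the query string; also matches installs in a subdirectory.
        if path.split("?", 1)[0].endswith("/wp-login.php"):
            hits[ip][method] += 1
    return dict(hits)


def brute_force_candidates(log_text, min_posts=3):
    """IPs that POSTed to the default login path at least min_posts times."""
    probes = probes_by_ip(log_text)
    return sorted(ip for ip, c in probes.items() if c["POST"] >= min_posts)


if __name__ == "__main__":
    for ip, counts in probes_by_ip(SAMPLE_LOG).items():
        print(ip, dict(counts))
    print("brute-force candidates:", brute_force_candidates(SAMPLE_LOG))
```

The wp-admin directory is deliberately not counted here, since logged-in administrators and admin-ajax.php requests pass through it and an access log alone cannot tell them apart from probes.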

Compatibility

Requires WordPress 4.1 or higher. All login related things such as the registration form, lost password form, login widget and expired sessions just keep working.

It’s also compatible with any plugin that hooks in the login form, including:

  • BuddyPress,
  • bbPress,
  • Limit Login Attempts,
  • and User Switching.

Obviously, it doesn’t work with plugins or themes that hardcode wp-login.php.

Works with multisite, but not tested with subdomains. Activating it for a network allows you to set a network-wide default. Individual sites can still rename their login page to something else.

If you’re using a page caching plugin other than WP Rocket, you should add the slug of the new login URL to the list of pages not to cache. WP Rocket is already fully compatible with the plugin.

For W3 Total Cache and WP Super Cache, this plugin will give you a message with a link to the field you should update.