By default, WordPress login pages have a predictable URL structure (usually ending with “/wp-admin” or “/wp-login.php”), making them susceptible to brute-force attacks. Hackers often target these login pages to gain unauthorized access to websites.
Changing the login page URL adds an extra layer of security by making it harder for attackers to find the login page. It obscures the standard login URL, making it more challenging for automated bots to locate and exploit it. This simple change can significantly reduce the risk of unauthorized access and enhance the overall security posture of a WordPress website.
If you are a website administrator and want a bit of peace of mind by knowing that your login pages are not easily accessible to malicious entities, you can follow this tutorial to manually change your WordPress login page from “/wp-login.php” to a unique path of your choice, such as “/safe-access.php”.
Changing WordPress Login Page Manually
To change the WordPress login page without relying on a plugin, you need to modify a WordPress core file. It’s essential to create a backup of your WordPress files using a plugin or your hosting backup feature before proceeding.
When you’re prepared, begin by accessing your WordPress files through an SFTP connection or your hosting site’s file manager. (This tutorial employs FileZilla as the FTP client and Visual Code Editor as the code editor.) Once you’re connected, follow the steps below.
Step 1: Copy the Code from wp-login.php File
Begin by locating the wp-login.php file, which can be found at the top level of a WordPress installation (usually inside the public_html folder).
Open up the file by double-clicking it if you are using the host file manager, or download it if you are using an FTP client. Once you open the file, copy all the code from it.
Step 2: Paste the Code on a New File (New URL)
Now, create a new file in the same directory as the wp-login.php file. Give the new file a unique name (safe-access.php, for example), which will become the new path for your login page.
Continue by editing the file to paste the copied code from the wp-login.php file.
Step 3: Replace Every “wp-login.php” String with the New File Name
After pasting the code into the file, utilize the code editor’s ‘find and replace’ feature to replace every instance of wp-login.php in the file with your new login file name (in this case, safe-access.php). Save the changes made to the file afterward.
Step 4: Test Out Your New Login URL and Delete the wp-login.php File
At this point, you should be able to access your website’s login page using the new path you have created, as demonstrated in the following illustration.
Once you’ve made sure your new login page is functioning correctly, you can delete the wp-login.php file. By doing so, any HTTP request to /wp-login.php or /wp-admin will lead to a 404 not-found page.
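Steps 1 to 3 can also be carried out from a shell on the server instead of a code editor. The function below is an added example, not part of the original tutorial; the name make_login_copy and its two arguments are assumptions made for illustration, and it leaves wp-login.php in place so the new URL can be tested before the Step 4 deletion.

```shell
#!/bin/sh
# Added example, not from the original tutorial: steps 1-3 as one function.
# Usage: make_login_copy WP_ROOT NEW_NAME
#   WP_ROOT  directory that holds wp-login.php (e.g. public_html)
#   NEW_NAME new login file name (e.g. safe-access.php)
# The function name and arguments are hypothetical, chosen for this example.
make_login_copy() {
    wp_root=$1
    new_name=$2
    src="$wp_root/wp-login.php"
    dst="$wp_root/$new_name"

    # Accept only NAME.php built from letters, digits, "_" and "-", so the
    # name cannot leave WP_ROOT and has no characters special to sed.
    case $new_name in
        wp-login.php) echo "new name must differ from wp-login.php" >&2; return 2 ;;
        *.php) ;;
        *) echo "new name must end in .php" >&2; return 2 ;;
    esac
    base=${new_name%.php}
    case $base in
        ''|*[!A-Za-z0-9_-]*) echo "invalid file name: $new_name" >&2; return 2 ;;
    esac

    if [ ! -f "$src" ]; then echo "not found: $src" >&2; return 1; fi
    if [ -e "$dst" ]; then echo "refusing to overwrite $dst" >&2; return 1; fi

    # Steps 2 and 3: copy the file while rewriting every "wp-login.php".
    sed "s/wp-login\.php/$new_name/g" "$src" > "$dst" || return 1

    # Check: the copy must hold no reference to the old name.
    if grep -q 'wp-login\.php' "$dst"; then
        echo "old name still present in $dst" >&2
        rm -f "$dst"
        return 1
    fi

    # Report how many lines now point at the new name; zero would mean the
    # source file was not the expected wp-login.php.
    hits=$(grep -Fc -- "$new_name" "$dst") || hits=0
    echo "$dst written, $hits line(s) reference $new_name"
    [ "$hits" -gt 0 ]
}
```

A WordPress core update writes wp-login.php back into place, so repeat the Step 4 deletion after each update.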
The Bottom Line
Changing the default WordPress login page URL, which is often predictable and susceptible to attacks, provides an additional layer of security. Hackers commonly target these pages for unauthorized access. Altering the login page URL makes it challenging for attackers to locate and exploit, reducing the risk of unauthorized access and enhancing overall website security. Website administrators can follow this tutorial to manually change the login page URL, offering peace of mind by ensuring that login pages are not easily accessible to malicious entities.
In addition, you can also add Cloudflare Turnstile and Google reCAPTCHA to your site’s login form to add an extra security layer.