How to change the login URL in WordPress - Advanced Security

WordPress is known for its ease of use and highly customizable nature. However, this popularity also means that WordPress sites are frequent targets for brute force attacks. One way to protect your site is to change the default login URL. In this article, we’ll show you how to do it step by step.

Why Change the Login URL?

The default URL to access the WordPress admin is ‘yourdomain.com/wp-admin’. Being so predictable, it makes the job easier for attackers trying to access your site. By changing this URL, you can:

• Reduce the risk of brute force attacks.
• Decrease the load on your server caused by unauthorized access attempts.
• Add a layer of discretion to your site.

Benefits

Changing the login URL on your WordPress site offers several benefits, especially in terms of security and customization. Here are some of the most notable:

1. Enhanced Security

Prevention of Brute Force Attacks: Attackers often use the standard login URL (wp-login.php) to launch brute force attacks. By changing it, you significantly reduce the risk of these attacks, as bots and attackers must first find the new URL before they can try to access.
Decrease in Unwanted Traffic: Spam bots and unauthorized access attempts are usually programmed to target the standard URL. By changing it, you reduce unwanted traffic to your site.

2. Personalization and Branding

Customized User Experience: A custom login URL can better integrate with the overall design and user experience of your site, resulting in a more cohesive and professional experience for users.
Strengthening of the Brand: By customizing this URL, you can reinforce your brand identity in every aspect of the website, even on the login page.

3. Reduction of Server Workloads

Less Load by Automated Login Attempts: Bots attempting to access the standard login URL can cause unnecessary load on your server. By changing the URL, it’s less likely that these bots will find the login page, which can help reduce server load.

4. Improved Site Management

Better Access Control: Having a custom URL allows you to better control who has access to the login page, which can be especially useful for sites with multiple users and roles.
More Effective Monitoring: It’s easier to monitor access attempts when you have a custom URL, as any access to the standard login URL can be considered suspicious.

5. Better Maintenance Experience

Less Problematic Updates: Custom plugins and themes can sometimes interfere with the standard login page during updates. By using a custom URL, you decrease the likelihood of facing issues after an update.

Using Plugins to Change the Login URL

The safest and easiest way to change the login URL in WordPress is through plugins. Let’s see how to do it with one of the most popular plugins: WPS Hide Login.

Step 1: Install the Plugin

1. Enter your WordPress admin panel.
2. Go to ‘Plugins’ > ‘Add New’.
3. Search for ‘WPS Hide Login’ in the plugin directory.
4. Click on ‘Install Now’ and then ‘Activate’.

Step 2: Configure the Plugin

1. Once activated, go to ‘Settings’ > ‘WPS Hide Login’.
2. You will see a field to enter the new login URL. Choose a URL that is easy to remember for you but difficult to guess for others.
3. Save the changes.

Step 3: Test the New URL

After saving the changes, WordPress will redirect you to the new login URL. Make sure to test it to verify that it works correctly. Don’t forget to save this URL in a safe place.

Step 4: Notify Users

If you have other users who need to access the admin panel, make sure to notify them about the change of the login URL.

Changing the Login URL Manually

Changing the login URL manually is an advanced method and should only be performed by users who are confident working with PHP and WordPress files. Before starting, make sure you have a full backup of your site.

Step 1: Create a Custom PHP File for Login

1. Access the WordPress installation directory via FTP or your hosting’s file manager.
2. Navigate to the folder wp-content/themes/your-active-theme/.
3. Create a new PHP file. For example, you could call it my-custom-login.php.
4. Insert the following code inside the file my-custom-login.php:

<?php
// Customize the WordPress login
function custom_login() {
  global $pagenow;
  if( 'wp-login.php' == $pagenow ) {
    if ( isset( $_POST['log'] ) && isset( $_POST['pwd'] ) ) {
      return;
    } else {
      wp_redirect( home_url( '/my-login/' ) );
      exit();
    }
  }
}
add_action( 'init', 'custom_login');
?>

Save and upload the file to the server.

Step 2: Update the .htaccess File

1. 1. Find the .htaccess file in the WordPress root directory.
   2. Add the following code to the .htaccess file, adapting it as necessary for your site:

# Changes for the new login URL
RewriteRule ^my-login$ wp-login.php [NC,L]

Step 3: Update Functions in WordPress

1. 1. Open the functions.php file of your active theme.
   2. Add the following lines to the end of the functions.php file:

function redirect_login_page() {
  $login_page  = home_url( '/my-login/' );
  $page_viewed = basename($_SERVER['REQUEST_URI']);
if( $page_viewed == "wp-login.php" && $_SERVER['REQUEST_METHOD'] == 'GET') {
wp_redirect($login_page);
exit;
}
}
add_action('init','redirect_login_page');

function login_failed() {
$login_page = home_url( '/my-login/' );
wp_redirect($login_page . '?login=failed' );
exit;
}
add_action( 'wp_login_failed', 'login_failed' );

function verify_username_password( $user, $username, $password ) {
$login_page = home_url( '/my-login/' );
if( $username == "" || $password == "" ) {
wp_redirect( $login_page . "?login=empty" );
exit;
}
}
add_filter( 'authenticate', 'verify_username_password', 1, 3);

These functions ensure that failed login attempts or direct accesses to wp-login.php are redirected to your new login page.

Final Considerations for the Manual Method

• This method can be more prone to errors and conflicts with WordPress updates or plugins.
• You should manually update these changes if you change your theme or if there are updates that overwrite these files.
• It is not recommended if you are not comfortable editing PHP or .htaccess files.

Final Considerations

• Make a backup: Before making any changes, it is crucial that you make a backup of your site.
• Updates: When you update WordPress or your theme, check that the change in the login URL is still effective.
• Support: If you have trouble configuring the plugin, consult the documentation or seek help in WordPress forums.

Changing the login URL is a simple but effective security measure that can make a difference in protecting your WordPress site. With these steps, you can strengthen your site against unwanted attacks and ensure a better experience for all your users.

Conclusion

Changing the login URL of your WordPress site is an essential step towards a robust security strategy. Not only does it deter automated attacks and reduce server load, but it also contributes to a stronger brand identity and a better user experience. Although the process may seem technical, the long-term benefits of protecting your website far outweigh the initial effort.

For those seeking even more solid security, consider exploring other solutions that can work in conjunction with your custom login URL. You can find a complete list of the best WordPress security plugins in our specialized resource: The Best WordPress Security Plugins. By combining effective security measures, you will ensure that your site is not only more secure, but also more reliable and professional.

Remember, security in WordPress is an ongoing process, and staying informed and up-to-date with best practices is key to protecting your online presence. Protect your site today and browse with confidence!