WP AI Agent
Features Pricing Blog Contact Download Plugin Manage Subscription Get Free Key →

How to Change the WordPress Login URL (Step-by-Step Guide)

· · 9 min read

Knowing how to change the WordPress login URL is one of the most effective security steps you can take to protect your website from automated bots and brute-force attacks. By default, every WordPress site uses yourdomain.com/wp-login.php or yourdomain.com/wp-admin as its login address — a fact that malicious actors exploit daily. Changing this URL adds a powerful layer of security through obscurity, dramatically reducing unwanted login attempts without requiring complex server configurations.

Why You Should Change Your WordPress Login URL

The default WordPress login page is one of the most targeted endpoints on the internet. Because the URL is the same for every WordPress installation, hackers and bots can target it automatically without even knowing anything about your specific site.

Security Benefits

Changing your login URL delivers several immediate security advantages:

  • Blocks automated bot attacks: Most bots target the default URL. A custom URL stops them before they even try a password.
  • Reduces server load: Fewer failed login attempts mean less strain on your database and server resources.
  • Complements other security measures: Combined with two-factor authentication and strong passwords, a custom login URL makes your site significantly harder to compromise.
  • Prevents username enumeration: Attackers who cannot find the login page cannot attempt to enumerate valid usernames.

Who Should Do This?

This step is recommended for virtually every WordPress site — whether you run a personal blog, a WooCommerce store, or a large corporate website. It is especially critical if your site handles sensitive user data, payments, or member accounts.

Method 1: Change the WordPress Login URL Using a Plugin

The easiest and most beginner-friendly way to change your WordPress login URL is by using a dedicated security plugin. Several reliable options are available in the WordPress plugin repository.

Using WPS Hide Login

WPS Hide Login is a lightweight plugin with over 1 million active installations. It is specifically built for this single task and does not bloat your site with unnecessary features.

  1. Log in to your WordPress dashboard at your current login URL.
  2. Navigate to Plugins > Add New in the left sidebar.
  3. Search for WPS Hide Login in the search bar.
  4. Click Install Now next to the plugin, then click Activate.
  5. Go to Settings > WPS Hide Login.
  6. In the Login URL field, type your desired custom login path (e.g., my-secure-login).
  7. In the Redirection URL field, enter the page users are redirected to if they try to access /wp-admin without being logged in (e.g., 404 or your homepage).
  8. Click Save Changes.

After saving, your new login URL will be yourdomain.com/my-secure-login. Bookmark it immediately so you do not lose access.

Using All In One WP Security & Firewall

If you prefer an all-in-one security solution, the All In One WP Security & Firewall plugin also includes a login URL changer among its many features.

  1. Install and activate All In One WP Security & Firewall from the plugin repository.
  2. In your dashboard, go to WP Security > Brute Force.
  3. Click the Rename Login Page tab.
  4. Toggle the Enable Rename Login Page Feature checkbox to on.
  5. Enter your custom login page slug in the Login Page URL field.
  6. Click Save Settings.

Method 2: Change the WordPress Login URL Manually (No Plugin)

Advanced users may prefer to change the login URL without relying on a plugin. This approach uses WordPress hooks and a small PHP snippet added to your theme's functions.php file or a custom plugin.

Important Warning Before Proceeding

Editing core WordPress files or your theme's functions.php incorrectly can lock you out of your site. Always back up your website before making any manual changes. Consider using a child theme to avoid losing changes during theme updates.

Adding a Custom Rewrite Rule

The following PHP snippet uses WordPress hooks to redirect the default login URL to a custom path. Add this to your active theme's functions.php file or to a custom plugin file.

/**
 * Change the WordPress login URL to a custom path.
 * Add this to your child theme's functions.php or a custom plugin.
 */
function custom_login_url( $login_url, $redirect, $force_reauth ) {
    return home_url( '/my-secure-login', 'login' );
}
add_filter( 'login_url', 'custom_login_url', 10, 3 );

function redirect_default_login() {
    $request = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
    if ( strpos( $request, 'wp-login.php' ) !== false && ! is_user_logged_in() ) {
        wp_redirect( home_url( '/404' ) );
        exit;
    }
}
add_action( 'init', 'redirect_default_login' );

Replace /my-secure-login with your chosen URL slug and /404 with the page you want unauthorised visitors to be redirected to. Note that for a fully robust manual solution, you would also need to configure server-level rewrite rules in your .htaccess file (for Apache) or your Nginx configuration, which is beyond the scope of a standard functions.php edit. For most users, a plugin-based approach is safer and more complete.

Method 3: Change the WordPress Login URL Using WP-CLI

WP-CLI is the command-line interface for WordPress. If you have server access and are comfortable with terminal commands, WP-CLI offers a fast way to install and configure the WPS Hide Login plugin without touching the browser.

Installing and Configuring the Plugin via WP-CLI

  1. SSH into your server and navigate to your WordPress root directory. For example: cd /var/www/html
  2. Install the WPS Hide Login plugin using the following command:
wp plugin install wps-hide-login --activate
  1. Set your custom login URL slug by updating the plugin's option in the WordPress database:
wp option update whl_page "my-secure-login"
  1. Optionally, set the redirect URL for blocked access attempts:
wp option update whl_redirect "404"
  1. Flush the rewrite rules to make sure WordPress recognises the new URL:
wp rewrite flush

Your custom login URL is now active. You can verify it by visiting yourdomain.com/my-secure-login in your browser.

Best Practices After Changing Your Login URL

Changing your login URL is an important step, but it works best as part of a broader security strategy. Here are the key best practices to follow once you have made the change.

Bookmark Your New Login URL

This sounds obvious, but it is the most common mistake users make. The moment you save your new login URL, add it to your browser bookmarks and save it in your password manager. If you forget the URL, you may need to access your database via phpMyAdmin or WP-CLI to retrieve or reset it.

Inform Your Team

If other users or administrators access your WordPress dashboard, notify them of the new URL immediately. Update any internal documentation, wikis, or onboarding guides that reference the old login address.

Combine With Other Security Measures

A custom login URL is not a silver bullet. Pair it with these additional protections for maximum security:

  • Two-factor authentication (2FA): Require a one-time code in addition to a password for all administrator accounts.
  • Strong, unique passwords: Use a password manager to generate and store complex passwords.
  • Login attempt limiting: Restrict the number of failed login attempts to lock out bots after a few tries.
  • SSL certificate: Ensure your site uses HTTPS so that login credentials are encrypted in transit.
  • Regular backups: Maintain automated, off-site backups so you can recover from any security incident.

Test the Redirect for Old URLs

After changing your login URL, visit yourdomain.com/wp-login.php and yourdomain.com/wp-admin in your browser while logged out. Both should redirect to your chosen page (typically a 404 page or your homepage) rather than displaying the login form. If they still show the login form, double-check your plugin settings or code snippet.

Troubleshooting Common Issues

Even with a straightforward process, things can occasionally go wrong. Here are the most common problems and how to fix them.

Locked Out of WordPress Admin

If you forget your new login URL or get locked out, you have several recovery options:

  • Check your browser history: Your new URL may still be in your recent history.
  • Use WP-CLI: Run wp option get whl_page to retrieve the saved URL slug from the database.
  • Use phpMyAdmin: Log in to your hosting control panel, open phpMyAdmin, navigate to the wp_options table, and search for the whl_page option to see or change the value.
  • Deactivate the plugin via FTP: Connect to your server via FTP, navigate to wp-content/plugins/, and rename the wps-hide-login folder. This deactivates the plugin and restores the default login URL.

Caching Issues

If your custom login URL does not seem to work immediately, a caching plugin or CDN might be serving old cached responses. Clear your WordPress cache, your browser cache, and any CDN cache (such as Cloudflare) after making changes. Most caching plugins have a one-click purge option in the dashboard.

Conflict With Other Plugins

Some security plugins and membership plugins modify login behaviour and can conflict with login URL changers. If you experience redirect loops or errors, temporarily deactivate other security plugins one by one to identify the conflict, then consult the documentation for both plugins to find a compatible configuration.

Frequently Asked Questions

Is changing the WordPress login URL enough to secure my site?

Changing the WordPress login URL is an excellent first step, but it should not be your only security measure. It works best when combined with two-factor authentication, strong passwords, login attempt limiting, an SSL certificate, and regular backups. Think of it as one layer in a multi-layered security strategy.

Will changing the login URL break anything on my WordPress site?

In most cases, no. Reputable plugins like WPS Hide Login are designed to change the URL cleanly without affecting your site's front end, plugins, or theme. However, some plugins that rely on the default login URL — such as certain membership or LMS plugins — may need reconfiguring. Always test on a staging environment first if possible.

What happens if I forget my new WordPress login URL?

If you forget your custom login URL, you can recover it by checking your browser history, using WP-CLI to query the database option, using phpMyAdmin to view the wp_options table, or deactivating the login URL plugin via FTP by renaming its folder in wp-content/plugins/. This will restore access through the default /wp-login.php URL.

Can I change the WordPress login URL on a multisite network?

Yes, but it requires extra care. On a WordPress multisite network, the login is handled at the network level. Plugins like WPS Hide Login support multisite, but you should activate them network-wide and ensure the custom URL does not conflict with any sub-site slugs. Test thoroughly on a staging multisite before applying changes to a live network.

Changing your WordPress login URL is a quick, high-impact security improvement that every site owner should implement. Whether you choose a plugin, a manual code snippet, or WP-CLI, the process is straightforward and the benefits are immediate. If you want an even simpler way to handle security tasks like this — along with other WordPress management tasks — consider using WP AI Agent, an AI-powered tool that lets you manage and configure your WordPress site through natural-language chat, so you can make changes like these without ever needing to touch code or navigate complex settings menus.

Ready to manage WordPress with AI?

Get 100,000 tokens free every month. No credit card required.

Get Your Free License Key →

More from the blog

8 min read

How to Add a Table of Contents to WordPress Posts (Complete Guide)

7 min read

How to Display a Recent Posts Widget in WordPress: Complete Guide

8 min read

How to Create a 404 Error Page in WordPress: Complete Guide