Knowing how to change the WordPress login URL is one of the most effective security steps you can take to protect your website from automated brute-force attacks and unauthorized access attempts. By default, every WordPress site uses the same login address — yoursite.com/wp-login.php — making it an easy target for bots and hackers who know exactly where to look. In this guide, you will learn multiple methods to change that URL, understand why it matters, and discover best practices to keep your login page secure.
Why You Should Change Your WordPress Login URL
The default WordPress login page is publicly known. Automated bots constantly scan the internet looking for /wp-login.php and /wp-admin/ endpoints to launch credential-stuffing and brute-force attacks. Changing the login URL is a simple but powerful layer of security through obscurity that dramatically reduces unwanted login attempts.
Key Benefits of Changing the Login URL
- Reduced server load: Fewer bot requests hitting your server means better performance.
- Lower risk of brute-force attacks: Bots cannot attack a page they cannot find.
- Fewer failed login notifications: Security plugins generate fewer alerts, making real threats easier to spot.
- Improved overall security posture: Works well alongside two-factor authentication and strong passwords.
Important Caveats to Keep in Mind
Changing the login URL is not a silver bullet. It should be combined with other measures such as strong passwords, two-factor authentication, and a web application firewall (WAF). Also, make absolutely sure you record your new login URL — if you forget it, you could lock yourself out of your own site.
Method 1: Change the Login URL Using a Plugin (Recommended for Beginners)
The easiest and safest way to change the WordPress login URL is by using a dedicated plugin. These plugins handle all the technical details for you, including redirects and compatibility checks.
Using WPS Hide Login
WPS Hide Login is a lightweight, well-maintained plugin with over one million active installations. It changes the login URL without modifying any core files.
- Log in to your WordPress dashboard.
- Navigate to Plugins > Add New.
- Search for WPS Hide Login in the search bar.
- Click Install Now and then Activate.
- Go to Settings > General and scroll to the bottom of the page.
- Find the WPS Hide Login section and enter your desired login slug in the Login URL field (for example, my-secret-login).
- Set the Redirection URL — this is where visitors are sent if they try to access /wp-login.php or /wp-admin/ directly (e.g., your 404 page or homepage).
- Click Save Changes.
- Test the new URL immediately by opening a private/incognito browser window and navigating to yoursite.com/my-secret-login.
Using Perfmatters
Perfmatters is a premium performance plugin that also includes a login URL change feature. If you are already using Perfmatters for site optimization, you can enable the custom login URL under Perfmatters > Extras > Login URL without installing a separate plugin.
Method 2: Change the Login URL Manually Using .htaccess
If you prefer not to add another plugin to your site, you can change the login URL by editing your .htaccess file. This method works on Apache-based servers. Always back up your .htaccess file before making any changes.
Step-by-Step .htaccess Method
- Connect to your server via FTP or your hosting control panel's file manager.
- Navigate to your WordPress root directory (usually public_html or www).
- Download a backup copy of your .htaccess file before editing.
- Open the .htaccess file in a text editor.
- Add the following rewrite rules above the default WordPress rules (above the # BEGIN WordPress comment):
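# Serve the login page at a custom slug and hide wp-login.php
RewriteEngine On
RewriteBase /
# Internally map the custom slug to the real login script
# (any query string, such as ?action=register, is passed through)
RewriteRule ^my-secret-login$ /wp-login.php [L]
# Redirect direct GET/HEAD requests for wp-login.php to 404.
# THE_REQUEST holds the browser's original request line, so the internal
# rewrite above is not caught by this rule. POST is left alone because the
# login form submits to /wp-login.php; direct POSTs therefore still reach it.
RewriteCond %{THE_REQUEST} ^(GET|HEAD)\s+/wp-login\.php[?\s] [NC]
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{QUERY_STRING} !^loggedout=true
RewriteRule ^ /404 [R=302,L]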
- Replace my-secret-login with your desired custom slug.
- Save the file and upload it back to your server.
- Test by visiting yoursite.com/my-secret-login in a private browser window.
- Verify that visiting yoursite.com/wp-login.php directly redirects to your 404 page.
Nginx Server Alternative
If your server runs Nginx instead of Apache, you will need to edit your Nginx server block configuration file instead of .htaccess. Add a location block to deny direct access to wp-login.php and create a new location block for your custom slug that proxies to the real login page. This typically requires server-level access and a restart of the Nginx service, so it is recommended to use a plugin if you are not comfortable editing server configuration files.
Method 3: Change the Login URL Using WP-CLI
For developers and advanced users who manage WordPress from the command line, WP-CLI provides a fast way to install and configure login-URL plugins without ever touching the admin dashboard. This is especially useful when managing multiple sites or automating deployments.
Installing and Configuring WPS Hide Login via WP-CLI
- SSH into your server.
- Navigate to your WordPress root directory.
- Run the following commands to install, activate, and configure the plugin:
# Install and activate WPS Hide Login
wp plugin install wps-hide-login --activate
# Set the custom login slug
wp option update whl_page "my-secret-login"
# Set the redirect URL for blocked access attempts
# (WPS Hide Login stores this in the whl_redirect_admin option)
wp option update whl_redirect_admin "404"
- Verify the options were saved correctly:
wp option get whl_page
- Test the new login URL in your browser: yoursite.com/my-secret-login.
Updating wp-config.php via WP-CLI
Some security configurations can also be applied directly to wp-config.php. For example, you can add a constant that sets the path for which the admin authentication cookie is valid:
// Add to wp-config.php to make the admin authentication cookie valid for the
// whole site (by default it is limited to the wp-admin path)
// This works alongside your custom login URL plugin
define( 'ADMIN_COOKIE_PATH', '/' );
Use WP-CLI to add this constant safely:
# No --raw flag: the value has to be written as a quoted PHP string
wp config set ADMIN_COOKIE_PATH "/"
Best Practices After Changing Your WordPress Login URL
Once you have changed your login URL, there are several best practices you should follow to maximize security and avoid accidentally locking yourself out.
Bookmark Your New Login URL Immediately
This sounds obvious, but it is the most commonly overlooked step. Add your new login URL as a bookmark in your browser right away. Consider storing it in your password manager alongside your credentials.
Combine with Other Security Measures
- Enable two-factor authentication (2FA): Even if a bot somehow finds your new URL, 2FA prevents unauthorized access.
- Use a strong, unique password: A changed URL plus a weak password is still a vulnerability.
- Install a WAF: Tools like Wordfence or Cloudflare WAF add another layer of protection.
- Limit login attempts: Use a plugin to lock out users after a set number of failed attempts.
- Whitelist your IP address: If you work from a static IP, restrict admin access to that IP only via .htaccess or your firewall.
Test Before Logging Out
Always test your new login URL in an incognito/private browser window before logging out of your current session. This way, if something went wrong, you are still logged in on the original window and can fix the issue without being locked out.
Document the Change for Your Team
If you run a multi-author or multi-administrator site, notify all users of the new login URL. Update any internal documentation or onboarding guides that reference the old URL.
What to Do If You Get Locked Out
If you forget your custom login URL and cannot access the dashboard, you can recover access by:
- Connecting via FTP or your hosting file manager.
- Deactivating the WPS Hide Login plugin by renaming its folder in wp-content/plugins/ (e.g., rename wps-hide-login to wps-hide-login-disabled).
- The default /wp-login.php URL will then work again.
- Log in, reactivate the plugin, and note down the login URL before logging out.
Verifying and Maintaining Your Custom Login URL
After making the change, ongoing verification and maintenance ensures your custom login URL continues to work correctly, especially after WordPress core updates or plugin updates.
How to Test the Change
- Open a private/incognito browser window.
- Navigate to yoursite.com/wp-login.php — you should be redirected to your 404 page or homepage, not to a login form.
- Navigate to yoursite.com/wp-admin/ — same result: redirect, not a login form.
- Navigate to yoursite.com/your-custom-slug — you should see the WordPress login form.
- Enter your credentials and confirm you can log in successfully.
Checking After Plugin or Core Updates
WordPress core updates and plugin updates occasionally reset or conflict with custom login URL settings. After every major update, run through the three-step test above to confirm everything is still working correctly. Set a reminder in your calendar or task manager to check after update cycles.
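The URL checks from the test procedure can be scripted so they run after every update. This is an added example, not part of the original article or of any plugin. The site URL and slug in the usage line are placeholders, and the script assumes the login page still carries the id="loginform" form markup of WordPress's core login page.

```sh
#!/bin/sh
# Added example, not from the original article. The site URL and slug are
# passed as arguments; the values in the usage line are placeholders.

# Succeeds if the file contains the form markup of WordPress's core login page.
has_login_form() {
    grep -q 'id="loginform"' "$1"
}

# verdict EXPECT STATUS BODY_FILE -> prints PASS or FAIL
# EXPECT is "hidden" (no login form may be served) or "login" (form required).
verdict() {
    # A transport error (000) or server error must not count as "hidden".
    case $2 in 000|5??) echo FAIL; return ;; esac
    if has_login_form "$3"; then found=login; else found=hidden; fi
    if [ "$found" = "$1" ]; then echo PASS; else echo FAIL; fi
}

# check_url EXPECT URL: fetch URL, following redirects, and report the result.
check_url() {
    body=$(mktemp) || return 1
    # -L matters: an unprotected /wp-admin/ answers with a redirect to
    # wp-login.php, so only the final page shows whether the form is reachable.
    code=$(curl -sS -L --max-time 15 -o "$body" -w '%{http_code}' "$2") || code=000
    result=$(verdict "$1" "$code" "$body")
    rm -f "$body"
    echo "$result expect=$1 status=$code $2"
    [ "$result" = PASS ]
}

# run_checks SITE SLUG: the three URL checks from the test procedure.
run_checks() {
    rc=0
    check_url hidden "$1/wp-login.php" || rc=1
    check_url hidden "$1/wp-admin/" || rc=1
    check_url login "$1/$2" || rc=1
    return "$rc"
}

# Usage: sh check-login-url.sh https://yoursite.com my-secret-login
if [ "$#" -eq 2 ]; then
    run_checks "$1" "$2"
fi
```

The script exits non-zero when any check fails, so it can be run from cron or a deployment pipeline. It does not cover the final step of logging in with real credentials.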
Frequently Asked Questions
Will changing the WordPress login URL break anything on my site?
No, changing the WordPress login URL will not break your site's front end, content, or functionality. It only affects how users and administrators access the backend login form. However, if you use any third-party services or scripts that directly reference /wp-login.php, you may need to update those references. Always test in a private browser window before logging out of your current session.
What happens to my login URL after a WordPress update?
If you used a plugin like WPS Hide Login, your custom URL is stored as a database option and will survive WordPress core updates. However, if the plugin itself is updated, it is wise to re-test the login URL afterward. If you used the manual .htaccess method, core updates should not affect your .htaccess file, but always verify after major updates.
Can I change the WordPress login URL on a multisite network?
Yes, but it requires extra care. On a WordPress Multisite installation, the login URL is shared across all sites in the network. WPS Hide Login supports Multisite, but you should configure it at the network level and test each subsite individually. Manual .htaccess methods can also work for Multisite, but the rewrite rules need to account for subdirectory or subdomain structures.
Is changing the WordPress login URL enough to secure my site?
Changing the login URL significantly reduces automated bot attacks but is not sufficient on its own. Think of it as one layer in a defense-in-depth strategy. You should also use strong passwords, enable two-factor authentication, keep WordPress core and plugins updated, and consider a web application firewall. Security is most effective when multiple overlapping measures are in place simultaneously.
Securing your WordPress login URL is a straightforward but impactful task — and it is just one of many WordPress maintenance and security tasks you may need to handle regularly. If you want a faster, easier way to manage your WordPress site without diving into plugins and code every time, WP AI Agent is a powerful tool that lets you handle WordPress tasks like this through natural-language AI chat, so you can make site changes and get expert guidance simply by describing what you need in plain English.