How to change the default WordPress login URL

7 April 2022

There are lots of things you can do to optimise your WordPress website and make it more secure. This article looks at changing the default WordPress login page (wp-login.php or wp-admin) to something else. The other articles cover the following topics:

• How to disable XML-RPC
• How to replace the default WordPress cron
• How to protect WordPress comment forms

Changing wp-login.php

The default WordPress login page is /wp-login.php, and when you are logged in you are redirected to the WordPress dashboard at /wp-admin. Attackers commonly try to log in to your WordPress dashboard by guessing your username and password. A simple script can try hundreds of different logins per minute.

If you use a sensible username (that is, anything that is not “admin”) and a strong password then it is very unlikely that your account gets compromised. However, brute-force attacks do still affect the performance of your website, as they cause a lot of traffic. On servers that run LiteSpeed – which includes all our shared and premium servers – we do automatically block an IP address after five failed logins, but that doesn’t necessarily help if the logins come from dozens of different IP addresses.

An easy solution is to change the login URL from wp-login.php to something else. Unfortunately, WordPress does not support that out of the box. You need to use a plugin, and there are plenty of plugins that can change the login page. I personally like the All in One WP Security plugin, as it can also add anti-spam protection to comment forms.

The All in One Security plugin lets you change the login URL via WP Security » Brute Force. All you need to do is enable the feature and set a custom login URL.

Image: changing the login URL using All in One Security.

You should now get a “page not found” error when you visit the default wp-login.php page. Similarly, the /wp-admin/ URL should now return a “forbidden” error.

Image: the default wp-login.php URL no longer works.

What to do if you forget the login URL

If you ever forget what you changed the login URL to then you can usually check this via WordPress Toolkit, which you can access via your cPanel or Plesk control panel. Helpfully, Toolkit automatically updates the login URL when you change the URL via All in One Security. To see the login URL, simply select your website and click on Setup to check the login URL.

Image: the setup details include the login URL.

Alternatively, you can disable the plugin via Toolkit. To do so, select the Plugins tab for your WordPress website and toggle the plugin’s Active button from on to off. Once the plugin is disabled you can access your website via the /wp-login.php URL again. If you don’t have access to Toolkit then you can instead rename the plugin directory via cPanel’s file manager.

Further improving security

There are various other things you can do to prevent unauthorised logins. The most obvious improvement is multi-factor authentication. This add an extra layer of protection: in addition to your username and password you will also need to enter a TOTP token which you get from an app.