Change the Default WordPress Login URL to More Secure, Custom URL

Even if a hacker has your WordPress password, they still need to know where to enter it.

/
.
/
.

Heads up! Do you know how easily hackers or bots could find your WordPress login screen? Every WordPress site starts with default login URLs that end with the same slug, i.e. example.com/wp-admin and example.com/wp-login.php. For anyone who wants to try to hack their way in (or who has stolen your password), this is like having your front door wide open with a big "come on in" sign. It's also a prime target for those automated attacks and bots sniffing around for vulnerable sites.

Think about it - if someone's trying to break into houses in your neighbourhood, they'll have a much harder time if your door is hidden down a secret path rather than right on the main street. The same goes for your WordPress login page!

This might be news to you, because MyHost customers can login to WordPress directly from within cPanel’s WordPress Management screen. This single sign-on is a convenient way to access your WordPress without entering any more usernames and passwords. But it makes it easy to forget that there's another way in - a way in that you ought to hide.

Ways to change the default URL

Here's the good news: changing your login URL is a breeze, and you've got several ways to tackle it. We'll step you through each of these three options below, but here's a quick comparison to get you started:

  • The Plugin Route (Easy as!)—If you're not keen on fiddling with code, which is fair enough, plugins are your best mate here. Take a look at WPS Hide Login - it's lightweight, does the job brilliantly, and won't mess with your site's performance.
  • The .htaccess Method (For the tech-savvy)—If you're comfortable getting your hands dirty with a bit of code, you can modify your .htaccess file. This method gives you more control but requires a tad more care. If you can handle code as carefully as your mum's best china, this is for you.
  • Security through pro plugins (The full package)—If you're after the full monty, security plugins like WP Security Ninja not only let you change your login URL but also throw in a bunch of other sweet security features. They're like having a security guard, CCTV, and alarm system all rolled into one.

Process of Changing WordPress Default URL

Now we are going to cover those three methods that you can use to change the URL. Any one of them can change the default URL to a custom URL and it's up to you to choose the one you're most comfortable with.

How to use the WPS Hide Login plugin

Follow the steps below to quickly change the URL.

  1. To install the WPS Hide Login plugin, open your WordPress dashboard and go to Plugins > Add New Plugin. Search for WPS Hide Login.
  2. Pop over to Settings > WPS Hide Login.
  3. Chuck in your new login URL (something creative like "toku-portal" or "secret-entrance").
  4. Under Redirection URL, choose where to send people who try your old default login URL. It's best to give them a 404.
  5. Hit save, and boom! You're sorted.

Pro tip: Make sure you note down your new URL somewhere safe or bookmark it; also save it in your password manager if you use one. You don't want to end up locked out of your own site - that would be a proper nightmare!

How to edit the .htaccess file

If you don’t want to use plugins and are comfortable going in and editing code, then here's what you'll need to add to your .htaccess file:

  1. Log into cPanel (here's how).
  2. In cPanel's Tools screen, looks under Files and click File Manager to access the website files stored on your hosting server.

  1. Click Settings in the top right and select Show Hidden Files.

  1. Navigate to the website's public_html folder and find the .htaccess file.
  2. Create a backup of the .htaccess file before editing it. If something goes wrong you will simply need to reupload the file again to make everything work as before.
  3. Open the .htaccess file through a code editor and add the following code, replacing your-new-login-url with whatever crafty name you've chosen.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-login\.php$ [NC]
RewriteRule ^(.*)$ /your-new-login-url [R=301,L]

How to use the WP Security Ninja plugins to change your login URL

Paid security plugins are an all-in-one solution to harden and secure your WordPress website. Some of them also provide an easy way to change the default log in URL.

Here is how you can do it through WP Security Ninja.

  1. Login to your WordPress dashboard, navigate to Plugins > Add New Plugin and search for WP Security Ninja. Install the plugin.
  2. Once it's installed, go to Security Ninja > Firewall and click Enable Firewall.

  1. Once the firewall activates you will get a lot of options, one of which is to change the default login URL.

Pro tip: Some paid plugins offer more security options, so check what other settings you can make use of. For example, using two-factor authentcation (2FA) is a powerful way to secure your WordPress website even if someone knows your password and login URL.

Advanced tips for making WordPress login even more secure

If you're feeling adventurous, here are some extra security measures you can chuck in:

  • Add IP-based restrictions to your new login URL. It's like having a VIP list for your website's entrance, and stopping anyone else before they even knock on the door.
  • Set up environmental variables for your login path instead of hardcoding it. This way, if you need to change it again, it's easy as!
  • Consider using a subdomain for your admin area - this one's a bit flash, but it can add another layer of security.

But what about legitimate users?

As happy as you are to keep out hackers and bad bots, what about your content team? Hiding a login screen is no good if it stops the right people from finding it.

A few recommendations:

  • Always remember that you can bypass the WordPress login screen by accessing WordPress via cPanel (which, in turn, you can access through your MyHost account).
  • Create a secure document (not just a Post-it note on your screen) with the new URL.
  • Share login details through a password manager if you've got one.
  • Consider setting up Single Sign-On (SSO) for your team.
  • Keep a backup way to access your admin area (just in case - we're talking belt AND braces here)

Monitoring your new setup

Now that you've given your login page a fresh disguise, you might be wondering, "How do I know if it's actually working?"

Good question! It's worth keeping an eye on your security logs for a few weeks after making the change. You'll likely notice a dramatic drop in failed login attempts - it's quite satisfying, like watching spam emails hit your junk folder instead of your inbox. A lot of security plugins will show you these stats in a pretty dashboard.

More security tips for WordPress users

Changing your WordPress login URL is a sweet little security boost that punches above its weight. It's not going to make your site completely hackproof (nothing will, if we're honest), but it'll definitely make those automated attacks about as successful as a chocolate teapot.

Like almost any aspect of web development, security is an area where there's always more work that could do. Our tips for keeping WordPress secure give you some good ideas for where to focus next.


Image by Åsa K from Pixabay

Hosting and domains

Get everything you need from MyHost

Any questions?

We can help with anything to do with WordPress hosting, from security top performance. Let's talk!

Contact us

People Sharing The Love

Fast response time. A very pleasant experience with my first time delving into WordPress. Response time to questions to MyHost support was very fast and helpful. Installation was straightforward as it should be. Great job MyHost. Thank you very much. ★★★★★

Crispin B.
Trustpilot reviewer

Fantastic support with hosting, and just a fantastic knowledge base overall. I was let down by Crazy Domains, nothing worked. MyHost transferred the domain and everything worked as expected instantly. I made a mistake and the site went down, but within 30 minutes MyHost reverted my changes and saved the day. ★★★★★

Chris Kennedy
Google reviewer

Great support when things go wrong. I patronised more than a dozen web hosts during my career, and I would say MyHost has one of the best support services that I have encountered. I've been with them for seven years, and I've been a very satisfied customer. Highly recommended! ★★★★★

John P.
Trustpilot reviewer