Bots constantly hammer the default WordPress login page, working through username and password combinations. This adds load to your server and, if a weak password gives way, can lead to your site being compromised.
To change your WordPress login URL, install a plugin like WPS Hide Login and set a custom login slug. Your old /wp-admin and /wp-login.php addresses then return a 404, so the automated bots hitting those URLs get nowhere.
One thing to be clear about up front: changing the login URL is a layer, not a lock. It cuts down the automated noise, but it is not a replacement for a strong password and two-factor authentication. More on that below.
- Changing your login URL hides /wp-admin and /wp-login.php behind a custom slug, which stops most automated bot and brute-force traffic.
- The simplest reliable option is the free WPS Hide Login plugin. You set a custom slug under Settings > General.
- This is security through obscurity. Pair it with a strong password, two-factor authentication, and a limit on login attempts.
- Avoid renaming core files or editing .htaccess by hand. Those methods break on WordPress updates and can lock you out.
- Bookmark the new URL and tell your other admins. If you get locked out, rename the plugin folder over SFTP to restore the default login.
Video Tutorial
If you want to quickly see how to change your site’s login URL, check out my video below.
No time for a video? Keep reading below.
Why You Should Change Your WordPress Login Page URL
WordPress is by far the most used CMS on the internet. That popularity also makes it the top target for automated attacks. By default, every WordPress site exposes its login page at /wp-admin/ and /wp-login.php, so bots know exactly where to point a brute-force script.
Moving that page to a custom URL means those bots hit a 404 instead of your login form. You get less server load, cleaner logs, and far fewer login attempts to worry about. It will not stop someone specifically targeting you who finds the new URL, but it removes the constant background noise of broad, automated attacks.
How to Change Your WordPress Login Page URL with a Plugin
Plenty of plugins can change your login URL, but the easiest and most reliable is the free WPS Hide Login plugin. It is lightweight, does one job well, and reverts cleanly to the default login if you ever deactivate it. It makes your existing admin login URLs return a 404 while letting you set a custom URL for logging in.
You can easily install the plugin by searching WPS Hide Login in Plugins>add new.
Once the plugin is installed and activated, head to Settings>general.
At the bottom of your general settings page you’ll see a new option to set your WordPress login URL, plus where 404s should redirect.
Pick something unique that you’ll remember. From my experience, a simple slug like /login/ is easy to recall and still stops the automated attacks aimed at the default URLs.
Important: once you click save changes, the login URL changes immediately and the default WordPress login URLs will no longer work. Bookmark the new one before you save.
Don’t Stop at the Login URL
Changing your login URL is security through obscurity. It hides the door, but it does not strengthen the lock. If a bot or a person finds the new URL, a weak password still falls. Pair the URL change with the measures that actually protect the login:
- Use a strong, unique password and avoid the username “admin”. This is the single biggest factor in surviving a brute-force attempt.
- Turn on two-factor authentication or passkeys. Even a correct password is not enough to get in without the second factor.
- Limit login attempts. A plugin like Limit Login Attempts Reloaded locks out an IP after several failed tries, which shuts down brute-force scripts directly.
Security suites bundle several of these together. Solid Security (formerly iThemes Security) and All-In-One Security both include a hide-login feature alongside 2FA and lockouts. Wordfence takes a different stance and does not rename the login URL at all, instead defending the default page with rate limiting, 2FA, and a firewall. Any of these is a reasonable all-in-one alternative to a standalone hide-login plugin.
Avoid Editing Core Files or .htaccess by Hand
You’ll see tutorials that rename wp-login.php directly or add redirect rules to functions.php or .htaccess. Avoid these on a live site. Renaming the core file gets undone on the next WordPress update, hand-written redirect snippets often break logout and password resets, and an .htaccess IP rule can lock you out the moment your IP changes. A maintained plugin handles the login, logout, and password-reset URLs together and reverses cleanly, which is why it is the safer route.
Troubleshooting and Things to Watch For
- Locked out? Connect over SFTP or your host’s file manager and rename the wps-hide-login plugin folder in wp-content/plugins. That deactivates it and restores the default /wp-login.php.
- Caching conflicts. With most page caches other than WP Rocket, add your new login slug to the cache exclusion list so a cached page doesn’t serve the old login or cause a redirect loop. The same applies to a CDN cache like Cloudflare.
- Seeing a 404 on the new URL? Re-save your permalinks under Settings > Permalinks to flush the rewrite rules.
- It does not cover XML-RPC. Brute-force bots can still target xmlrpc.php, so disable or block it if you don’t use it.
Keep in mind that hiding the login page is one piece of a layered setup. Combined with a strong password and two-factor authentication, it is a quick win that quietly removes a huge share of the junk traffic aimed at your site.
6 Responses
Hello,
Once I use the plugin to change my login url, do I still need the plugin to remain activated?
Thank you.
Sincerely,
Tom
Hey Tom, yes you need to keep the plugin active for your login URL to be changed.
thanks a lot:D I´m helping a friend her site is constantly under brute force attack, this help I think thanks so much^^
Glad to help!
Thanks Andy for this tutorial. I have used this plugin in my site and it works perfectly. It will definitely help others. I will also share this with my friends so that they will also get benefit from it.
Glad it helped James!