Change WordPress Login URL
Last modified: June 22, 2026
Every WordPress site starts with the same login URL: /wp-login.php or /wp-admin. Because these paths are identical across every WordPress installation worldwide, automated bots constantly probe them, trying common username and password combinations in what is called a brute force attack. This runs 24/7 against any WordPress site that has not taken steps to block it.
The scale of this traffic might surprise you. Security monitoring tools like Wordfence regularly report tens of thousands of failed login attempts per month on sites with no special protection, originating from IP addresses across dozens of countries. Most of this traffic is fully automated: scripts cycle through username/password lists against the known login path, log the results, and move on. There is no human on the other end.
Changing your WordPress login URL is one of the fastest security measures you can apply. The default WordPress login URL does not need to be public-facing, and hiding it removes a major attack surface without any performance cost. The change takes less than five minutes, but there are a few important steps to do correctly so you do not end up locked out of your own site.
How to Change the WordPress Login URL
The most reliable, non-technical method is a plugin. No code editing required, and the change is reversible from your admin panel if needed.
WPS Hide Login
WPS Hide Login is a lightweight plugin that intercepts WordPress’s login process and moves it to a URL of your choosing. The original /wp-login.php path returns a 404 error, and direct access to /wp-admin redirects to the same 404. Bots that probe those URLs hit a dead end and move on.
How to set it up:
- In your WordPress dashboard, go to Plugins > Add New and search for “WPS Hide Login”. Install and activate it.
- After activation, go to Settings > General and scroll to the bottom. You will see a “WPS Hide Login” section with a field for your custom login URL.
- Enter a new path name. Avoid common guesses like “admin”, “login”, “dashboard”, or “user”. A short, random-ish word works well (for example: “portal”, “signin”, or something unrelated to login entirely).
- Choose a “Redirect URL”: this is where anyone who tries to access the old /wp-login.php or /wp-admin gets sent. The default is a 404 page, which is fine.
- Save changes.
Before you log out, test the new URL:
Open a new browser window or incognito tab and go to yoursite.com/your-new-login-path. If the login form appears, the plugin is working. Log in to confirm. Only then close your existing session.
If the new login URL is not working:
- Check that the path you entered does not conflict with an existing page slug on your site.
- Try flushing your permalink settings: go to Settings > Permalinks and click “Save Changes” without making any edits. This forces WordPress to regenerate its rewrite rules.
- If you get locked out, you can deactivate the plugin via FTP or cPanel by renaming the plugin folder in wp-content/plugins/. The login URL reverts to the default immediately.
What about logging out and back in?
Once the new URL is active, WordPress login links in emails and on the frontend will still work. They redirect through the standard login process, which WPS Hide Login intercepts and reroutes. The only thing that changes is the URL where you type your credentials.
Worth knowing: This approach is called “security through obscurity” and works well as one layer in a broader security setup. Combine it with a strong password, two-factor authentication, and limiting login attempts for a more complete defense.
Testing Your New Login URL Before Logging Out
The most common mistake when changing the WordPress login URL is saving the setting and then closing the browser without testing. If the new URL does not work, you could be locked out with no obvious way back in.
The right procedure:
- After saving the new login URL in your plugin settings, open a new private/incognito window in your browser. This uses a fresh session with no active cookies.
- Type your new login URL directly into the address bar. Do not click a link. You want to confirm the URL itself works.
- Enter your credentials and confirm you can log in successfully.
- Only after you have confirmed access in the incognito window should you consider the change done.
If the new URL shows a 404 or blank page:
- Do not log out of your existing session. Stay logged in while you troubleshoot.
- Go back to Settings > General in your still-active admin session and double-check the saved path.
- Check whether a permalink flush is needed: go to Settings > Permalinks and click Save Changes without changing anything. This refreshes the rewrite rules.
- Deactivate and reactivate the WPS Hide Login plugin to reset its hooks, then try the URL again.
Also bookmark the new URL in your browser and store it in your password manager. The biggest long-term risk is not a brute force attack; it is you or a colleague forgetting the new URL six months from now.
What to Do If You Get Locked Out After Changing the Login URL
If you have already lost access and cannot reach the login form, you can recover access through one of three options. None of them requires your login URL.
Option 1: Disable the plugin via FTP or SFTP
Deactivating the plugin removes the URL change and restores the standard /wp-login.php path.
- Connect to your server using an FTP client such as FileZilla, or use your host’s SFTP interface.
- Navigate to /wp-content/plugins/.
- Find the folder named wps-hide-login and rename it to anything else, such as wps-hide-login-disabled. WordPress will deactivate it automatically.
- Visit https://yourdomain.com/wp-login.php. Your standard login page should return.
- Log in, then rename the plugin folder back to its original name and reactivate it with a corrected URL.
Option 2: Use your hosting control panel file manager
If you do not have FTP credentials, most hosts provide a file manager in cPanel or Plesk. Navigate to the same /wp-content/plugins/ path and rename the plugin folder there. No FTP client required.
Option 3: Disable the plugin via phpMyAdmin
- Log into phpMyAdmin from your hosting control panel.
- Open the wp_options table (or the same table under your custom prefix).
- Search for the row where option_name is active_plugins.
- Find wps-hide-login in the serialized value and remove the entire plugin reference.
- Save. The plugin will be deactivated and the standard login URL will be restored.
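The active_plugins value in Option 3 is a PHP-serialized array, so removing an entry by hand also means correcting the array count and leaving every string-length prefix intact. The following is an added example, not code from the original article or from the plugin: it performs the removal with PHP's own unserialize() and serialize(). The function name example_remove_plugin and the sample plugin list are constructed, and the plugin's main file name is an assumption (matching is done on the folder name only).

```php
<?php
// Added example. All sample data below is constructed, not taken from a real site.

/**
 * Remove every plugin whose path starts with "$slug/" from a raw
 * active_plugins option_value and return a correctly re-serialized value.
 */
function example_remove_plugin(string $raw, string $slug): string
{
    // allowed_classes => false: never instantiate objects from database content.
    $plugins = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($plugins)) {
        throw new InvalidArgumentException('option_value is not a valid serialized array');
    }
    $kept = array_filter($plugins, function ($path) use ($slug) {
        // Keep anything that is not a path inside the "$slug/" folder.
        return !is_string($path) || strpos($path, $slug . '/') !== 0;
    });
    // array_values() renumbers the keys; serialize() writes the new a:N count
    // and the s:LEN prefixes, the parts that are easy to get wrong by hand.
    return serialize(array_values($kept));
}

// Constructed sample: three active plugins, as they would be stored in wp_options.
$entry = 'wps-hide-login/wps-hide-login.php'; // main file name is an assumption
$raw   = serialize(['example-seo/example-seo.php', $entry, 'example-forms/example-forms.php']);

// A hand edit that deletes the entry but leaves the a:3 count untouched.
// The count no longer matches the elements, so unserialize() cannot parse it.
$naive = str_replace(sprintf('i:1;s:%d:"%s";', strlen($entry), $entry), '', $raw);

echo "original:  ", $raw, PHP_EOL;
echo "hand edit: ", $naive, PHP_EOL;
echo "parses?    ";
var_dump(@unserialize($naive, ['allowed_classes' => false]) !== false);

// The value to paste back into option_value.
echo "corrected: ", example_remove_plugin($raw, 'wps-hide-login'), PHP_EOL;
```

Copy the existing option_value somewhere safe before replacing it, so the original plugin list can be restored if needed.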
Whichever method you use, get back in first, then write the new login URL down somewhere secure before you reactivate the plugin and set it up again.
Security Measures to Add After Changing the Login URL
Changing the login URL removes bots that probe the default path, but it is not a complete defense. Once you have the URL changed, add these measures to close the remaining gaps.
Enable two-factor authentication (2FA)
2FA requires a second verification step beyond the password. Even if someone discovers your new login URL and has a valid password (from a data breach, for example), they cannot get in without the second factor. Plugins like WP 2FA or Google Authenticator for WordPress add 2FA to your login form in minutes. For sites with multiple users, this is the most important additional layer you can add.
Limit login attempts
By default, WordPress allows unlimited login attempts. A plugin like Limit Login Attempts Reloaded (free) caps how many times the same IP address can fail to log in before being temporarily blocked. Set the threshold to 3 to 5 attempts, with a lockout period of 15 to 30 minutes. This neutralizes credential-stuffing attacks that use valid username/password combinations from leaked databases.
Add CAPTCHA to the login form
A CAPTCHA on the login page filters out automated submissions without limiting the number of attempts. Simple Login Captcha or the math captcha option in WP Cerber Security are lightweight choices that do not require a Google account or reCAPTCHA API key.
Disable the username hint on login errors
By default, WordPress tells you whether the username or the password was wrong on a failed login. This helps an attacker confirm valid usernames. Add this to your functions.php to return a generic error message instead:
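```php
// Replace WordPress's specific login error, which reveals whether the
// username or the password was wrong, with one generic message.
function scanwp_hide_login_errors() {
    return 'Login failed. Please check your credentials.';
}
add_filter('login_errors', 'scanwp_hide_login_errors');
```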
Final Word: Change Your WordPress Login URL
Changing the WordPress login URL eliminates the vast majority of automated brute force traffic that targets the standard /wp-login.php path. The setup takes under five minutes with WPS Hide Login, but test the new URL from a private browser window before closing your current session. If something goes wrong, you can restore access through FTP, your hosting control panel, or phpMyAdmin without needing your login credentials.
Once the URL is changed, add at least one more layer: 2FA stops credential-stuffing attacks that know your password, and login attempt limits stop the brute force probing that the URL change alone does not prevent. Pair these with country blocking plugins if you see login attempts from regions where you have no real users, and you have covered the three main attack vectors against the WordPress login page.


