Hiding Your WordPress Login Page from Hackers with Code

Hiding Your WordPress Login Page from Hackers with Code

There are 40 million brute force attacks on websites every day, so it’s highly likely your site will succumb to an attack. One relatively easy way to protect your site is to hide your login page from hackers.

Making it harder for hackers to find the location of your login page file means there’s less chance they can attempt to guess your credentials and infiltrate your site.

So how do you do it? You can create a new login page URL and hide your login with code in a few simple steps, adding an extra layer of defense to your site.

You don’t need to install any plugins and it only takes a few minutes to implement.

Time’s a wastin’ and hackers aren’t letting up anytime soon so let’s get started.

Baby Back, Back, Back It Up

Since you need to make edits to your .htaccess file to hide your login, it’s important that you create a full backup of your site. Your .htaccess file is an important one where one teeny-tiny mistake could completely take down your site so it’s best not to live on the edge and take chances here.

If you scoff at the idea and insist that no one can slow down your rockin’ life, then at least backup your .htaccess file as well as the folder for whatever theme you’re using.

You can check out some of our other posts for details on how to backup your site:

It’s also a good idea to try the code below in a test environment. It’s optional, but if you’re concerned that your site may go down for a minute or so, then it’s the best option for you. After all, it’s better that your test site implodes, rather than your live site – no matter how short-lived.

Once that’s out of the way, you can try one of the options for changing your login page’s slug based on your comfort zone. Once your new slug is created, you can hide the original wp-login.php page.

The first option requires you to only edit your .htaccess file whereas you need to edit your theme’s functions.php and .htaccess files with the second option.

Feel free to skip down to the option you are more comfortable with trying.

Call Me, Maybe by a Different Slug

No matter which option you choose, you can edit the necessary files directly in your favorite SSH client on the command line, with FTP using certain clients such as FileZilla or in cPanel.

1. Using Only .htaccess Rules

The code you need to add should ideally be included at the top of your .htaccess file for single installs of WordPress or after the following lines for Multisite installs:

Here’s the code you need to add:

Be sure to change mylogin on line two to whatever you want your slug to be. If you don’t change it, you can find your login page at www.your-site.com/mylogin. If you do change it, your URL structure should be the same, except with your slug in place of mylogin.

It’s recommended that you change the slug since this post is available to the public which means hackers have access to it as well. If you do use it, they won’t have to guess your login URL since it’s printed here.

Also be sure to change 123 in lines two and seven to something else. This is a secret key that isn’t displayed to hackers. You should pick something that isn’t obvious so don’t change the secret key to “wordpress” or the title of your site. Your key should also only have letters and numbers.


Manage unlimited WP sites for free

Unlimited sites
No credit card required

Save your .htaccess file and check that your site is still up. If you get a 500, internal server error, it means that you have made a mistake somewhere, no matter how small. Restore the file and try again.

If your site is up but it’s not working for you, try clearing your browser’s cache.

2. Your Theme’s Functions Files and .htaccess

Before you continue adding code to your site, it’s important that you first create a child theme. This prevents you from losing the changes you make to your theme the next time it’s updated.

You can check out a couple of our posts How to Create a WordPress Child Theme and How to Automagically Create Child Themes in WordPress for details on how to create one.

Once you’re set to go, you need to start by adding some code to the top of your .htaccess file for single installs of WordPress and for Multisite, after this:

This code from one of our developers, Leighton Sapir, creates the new slug for you to use within your site:

You can replace myprivatelogin with whatever slug you want to use instead of wp-login.php. In this case, the new login URL you created should be www.you-site.com/myprivatelogin.

Save the file and check that your site functions properly. If you run into a 500, internal server error, you have some mistakes to correct. If you’re not sure what went wrong, restore your .htaccess file and try again.

You could go along on your merry way at this point and start using your new login URL, but you could go one step further and get WordPress to use this new URL everywhere it’s linked on your site.

Open your theme’s functions.php file. You can find it under /wp-content/themes/your-theme/.

You can add the following code from a WordPress support thread to almost anywhere in the file, though, the bottom is usually a safe bet:

Don’t forget to change myprivatelogin on line five with the slug you chose to write in your .htaccess file.

When that’s done, save the file and try it out. If you still have the default meta information in your sidebar, you can click the login link there, for example. It should go to your login page with the new slug your entered.

You Can Run, You Can Hide and Escape My Hacks

These two methods give an alternative to the old, ratty wp-login.php and adds a new slug to use in your login URL. Though, both options are completely useable at this point so it’s still important that you hide your actual wp-login.php page.

Since your new login URL isn’t easy guessable and printed multiple times in the WordPress Codex, it’s going to be more difficult for hackers to try brute force attacks once you deny them access to the default login page which they already know about.

For details on how to hide your original login page, check out our post Limit Access to the WordPress Login Page to Specific IP Addresses.

Using the code options above helps you add an extra layer of security to your site to prevent brute force attacks. Also, it helps keep your site as lightweight as possible since you don’t have to use a plugin that could slow down your site’s speed.

You could still use a plugin if you prefer not to touch code and there are loads to pick from in our post How to Hide Your WordPress Login Page From Hackers and Brute Force.

Is your site frequently under brute force attack? What security measures have you already implemented or tried? What tools or plugins are your favorites for reducing brute force attacks?

Jenni McKinnon

Jenni McKinnon Jenni has spent over 15 years developing websites and almost as long for WordPress as a copywriter, copy editor, web developer, and course instructor. A self-described WordPress nerd, she enjoys watching The Simpsons and names her test sites after references from the show.