Changing the default login URL is an effective way to stop the majority of bots that try to gain access to your website.
The normal way to log in to WordPress is by calling yourdomain.com/wp-login.php or /wp-admin (which redirects to wp-login.php).
If you examine your server’s access logs, you will likely see a huge number of entries involving the file wp-login.php. This is because bots continuously call this file in the hope of guessing the password and gaining entry to your website.
If you have a plugin like Malcare installed, the number of times that someone can try to log in is limited, because Malcare will block access after a few failed attempts.
Each time wp-login.php is called it puts a strain on your web server. Even though you might be protected with a plugin, it will relieve pressure considerably if you can return a 404 (page not found) response instead.
Fortunately, it is super easy to change the URL: there is an effective, lightweight plugin you can install, and setting it up requires no technical knowledge.
Video How to change the Login URL for better security
Don’t have time to read? See this short video instead.
How to change the Login URL for better security with a plugin
- Go to Plugins->Add New and search for wps hide login
You should find that the plugin comes up first in the list.

- Click Install then Activate
- Now visit Settings->WPS Hide Login and scroll down to the bottom of the screen.
- Set the Login URL. Here you can enter the name for your login URL. This is the URL that you will use to log in instead of the normal one. You could leave it at the default ‘login’ or you could change it to something that might be more difficult to guess. Note that the URL you enter here doesn’t need to be an actual page on your website.
- Set the Redirection URL, i.e. the page people will be sent to when they try to access the old URL. This setting is fine left at the default ‘404’. Again, this page does not have to exist.

- Save your changes.
Wrapping up
From now on, every time you log in yourself, you must remember to use the new URL you set. If you set the login URL to ‘login’, you would visit https://yourdomain.com/login
If someone really wanted to hack your website, they could probably find your new login URL without much trouble. We are using security by obscurity here.
However, this little fix is going to deter most of the bots that mindlessly try to log in using the standard URL that most WordPress websites use.
If you don’t already have a security plugin such as Malcare installed on your blog, I thoroughly recommend you install it because it will vastly reduce the number of times that a bot or a person can attempt to log in.
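To see the wp-login.php traffic mentioned above in your own access logs, and to check what status code the old URL returns once you have changed it, here is a small script added as an example (it is not part of the plugin or of the original article). It assumes your server writes the common "combined" log format; the function name and the sample log lines are made up for illustration.

```python
import re
import sys
from collections import Counter

# Assumption: Apache/Nginx "combined" log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def summarize_login_hits(lines, login_path="/wp-login.php"):
    """Tally requests for the default login URL by status code and client IP."""
    by_status, by_ip, posts = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        # Compare the path without its query string (e.g. ?redirect_to=...).
        if m["path"].split("?", 1)[0] != login_path:
            continue
        by_status[m["status"]] += 1
        by_ip[m["ip"]] += 1
        if m["method"] == "POST":
            posts += 1  # a POST is a submitted login form, not just a page load
    return {"by_status": dict(by_status),
            "by_ip": by_ip.most_common(),
            "posts": posts}

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:06:25:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:06:25:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:06:26:10 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 2310 "-" "curl/8.0"
192.0.2.10 - - [10/Mar/2024:09:00:00 +0000] "GET /login HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2024:06:25:01 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Mar/2024:06:26:10 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "curl/8.0"
192.0.2.44 - - [11/Mar/2024:07:00:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    # Pass a log file path as the first argument, or run with no argument
    # to use the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            report = summarize_login_hits(fh)
    else:
        report = summarize_login_hits(SAMPLE_LOG)
    print("Requests by status:", report["by_status"])
    print("Login form submissions (POST):", report["posts"])
    for ip, count in report["by_ip"][:10]:
        print(f"{count:6d}  {ip}")
```

Run it on the log from before and after the change: the count of requests answered with 200 should drop, and requests to the old URL should show up under the not-found status instead.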