Categories: Beginner’s Guide, Security & Best Practices, Security Plugins

How to Hide the WordPress Login URL From Hackers (Without Breaking Your Site)

How to hide the WordPress login URL from hackers using WPS Hide Login, 2FA and rate limiting

Every WordPress site on the planet has the same two login addresses out of the box: /wp-login.php and /wp-admin. Hackers know this. Bots know this. Credential stuffing scripts are written around this. The moment you launch a WordPress site, automated scanners start hammering those URLs trying thousands of username and password combinations every hour.

This guide walks you through what hiding the login URL actually does, which tools do it reliably, and how to layer it with other defenses so your login page becomes genuinely difficult to find and even harder to crack.

Why Attackers Target /wp-login.php and /wp-admin

WordPress powers around 43% of all websites. That market share makes it an irresistible target. Attackers do not need to write custom tools for each site they attack. They write one script that fires at /wp-login.php and deploy it against millions of domains simultaneously.

The two main attack types you face are:

Brute Force Attacks

A brute force bot tries username and password combinations in rapid sequence. It might start with common pairs like admin/password, admin/123456, or admin/[site-name] and then work through dictionary lists. On a site without rate limiting, a bot can try hundreds of combinations per minute.

Credential Stuffing

Credential stuffing is more targeted. Attackers buy or download lists of real email and password combinations leaked from other data breaches. They then try those same credentials against WordPress login pages, gambling that users reused their passwords. This works more often than it should.

Both attacks, as commodity bots run them, depend on finding the login form at its default path. If the bot cannot find the form, it cannot attempt a login. That is the whole logic behind hiding the login URL (the other endpoint that accepts credentials, XML-RPC, is covered in the FAQ). For context on what happens when attackers do succeed, see our guide on how to fix a WordPress redirect hack that sends visitors to spam sites.

What Hiding the Login URL Does (and Does Not Do)

Let’s be honest about what this technique is: security through obscurity. It is not a bulletproof defense. It does not fix weak passwords. It does not stop a determined attacker who already knows your custom URL. It does not protect you if someone leaks or guesses your new login path, and the path can leak in mundane ways: any theme or plugin that renders a “Log in” link (comment forms, lost-password links, membership pages) prints the new URL into the page source, because the plugin rewrites what wp_login_url() returns. It also does nothing for the other places WordPress accepts credentials, XML-RPC in particular (see the FAQ).

What it does do, and does well, is cut out the vast majority of automated, commodity attacks. Bots hitting /wp-login.php at random get a 404 or a redirect and move on. Your server logs get quieter, your server load drops, and your exposure to untargeted brute force drops sharply.

Think of it like this: locking your front door does not stop someone who really wants to get in, but it stops everyone who was just testing handles. Hiding the login URL is the digital equivalent of that lock.

The real security gains come from combining URL hiding with rate limiting, strong passwords, and two-factor authentication. More on that layered approach later in this guide.

Method 1: WPS Hide Login Plugin

WPS Hide Login is the most popular dedicated plugin for this task, with over one million active installations. It does one thing: changes the URL of the login page. No bloat, no upsells in the way of the feature.

How to Install and Set It Up

  1. Go to Plugins > Add New in your WordPress dashboard.
  2. Search for WPS Hide Login.
  3. Install and activate it.
  4. Go to Settings > General and scroll to the bottom.
  5. Find the WPS Hide Login section.
  6. Set a new login URL slug. Avoid anything a scanner wordlist would contain: login, signin, backend, admin-login, or your company name with a year on the end. Two unrelated words and a number, like site-access-41, is enough.
  7. Set a redirect URL for when someone visits /wp-login.php directly. The home page works fine.
  8. Save changes.

Your new login URL will be https://yourdomain.com/your-chosen-slug. Bookmark it immediately.

Choosing a Good Login URL

Pick something memorable enough that you will not forget it but not so predictable that anyone could guess it. A random combination of two or three words works well: blue-crater-entry, panel-oak-77, or even a made-up word. Avoid common backend slugs that scanners already check for.

What Happens If You Forget the URL

This is the number one concern people have with this plugin. If you forget your custom login URL, you are locked out of the dashboard. The recovery options are:

  • Use your bookmark. Seriously, bookmark the URL before you save the settings.
  • Deactivate the plugin via FTP or file manager. Connect to your server, navigate to /wp-content/plugins/, and rename the wps-hide-login folder to something like wps-hide-login-disabled. This deactivates it and restores the default login URL.
  • Use WP-CLI: wp plugin deactivate wps-hide-login from the command line.
  • Disable via the database. In phpMyAdmin, open the wp_options table and find the active_plugins row. Its value is a PHP serialized array, so removing one entry by hand means renumbering the indices and fixing the element count, and a malformed value silently deactivates everything. The simpler and safer database route is to set the value to a:0:{} (an empty array), which deactivates every plugin at once; log in at /wp-login.php and re-enable the others from the dashboard.

Method 2: iThemes Security / Solid Security

iThemes Security was rebranded as Solid Security in 2023. The plugin covers a broad range of hardening tasks, and changing the login URL is one feature among many.

Changing the Login URL

  1. Install and activate Solid Security (free version is sufficient for this feature).
  2. Go to Security > Settings.
  3. Open the Advanced tab and look for the Hide Backend module (the feature has kept its iThemes-era name).
  4. Enable it and set your custom slug.
  5. Save settings.

Lockout Settings Worth Enabling

While you are in Solid Security, turn on the local brute force protection module too. It lets you set how many failed login attempts are allowed before an IP address gets blocked, and for how long. A sensible default is 5 failed attempts within 5 minutes triggers a 15-minute lockout. Repeat offenders get banned for longer.

The combination of a hidden URL and automatic IP lockouts covers both the discovery problem and the persistence problem.

Method 3: Wordfence

Wordfence is the most widely used WordPress security plugin. It is worth addressing directly because many people assume it includes login URL hiding. It does not.

What Wordfence does offer on the login security front:

  • Rate limiting: Throttles the number of login attempts per IP per minute.
  • Two-factor authentication: Available in the free version. Adds a TOTP code requirement on top of the password.
  • Login security page: Under Wordfence > Login Security, you can enable 2FA for admin accounts and force strong passwords.
  • IP blocking: You can manually or automatically block IPs attempting brute force attacks.
  • reCAPTCHA on login: Adds Google reCAPTCHA v3 to the login form.

If you are already running Wordfence and want to add login URL hiding, use it alongside WPS Hide Login. They are compatible. Run Wordfence for threat detection and firewall, and WPS Hide Login for the URL change.

Method 4: .htaccess to Block /wp-login.php

If you want to protect the login page without changing its URL, or as an additional layer on top of URL hiding, you can restrict access to /wp-login.php by IP address using Apache’s .htaccess file.

This approach lets only your specific IP address reach the login page. Everyone else gets a 403 Forbidden response before WordPress even loads.

The .htaccess Rules

Add the following block to the .htaccess file in your site root, outside the # BEGIN WordPress / # END WordPress markers (WordPress rewrites that section on its own, and a <Files> block works wherever it sits). This is the Apache 2.4 syntax:

# Protect wp-login.php (Apache 2.4, mod_authz_core)
<Files wp-login.php>
  <RequireAny>
    Require ip 203.0.113.50
    Require ip 198.51.100.25
  </RequireAny>
</Files>

Replace 203.0.113.50 and 198.51.100.25 with your actual IP addresses, one Require ip line per location. On Apache 2.2, or on 2.4 with mod_access_compat loaded, the older form is Order Deny,Allow / Deny from all / Allow from 203.0.113.50; on a plain 2.4 server those directives are unknown and produce a 500 error for the whole site, which is the usual reason this recipe “breaks the site”. One more trap: behind Cloudflare or any other reverse proxy, Apache sees the proxy’s address, not the visitor’s, and the rule locks everyone out, you included. Either enable mod_remoteip (RemoteIPHeader CF-Connecting-IP plus RemoteIPTrustedProxy for the proxy’s ranges) or move the IP check to the proxy itself (Method 5).

Finding Your IP Address

Search for “what is my IP” in Google; it shows your current public address. If that address changes often (typical on residential ISPs), this method gets inconvenient. You can widen the rule with CIDR notation: Allow from 203.0.113.0/24 (Require ip 203.0.113.0/24 in Apache 2.4 syntax) covers 203.0.113.0 through 203.0.113.255. Bear in mind that is 256 addresses, most of them other customers of your ISP, so a VPN or jump host with a fixed egress address is the better fix where you can arrange one.

Important Caveat

This method works on Apache web servers. If your host uses Nginx, the equivalent goes in your server block configuration, not in .htaccess, and there is a trap: an exact-match location = /wp-login.php takes priority over the usual location ~ \.php$ block, so if it contains only allow/deny, Nginx serves wp-login.php as a static file instead of running it. Repeat the PHP handler inside the block. The socket path below is an assumption; copy it from your existing PHP location.

location = /wp-login.php {
  allow 203.0.113.50;
  deny all;
  # exact match wins over "location ~ \.php$", so PHP handling must be repeated here
  include fastcgi_params;
  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
}

Denied visitors get a 403. Run nginx -t before reloading, and contact your host if you are unsure which web server you are running.

Method 5: Cloudflare WAF Rule

If your site sits behind Cloudflare (and it should), you can add a firewall rule that blocks all requests to /wp-login.php except from specific IP addresses. This happens at the network edge, before any request reaches your server. It only helps if attackers cannot reach your origin directly: if the server’s real IP is exposed (an old DNS record, a mail header, a subdomain that is not proxied), a bot can send its requests straight to it. Restrict the origin’s firewall to Cloudflare’s published IP ranges so the edge is the only way in.

Setting Up the Rule

  1. Log in to your Cloudflare dashboard and select your domain.
  2. Go to Security > WAF.
  3. Click Create Rule.
  4. Name the rule something like Protect WP Login.
  5. Set the following conditions:
    • Field: URI Path
    • Operator: contains
    • Value: /wp-login.php
  6. Add an exception using AND NOT:
    • Field: IP Source Address
    • Operator: is in
    • Value: your IP addresses
  7. Set the action to Block.
  8. Deploy the rule.

The free Cloudflare plan includes 5 custom WAF rules. This is a good use of one of them.
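In the expression editor the same rule reads as follows. This is an added example, not from the article or from Cloudflare’s documentation; the two IPs are placeholders from the documentation ranges. eq on the path is tighter than contains, and the optional second rule covers the XML-RPC endpoint the FAQ mentions:

```text
(http.request.uri.path eq "/wp-login.php" and not ip.src in {203.0.113.50 198.51.100.25})

(http.request.uri.path eq "/xmlrpc.php")
```

Set the action to Block for both. The path field never includes the query string, so requests with ?action=lostpassword or ?action=logout match the first rule as well, which is what the caveat below is about.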

One thing to keep in mind: the rule blocks everything that goes through /wp-login.php for anyone not on the allowlist, including password-reset links (?action=lostpassword), registration, and logout. Membership and e-commerce plugins (WooCommerce included) sometimes route users through those actions, so on a site with front-end accounts either narrow the rule (for example to POST requests only) or rely on rate limiting and 2FA instead. Also note that once WPS Hide Login is active, your real logins no longer touch /wp-login.php at all, so this rule does not protect the custom slug unless you add that path to it. Test every login flow after deployment.

Why Two-Factor Authentication Beats URL Hiding Alone

Hiding the login URL reduces noise. Two-factor authentication stops the attacks this guide is about even if the attacker finds your login page and knows your password.

Here is the reality: passwords get compromised. Phishing, data breaches, malware, shoulder surfing. A password is a single point of failure. 2FA adds a second factor that an attacker cannot get just by stealing or guessing a password; they would also need the TOTP seed or the device it lives on. The honest caveat: a phishing page that relays your password and code to the real site in real time defeats TOTP, and only passkeys or hardware keys (WebAuthn, see the FAQ) resist that. TOTP still ends credential stuffing and brute force outright.

WP 2FA Plugin

WP 2FA is a dedicated plugin from Melapress (the team formerly known as WP White Security). It supports:

  • TOTP apps (Google Authenticator, Authy, Microsoft Authenticator)
  • Email OTP as a backup
  • Grace periods for users to set up 2FA before being locked out
  • Role-based enforcement (require 2FA for admins and editors, optional for subscribers)

Setup is straightforward: install the plugin, run the setup wizard, scan the QR code with your authenticator app, and verify with the first code. You are done in under five minutes. Save the backup codes the wizard shows you somewhere other than the phone itself; they are what gets you in if the device is lost.

Wordfence 2FA

If you are already running Wordfence, its built-in 2FA works well. Go to Wordfence > Login Security, enable two-factor authentication for your user role, and follow the setup steps. Same TOTP flow as WP 2FA.

Google Authenticator Plugin

The miniOrange Google Authenticator plugin is another solid option that supports TOTP, push notifications, and hardware security keys (YubiKey). It has a free tier that covers basic TOTP for individual accounts.

Login Attempt Limiting

Even if an attacker finds your login page, rate limiting means they cannot try thousands of passwords per minute. They get a handful of attempts before getting locked out.

Loginizer

Loginizer is a popular free plugin with over one million active installs. It blocks IP addresses that exceed a configurable number of failed login attempts. Default settings are reasonable: 3 failed attempts in 15 minutes triggers a lockout. After multiple lockouts, the IP gets blacklisted.

It also shows you a log of recent failed attempts, which is useful for seeing how much attack traffic your site is getting.

WP Limit Login Attempts

WP Limit Login Attempts is a lightweight alternative that focuses purely on limiting login attempts. It has no upsell, no dashboard widget clutter, just the core function. You set the number of retries, the lockout duration, and optionally get email notifications on lockouts.

Both plugins are free and compatible with most themes and security plugins.
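The counting a lockout plugin does in memory can be done after the fact against your web server’s access log, which is the quickest way to see how much login abuse a site actually takes before and after hiding the URL. The script below is an added example, not from the article or any plugin; the log lines are constructed for it (documentation IP ranges, not real traffic) and the log path in the usage note is an assumption. It relies on two facts about a stock wp-login.php: a failed login re-renders the form with HTTP 200, while a successful one answers with a 302 redirect. POSTs to xmlrpc.php are counted as attempts as well, since it always answers 200.

```shell
#!/bin/sh
# Added example, not from the article or any plugin. Counts failed login attempts per IP
# in an Apache combined-format access log, the way a lockout plugin counts them in memory.
# A stock wp-login.php answers a failed login with HTTP 200 (form re-rendered with an error)
# and a successful one with 302; POSTs to xmlrpc.php are counted as attempts too.

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG=$(cat <<'EOF'
198.51.100.7 - - [29/Apr/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
198.51.100.7 - - [29/Apr/2026:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
203.0.113.50 - - [29/Apr/2026:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.99 - - [29/Apr/2026:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "curl/8.4.0"
198.51.100.7 - - [29/Apr/2026:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
203.0.113.50 - - [29/Apr/2026:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.99 - - [29/Apr/2026:10:00:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 419 "-" "curl/8.4.0"
198.51.100.7 - - [29/Apr/2026:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
192.0.2.99 - - [29/Apr/2026:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "curl/8.4.0"
192.0.2.1 - - [29/Apr/2026:10:00:15 +0000] "GET / HTTP/1.1" 200 14022 "-" "Mozilla/5.0"
EOF
)

# flag_bruteforce LOGFILE THRESHOLD
# Prints "ip count" for every client with at least THRESHOLD failed attempts, busiest first.
flag_bruteforce() {
  awk -v threshold="$2" '
    # $6 is the quoted method, $7 the path (query string included), $9 the status code
    $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ && $9 == 200 { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= threshold) printf "%s %d\n", ip, fails[ip] }
  ' "$1" | sort -k2,2nr
}

# Stand-alone run against the constructed sample with a threshold of 3 failures.
log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$log"
flag_bruteforce "$log" 3
rm -f "$log"
```

On a real server run it as flag_bruteforce /var/log/apache2/access.log 5 (path assumed; use whatever your host logs to). The 203.0.113.50 client in the sample is an admin who loaded the form and logged in successfully, and is correctly not flagged; the two flagged addresses are what you would feed to a Cloudflare block rule or a fail2ban jail.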

Emergency Recovery: What to Do If You Lock Yourself Out

Locking yourself out after changing the login URL or enabling IP restrictions is the most common problem people run into. Here is how to get back in. (If your issue is a blank white screen on the login page, that is a separate problem with a different fix.)

Scenario 1: Forgot Custom Login URL (WPS Hide Login)

Connect to your server via FTP, SFTP, or your host’s file manager. Navigate to /wp-content/plugins/. Rename the wps-hide-login folder to wps-hide-login-disabled. The plugin is now deactivated and your login page reverts to /wp-login.php.

Scenario 2: Locked Out by .htaccess IP Restriction

Your IP changed (happens with residential ISPs), so now you are blocked too. Connect via FTP and open .htaccess. Find the <Files wp-login.php> block you added. Update the Allow from line with your new IP address, or temporarily remove the block entirely to regain access, then re-add it with the correct IP.

Scenario 3: Locked Out by Login Attempt Limit

If Loginizer or a similar plugin blocked your IP, the quickest fix is to deactivate the plugin via FTP (rename its folder in /wp-content/plugins/). The lockout also expires on its own (15 minutes with Loginizer’s defaults), so simply waiting is often enough. If you have database access you can clear the plugin’s lockout records directly; check its documentation for the exact table or option it writes to rather than guessing, because deleting the wrong row in wp_options can break the site.

Scenario 4: No FTP Access

If you are on a managed host without direct file access, contact support. Explain you are locked out and need them to deactivate a specific plugin via WP-CLI or the file system. Most managed hosts handle this quickly.

The broader lesson: always keep FTP or SFTP credentials handy, and always bookmark your custom login URL the moment you set it.

Multisite Considerations

Hiding the login URL on a WordPress multisite network is more involved than on a single site. Here is why:

  • User accounts on a multisite network are shared, and WPS Hide Login, once network-activated, is configured from the network admin; the slug you set there is used across the network, so one change moves every subsite’s login page at the same time.
  • For subdomain installs (site1.yourdomain.com, site2.yourdomain.com) the network-level slug therefore applies under each subdomain (site1.yourdomain.com/your-slug), not per site.
  • Some plugins that auto-generate login URLs for users (membership plugins, WooCommerce) may break if they hard-code /wp-login.php in their redirect logic. Test thoroughly after enabling login URL changes on multisite.
  • The .htaccess IP restriction approach is generally safer on multisite since it does not depend on WordPress routing logic.

If you are running a small multisite network with a known team of admins, the .htaccess or Cloudflare approach is the most predictable option. If you have user registrations and member logins, test everything in a staging environment first.

The Combination Approach: What Actually Works

No single technique is enough on its own. The combination is what makes your WordPress login genuinely hard to attack.

The Three-Layer Setup

Layer 1: Hidden Login URL
Use WPS Hide Login to move the login page to a non-standard URL. This eliminates commodity bot attacks that target the default WordPress login path. Set a redirect to the home page for anyone hitting the old URL.

Layer 2: Two-Factor Authentication
Enable 2FA via WP 2FA or Wordfence Login Security. Even if someone finds your login URL and has your password, they still cannot log in without your TOTP code. This is the highest-impact security measure you can add to any WordPress site.

Layer 3: Rate Limiting and Lockouts
Install Loginizer or enable the brute force protection in Solid Security. Set it to lock out IPs after 5 failed attempts. Combined with a hidden URL and 2FA, this makes automated attacks completely impractical.

Optional Add-ons

  • Cloudflare WAF rule if you want edge-level blocking before traffic reaches your server
  • .htaccess IP restriction if you always log in from the same IP or a known range
  • Strong unique passwords managed in a password manager (this should go without saying, but it bears repeating)
  • Username change: if your admin username is still admin, change it. WordPress does not let you edit a username from the dashboard, so create a new administrator account, log in as it, and delete the old one, reassigning its content. Worth doing, but do not overrate it: usernames are not secret (the REST API and /?author=1 reveal them), so it only foils bots that try admin blindly

What This Stack Does to an Attacker

A bot scanning for /wp-login.php hits a 404 or a redirect and never finds the form. An attacker who does discover the custom URL (through a login link in your page source, a tool that fuzzes common slug names, or a leak) still needs a valid password and the current TOTP code. Guessing a six-digit code is hopeless as long as attempts are limited; check that your lockout plugin counts failed second-factor entries and not only failed passwords, or rely on the 2FA plugin’s own attempt limit. What this stack does not cover: a real-time phishing page that relays your password and code, session cookies stolen by malware on your own machine, and vulnerable plugins, which remain the most common way WordPress sites get compromised and bypass the login entirely. Keep plugins few and updated.

Quick-Reference Checklist

Use this to verify your login security setup:

  • [ ] Login URL changed from default (/wp-login.php returns 404 or redirects)
  • [ ] Custom login URL bookmarked in your browser and saved in your password manager
  • [ ] Two-factor authentication enabled for all admin accounts
  • [ ] 2FA backup codes saved securely
  • [ ] Failed login attempt limiting active (3-5 attempts before lockout)
  • [ ] XML-RPC disabled or blocked unless something (Jetpack, a mobile app) needs it
  • [ ] Admin username is NOT admin
  • [ ] All admin passwords are 16+ characters, unique, stored in a password manager
  • [ ] FTP/SFTP credentials documented for emergency recovery
  • [ ] Tested that you can still log in after all changes

Frequently Asked Questions

Will hiding the login URL break my plugins?

Most plugins are unaffected. Anything that builds its login links with wp_login_url() or wp_lostpassword_url() gets the new URL automatically, because WPS Hide Login filters the site_url and wp_redirect output those functions go through. Plugins that hard-code /wp-login.php as a string will break. This is uncommon but worth testing; check membership, LMS, and custom user-flow plugins after making the change. Remember that every such link also reveals the new slug to anyone who views the page source.

Does this affect my XML-RPC or REST API?

No. Login URL hiding only changes the interactive form path. XML-RPC (/xmlrpc.php) still accepts a username and password, and its system.multicall method lets a single request carry hundreds of login attempts, which makes it a bigger brute-force target than the form itself. If nothing needs it (Jetpack and some mobile publishing apps do), disable or block it. The REST API does not accept your account password (it authenticates with cookies and nonces, or with Application Passwords), but /wp-json/wp/v2/users lists the usernames of published authors to anyone, which is how bots learn which names to try; restrict that endpoint for unauthenticated requests if you can.

Can I hide /wp-admin too?

You can restrict /wp-admin by IP via .htaccess or a Cloudflare WAF rule the same way you restrict /wp-login.php, with one essential exception: admin-ajax.php and admin-post.php live inside /wp-admin and are called by front-end features for logged-out visitors (contact forms, live search, cart updates), so a blanket IP rule on the directory breaks those for everyone. Allowlist the directory and explicitly open those two files. WPS Hide Login does not change the /wp-admin path itself; once you are logged in, /wp-admin works normally, and a logged-out visitor who requests /wp-admin is sent to the plugin’s 404 or redirect target rather than to the hidden login page, so the slug is not given away.
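The rule a practitioner would actually put in wp-admin/.htaccess, as an added example that is not from the article or any plugin. It assumes Apache 2.4 with mod_authz_core, and the two IPs are placeholders from the documentation ranges. The directory-level rule allowlists the dashboard; the <FilesMatch> block, which Apache merges after it and which replaces it under the default AuthMerging Off, keeps the two front-end handlers open to everyone:

```apache
# wp-admin/.htaccess (Apache 2.4, mod_authz_core). Added example; IPs are placeholders.
<RequireAny>
  Require ip 203.0.113.50
  Require ip 198.51.100.25
</RequireAny>

# admin-ajax.php and admin-post.php are called by front-end features for
# anonymous visitors; this section merges after the directory rule and
# replaces it (AuthMerging Off is the default), so these two stay public.
<FilesMatch "^(admin-ajax|admin-post)\.php$">
  Require all granted
</FilesMatch>
```

Verify with a logged-out browser that the front end still works and that /wp-admin/ answers 403 from a non-listed address. The reverse-proxy caveat from Method 4 applies here too: behind Cloudflare, Apache must be told the real client IP or this locks everyone out.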

What about passwordless login or passkeys?

Some modern authentication plugins support passkeys (WebAuthn), which eliminate passwords entirely. This is an emerging option but not yet mainstream in WordPress. If you want to explore it, look at plugins like Passwordless Login for WordPress or the WebAuthn provider by 2-Factor. For most sites, TOTP-based 2FA is the right balance of security and usability right now.

Summary

Hiding the WordPress login URL is a practical first step against automated brute force attacks. It is not magic, and it is not enough on its own, but it reliably eliminates a significant category of attacks with minimal setup. Use WPS Hide Login for the URL change, add 2FA via WP 2FA or Wordfence, and enable login attempt limiting with Loginizer. That three-layer stack makes your WordPress login significantly harder to attack without breaking any site functionality.

The most common mistake is stopping after the URL change and assuming the job is done. It is not. Add 2FA. That one step means a leaked or guessed password is no longer enough to take over the account.


Last modified: April 29, 2026
