How to change WordPress wp-admin url in wordpress without plugin

By April 22, 2017 WordPress 25 Comments
How To Change WordPress Admin Login URL to Improve Security

How To Change WordPress wp-admin Login URL to  Improve Security?

If you run a WordPress website, you should restrict the default wp-admin or Admin login URL to secure it against hackers. One of the most common types of hacking on WordPress is a brute force attack. In this kind of attack, a hacker attempts to try various permutations & combinations of usernames & passwords to get inside of your WordPress blog. Especially when we all know that the common WordPress admin URL is “wp-admin”, any hacker can easily get started with brute force attacking. There a number of plugins available to restrict  or change default /wp-admin url, but i recommend you don’t need to install any huge plugin if this can be achieve by a simple hook in php and .htaccess file. Below are the steps  to change the admin url or wp-admin to secure login.

Steps:

1.  Add constant to wp-confing.php

2.  Add below filter to functions.php

3.  Add below line to .htaccess file under IfModule mod_rewrite.c 

4.   Restrict the /wp-admin URL:

The above code allow you to login the admin fror new url.(don’t forgot to add “/” at  end of  the URL) site.com/adminLoginUrl/ But till now wp-admin url is  not blocked or disabled. To do this you need to add below code to restrict the URL : site.com/wp-admin. Now if someone access via /wp-admin url it will redirect to 404 page.

5.   Restrict the /wp-loging.php file:

Now if someone tries access via /wp-login.php url, it will show 404 page.

 

When you successfully changed the wp-admin login url, the next thing you need to do is change logo hover default title and change default logo link which point to “WordPress.org”. You can do this in my next tutorial.


About Vijay Dhanvai

A passionate blogger by heart and mind, I have been working in this field for 7 years now. A WordPress Professional, web developer and designer who intends to guide his readers about Web Design, WordPress, Blogging, Web Development, and more.

25 Comments

  • coco says:

    Thanks for the great article.
    However, it is not clear where does the last piece of code go ? In the .htaccess ?

    • Admin says:

      The last code snippets goes to your site theme function.php file.

      • Alex says:

        I am sure it must go in the in theme functions.php file of the theme ( at the top its the best way to go ) or, wp-config.php ( but from my experience, I am trying to avoid adding many code in the last file.

  • Nilesh Upadhyay says:

    Wow what a great article, Found my solution what i am looking for.

    Thanks 🙂

  • gautam says:

    Hi,

    When I put above code and sitename /adminLoginUrl on browser its go to 404 page can you please help me on this

    Thanks
    Gautam

    • Karan Sharma says:

      Hi Gautam,
      Glad to see you here, please follow this 4 steps as i mentioned, and can you just show me your second and third code snippets, so that i can found out where is issue.

      one more thing while accessing with new site admin URL don’t forgot to add “/” at the end.

  • Criss says:

    I have choosen this solution among other similar ones because it’s the most recent. But it’s not working for me. I set everything correct but my wp-admin is still active and my new login isn’t. Any idea?

    • Karan Sharma says:

      Hi Criss,
      The solution is well tested on single site and working. It is not for multi site. If it not working for you, it might be some plugin issue, because every caches plugin also put some entries in .htaccess file. Please disable your plugin one by one an check again. you can also write mail us to info@w3reign.com for more queries and support.

      • Criss says:

        …..actually I’m not using cache plugins and my htaccess is just a basic one. Is the filter “site_url” meaning that I have to change it with my site, or i ta has to stay like that?

  • Criss says:

    You know, I have found another post. They mention about creating a folder. I tested that version and I can see the login page when I browse my custom URL. However, I still can browse to my /wp-admin so the solution is only half working.

    • Karan Sharma says:

      Hi Criss,

      There is no sense to create an empty folder, the above solution is working perfectly, no need to create any folder. You can even check both URL of my website. 🙂
      With your case i can’t say anything until i check your file where you put this code snippets.

      New URL: w3reign.com/adminLoginUrl/
      Default URL: w3reign.com/wp-admin/

  • bajrasuprin says:

    Great Post.
    Now any idea how to deal /wp-login.php .
    I want to do the same thing for wp-login.php as well any idea how.
    if anyone sends the request like this something.com/wp-login.php i want it to redirect it to 404 as well

    • Karan Sharma says:

      Hello bajrasuprin,
      Yes their should be a redirection on wp-loging.php page. Please add this code snippets in function.php file.

      add_action( ‘init’, ‘force_404_redirect’, 1 );
      function force_404_redirect() {
      $requested_uri = $_SERVER[“REQUEST_URI”];
      if (strpos( $requested_uri, ‘/wp-login.php’) !== false ) {
      // The redirect code
      status_header( 404 );
      nocache_headers();
      include( get_query_template( ‘404’ ) );
      die();
      }
      }

  • ComWebSite says:

    Thanks for tricks.

  • 8vasa8 says:

    Hello,

    4 and 5 step shoud be in functions.php? I can’t log in. Thanks

  • Alex says:

    Hi,

    2. Add below filter to functions.php
    I was going to be mad before understand that code must be added in the wp-includes “functions.php” file… !

    3. Add below line to .htaccess file under IfModule mod_rewrite.c
    it doesn’t work there, added it in first line and works.

    5. Restrict the /wp-loging.php file: Now if someone tries access via /wp-login.php url, it will show 404 page.
    Yes, but with this code the created new wp-admin url with step 1-2-3 shows 404 page too.. suggestions?

  • sanket says:

    It works but i dont want to display this URL there wp-login.php?redirect_to=https%3A%2F%2Fmysite.in%2Fwp-admin%2F&reauth=1.Any ideas how can i do it?

  • Noe says:

    Hello,
    thank you for sharing your code! I have some trouble to understand the last code snippet, well it works as expected, it redirects all request to wp-login.php to the 404 page, but the custom login is blocked too because it redirects as usual to siteurl/wp-login.php?redirect_to=…
    Is there something I miss? There is no security improvement if I can’t manage to block wp-login.php too :/

    • Hello Noe,

      Please follow the steps very carefully, and the last code snippets is to restrict when someone tries access via /wp-login.php url, it will show 404 page.

      • Noé says:

        Hi Vijay,
        thank you for your reply! I follow exactly every step I’m sure of that 🙂 I found this code that worked for me:
        https://gist.github.com/em-piguet/f0482886996b48dec8e0
        It seems this snipped is doing the trick by adding “connect” before wp-login.php:

        add_filter(‘site_url’, ‘wplogin_filter’, 10, 3);
        function wplogin_filter( $url, $path, $orig_scheme ) {
        $old = array( “/(wp-login\.php)/”);
        $new = array( “connect”);
        return preg_replace( $old, $new, $url, 1);
        }
        in htaccess:
        RewriteRule ^connect$ wp-login.php

  • vasu says:

    Everything is working fine except the logout. Logout is not working . It redirects to home page without logging out.

  • Hey i tried this code . you explained very well . but still its showing page not found . its throwing 404 error.

Leave a Reply