How To Change WordPress wp-admin Login URL to Improve Security?
If you run a WordPress website, you should restrict the default wp-admin (admin login) URL to secure it against hackers. One of the most common attacks on WordPress is a brute force attack, in which an attacker tries many combinations of usernames and passwords to get into your WordPress blog. Because everyone knows that the default WordPress admin URL is “wp-admin”, any attacker can easily start a brute force attack against it. There are a number of plugins available to restrict or change the default /wp-admin URL, but I recommend not installing a large plugin when this can be achieved with a simple hook in PHP and the .htaccess file. Below are the steps to change the admin URL (wp-admin) to secure the login.
Steps:
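1. Add constants to wp-config.php
// Custom admin directory name used by the site_url filter and the rewrite rule.
define( 'WP_ADMIN_DIR', 'adminLoginUrl' );
// Scope the admin cookie to the new admin path.
define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . WP_ADMIN_DIR );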
2. Add the filter below to functions.php
// Replace the first "wp-admin" in URLs built by site_url() with the custom directory.
add_filter( 'site_url', 'wpadmin_filter', 10, 3 );
function wpadmin_filter( $url, $path, $orig_scheme ) {
    $old       = array( "/(wp-admin)/" );
    $admin_dir = WP_ADMIN_DIR;
    $new       = array( $admin_dir );
    return preg_replace( $old, $new, $url, 1 );
}
3. Add the line below to the .htaccess file, inside the IfModule mod_rewrite.c block
RewriteRule ^adminLoginUrl/(.*) wp-admin/$1?%{QUERY_STRING} [L]
4. Restrict the /wp-admin URL:
The code above lets you log in to the admin from the new URL, site.com/adminLoginUrl/ (don’t forget to add the “/” at the end of the URL). At this point the wp-admin URL is still not blocked or disabled. To block it, add the code below to restrict the URL site.com/wp-admin. Now if someone accesses the /wp-admin URL, they will be redirected to the 404 page.
add_action( 'login_form', 'redirect_wp_admin' );
function redirect_wp_admin() {
    $redirect_to = $_SERVER['REQUEST_URI'];
    if ( count( $_REQUEST ) > 0 && array_key_exists( 'redirect_to', $_REQUEST ) ) {
        $redirect_to    = $_REQUEST['redirect_to'];
        $check_wp_admin = stristr( $redirect_to, 'wp-admin' );
        if ( $check_wp_admin ) {
            wp_safe_redirect( '404.php' );
            exit; // Stop here so nothing else runs after the redirect header.
        }
    }
}
5. Restrict the /wp-login.php file:
Now if someone tries to access the /wp-login.php URL, it will show the 404 page.
add_action( 'init', 'force_404', 1 );
function force_404() {
    $requested_uri = $_SERVER["REQUEST_URI"];
    if ( strpos( $requested_uri, '/wp-login.php' ) !== false ) {
        // The redirect code
        status_header( 404 );
        nocache_headers();
        include( get_query_template( '404' ) );
        die();
    }
}
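Which URLs each snippet acts on can be checked before touching a live site. The script below is an added example, not code from the original article: it replays the step 2 regex, the step 4 redirect_to test and the step 5 substring test outside WordPress. The helper names and the sample URLs (other than the one quoted from the comments on this page) are assumptions.

```php
<?php
// Added example, not the tutorial's code: replays the checks from steps 2, 4
// and 5 on sample URLs outside WordPress. Helper names are hypothetical.
const WP_ADMIN_DIR = 'adminLoginUrl';

// Step 2 logic: replace the first "wp-admin" in a generated URL.
function step2_rewrite(string $url): string {
    return preg_replace('/(wp-admin)/', WP_ADMIN_DIR, $url, 1);
}

// Step 4 logic: does the decoded redirect_to parameter mention wp-admin?
function step4_matches(string $request_uri): bool {
    parse_str((string) parse_url($request_uri, PHP_URL_QUERY), $query);
    return isset($query['redirect_to'])
        && is_string($query['redirect_to'])
        && stristr($query['redirect_to'], 'wp-admin') !== false;
}

// Step 5 logic: does the request URI contain /wp-login.php anywhere?
function step5_matches(string $request_uri): bool {
    return strpos($request_uri, '/wp-login.php') !== false;
}

// URLs as WordPress would generate them (constructed samples).
$generated = [
    'https://site.com/wp-admin/',
    'https://site.com/wp-admin/post.php?return=/wp-admin/edit.php',
    'https://site.com/wp-login.php',
];
foreach ($generated as $url) {
    printf("step2  %s\n    -> %s\n", $url, step2_rewrite($url));
}

// Request URIs as the server would see them. The second is the URL quoted
// in the comments on this page; the others are constructed.
$requests = [
    '/wp-login.php',
    '/wp-login.php?redirect_to=https%3A%2F%2Fmysite.in%2Fwp-admin%2F&reauth=1',
    '/wp-login.php?redirect_to=https%3A%2F%2Fsite.com%2FadminLoginUrl%2F',
    '/adminLoginUrl/',
];
foreach ($requests as $uri) {
    printf("step4=%-3s step5=%-3s %s\n",
        step4_matches($uri) ? 'yes' : 'no',
        step5_matches($uri) ? 'yes' : 'no',
        $uri);
}
```

Step 5 matches every request URI that contains /wp-login.php, including one whose redirect_to already points at the new path, which is the case several commenters below describe.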
Once you have successfully changed the wp-admin login URL, the next thing to do is change the default logo hover title and the default logo link, which points to “WordPress.org”. You can do this in my next tutorial.
Thanks for the great article.
However, it is not clear where the last piece of code goes. In the .htaccess?
The last code snippet goes in your site theme's functions.php file.
I am sure it must go in the theme's functions.php file (at the top, it's the best way to go) or wp-config.php (but from my experience, I try to avoid adding much code to the last file).
Wow, what a great article. Found the solution I was looking for.
Thanks 🙂
Most welcome, and glad to see you here 🙂
Hi,
When I put in the above code and go to sitename/adminLoginUrl in the browser, it goes to the 404 page. Can you please help me with this?
Thanks
Gautam
Hi Gautam,
Glad to see you here. Please follow the 4 steps as I mentioned, and can you show me your second and third code snippets, so that I can find out where the issue is?
One more thing: while accessing the new site admin URL, don’t forget to add “/” at the end.
I have chosen this solution among other similar ones because it’s the most recent. But it’s not working for me. I set everything correctly, but my wp-admin is still active and my new login isn’t. Any idea?
Hi Criss,
The solution is well tested on a single site and is working. It is not for multisite. If it is not working for you, it might be a plugin issue, because every cache plugin also puts some entries in the .htaccess file. Please disable your plugins one by one and check again. You can also mail us at info@w3reign.com for more queries and support.
…actually I’m not using cache plugins and my htaccess is just a basic one. Does the filter “site_url” mean that I have to change it to my site, or does it have to stay like that?
You know, I have found another post. They mention creating a folder. I tested that version and I can see the login page when I browse my custom URL. However, I can still browse to my /wp-admin, so the solution is only half working.
Hi Criss,
There is no sense in creating an empty folder; the above solution is working perfectly, with no need to create any folder. You can even check both URLs of my website. 🙂
In your case I can’t say anything until I check the file where you put these code snippets.
New URL: w3reign.com/adminLoginUrl/
Default URL: w3reign.com/wp-admin/
Great Post.
Now, any idea how to deal with /wp-login.php?
I want to do the same thing for wp-login.php as well. Any idea how?
If anyone sends a request like something.com/wp-login.php, I want it to redirect to 404 as well.
Hello bajrasuprin,
Yes, there should be a redirection on the wp-login.php page. Please add this code snippet to the functions.php file.
add_action( 'init', 'force_404_redirect', 1 );
function force_404_redirect() {
    $requested_uri = $_SERVER["REQUEST_URI"];
    if ( strpos( $requested_uri, '/wp-login.php' ) !== false ) {
        // The redirect code
        status_header( 404 );
        nocache_headers();
        include( get_query_template( '404' ) );
        die();
    }
}
Thanks for the tricks.
Glad to see it helped you. 🙂
Hello,
Should steps 4 and 5 be in functions.php? I can’t log in. Thanks
Yes, the code for steps 4 and 5 goes in the functions.php file. Please follow the steps carefully; it worked perfectly.
Hi,
2. Add below filter to functions.php
I was going mad before understanding that the code must be added in the wp-includes “functions.php” file…!
3. Add below line to .htaccess file under IfModule mod_rewrite.c
It doesn’t work there; I added it as the first line and it works.
5. Restrict the /wp-login.php file: Now if someone tries access via /wp-login.php url, it will show 404 page.
Yes, but with this code the new wp-admin URL created with steps 1-2-3 shows the 404 page too. Suggestions?
It works, but I don’t want to display this URL there: wp-login.php?redirect_to=https%3A%2F%2Fmysite.in%2Fwp-admin%2F&reauth=1. Any ideas how I can do it?
Hello,
Thank you for sharing your code! I have some trouble understanding the last code snippet. It works as expected, redirecting all requests for wp-login.php to the 404 page, but the custom login is blocked too because it redirects as usual to siteurl/wp-login.php?redirect_to=…
Is there something I’m missing? There is no security improvement if I can’t manage to block wp-login.php too :/
Hello Noe,
Please follow the steps very carefully. The last code snippet is there so that when someone tries to access the /wp-login.php URL, it will show the 404 page.
Hi Vijay,
Thank you for your reply! I followed every step exactly, I’m sure of that 🙂 I found this code that worked for me:
https://gist.github.com/em-piguet/f0482886996b48dec8e0
It seems this snippet is doing the trick by adding “connect” before wp-login.php:
add_filter( 'site_url', 'wplogin_filter', 10, 3 );
function wplogin_filter( $url, $path, $orig_scheme ) {
    $old = array( "/(wp-login\.php)/" );
    $new = array( "connect" );
    return preg_replace( $old, $new, $url, 1 );
}
in htaccess:
RewriteRule ^connect$ wp-login.php
Everything is working fine except the logout. Logout is not working. It redirects to the home page without logging out.
Hey, I tried this code. You explained it very well, but it is still showing page not found. It’s throwing a 404 error.
Hi sir, I am trying your code but it is not working for me.
.htaccess code
# BEGIN WordPress
RewriteEngine On
RewriteBase /gnsmining/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /gnsmining/index.php [L]
RewriteRule ^secret-folder/(.*) wp-admin/$1?%{QUERY_STRING} [L]
# END WordPress
Hi,
After adding the code to restrict the wp-login.php URL as in point 5,
I am unable to log in with the new URL http://something.com/adminLoginUrl/
Please help me.
The code for points 1 to 4 is working perfectly.
Maybe a solution so you don’t have to care about the “/” character of the URI:
add_filter( 'login_redirect', 'custom_login_redirect', 10, 3 );
function custom_login_redirect( $redirect_to, $request, $user ) {
    if ( substr( $redirect_to, -1 ) != "/" ) {
        $redirect_to .= "/";
    }
    return $redirect_to;
}