For the past few years the Shield Security plugin for WordPress has been demonstrating its ability to thwart attempts to compromise websites, with its many layers of protection.
One the most important of these layers is the user login protection system. Shield locks down your WordPress login against automated bots and brute force login attacks.
It does this using simple techniques. Rather that use complex analyses of IP addresses and the like, it takes advantage of how humans use websites versus automated bots.
The result is a highly effective system that protects WordPress websites like no other.
Hide The WordPress Login URL – wp-login.php
One of the core tenants of Shield is to never make file system changes – never touch WordPress core files, or write to the .htaccess.
This feature is no different. We don’t touch your wp-login.php, nor do we block it using .htaccess rules. We simply prevent it from being loaded directly using the standard WordPress login url – wp-login.php
Simply supply the Shield plugin with the URL you want to use as your login, and that’s what you’ll use thereafter.
You will of course need to remember that login URL, because if you forget it, you’ll not being able to login. WordPress will never tell you what it is. In fact, it’ll deny all knowledge of its existence and you’ll reach a 404 page, as if it doesn’t exist.
The same is true for your WordPress Admin (wp-admin). If you attempt to access this and you’re not logged in, you’ll be shown a 404 error. It wont automatically redirect you to the WordPress login screen (which is standard WordPress behavior).
How exactly do we rename the WordPress login page?
It’s a fairly simple process, but basically involves hooking into wherever WordPress normally loads wp-login.php. The wp-login.php is the only file within the WordPress core that handles the WordPress user sign-on process.
Therefore, without direct access to that file, no-one can log into your WordPress sites.
What better way to prevent login to your WordPress site than to hide your WordPress login page altogether.
The new plugin option can be found under the “Login Guard” module of the Shield Security plugin.
Simply supply a string of text (letters and numbers are supported) and this will immediately become your new login URL.
Please note: We do not rename or touch the original wp-login.php file.
How to change your WordPress Login URL
Take this website for example. The address is www.icontrolwp.com
If I put “mysecreturl” into the option to rename the WordPress login page, then my new login url will be:
www.icontrolwp.com/mysecreturl
This option only permits letters and numbers, and only when Permalinks are enabled for your site.
Important points to note about your hidden login URL
Simply supplying anything in this option will enable your secret login URL. When you do this, you need to understand that a few things will change in the behavior of your website:
- Normally when you try access your WordPress admin area you are automatically forwarded to the login page. To ensure your login page remains hidden, you will receive a 404 page not found error instead. It will appear as if your WordPress admin doesn’t exist! But it does – you must log in to your site to see it.
- If you try to access your old wp-login.php page, you will also receive a 404 page not found error. Again, this is used to mask the fact that the file exists.
- The blank standard “HTTP 404 Not Found” error page will be used but if you want to automatically redirect for any requests made to hidden pages, you can use WP Login & Admin Redirect option.
- If you have plugins that use hard-coded redirects to your wp-login.php, these will fail to redirect you correctly. Please contact the author to explain that they should use the native “site_url()” function within WordPress.
- This feature is not tested with WordPress Multisite – if you have issues, please provide feedback to help.
Please provide suggestions!
This plugin feature was only implemented upon the repeated requests from several users of the plugin. You make this plugin what it is, and any ideas, feedback, or suggestions you may have are necessary to keep this plugin up-to-date and relevant.
Thank you to everyone who has made suggestions and helped with testing of this plugin.
Hello dear reader!
If you want to level-up your WordPress security with ShieldPRO, click to get started today. (risk-free, with our no-quibble 14-day satisfaction promise!)
You'll get all PRO features, including AI Malware Scanning, WP Config File Protection, Plugin and Theme File Guard, import/export, exclusive customer support, and much, much more.
We'd be honoured to have you as a member, and look forward to serving you during your journey towards powerful, WordPress security.
Hi, I’d like to be able to use the change-login-url-to-something-else feature, and I have permalinks enabled, but when I try to enable the feature it says I need to have permalinks enabled. Now, although I do have permalinks enabled, I am using the default (ugly) style. Do I need to select a particular style of permalink before this feature will work?
The “ugly” style doesn’t work – this means in-fact you’re not using Permalinks.
I may release an update to support “ugly” links, but for the 1st release I opted to not support because it adds a bit more complexity.
Thanks,
Paul.
When I try to use the redirect login on my test site, I get a 404. How I find out what is going wrong? Is there a conflict with another plugin?
I want to add that my test site is in a sub-folder.
Thanks.
What is the URL that you get a 404 on?
Having the same problem. Permalinks are set to option 5 (page name only). The wp-login link now returns a 404, but so does the specified redirect URL, which is previewed as https://domain/wp/sitelogin … could there be an issue with WP installations in subfolders?
Hi Daniel,
Is your WordPress installation in a sub-folder, but the URL of the site is different? If this is the case, this is tested and working.
If the WordPress installation is in a sub-folder and the WordPress URL is also in a sub-folder, perhaps there is an issue there, but I’m not sure how that would work. I’ll have to do some testing with that to see…
Can you confirm which way your URL is configured etc.?
Thanks,
Paul.
did you see my reply below?
The WP installation is not in the domain/web root, but in its “/wp” subfolder
The WP directory and the start page settings on the WP config page are both configured as “https://domain/w”p (no trailing slash)
The name of the login page in the firewall plugin is set to “sitelogin”
The WP installation works without problems, but the https://domain/wp/sitelogin URL that is displayed on the firewall page now doesn’t work (404)
I’m glad I tested the login URL in a second browser before logging out in the first one; because apparently I have no way left to log in 🙂
When I reset the login page name in the firewall settings to blank, everything is fine again
Under “Login Protection”, I changed the Login Page from “wp-admin” to a name that only I would know and now, “wp-admin” AND my custom name does not work.
There are no subdomains or subfolders. This works on another site that I am using this plugin on, but not this one.
Any thoughts?
Thanks!
Apologies – I am getting a 404 for both.
“The requested URL /wp-admin/ was not found on this server.”
Similar to Tommy, I’ve renamed my login screen but when I navigate to the page I get a 404.
Oh – and fyi. Running the latest version of WP & Simple Firewall.
Me 2, the login rename doesnt work. i get a page not found.
Hi,
If I rename the login page , the new name is shown in emails sent to users during 2 factors authentication! so the new name is public..
is there any solution for that?
Thanks
Talal
Hi,
I just checked this and I can’t see what you’re seeing. That email doesn’t send out the new login URL.
And, if it was, it would be sending it to a user that already new the URL… I’m not sure how this is “public”.
Thanks,
Paul.
Hi,
You’re right, the email doesn’t send out the new login URL.
By the way, allow me to thank you for your grate plugin.
Talal
Hi Paul,
Presumably this won’t work for sites which require login to post a comment?
I see you have comments enabled here. Could you share your thoughts on preventing comment spam without login being required? On the only site I manage with comments enabled we currently have it set so people have to be logged in to leave a comment and we are using the CleanTalk plugin to prevent comment spam (which does a great job), but the site is experiencing frequent hacking attempts and it would be good to be able to rename the wp-login page and allow comments without opening up to a massive comment spam problem.
Thanks
Rob
Hi Rob,
We have a very good Comment SPAM protection built into the Simple Firewall plugin itself… look under the Comments Filter section. I have no issues whatsoever with comment spam with these enabled.
Worth trying out.
Cheers!
Thanks Paul,
I renamed wp-login.php, enabled the comment spam protection in Simple Firewall and removed the requirement for people to be logged in to post a comment and in the past 10 days this has been working brilliantly.
Cheers
Rob
Hey Rob,
Brilliant news… Glad it’s working so well for you!
Haha. I hate to be ‘that guy’, but there’s a website that I haven’t accessed in quite a while now, and…………. I’ve forgotten my custom login page url. 😀
So question is: Can one determine what the current login page is via some research with an FTP? Or, is there some way to revert the login page to the default WP login url without logging in or removing the entire WP Simple Firewall plugin?
Thanks in advance!
You can turn off the plugin functions without disabling the plugin itself using the process outlined here: https://icontrolwp.freshdesk.com/support/solutions/articles/3000000959
I seem to have done the same thing as the previous comment. I have my username and password, but I can’t for the life of me find a record or notation of where I put my custom URL. This is driving me crazy, is there any way that I can find the info or temporarily change it from my server or MySQL database to regain access?
The process outlined here: https://icontrolwp.freshdesk.com/support/solutions/articles/3000000959
can be used to knock off the plugin and get in to change it.
Hi Paul,
I’m not sure comments here will still receive replies, but it’s worth a try. For two days now I encounter that bots occasionally attack the renamed login page of my site. I’ve changed the url after I’ve noticed it first, but within the next 24 hours attempts to register a user (which is disabled) will move to the new url (/mysecreturl?action=register). My question: How is it possible that they even detect this “secret” url, which doesn’t seem to be so secret anymore? My concern: could that be related to the latest release since I’ve never encountered that problem before?
Thanks in advance
Max
There are couple of way this can happen. If you have private pages/posts, they will link to the login page. Or if you have any plugin that somehow exposes the login page, or forwards to the login page. Every site is different, but if you probably have something, somewhere that’s exposing the URL somehow either explicitly, or through a redirect.
Hope this helps.
Thanks, Paul. There are no private pages or posts and I haven’t installed any new plugins over the past few months and only encountered the problem for the last two days, that’s why I thought it might have to do with your recent update. Renaming the login page felt better before, but I guess I will learn to live with it. 😉
Hi, Paul, I’m sure this has aleady been addressed, but when I try to set my wp-loging url, I get “Warning: Can not use the Rename WP Login feature because you have the “Theme My Login” plugin installed and it is active.”
I have been battling to activate the Login Protection module without success (get a login error 500) and have eliminated the culprit to be My Theme Login, so i tried to rename the wp-login to “login”,as per the Theme My Login plugin.
Is there any way that I can fix this issue without removing Theme My Login?
How can I reset a renamed login back to wp-login.php. ?
You can use the forceoff system as outlined here:
https://icontrolwp.freshdesk.com/support/solutions/articles/3000000959
very good
Thanks for introducing the plugin info, which secures the user’s website without doing changes in coded or .htaccess.
I can’t enter to my wp account now, either can’t find where is the plugin file in my site for delete de plugin, i looking in the file directory of my site in plugins and no appear there what i can do ?
Hi Jorge,
We’re sorry to hear about the troubles you’re having.
To help you with this issue, we’ve opened a support ticket for you. Please check your email inbox when you have a chance. Email is sent to the email address you used to post your comment here.
Thanks 🙂