WordPress is the most popular CMS platform in the world and this makes it\u00a0an irresistible magnet for hackers and malicious login attempts. Even the best of the best can be brought down by a stealthy maverick with access\u00a0to brute-force tools that will automatically try to guess your username and password by hitting your WordPress login page over and over and over again.<\/p>\n
Hide Your WordPress Login Page with 4 Different Ways:<\/h2>\n
1. Hide wp-login.php Using a Plugin<\/a> Brute force attempts to log into WordPress are so common,\u00a0there’s even a page in the Codex<\/a> dedicated to the topic.<\/p>\n But… why give hackers and malicious bots the opportunity to even try and guess your login details? Just hide your WordPress login page and most bots and automated software won’t even know that your site exists.<\/p>\n In this article, you will learn how to implement one of the simplest and easiest strategies to protect your site from hackers and malicious bots: change your WordPress login URL, hide your\u00a0wp-admin<\/em>\u00a0and\u00a0wp-login\u00a0<\/em>page and redirect unwanted visitors away from your login page.<\/p>\n I have a standard WordPress site that I installed a few years ago. To get to the login page all you have to do is go to \/wp-admin<\/em>\u00a0or \/wp-login.php<\/em>.<\/p>\n This site doesn’t see a ton of traffic. In a typical month, it generates about 5,000 pageviews. However, the site’s login page sees malicious login attempts on a startlingly regular basis. I have the Defender<\/a> plugin activated on this site, and it tracks the number of blocked malicious login attempts. Since I’ve started tracking the number of blocked malicious login attempts, I can see that my site handles\u00a0hundreds of malicious login attempts each month, averaging about 24 per day, or one malicious login attempt every 60 minutes<\/a>.<\/p>\n Login attempts don’t happen at a regular pace of one per hour. Weeks can go by without a single malicious login attempt being logged. Then, suddenly, a few hundred or even a couple of thousand login attempts will be logged in a short period of time.<\/p>\n Most WordPress sites\u00a0set up as standard installations periodically experience brute force attacks attempting to log into the WordPress dashboard. Yours probably does too, whether you know it or not.<\/p>\n You may think that using canny logins will keep your site safe.<\/p>\n Hackers can easily tell if a site is powered by WordPress or not (often just by looking at the page source).<\/p>\n Once a hacker knows that your site runs on WordPress, they also know how to find your WordPress login URL<\/a>\u00a0(spoiler alert: the default WordPress login URL is found by entering your domain name, followed by\u00a0 Default WordPress behavior loads the login page when you access wp-login.php<\/em>. Type in wp-admin<\/em> instead, and you’ll be automatically redirected to wp-login.php<\/em>.<\/p>\n Unless you know\u00a0how to change your admin username<\/a>, your friendly neighborhood All the hacker has to do now is guess the password. Even if they can’t guess the password but keep trying to, this can use up your server’s resources and possibly end up taking your site down.<\/p>\n Many hackers are opportunistic and look for low hanging fruit that’s ripe and easy pickings.<\/p>\n If you don’t want people to steal your fruit, hide your tree.<\/p>\n Continuing with this really poor analogy (when life gives you lemons…), your WordPress login page gives admin users access to the whole orchard, so as part of our strategy of creating ‘security through obscurity,’ let’s hide your login page URL from everyone else but the admin.<\/p>\n Whether you’re dealing with a brand new WordPress installation or an existing WordPress website, whenever possible consider\u00a0installing WordPress in a subdirectory<\/a>. While this won’t prevent hackers from finding your WordPress login page if they deliberately choose to target your site, it will discourage many random bots and malicious users looking for easy targets to start hitting up your site and shaking your tree to see what falls out.<\/p>\n Having your WordPress site installed in a subdirectory, then, is a good first step toward creating ‘security through obscurity.’<\/p>\n If you’re moving an existing WordPress installation, before you do anything else, create a complete backup of your site<\/a> and store it someplace where you won’t accidentally delete or modify it. (Related: How to Back Up Your Backups For Bulletproof Protection<\/a>)<\/p>\n One more thing. When creating a subdirectory, choose a name that’s not too predictable like\u00a0http:\/\/example.com\/wordpress<\/em> or http:\/\/example.com\/wp<\/em>. Instead, choose something unique that no one will ever be able to guess like http:\/\/example.com\/dwiiw<\/em>\u00a0(an acronym for\u00a0d<\/b>irectory w<\/b>here I<\/b> i<\/b>nstalled W<\/b>ordPress<\/i>.)<\/p>\n Whether you choose to install WordPress in a subdirectory or not as an added security precaution is up to you.<\/p>\n The next step is to hide your login page URL (and optionally redirect wp-login.php visitors to another page on your site).<\/p>\n There are a few ways you can hide your WP login page from other users:<\/p>\n Before we get started, the strategy shared below isn’t recommended if your site requires a login page that needs to remain easy for other users to find (like a membership site).<\/p>\n If your site is not a membership site and login attempts are limited to a dozen or fewer admins, authors, editors, and contributors, then hiding your login page will help protect your site against malicious login attempts.<\/p>\n There are a number of free WordPress plugins that will let you hide the login page URL. Some of these plugins will also let you redirect wp-login.php visitors to another page of your website. Just visit the WordPress.org plugins directory and search for “Hide WP Login” to see a list of security plugins that you can use.<\/p>\n For this tutorial, we’ll use WPMU DEV’s own\u00a0Defender<\/strong> plugin.<\/p>\n Defender\u00a0lets you hide and<\/em> redirect wp-login.php, and includes many other top gun security features.<\/p>\n You can download Defender for free<\/a> from the WordPress plugin repository or if you’re a WPMU DEV member<\/a>, go ahead and install Defender Pro<\/a> from your WordPress site management hub<\/a>.<\/p>\n
\n2. Hide WordPress Login Page Without A Plugin<\/a>
\n3. Hide WP Login page with .htaccess<\/a>
\n4. Hide WP Login with Code<\/a><\/p>\nThe Best Way To Fight Against Brute-Force Attacks… Hide!<\/h3>\n
![\"WordPress](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2100\/10\/wordpress-hide-login-page.png\")
Why Change The WordPress Login URL?<\/h3>\n
![\"Defender](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2100\/10\/defender-ip-lockout-logs.jpg\")
WordPress Security Through Obscurity<\/h3>\n
![\"Google](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2100\/10\/view-page-source.png\")
\/wp-login.php<\/code>).<\/p>\nmotherf<\/del> hacker will also know that your username is most likely something like admin<\/code>.<\/p>\n![\"WP](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2100\/10\/wp-login-page-admin-password.png\")
If They Can’t See It, They Can’t Crack It<\/h3>\n
Optional Step: Install WordPress In Its Own Directory<\/h3>\n
![\"WordPress](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2100\/10\/wordpress-installed-in-subdirectory.jpg\")
\n
Hide Your Site Login Page – Disclaimer<\/h3>\n
1. Hide wp-login.php Using a Plugin<\/h3>\n
![\"Defender](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2100\/10\/defender-wordpress-security-plugin.png\")
<\/a>![\"Defender](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2100\/10\/install-defender-pro-WordPress-security-plugin.jpg\")
![\"Activate](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2100\/10\/activate-mask-login-defender.png\")
![\"Defender](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2100\/10\/setup-mask-login-defender.jpg\")
![\"Defender](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2100\/10\/defender-advanced-tools-screen.png\")