{"id":158091,"date":"2016-08-08T14:00:55","date_gmt":"2016-08-08T14:00:55","guid":{"rendered":"https:\/\/premium.wpmudev.org\/blog\/?p=158091"},"modified":"2016-08-23T15:34:58","modified_gmt":"2016-08-23T15:34:58","slug":"hide-wordpress-login-page-2","status":"publish","type":"post","link":"https:\/\/wpmudev.com\/blog\/hide-wordpress-login-page-2\/","title":{"rendered":"Hiding Your WordPress Login Page from Hackers with Code"},"content":{"rendered":"<p>There are <a href=\"https:\/\/sucuri.net\/website-firewall\/stop-brute-force-attacks\/\" target=\"_blank\">40 million brute force attacks on websites every day<\/a>, so it\u2019s highly likely your site will succumb to an attack. One relatively easy way to protect your site is to hide your login page from hackers.<\/p>\n<p>Making it harder for hackers to find the location of your login page file means there\u2019s less chance they can attempt to guess your credentials and infiltrate your site.<\/p>\n<p>So how do you do it? You can create a new login page URL and hide your login with code in a few simple steps, adding an extra layer of defense to your site.<\/p>\n<p>You don\u2019t need to install any plugins and it only takes a few minutes to implement.<\/p>\n<p>Time&#8217;s a wastin&#8217; and hackers aren&#8217;t letting up anytime soon so let&#8217;s get started.<\/p>\n<h2>Baby Back, Back, Back It Up<\/h2>\n<p>Since you need to make edits to your <em>.htaccess<\/em>\u00a0file to hide your login, it&#8217;s important that you create a full backup of your site. 
Your <em>.htaccess<\/em> file is an important one where one teeny-tiny mistake could completely take down your site so it&#8217;s best not to live on the edge and take chances here.<\/p>\n<p>If you scoff at the idea and insist that no one can slow down your rockin&#8217; life, then at least back up your <em>.htaccess<\/em>\u00a0file as well as the folder for whatever theme you&#8217;re using.<\/p>\n<p>You can check out some of our other posts for details on how to back up your site:<\/p>\n<ul>\n<li><a href=\"https:\/\/wpmudev.com\/blog\/backup-with-snapshot\/\" target=\"_blank\" rel=\"noopener\">How to Backup Your WordPress Website (and Multisite) Using Snapshot<\/a><\/li>\n<li><a href=\"https:\/\/wpmudev.com\/blog\/creating-manual-backup\/\" target=\"_blank\" rel=\"noopener\">Creating a Manual Backup of WordPress When It\u2019s Down or Locked<\/a><\/li>\n<li><a href=\"https:\/\/wpmudev.com\/blog\/backup-and-restoring\/\" target=\"_blank\" rel=\"noopener\">Backup Plugins Aren\u2019t About Backing up, They\u2019re About Restoring<\/a><\/li>\n<li><a href=\"https:\/\/wpmudev.com\/blog\/multisite-backup-solutions\/\" target=\"_blank\" rel=\"noopener\">4 Top WordPress Multisite Backup Solutions Tested and Reviewed<\/a><\/li>\n<li><a href=\"https:\/\/wpmudev.com\/blog\/premium-freemium-wordpress-backup-plugins\/\" target=\"_blank\" rel=\"noopener\">7 Top Premium and Freemium WordPress Backup Plugins Reviewed<\/a><\/li>\n<\/ul>\n<p>It&#8217;s also a good idea to try the code below in a test environment. It&#8217;s optional, but if you&#8217;re concerned that your site may go down for a minute or so, then it&#8217;s the best option for you. After all, it&#8217;s better that your test site implodes, rather than your live site\u00a0\u2013 no matter how short-lived.<\/p>\n<p>Once that&#8217;s out of the way, you can try one of the options for changing your login page&#8217;s slug based on your comfort zone. 
Once your new slug is created, you can hide the original <em>wp-login.php<\/em> page.<\/p>\n<p>The first option requires you to only edit your <em>.htaccess<\/em> file whereas you need to edit your theme&#8217;s <em>functions.php<\/em> and <em>.htaccess<\/em> files with the second option.<\/p>\n<p>Feel free to skip down to the option you are more comfortable with trying.<\/p>\n<h2>Call Me, Maybe by a Different Slug<\/h2>\n<p>No matter which option you choose, you can edit the necessary files directly in your favorite <a href=\"https:\/\/wpmudev.com\/blog\/terminal-command-line\/\" target=\"_blank\" rel=\"noopener\">SSH client on the command line<\/a>, with <a href=\"https:\/\/wpmudev.com\/blog\/ftp-wordpress\/\" target=\"_blank\" rel=\"noopener\">FTP<\/a> using certain clients such as FileZilla or in cPanel.<\/p>\n<h3>1. Using Only <em>.htaccess<\/em>\u00a0Rules<\/h3>\n<p>The code you need to add should ideally be included at the top of your <em>.htaccess<\/em> file for single installs of WordPress or after the following lines for Multisite installs:<\/p>\n<div class=\"gist\" data-gist=\"a122d52c329456997b5878b789bafcfa\" data-gist-file=\".htaccess\"><a class=\"loading\" href=\"https:\/\/gist.github.com\/a122d52c329456997b5878b789bafcfa.js?file=.htaccess\">Loading gist a122d52c329456997b5878b789bafcfa<\/a><div class=\"gist-consent-notice\" style=\"display:none\"><p>Please <a href=\"javascript:Cookiebot.renew()\">update your cookie preferences<\/a> to enable preference cookies to view this gist.<\/p><\/div><\/div>\n<p>Here&#8217;s the code you need to add:<\/p>\n<div class=\"gist\" data-gist=\"a8ca8be7b0dbf2124c9d00035b3a0620\" data-gist-file=\".htaccess\"><a class=\"loading\" href=\"https:\/\/gist.github.com\/a8ca8be7b0dbf2124c9d00035b3a0620.js?file=.htaccess\">Loading gist a8ca8be7b0dbf2124c9d00035b3a0620<\/a><div class=\"gist-consent-notice\" style=\"display:none\"><p>Please <a href=\"javascript:Cookiebot.renew()\">update your cookie preferences<\/a> to enable 
preference cookies to view this gist.<\/p><\/div><\/div>\n<p>Be sure to change <code>mylogin<\/code>\u00a0on line two to whatever you want your slug to be. If you don&#8217;t change it, you can find your login page at <code>www.your-site.com\/mylogin<\/code>. If you do change it, your URL structure should be the same, except with your slug in place of <code>mylogin<\/code>.<\/p>\n<p>It&#8217;s recommended that you change the slug since this post is available to the public which means hackers have access to it as well. If you do use it, they won&#8217;t have to guess your login URL since it&#8217;s printed here.<\/p>\n<p>Also be sure to change <code>123<\/code> in lines two and seven to something else. This is a secret key that isn&#8217;t displayed to hackers. You should pick something that isn&#8217;t obvious so don&#8217;t change the secret key to &#8220;wordpress&#8221; or the title of your site. Your key should also only have letters and numbers.<\/p>\n<p>Save your <em>.htaccess<\/em> file and check that your site is still up. If you get a 500, internal server error, it means that you have made a mistake somewhere, no matter how small. Restore the file and try again.<\/p>\n<p>If your site is up but it&#8217;s not working for you, try clearing your browser&#8217;s cache.<\/p>\n\n<h3>2. Your Theme&#8217;s Functions Files and <em>.htaccess<\/em><\/h3>\n<p>Before you continue adding code to your site, it&#8217;s important that you first create a child theme. 
This prevents you from losing the changes you make to your theme the next time it&#8217;s updated.<\/p>\n<p>You can check out a couple of our posts <a href=\"https:\/\/wpmudev.com\/blog\/how-to-create-wordpress-child-theme\/\" target=\"_blank\" rel=\"noopener\">How to Create a WordPress Child Theme<\/a> and <a href=\"https:\/\/wpmudev.com\/blog\/easy-child-themes\/\" target=\"_blank\" rel=\"noopener\">How to Automagically Create Child Themes in WordPress<\/a>\u00a0for details on how to create one.<\/p>\n<p>Once you&#8217;re set to go, you need to start by adding some code to the top of your <em>.htaccess<\/em> file for single installs of WordPress and for Multisite, after this:<\/p>\n<div class=\"gist\" data-gist=\"e121375ce4839cc564d07ec3e82150d4\" data-gist-file=\".htaccess\"><a class=\"loading\" href=\"https:\/\/gist.github.com\/e121375ce4839cc564d07ec3e82150d4.js?file=.htaccess\">Loading gist e121375ce4839cc564d07ec3e82150d4<\/a><div class=\"gist-consent-notice\" style=\"display:none\"><p>Please <a href=\"javascript:Cookiebot.renew()\">update your cookie preferences<\/a> to enable preference cookies to view this gist.<\/p><\/div><\/div>\n<p>This code from one of our developers, Leighton Sapir, creates the new slug for you to use within your site:<\/p>\n<div class=\"gist\" data-gist=\"4389b8e8abbf9143e4a2d04f12c3e5ca\" data-gist-file=\".htaccess\"><a class=\"loading\" href=\"https:\/\/gist.github.com\/4389b8e8abbf9143e4a2d04f12c3e5ca.js?file=.htaccess\">Loading gist 4389b8e8abbf9143e4a2d04f12c3e5ca<\/a><div class=\"gist-consent-notice\" style=\"display:none\"><p>Please <a href=\"javascript:Cookiebot.renew()\">update your cookie preferences<\/a> to enable preference cookies to view this gist.<\/p><\/div><\/div>\n<p>You can replace <code>myprivatelogin<\/code> with whatever slug you want to use instead of <em>wp-login.php<\/em>. 
In this case, the new login URL you created should be <code>www.your-site.com\/myprivatelogin<\/code>.<\/p>\n<p>Save the file and check that your site functions properly. If you run into a 500, internal server error, you have some mistakes to correct. If you&#8217;re not sure what went wrong, restore your <em>.htaccess<\/em> file and try again.<\/p>\n<p>You could go along on your merry way at this point and start using your new login URL, but you could go one step further and get WordPress to use this new URL everywhere it&#8217;s linked on your site.<\/p>\n<p>Open your theme&#8217;s <em>functions.php<\/em> file. You can find it under <em>\/wp-content\/themes\/your-theme\/<\/em>.<\/p>\n<p>You can add the following <a href=\"https:\/\/wordpress.org\/support\/topic\/how-to-change-from-wp-loginphp-to-login\" rel=\"noopener\" target=\"_blank\">code from a WordPress support thread<\/a> almost anywhere in the file, though the bottom is usually a safe bet:<\/p>\n<div class=\"gist\" data-gist=\"e59a4677dc2b25f99113ae00b2846953\" data-gist-file=\".functions.php\"><a class=\"loading\" href=\"https:\/\/gist.github.com\/e59a4677dc2b25f99113ae00b2846953.js?file=.functions.php\">Loading gist e59a4677dc2b25f99113ae00b2846953<\/a><div class=\"gist-consent-notice\" style=\"display:none\"><p>Please <a href=\"javascript:Cookiebot.renew()\">update your cookie preferences<\/a> to enable preference cookies to view this gist.<\/p><\/div><\/div>\n<p>Don&#8217;t forget to replace <code>myprivatelogin<\/code> on line five with the slug you chose to write in your <em>.htaccess<\/em> file.<\/p>\n<p>When that&#8217;s done, save the file and try it out. If you still have the default meta information in your sidebar, you can click the login link there, for example. 
It should go to your login page with the new slug you entered.<\/p>\n<h2>You Can Run, You Can Hide and Escape My Hacks<\/h2>\n<p>These two methods give an alternative to the old, ratty <em>wp-login.php<\/em> and add a new slug to use in your login URL. Both options are completely useable at this point, though, so it&#8217;s still important that you hide your actual <em>wp-login.php<\/em> page.<\/p>\n<p>Since your new login URL isn&#8217;t easily guessable or printed multiple times in the WordPress Codex, it&#8217;s going to be more difficult for hackers to try brute force attacks once you deny them access to the default login page which they already know about.<\/p>\n<p>For details on how to hide your original login page, check out our post\u00a0<a href=\"https:\/\/wpmudev.com\/blog\/limit-access-login-page\/\" target=\"_blank\" rel=\"noopener\">Limit Access to the WordPress Login Page to Specific IP Addresses<\/a>.<\/p>\n<p>Using the code options above helps you add an extra layer of security to your site to prevent brute force attacks. Also, it helps keep your site as lightweight as possible since you don&#8217;t have to use a plugin that could slow down your site&#8217;s speed.<\/p>\n<p>You could still use a plugin if you prefer not to touch code and there are loads to pick from in our post\u00a0<a href=\"https:\/\/wpmudev.com\/blog\/hide-wordpress-login-page\/\" target=\"_blank\" rel=\"noopener\">How to Hide Your WordPress Login Page From Hackers and Brute Force<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There are 40 million brute force attacks on websites every day, so it\u2019s highly likely your site will succumb to an attack. One relatively easy way to protect your site is to hide your login page from hackers. 
Making it harder for hackers to find the location of your login page file means there\u2019s less [&hellip;]<\/p>\n","protected":false},"author":54213,"featured_media":158131,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"blog_reading_time":"","wds_primary_category":0,"wds_primary_tutorials_categories":0,"footnotes":""},"categories":[263],"tags":[10810],"tutorials_categories":[],"class_list":["post-158091","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tutorials","tag-wordpress-security"],"_links":{"self":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/158091","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/users\/54213"}],"replies":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/comments?post=158091"}],"version-history":[{"count":17,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/158091\/revisions"}],"predecessor-version":[{"id":209389,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/158091\/revisions\/209389"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/media\/158131"}],"wp:attachment":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/media?parent=158091"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/categories?post=158091"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/tags?post=158091"},{"taxonomy":"tutorials_categories","embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/tutorials_categories?post=158091"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}