Everybody knows that they can access their WordPress site via (name_of_site_goes_here)/wp-login.php. This is great for your convenience, but it also opens the door to would-be attackers. Because if everybody knows how to do this, then so do the bad people.
Of course, they need to have figured out that you are using a WordPress site. But it isn’t exactly difficult to discover. Just right click on the page in any browser and choose “view source”. Hit Ctrl+F to do a text search and type in “wp-content”. If you get any hits, then it’s definitely a WordPress site.
So, next they will try the usual login URL, then cross their fingers and type in “admin” as the username. Because it’s the one that WordPress creates by default, and some people don’t ever bother to change theirs. If “admin” gets them in, then the last hurdle is the password. And hopefully you’re someone who makes it difficult for the bad guys by using a password manager. So they can’t surreptitiously record which keys you hit.
Now, a password is a pretty big hurdle to get over. So it’s most likely going to be the one that finally trips up our Hacker. Hooray! Your site is safe from the forces of darkness – but that doesn’t mean that your troubles are over.
Determined Hackers might carry on trying to get into your site with a million and one different password combinations. But even though they don’t stumble on the right one, they can still overtax your server’s precious CPU cycles. To the point where your site keels over.
Are you now a nervous wreck? It’s OK – We wouldn’t reduce you to that state if there wasn’t a simple way to get you out of it.
Change WordPress Login URL with Better WP Security Plugin
With this plug-in, you will be able to change:
- /wp-login.php to /login/
- /wp-admin/ to /admin/
- /wp-login.php?action=register to /register/
Compatibility might give you some trouble. Get yourself familiar with all of the Better WP Security options before you change any settings. If you have an odd set up and aren’t sure if this plugin might affect it adversely then chat to your developer or web host about it before you proceed.
For safety’s sake it’s best to change every single one of your login URLs, which includes the ones you use to login, register and manage your site. Here’s how:
Step 1: Perform a Complete Backup
Use the power of WP Toolkit to back everything up (not just the database). Check that it’s done, and you’ve saved it where you want before moving on to step two.
Step 2: Install and Activate
Install the plugin. Activate it. Done.
Step 3: How to Set it up
Once installed, follow these steps:
- Open the plugin’s wp-admin options page.
- Follow the first 3 setup steps as shown in the screenshots below.
- Let the plugin change WordPress’s core files (taking note of the warning before you do).
- Click the “Secure My Site from Basic Attacks” button.
- Click the “Hide” tab
- Check the “Enable Hide Backend” box
- Enter your desired login, register, and admin slugs or leave them at the plugin’s defaults of “login”, “register”, and “admin”.
- Click “Save Changes”.
How the Better WP Security Plugin Changes the Login URL
So how does it work? The secret sauce is in the .htaccess file. The plugin adds around 30 lines to the beginning of your main WordPress .htaccess file. That’s all it takes to change the login URLs. Note that both the wp-login.php file and the wp-config.php file are not modified, moved, or renamed. No prior knowledge of .htaccess is necessary to use the Better WP Security plugin.
If you haven’t changed your WordPress Login URL already, consider changing it as soon as possible… before it’s too late!