How to change your WordPress login URL

Changing the WordPress login URL is a security practice recommended by several WordPress security professionals. Even so, many others warn that changing the login URL of your WordPress website does little to thwart attacks. The truth, as is often the case, lies somewhere in between.

Does changing the WordPress Login URL really improve the security of your WordPress blogs and websites? Or is this another WordPress security myth? In this article, we will be looking at the merits of this security practice, along with how to change your WordPress login URL.

Why Change the WordPress Login URL?

There are many reasons why you might want to change your WordPress admin login URL. This security-by-obscurity tactic helps WordPress administrators to:

  • Protect the WordPress login URL from brute force attacks
  • Save server resources and bandwidth by reducing the frequency of attacks

While these are not security issues per se, they can pose security risks, which can be partly mitigated by changing your WordPress login URL. This practice is called security by obscurity. The premise is that by hiding certain information, bad actors will have a harder time finding it – making an attack less likely.

It is safe to say that nobody is disputing whether hiding your WordPress URL is an effective security measure or not – it is. The argument against changing your WordPress login URL largely rests on whether it’s an effective enough security measure. We will look at the advantages of hiding your login URL later on in this article.

But first, let’s look at the different ways you can hide your wp admin login.

How to find your WordPress login URL

By default, the WordPress login page is served from the /wp-login.php file in the WordPress root. This path needs to be appended to your domain name URL, for example:

www.myawesomesite.com/wp-login.php

If WordPress is installed in its own sub-directory or subdomain, then /wp-login.php needs to be appended to the full WordPress site URL. For example:

  • blog.myawesomesite.com/wp-login.php
  • myawesomesite.com/blog/wp-login.php

In custom installations, the location may differ, depending on how WordPress is set up. Some hosting providers also provide a link to the WordPress admin area directly from their back end without requiring access to the login URL. Speak to your hosting provider or developer for the details in such cases.

How to change the WordPress login URL (plugin method)

Changing the login URL of your WordPress site is easy, thanks to our Melapress Login Security plugin. This plugin is built from the ground up to protect various aspects of your WordPress login processes. In this short tutorial, we’ll show you how to change your old login URL to a brand-new one without breaking a sweat.

More good news? This feature is available in the free edition of the plugin. Sweet!

Step 1: Install and activate the plugin

Installing Melapress Login Security is easy. You’ll not only be able to change the login URL to a custom login URL (in no time at all) but get free access to other features like password policies. Here’s how to set up the plugin:

  1. Log in to your WordPress dashboard and navigate to Plugins > Add New
  2. Search for Melapress Login Security
  3. Click on Install Now and then Activate Plugin

That’s it! The plugin is now installed and activated.

Step 2: Change the login URL

To change the login URL, navigate to Login Security > Login page hardening.

In the Login page URL field, enter the new URL you want your WordPress login to use. You can also redirect anyone trying to access the default login URL by entering the redirect URL in the Old login page redirect field. Remember to click on Save Changes when done.

That’s it – your login URL has now been changed! You can test it by visiting your new login URL, and don’t forget to update any bookmarks or documentation you may have.

How to manually change the WordPress login URL

If you do not want to use a plugin to change your WordPress admin login URL, you can change it manually. Before adopting this method, however, there are a few caveats that you need to be aware of:

  1. You will need to make changes to the wp-login.php file, which is a core file of WordPress
  2. The file will need to be re-updated or re-uploaded every time WordPress is updated
  3. You will need to create a child theme to avoid having to re-do the process every time you change or update your theme

Step 1: Take a backup of the wp-login.php file

Log in to your WordPress using either SFTP or SSH. We need to do this as we will be amending a WordPress file, specifically – the wp-login.php file. You should find the file in the WordPress root directory.

Since we will be modifying a core WordPress file, it is a good idea to back up the file before making any modifications. This will allow you to return to a working configuration should something break.

You might also want to download a copy of the file to your machine. This will enable you to work on the login page file using an IDE (Integrated Development Environment). Using an IDE makes the job easier.

Step 2: Rename the wp-login.php file

The filename represents the URL over which the login page is accessed. As such, for example, if you rename the file from wp-login.php to mysecretlogin.php, the new WordPress login URL will be www.mydomain.com/mysecretlogin.php

Step 3: Replace wp-login references with new URL

Next, we need to ensure WordPress knows the new login URL. The first step we need to take is to update all wp-login references in the newly-renamed wp-login file. This ensures that WordPress can always refer to the correct file, and thus to the correct login page.

As mentioned earlier, the easiest way to do this is by using an IDE such as Microsoft Visual Studio Community, which is available for free.

Use the Search and Replace function to ensure you do not miss any wp-login instances, and then save the file once you are ready.

Once the file is saved, re-upload it to the WordPress root directory.

Just one step left, so let’s get to it.

Step 4: Update the functions.php file

The last step to change the WordPress admin login URL is to update the functions.php file. This tells the theme where to find the login page. You can edit the file using SFTP, SSH, or by editing the file directly from the WordPress admin.

Add this code to the file and save once ready. You’ll need to replace new-login-url.php with the new filename from Step 2.

// Make WordPress generate login links that point at the renamed file.
add_filter( 'login_url', 'change_login_url', PHP_INT_MAX );
function change_login_url( $login_url ) {
    $login_url = site_url( 'new-login-url.php', 'login' );
    return $login_url;
}

That is it! You can now access the WordPress login page using the new URL.
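
Steps 1 to 3 above can also be run over SSH as one function. This is an added example, not code from the original article: rename_login and its arguments are hypothetical names, it rewrites only the literal string wp-login.php, and the demo runs on a constructed stub rather than the real core file.

```bash
# Added example: back up, rename and rewrite references in one pass.
rename_login() {
  wp_root=$1; new_name=$2; backup_dir=$3
  src="$wp_root/wp-login.php"; dst="$wp_root/$new_name"

  # Accept only a bare *.php file name, so it is safe in a path and in sed.
  case "$new_name" in
    *wp-login.php|.*|*[!A-Za-z0-9._-]*) echo "invalid name: $new_name" >&2; return 2 ;;
    *.php) ;;
    *) echo "invalid name: $new_name" >&2; return 2 ;;
  esac
  # The backup must live outside the web root, otherwise a copy of the
  # old login page stays reachable under the backup's name.
  case "$backup_dir/" in
    "$wp_root"/*) echo "backup dir is inside the web root" >&2; return 2 ;;
  esac
  [ -f "$src" ] || { echo "missing: $src" >&2; return 1; }
  [ ! -e "$dst" ] || { echo "already exists: $dst" >&2; return 1; }

  # Step 1: back up the original file.
  mkdir -p "$backup_dir" && cp -p "$src" "$backup_dir/wp-login.php.orig" || return 1
  # Steps 2 and 3: create the renamed file with the same mode, rewrite
  # every "wp-login.php" reference into it, then remove the original.
  cp -p "$src" "$dst" || return 1
  sed "s/wp-login\.php/$new_name/g" "$src" > "$dst" || return 1
  rm -f "$src"
  # Final check: succeed only if no stale reference is left behind.
  ! grep -q 'wp-login\.php' "$dst"
}

# Demo on a constructed stub (two lines that mimic references in the core file).
demo_root=$(mktemp -d); demo_backup=$(mktemp -d)
printf '%s\n' '<?php' \
  "\$url = site_url( 'wp-login.php?action=lostpassword', 'login' );" \
  "\$form = '<form action=\"wp-login.php\" method=\"post\">';" > "$demo_root/wp-login.php"
rename_login "$demo_root" mysecretlogin.php "$demo_backup" && cat "$demo_root/mysecretlogin.php"
```
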

The flawed argument against changing the login URL

As we mentioned earlier, several security professionals question whether changing the WordPress default login URL of your WordPress admin is enough of a security measure that warrants implementation. The flaw in this argument is that, ultimately, no security measure on its own is ever enough.

Sure, a firewall might have a more significant effect on the security of your WordPress website than changing the login URL. Even so, a firewall on its own is not enough. The same can be said for any security measure (bar switching the server off, but that’s hardly a solution).

This does not mean that by changing the login URL, we are forever hiding it from everyone. For all intents and purposes, when changing the URL of your login page, you’re adding a stumbling block for bots and bad actors to trip over.

It’s important to realize that no one solution can stop 100% of attacks. The idea behind every solid and effective security policy is to strategically place as many stumbling blocks as possible while monitoring and adapting to emerging threats.

How hackers circumvent hidden login URLs

Bad actors, and their bots, can get very creative when it comes to circumventing security measures. This creativity also extends to finding hidden URLs. While multiple tools/techniques can be used to find a hidden URL, one common technique is called fuzzing.

Fuzzers are used to generate and enter semi-random data in a program. While mostly used to find bugs, fuzzers can also be used to discover leftover files on a web server and hidden URLs. While this technique is by no means efficient, it goes on to show that there’s always a workaround. This is precisely why we need to take a 360-degree approach to WordPress security.
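
Both behaviours leave a trail in the web server's access log: once the login page has moved, no legitimate user requests /wp-login.php any more, and URL guessing shows up as one client collecting 404s on many different .php paths. The following is an added example, not part of the original article. It assumes the combined log format, the function names are hypothetical, and the log lines are constructed with documentation IP ranges.

```bash
# Constructed sample access log (combined format).
write_sample_log() {
  cat > "$1" <<'EOF'
192.0.2.10 - - [12/Mar/2025:10:00:01 +0000] "GET /mysecretlogin.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2025:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.5"
203.0.113.7 - - [12/Mar/2025:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.5"
203.0.113.7 - - [12/Mar/2025:10:00:07 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "curl/8.5"
198.51.100.23 - - [12/Mar/2025:10:01:00 +0000] "GET /login.php HTTP/1.1" 404 196 "-" "-"
198.51.100.23 - - [12/Mar/2025:10:01:00 +0000] "GET /admin.php HTTP/1.1" 404 196 "-" "-"
198.51.100.23 - - [12/Mar/2025:10:01:01 +0000] "GET /signin.php HTTP/1.1" 404 196 "-" "-"
198.51.100.23 - - [12/Mar/2025:10:01:01 +0000] "GET /login.php HTTP/1.1" 404 196 "-" "-"
192.0.2.10 - - [12/Mar/2025:10:02:00 +0000] "GET /old-post.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
EOF
}

# flag_login_probes LOGFILE MIN_PATHS
# Prints one line per client that (a) still requests the old login URL or
# (b) hit at least MIN_PATHS distinct missing .php paths.
flag_login_probes() {
  awk -v min_paths="$2" '
    { ip = $1; path = $7; status = $9; sub(/\?.*$/, "", path) }
    # Requests for the old address, whatever the response status was.
    path == "/wp-login.php" { old[ip]++ }
    # Distinct missing .php paths per client; repeats are counted once.
    status == 404 && path ~ /\.php$/ && !seen[ip, path]++ { miss[ip]++ }
    END {
      for (ip in old) { printf "%s old-login-url requests=%d\n", ip, old[ip] }
      for (ip in miss) {
        if (miss[ip] >= min_paths) { printf "%s php-404-sweep paths=%d\n", ip, miss[ip] }
      }
    }' "$1" | sort
}

sample_log=$(mktemp)
write_sample_log "$sample_log"
flag_login_probes "$sample_log" 3
```

The flagged addresses are candidates for the failed-login and firewall controls discussed later in the article; the visitor with a single stale 404 stays below the threshold and is not reported.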

Troubleshooting issues with the WordPress login

If you’re having issues with your wp-admin login, there are several troubleshooting steps you can take to fix the problem. The steps you take will largely depend on the type of issue you are facing.

I cannot find the login URL

If, for one reason or another, you cannot find your login URL, the first step you should take is to check your hosting provider’s back end. Many providers offer a direct link, so you don’t need to know the wp-admin URL to log in. Alternatively, you can either SSH or FTP to the server and check the wp-login.php file. You’ll find the file in the public_html folder.

If you have used a plugin to change the URL, you might also want to check the database entries of that plugin for the updated URL.

I forgot my password

If you forgot your password, a few different options are available for resetting it. The easiest way is to use the ‘Lost your password?’ option on the WordPress login screen.

You’ll need to enter your username or email address, and WordPress will send you a new password. If you’re not the only administrator on the website, you can also ask one of your colleagues to reset your password.

Alternatively, you can reset your WordPress password through the database or use WP-CLI. You can also use FTP to reset your WordPress password.

WordPress admin login URL is not working

If you used a plugin to change your WordPress admin login URL, chances are there is a plugin conflict that’s prohibiting the plugin from functioning correctly. To resolve this issue:

  1. First, disable the plugin. This can be done safely through SFTP.
  2. Log in to your WordPress site using SFTP and navigate to the plugins folder.
  3. Rename the plugin used to set the custom WordPress login URL.
  4. Once done, navigate to the default login URL.

To resolve the plugin issue, get in touch with the plugin developer for further assistance.

On the other hand, if you set a custom login URL manually, you will need to follow a slightly different procedure:

  1. Locate the wp-login.php and functions.php files. We will be replacing the modified versions with the original versions.
  2. Log in to your WordPress site using SFTP.

More security measures to protect your WordPress login

As we mentioned earlier, changing the login URL of the WordPress admin login is a good security practice – as long as it’s undertaken in conjunction with other security measures. Here are more security measures you can apply for a solid login page:

Implement login policies

Now that you have the Melapress Login Security WordPress plugin installed, you can take full advantage of the plugin for better WordPress login security. Navigate to Login Security > Login Security Policies and then tick the Enable login security policies checkbox. This will allow you to set the following policies:

Password policies

Research shows that, left to their own devices, many users choose weak passwords that are easy to remember. Such passwords are often easy to crack, potentially leading to breaches. Through password policies, you can set policies for password complexity, expiration, recycling, and much more. In turn, this helps you make passwords more robust and your login forms more secure.

Inactive users policies

Inactive WordPress users pose a unique security threat since breaches often go unnoticed. Automatically disabling inactive users ensures that such accounts do not become a target.

Limit login attempts

Failed WordPress logins can happen for one of two reasons – a user has genuinely forgotten their password, or a hacker is genuinely trying to guess it. With a failed login policy, you can essentially limit login attempts on your WordPress website – giving genuine users enough time to remember their passwords and bad actors not enough tries to guess the password (especially when having a strong password policy in place).

Geo-blocking

Another way to protect your WordPress login is to limit who can access the login page. Geo-blocking is an efficient way of accomplishing this. It enables you to block access from specific countries or only allow connections from specific countries. Since the wp login URL is typically accessed by known people, implementing geo-blocking can help you reduce risk.

Change the admin username

Everyone is familiar with default administrator usernames, such as admin. As such, it is important to use a username that is not easy to guess, making it that much more difficult for attackers to guess the username. Any account bearing a default username should be disabled or deleted (after all appropriate rights have been transferred to another user account).

Add HTTP Authentication

HTTP authentication adds another authentication layer through the web server. On Apache systems, this is implemented through the .htaccess file. You can edit this file directly or through applications such as cPanel, which is offered by most WordPress hosting providers.

An .htaccess file protects the WordPress directory it is in and its sub-directories, so you need to be careful where to place it and how to edit it. If you have SSH access, you can log in to the server and edit it directly using a text editor. You can also use an FTP file manager.
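
Because an .htaccess file applies to its whole directory tree, the authentication rules can be limited to the login file with a Files block. The function below is an added example, not from the original article: protect_login_file, the marker comments and the sample paths are hypothetical, and the password file is assumed to be created separately with Apache's htpasswd utility.

```bash
# protect_login_file DOCROOT LOGIN_FILE PASSWD_FILE
# Appends a Basic-auth block for one file to DOCROOT/.htaccess.
protect_login_file() {
  docroot=$1; login_file=$2; passwd_file=$3
  htaccess="$docroot/.htaccess"
  marker="# BEGIN login-basic-auth"

  # The password file must sit outside the document root, where the web
  # server can read it but never serves it. This example also insists on
  # an absolute path so the location is unambiguous.
  case "$passwd_file" in
    "$docroot"/*) echo "password file is inside the document root" >&2; return 2 ;;
    /*) ;;
    *) echo "use an absolute path for the password file" >&2; return 2 ;;
  esac

  # Idempotent: do nothing if the block was already added.
  if [ -f "$htaccess" ] && grep -qF "$marker" "$htaccess"; then return 0; fi

  # Append outside the "# BEGIN WordPress" ... "# END WordPress" section,
  # which WordPress rewrites itself. Only LOGIN_FILE is protected; the
  # rest of the site stays public.
  cat >> "$htaccess" <<EOF

$marker
<Files "$login_file">
    AuthType Basic
    AuthName "Restricted login"
    AuthUserFile "$passwd_file"
    Require valid-user
</Files>
# END login-basic-auth
EOF
}

# Demo in a scratch directory; both paths are constructed sample values.
demo_docroot=$(mktemp -d)
protect_login_file "$demo_docroot" mysecretlogin.php /etc/apache2/wp-login.htpasswd
cat "$demo_docroot/.htaccess"
```
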

Add two-factor authentication

Two-factor authentication, also known as 2FA for short, adds an additional security layer by requiring a secondary authentication following the username and password combination. One of the most common 2FA methods is called OTP, which is a one-time code provided by apps such as Google Authenticator.

Adding 2FA to WordPress is easier than you might think, thanks to WP 2FA – the number one user-rated WordPress 2FA plugin.

Other solutions

When it comes to WordPress security, there are more solutions than you can shake a stick at. Some, like blocking specific IP addresses, tend to have very limited effect – it’s very easy to change IPs, after all. Others, such as installing a firewall, follow best practices that have withstood the test of time.

One of the most important things underpinning WordPress security is knowledge. Knowing what is happening, such as who is logging in, what activities are being actioned, and everything else that takes place on your WordPress website, can help you take action before risks become issues.

The best way to achieve this is by installing WP Activity Log. This plugin keeps a record of all user and system activities on your WordPress site, including activities for 3rd party plugins such as WooCommerce, MemberPress, Yoast, and many others.

Frequently Asked Questions

How do I change my WordPress login URL without plugins?

You can manually change the WordPress login URL by editing the wp-login.php file. Do keep in mind that editing the WordPress core files is not something that is recommended, and an update can easily wipe out all of your changes.

How do I change my WordPress admin login link?

You can easily change your default WordPress login using Melapress Login Security. This security plugin is designed to secure different aspects of your WordPress login processes, including changing your WordPress login page URL. The plugin also enables you to set up policies for passwords, limit login attempts, and much more.

Can you change WordPress login URL?

Yes, you can change the WordPress login URL using either a plugin like Melapress Login Security or manually by updating the wp-login.php and functions.php files. If you opt for the manual method, you’ll need to create a child theme to avoid having to re-do the process every time there is an update.

Joel Barbara