WordPress is now one of the most used Content Management Systems and with Woo commerce it is now a leading ecommerce platform. However, WordPress is often targeted by hackers.
Do you want to frustrate hackers with a good ‘ole fashioned game of hide and seek? If so, hiding your WordPress login page is a great way to secure your site from both targeted hacks and automated brute-force attacks.
To secure the login of your WordPress and Woo website requires some editing work and this is something that you should ideally review each month. For example the first Monday of each month quickly review the existing administrators and editors and delete users that no longer need access. Also consider changing the access URL monthly and circulate the new details. You may also force all admins to change their passwords at this time by resetting their password and of course ensure you are usingh 2FA.
In this post we discuss how to to you change your access URL. Please ensure this is done to your website to keep hackers out, not changing the login URL is very risky, you have been warned!
Why you should use Custom login URL in WordPress?
In general, anybody can guess the default login page for the admin, all you have to do is add ‘wp-admin’ or ‘wp-login.php’ to the URL and a hacker can then use a bit of brute force on the and site predicting the login password of your site and before you know it you’ve been hacked or hijacked.
A brute-force attack is a process of where a hacker tries many passwords to enter into your website, hoping eventually to guess the right one. The hacker will check frequently used common passwords and software to try about 10000 passwords combinations every second so it does not take time for your site to be hijacked if you use weak passwords.
You need to make it impossible for the hackers to access the administration login page of your website.
Unfortunately, WordPress engine does not provide an option to rename admin folder by default. However, there are bunch of free plugins on the web that you can use for that matter. Please note that you use such plugins at your own risk. It is strongly recommended to make backups and test first on a staging site. Be aware any extra plugins may slow you website and its easy to have one less plugin to worry about by following this tutorial.
Changing wp-admin URL without any plugin
The process of the WordPress Login URL without a plugin is such a simple thing to do, if you have backend access to your wordpress site and you are comfortable with a text editor and before you start, backup your files.
Manually Create a New PHP Login File
By default, the wp-login.php file contains all the code that generates the login page, and handles the login sequence. We will use the code from wp-login.php in our new file.
There are only 5 things we need to do:
- Create a new file.
- Copy the code from your wp-login.php, then paste it into your new file.
- Replace each instance of wp-login.php with the new file name.
- Delete the wp-login.php file.
- Login through your new URL.
1. Create a New File
Create a new file from the text editor and save it into your root folder. Name this file whatever you want your login url to be. In this example I named it site-login-month-year.php but I could have a login URL like ‘organic-seo=october%21-login.php’ to make it difficult to know my login.
2. Copy and Paste the Code
Next open up the wp-login.php file, select all the code, and copy it into your new file site-login-month-year.php . Make sure to save it. You may have to do this locally.
3. Find and Replace the String “wp-login.php”
Now find and replace every instance of “wp-login.php” in the file – then replace it with your new file name site-login-month-year.php . Notepad++ has a find and replace function I can use to hunt down every instance of “wp-login” and replace it quickly.
4. Delete the wp-login.php File
Now you can delete wp-login.php. Don’t worry, you will still have your backup in case something goes horribly wrong.
5. Test Out Your New Login URL
Now you should be able to login by navigating to your new URL. In my case, it’s localhost/test/wordpress/ site-login-month-year.php . Any http requests to the /wp-login.php, or /wp-admin directories will lead visitors to a 404 not-found page.
As you know, this article is about how you can change the WordPress URL login without using any plugin. Hopefully, you could understand the whole process and that you will now regularly review your website access security. If you have any sort of problem, feel free to contact us and I’ll be right back to you to help keep your site secure and of course super fast.