Security WordPress

How to Rename the Default Login URL of WordPress?

In cryptography, Brute force is a sophisticated attack technique, which is used to guess the passphrase of various types of online as well as offline accounts. This technique is generally utilized to guess the passwords which are shorter in length. When it comes to guessing lengthy passwords, a hacker may use a more sophisticated attack technique known as Dictionary Attack, because brute force takes a whole lot of time (in months and sometimes in years) in guessing lengthy passwords. Keep in mind that no matter how much time brute force takes to guess a password, chances are very high that it will always succeed, while for dictionary attack there is no guarantee of success!

A hacker may use above mentioned techniques on your blog’s login page i.e. /wp-login.php to guess the password of your administrator account. For example, if your administrator account username is set as admin or Admin or ADMIN, then chances are very high that a hacker might be able to guess your password very easily.

When a hacker starts guessing password using above mentioned techniques, he may constantly hit your /wp-login.php page from several different IP addresses. This may also result in high CPU and RAM usage on your server and your host may start sending you warning emails. In order to get rid of this problem you should rename your dashboard’s login URL to something else.

For this install Rename wp-login.php plugin for your self-hosted installation. Once the plugin has been successfully installed, activate it and you will be automatically redirected to your WordPress’s Permalinks Settings page:


On this page you are required to enter your alternate login URL slug which you want to use with your blog instead of /wp-login.php. Once entered click on save changes button and your blog’s login page will now be served via the URL you just entered above.

After this /wp-login.php will start serving 404 Not Found HTTP header to all your blog visitors as well as to various types of good and bad crawlers. Although keep in mind that if a hacker still keeps on hitting your site’s /wp-login.php page (which is now returning 404 error), your CPU/RAM usage may still spike on your server. To solve this problem you can return a 403 forbidden error for /wp-login.php page for everyone:


A 403 forbidden HTTP header tells your visitor’s browser as well as search engine bots that your server is currently available and understands your request, but it denies to take any further action on it. In short your server have permanently denied access to the requested resource.

In order to show a 403 forbidden error for your blog’s /wp-login.php page, login to your cPanel account and click on File Manager’s icon. cPanel’s interface will now ask you to which directory you’d like to go in File Manager? Select Home Directory present at the top of the box and click on GO button:

home directory

A new window/tab will open and you will be able to see all the contents of your home directory in it. In this directory you will see a .htaccess file present. Right click on it and then select Edit or Code Edit:


File Manager will now ask you to select the encoding using which you want to open the file in your browser. Select the encoding as UTF-8 from the drop down menu and click on edit button:


The file will now open in a new code editor window, where you are required to enter following lines of code in it:

<Files “wp-login.php”>

Order Allow,Deny

Deny from all


Once you have entered above lines of code, click on save changes button present at top right corner of the screen and it’s all done.

Important Notes:

  • The plugin don’t modify any core files of your installation. It also don’t enter any custom re-write rules in your .htaccess file. If you ever want to uninstall the plugin, then feel free to do so without any worries.
  • If you are using cache plugins like WP Super Cache, W3 Total Cache, Hyper Cache etc. with your installation, then you should enter your new login slug to the list of pages that the plugin should not cache.
  • If you ever uninstall the plugin from your installation, then your login URL will again become and the custom login URL will now start serving a 404 not found error. If you do so, then make sure that you also remove the Order Allow, Deny code, which you entered so that a 403 forbidden error can be returned, from your .htaccess file.