This is the first post in a new series on WordPress security. Today we will discuss how to change the default URL for logging into the WordPress administration page. What is great about this tip is that it can be applied without any access to the server hosting your website. A quick word of caution though: if you forget the new login URL that you configure, as explained later in this post, you will be locked out of your website's administration page. This is obviously a very bad situation, and the only way to fix it is to gain access to the server hosting your website if you do not currently have it. I will explain at the end what to do if you are able to get access to the web server.
With security there is always a trade-off between usability and security. Typically, the more secure a solution is, the more difficult it is to use. For example, consider the following two passwords:
The first password is very easy to remember; unfortunately, it is also very easy to crack: it is only 5 characters long, and it consists only of the digits 1 to 5 in sequence. The second password, on the other hand, is very secure. It is 20 characters long, it mixes numbers, letters and even symbols, and it contains no natural words. These are all good practices to follow when creating a password, but unfortunately the second password is also very hard to use because it is so difficult to remember. Thankfully there are tools out there like lastpass.com that let you use much more secure passwords without having to remember them all. This is also why the passwords WordPress generates by default look a lot more like the second example than the first. Therefore, the first and probably most important tip for securing your website is to have a good, secure admin password, but that should go without saying!
In addition to having a secure admin password, you can take a further step to secure access to the website login page: change the URL you use to reach the login page from the default to something different. This uses a principle called “obfuscation”. Obfuscation can be defined as “the action of making something obscure, unclear, or unintelligible”. In our example, if someone doesn’t know where to go to log into the administration portion of your website, then they can’t try to break into it. You’ve made the access obscure by changing the URL from the default value that everyone knows to a value that no one knows except yourself. The login page is still accessible; it’s just in a place that is unexpected. Obfuscation is a common technique in security. Another example of applying obfuscation is changing the default SSH port on a server from 22 to something else. This means that when a hacker scans your server for port 22, they will not find it and will move on to an easier target that still has port 22 exposed.
WPS Hide Login Plugin
So you may be wondering how to change the default URL used to log in to a WordPress website. Well, you guessed it: there is a plugin you can install to apply this change, and it’s called WPS Hide Login. The default URL a WordPress website uses for logging in is example.com/wp-login.php. This plugin allows you to change wp-login.php to whatever value you like, so you could change it to something like example.com/my-login. After you install the plugin, you are given some additional settings at the bottom of Settings -> General where you indicate what you’d like the new URL to be. Here is an example of what that configuration looks like, with new-login-value being what replaces wp-login.php:
Once you’ve applied this change you will no longer be able to reach the administration login page at wp-login.php, so it’s very important to write down or bookmark the new URL so you don’t forget it; otherwise it can be difficult to get back into your website, which would be a huge issue.
What to do if you lock yourself out
First, you need access to the server hosting your website so that you can rename or delete folders and files on it. Assuming you have that access, do the following to restore access to the website admin login page:
- Log into your web server and go to the following path relative to your WordPress install: wp-content/plugins
- Rename the plugin’s folder in the plugins directory to something other than wps-hide-login
- Open a browser and try the original URL with wp-login.php (i.e. www.example.com/wp-login.php); if that does not work, append wp-admin to your website’s root domain (i.e. www.example.com/wp-admin). One of these should bring up the login form, at which point your access has been restored.
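The recovery steps above as a small shell helper. This is an added example, not code from the original post or from the plugin; it assumes the WordPress root directory is passed as its first argument, and it renames the plugin folder (to wps-hide-login.disabled) rather than deleting it, so the plugin can be restored later by renaming it back.

```shell
#!/bin/sh
# Restore the default wp-login.php URL by renaming the WPS Hide Login
# plugin folder. WordPress deactivates a plugin whose files are missing,
# so the hidden login slug stops applying on the next request.
# Usage: disable_wps_hide_login /path/to/wordpress
disable_wps_hide_login() {
  wp_root="$1"
  plugins_dir="$wp_root/wp-content/plugins"
  plugin_dir="$plugins_dir/wps-hide-login"
  disabled_dir="$plugins_dir/wps-hide-login.disabled"

  # Refuse to act on a path that is not a WordPress install.
  if [ ! -d "$plugins_dir" ]; then
    echo "not a WordPress install: $plugins_dir is missing" >&2
    return 1
  fi

  # Nothing to do if the plugin folder is already gone or renamed.
  if [ ! -d "$plugin_dir" ]; then
    echo "wps-hide-login not present; wp-login.php should already work" >&2
    return 0
  fi

  # Do not clobber an earlier backup of the plugin folder.
  if [ -e "$disabled_dir" ]; then
    echo "refusing to overwrite existing $disabled_dir" >&2
    return 2
  fi

  mv "$plugin_dir" "$disabled_dir" || return 3
  echo "renamed $plugin_dir -> $disabled_dir; try /wp-login.php or /wp-admin now"
  return 0
}

# Run directly with a path argument; sourcing the file only defines the function.
if [ "$#" -gt 0 ]; then
  disable_wps_hide_login "$1"
fi
```

To re-enable the plugin afterwards, rename wps-hide-login.disabled back to wps-hide-login; the hidden login slug configured under Settings -> General is kept in the database and applies again.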
If you need help working on a WordPress website or if you need someone to write custom software for you we would love to help. Feel free to request a free quote from us and we’ll get back to you as soon as possible!