How and why you should change your WordPress website login URL
If you have a WordPress website, you need to secure your website against attackers.
Today, WordPress is dominating the website market. It means that almost 50% of existing sites are built on the WordPress platform.
Therefore, these websites could be vulnerable and weak against any attack. WordPress default login page is the same for all websites that are built on these platforms. If any of them keep the login page URL as it is, it will be easy for hackers to access the admin panel. But before diving into the topic, let us explain to you why hackers hack websites.
Why do hackers hack websites?
The first reason is about obtaining credit card information. Today, many shopping websites offer to keep credit card information in their database, so you can order easily next time without typing the required information again. These databases are essential for hackers because they can quickly access the most critical information about your credit cards.
But let's say you don't have credit card information on your website. Then the second reason is about stealing contact/personal information that can later be sold to unethical marketers.
There are a lot of cases similar to this argument as they had data leaks and millions of people affected (e.g., Google mail service, Apple iCloud service, etc.)
The other reason is that you can be hacked for usernames and passwords to control the server your website is hosted on. It means they can get your information and other websites’ data over the same server.
Another reason could be malvertising your website, which the hacker can later send spam or phishing emails to your subscribers. In addition, it can lead to SEO spam using your website’s authority, which hackers can promote fake information on Google or any other classified search engine.
Why change the WordPress login URL?
If you have a standard WordPress website, then most probably, the admin login panel's URL is the same as the default one. If so, then it is easy to guess and access the login page. In brief, to get to the login page, all you have to do is go to /wp-admin or wp-login.php.
You may think who is interested in the login page of your WordPress website.
You never know, but hackers try to guess login and password to take control of your website. If they can't access the admin panel, then the site's login page can see malicious login attempts on a startlingly regular basis.
As a result, with simple Brute-Force tools, hackers can bring down your whole website with ease by hitting it multiple times to guess your login password.
How to prevent malicious login attempts?
Even if you're not a WordPress expert, understanding how to hide the WordPress login page may help you keep your website safe. As we mentioned above, in most cases, hackers can access your website's login page through /wp-admin or /wp-login.php page. However, if you change the login page URL or hide it, hackers will not easily access your admin panel.
Of course, this security plan is only one option to secure your WordPress website. You need to take care of your website's element to make it more secure and robust over the internet.
But in this article, we will focus on changing the login page URL. There are two options that you can prevent attacks:
1. Change your WordPress login URL
2. Hide your wp-admin or wp-login page
You can hide or change your website’s login page through your website’s code. However, we do not recommend making any modification in the source code if you are familiar with.
Because you need to change several lines in the several elements to ensure that your website will function properly again, the good news is that several plugins can help you hide the login page URL safely.
You already know that when you want to access your WordPress website's backend, you need to add wp-admin at the end of your domain name. It usually looks like this:
WordPress offers an array of plugins that can be used to hide your login page URL. Each plugin has unique features that can enhance your WordPress website's security.
However, these plugins generally allow you to mask WordPress login URLs by redirecting them to another URL. Here are some best plugins that you can use for your website:
- WPS Hide Login
- WP Hide & Security Enhance
- iTheme Security
Once you download and install a plugin, activate it and follow recommended settings by the WordPress app. Different plugins have different methods to hide the login. Therefore, before installing and using the plugin, review the comments, tutorials and installation activities to determine your needs from the service.
WPS Hide Login Plugin
This article will talk about WPS Hide Login Plugin as it is the most straightforward and user-friendly login plugin out there. It has over 1 million active installations and an excellent user rating. This plugin makes it easy to use a custom URL after installation and activation by replacing the default login URL.
This plugin is a super light plugin that does not increase your site load time and protects SEO settings. In addition, it lets you quickly and safely change the login page URL to anything you want.
Theoretically, you may think that it changes default settings, but no. WPS Hide Login does not rename or modify any file in the core. It simply intercepts page requests and works on all WordPress websites. The admin page (wp-admin) directory becomes inaccessible; therefore, you must remember or save your new login page as a bookmark.
Moreover, if you want to bring everything back, it is also super easy. Deactivating the plugin will get your website back to the state it was before.
The plugin requires WordPress 4.1 or higher. Therefore, make sure that your WordPress version is compatible with the plugin requirements. If you use a page caching plugin (except WP Rocket), you have to add the new slug to the list of not to cache.
Installation of the plugin is the same as other plugins.
- Open your WordPress website and log in to the WP Admin dashboard.
- Click Plugins and then "Add New."
- Search for WPS Hide Login.
- Once you find it, click install and then activate it.
- Activation will redirect you to the settings. Change your admin page login URL here.
- You can change this option any time by going back to Settings – General – WPS Hide Login.
What if you forget your login URL?
Well, it can happen anytime. If you forget your login URL, you can restore your previous WordPress version if you backed up before. Another option is to go to your MySQL Database and look for the value of whl_page in the options table.
Finally, you can remove wps-hide-login folder from your plugins folder. This step will restore your previous settings, and you will access your admin dashboard using the wp-admin URL.
Hiding your WordPress login URL is an essential step for your website's security.
Setting up multiple security barriers to your WordPress website makes it difficult for hackers to break into your website. Implementing several security practices protects your website from brute-force attacks as well.
Simply hiding the URL is not always practical; therefore, we will have a particular article on WordPress website security.
Until then, stay tuned!