How to Change WordPress Login URL Without Using Plugins

Learn how to change the WordPress login URL securely without relying on third-party plugins. This step-by-step guide walks you through editing your theme’s functions.php file to keep your WordPress site safe from potential login page attacks.

Introduction

The default WordPress login URLs, /wp-admin or /wp-login.php, are well-known and often targeted by hackers attempting brute force attacks. By customizing your login URL, you can significantly reduce unauthorized login attempts and strengthen your site’s security. In this guide, we’ll show you how to change the WordPress login URL without using any plugins, keeping your site fast and secure.

Why Should You Change WordPress Login URL?

One of the easiest ways to protect your site from unwanted login attempts is to hide the default login URL. Hackers often use automated scripts to target common login URLs like /wp-login.php, but by changing it to a custom URL, you immediately decrease the likelihood of such attacks.

Changing the WordPress login URL helps you:

  • Avoid brute force attacks targeting the default login page.
  • Reduce login attempts by bots.
  • Keep your site more secure without the need for additional plugins.

By changing the WordPress login URL, you’re taking a proactive step toward improving the security of your site.

Change WordPress Login URL

Requirements: Use a Child Theme for Customization

Before making changes to your theme files, it’s crucial to use a child theme. Directly modifying your theme’s functions.php file without a child theme could result in losing your customizations when the theme gets updated.

If you haven’t already created a child theme, refer to this guide on how to create a child theme in WordPress. Using a child theme will protect your changes and ensure that any theme updates won’t overwrite your modifications.

Step 1: Backup Your WordPress Site

Before proceeding, always create a backup of your WordPress site. This ensures that you can easily restore your site if something goes wrong during the process.

You can use plugins like UpdraftPlus, All-in-One WP Migration and Backup or Duplicator to create a full backup, or manually download your files and database via cPanel or an FTP client.

Step 2: Open Your Child Theme’s functions.php File

Next, you’ll need to access your child theme’s functions.php file. This file allows you to add custom code that will modify the behavior of your WordPress site.

You can access this file through:

  • FTP clients like FileZilla.
  • cPanel’s File Manager.
  • The WordPress Theme Editor in the admin dashboard (Appearance > Theme File Editor).

Step 3: Add the Code to Change the WordPress Login URL

To change your WordPress login URL, add the following code snippet to your child theme’s functions.php file. This code will replace the default login URL with a custom one of your choice.

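// Add this code to your child theme's functions.php file
// Assumes a single-site install served from the domain root.

// Point every login link WordPress generates at the custom URL
function custom_login_url($login_url, $redirect, $force_reauth) {
    return home_url('my-custom-login', 'relative');
}
add_filter('login_url', 'custom_login_url', 10, 3);

function handle_custom_login_and_redirects() {
    // Compare only the path, so URLs with a query string (?action=..., ?redirect_to=...) still match
    $request_uri     = isset($_SERVER['REQUEST_URI']) ? wp_unslash($_SERVER['REQUEST_URI']) : '';
    $current_path    = untrailingslashit((string) wp_parse_url($request_uri, PHP_URL_PATH));
    $is_custom_login = ($current_path === '/my-custom-login');

    // Redirect logged-in users trying to access login page to admin dashboard.
    // This check has to run before wp-login.php is loaded, and requests that carry
    // an action (such as logout) must still reach wp-login.php.
    if ($is_custom_login && is_user_logged_in() && !isset($_REQUEST['action'])) {
        wp_safe_redirect(admin_url(), 302);
        exit();
    }

    // Handle custom login URL
    if ($is_custom_login) {
        // wp-login.php expects these variables in the global scope
        global $error, $interim_login, $action, $user_login;
        require_once ABSPATH . 'wp-login.php';
        exit();
    }

    // Redirect wp-admin and wp-login.php to home when not logged in
    if (!is_user_logged_in() && in_array($current_path, array('/wp-admin', '/wp-login.php'), true)) {
        wp_safe_redirect(home_url(), 302);
        exit();
    }
}
add_action('init', 'handle_custom_login_and_redirects', 1);

// WordPress core has no 'login_form_action' filter. The login, lost-password and reset
// forms build their URLs with site_url('wp-login.php...'), so rewrite those instead;
// otherwise the forms would post to the blocked /wp-login.php.
function custom_login_site_url($url, $path, $scheme) {
    if (is_string($path) && strpos(ltrim($path, '/'), 'wp-login.php') === 0) {
        $url = str_replace('wp-login.php', 'my-custom-login', $url);
    }
    return $url;
}
add_filter('site_url', 'custom_login_site_url', 10, 3);

// Ensure password reset and registration work with custom URL
function custom_login_url_for_actions($login_url, $redirect, $force_reauth) {
    $action = isset($_GET['action']) ? sanitize_key(wp_unslash($_GET['action'])) : '';
    if (in_array($action, array('resetpass', 'rp', 'register'), true)) {
        $login_url = add_query_arg('action', $action, $login_url);
    }
    return $login_url;
}
add_filter('login_url', 'custom_login_url_for_actions', 11, 3);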

Here’s what this code does:

  1. A single function handle_custom_login_and_redirects() manages all URL handling and redirects, simplifying the code structure.
  2. This function is set to run very early in the WordPress process using the init hook with priority 1.
  3. $_SERVER['REQUEST_URI'] is used to check the current URL, which is more direct than WordPress’s internal routing.
  4. wp_safe_redirect() is used for all redirects, as it’s the secure, WordPress-recommended method for redirections.

By using wp_safe_redirect(), the code adheres to WordPress best practices and ensures that all redirects are handled in a secure and consistent manner.

Replace /my-custom-login/ with the custom login URL you’d like to use. This will now serve as your new login URL, effectively hiding the default /wp-login.php page.

Step 4: Test Your New Login URL

After adding the code, log out of your WordPress dashboard and attempt to log back in using your new URL. For example, if you set the custom login URL as /my-custom-login/, navigate to https://yourdomain.com/my-custom-login/ to log in.

If the new login page loads successfully, your changes have been applied correctly.
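
To run the same check from a terminal, the script below requests the custom and default login paths and reports whether each one behaves as this guide describes. It is an added example, not part of the original guide; it assumes curl is installed, and the site URL and slug passed to it are placeholders for your own values.

```shell
#!/usr/bin/env bash
# Added example: checks a site against the behaviour this guide describes.
# Usage: ./check-login.sh https://yourdomain.com my-custom-login  (placeholder values)

# verdict STATUS LOCATION EXPECT SLUG -> prints "ok" or "FAIL: <reason>"
#   EXPECT=login  : the path must serve the login form (HTTP 200)
#   EXPECT=hidden : the path must neither serve nor point to the login form
verdict() {
    status=$1; location=$2; expect=$3; slug=$4
    if [ "$expect" = login ]; then
        [ "$status" = 200 ] && echo ok || echo "FAIL: expected 200, got $status"
        return 0
    fi
    case "$status" in
        301|302|303|307|308)
            case "$location" in
                *"/$slug"*) echo "FAIL: redirect reveals the login URL" ;;
                *) echo ok ;;
            esac ;;
        403|404) echo ok ;;
        *) echo "FAIL: unexpected status $status" ;;
    esac
}

# probe URL -> "STATUS REDIRECT_TARGET", without following the redirect
probe() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code} %{redirect_url}' "$1"
}

# check_site SITE SLUG -> one line per path; return value is the number of failures
check_site() {
    site=${1%/}; slug=$2; failures=0
    while read -r expect path; do
        result=$(probe "$site$path") || result="000 "
        outcome=$(verdict "${result%% *}" "${result#* }" "$expect" "$slug")
        printf '%-7s %-42s %s\n' "$expect" "$path" "$outcome"
        [ "$outcome" = ok ] || failures=$((failures + 1))
    done <<EOF
login /$slug
login /$slug/?action=lostpassword
hidden /wp-login.php
hidden /wp-login.php?action=lostpassword
hidden /wp-admin/
hidden /wp-admin/index.php
EOF
    return "$failures"
}

# Only contact a site when both arguments are given
if [ "$#" -ge 2 ]; then check_site "$1" "$2"; fi
```

A FAIL on a /wp-admin/ path means WordPress's own authentication redirect still sends logged-out visitors to the custom URL, so treat the new URL as a way to cut bot traffic rather than as the only protection on the login form.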

Step 5: Update Bookmarks and Notify Admins

Once you successfully change the WordPress login URL, it’s important to update any bookmarks or saved links pointing to the default login page. If you have other administrators or users on your WordPress site, notify them of the new URL so they don’t encounter a 404 error when attempting to log in.

Troubleshooting Common Issues

1. 404 Error on Custom Login URL

If you encounter a 404 error when trying to access your new login page, double-check that the code in your functions.php file is correct and that you replaced /my-custom-login/ with your desired URL.

2. Unable to Access WordPress Admin

In rare cases, you may lose access to the WordPress admin area after changing the login URL. If this happens, access your site via FTP or cPanel, navigate to your theme’s functions.php, and temporarily remove the code snippet to regain access.

Benefits of Changing the WordPress Login URL

  • Enhanced Security: Brute force attackers and bots will no longer be able to target your default login page.
  • No Extra Plugins: You achieve added security without the need for additional plugins, which can slow down your site.
  • Customizable: You have full control over the URL and can easily modify it to fit your needs.

By changing your WordPress login URL, you’re implementing a smart security tactic that helps shield your site from unwanted access attempts.

Conclusion

With just a few lines of code added to your child theme’s functions.php file, you can easily change the WordPress login URL and enhance your site’s security without relying on third-party plugins. This simple change reduces the chances of unauthorized login attempts and keeps your WordPress site safe.
