A strong, unique password can help prevent unauthorized access to your WordPress site. However, attackers have clever ways to get around this. Therefore, this is not always enough to properly protect your site from attacks.
Fortunately, you can reduce the risk of hackers entering your site by moving your WordPress login page to a new URL. This puts you in a better position to defend against hackers and violent attacks.
This article will take a closer look at why you should consider changing your WordPress login URL. Then we will show you how to find your login URL and modify it in two different ways.
Why to modify the WordPress default login link
Since WordPress does not hide your login page, any user can find it, as long as they know how WordPress constructs its URL. The default structure of a login page looks like this:
https://example.com/wp-login.php
This means that when users insert your site name into the above URL structure, they should see a page in the browser that prompts them to log in to the back end of your site:
Of course, users will lack credentials to access your site.
For simplicity, many people like to stick to this default wp-login structure to log in to WordPress. However, if you leave it as it is, you are actually giving half of your login credentials to the attacker.
If your password is ordinary, weak, and easy to guess, it’s especially dangerous. In short, this is an unnecessary loophole and is easy to solve.
You can protect your login page more thoroughly by changing your WordPress login URL. Therefore, you can prevent unauthorized access to your website and reduce the risk of violent attacks.
How to find your WordPress and log in to URL
As we mentioned in the previous section, WordPress uses a standard login link structure that looks like this:
https://example.com/wp-login.php
So, all you have to do is add a suffix to your domain name, and then you should log in to your login page. You can also try to visit your WordPress dashboard to find your login page when you log out. Just type “yourwebsite.com/wp-admin” in the search bar and you will log in to the same login page.
Keep in mind, however, that some virtual hosts automatically change your WordPress login page for security reasons. Therefore, you may already have a custom login URL. We will show you how to find it in the next section.
How to find a custom WordPress login link
If your web host changes your login URL, you can usually find it in your email or in your control panel. Some hosts even include one-click links to the WordPress management panel, which may be useful.
However, if you cannot use one of these options to identify your custom login URL, you can find it manually. All you need to do is connect to your website using SFTP.
You can use a client like FileZilla. Remember, you will need your FTP credentials, which you can get from your virtual host. Then, open the root folder that contains the login link. This folder is usually marked as public_html (the server environment that seems to be used).
Locate and open the wp-login.php file and look at the string read as site_url. This will result in a line of code that specifies your custom login URL.
How to modify the WordPress login link
Now that you know where to find your WordPress login URL, let’s see how you can change it in two simple ways.
Method 1: change your WordPress login link with the plug-in
The easiest way to change your WordPress login URL is to use a plug-in. Fortunately, there are many plug-ins that can do this.
WPS Hide Login is a great choice because it is lightweight. It allows you to safely change your WordPress management login page to whatever you want.
Better yet, WPS hidden login also prevents all logged-in users from accessing the wp-admin directory and wp-login.php.
To get started, you need to install and activate the plug-in. Then, go to the settings & gt;WPS Hide Login:
Here, you can enter a new login URL and click Save changes. It’s that simple. This plugin also has a very active support forum, if you need any help, you can check it out.
Keep in mind that once this plugin is activated and you make changes, you will not be able to access your old login screen. Instead, you will be directed to the new login interface you created.
According to our example above, you now need to type “/ login” after your domain name to visit your website. Also, keep in mind that if you disable the plugin, your site will revert to using wp-admin and wp-login.php.
Method 2:Change your WordPress login link by editing your wp-login.php file
This second method is a bit tricky and is only suitable for experienced users. Therefore, before you begin the following steps, it is best to make a new backup of your website in case something goes wrong.
It is also important to know that when you update your theme, your changes may revert to the previous settings. However, you can avoid this problem by using a subtheme.
First, you need to access your root folder, which you can do through your file manager or using FTP. Again, you are looking for a folder called public_html.
Under the root directory, locate the wp-login.php folder. This is where the code for the login page of your site is generated:
Once you have found this file, you can download a copy of it to your computer. Then, open the folder with a text editor such as Sublime or Notepad++.
Ideally, it is best to use an editor that provides a search and replace tool. In this way, you can change all existing WordPress login URL instances more quickly.
If you can use it, use the search tool to find each instance of the wp_login_url string:
Then, change these strings to the new login links you want to use. Remember, you can keep it simple and direct, as long as it’s original (and different from the default). For example, you might prefer something like access.php or wp-new-login.
Once you are satisfied with your changes, save and close the editor. Then rename the file (such as access.php) with the new URL of your choice.
Now you can use your FTP client or file manager to upload new files to your root directory. Just select the modified login file from your computer. Then, use the “login_url” filter hook to register the new login file. This allows you to use any page as your login page, as long as it contains a login form.
To do this, navigate to wp-content & gt; themes and find your theme function file. Select your active theme and open the functions.php file.
Now that you are here, you can paste the following line of code into the file:
/ * * Change WP Login file URL using "login_url" filter hook * https://developer.wordpress.org/reference/hooks/login_url/ * / add_filter ('login_url',' custom_login_url', PHP_INT_MAX); function custom_login_url ($login_url) {$login_url = site_url ('wp-your-new-login-file-name.php',' login'); return $login_url;}
Then remember to save your changes.
It is important to test your new login before deleting old files. To do this, simply enter the domain name of your site and add your new login URL at the end. Then, if you see WordPress’s login form, you can delete the original wp-login.php file.
Other ways to protect the WordPress login process
Changing your WordPress login URL is good for strengthening the security of your website. However, that’s not all you can do. Here are some other ways to protect your WordPress login process.
1. Restrict login attempts
When you restrict login attempts, you can prevent hackers and robots from trying to access your site by trying hundreds of usernames and passwords. This is particularly important because violent attacks are the second most common type of online threat.
The easiest way to do this is to use one like Limit Login Attempts Reloaded.
This plugin starts working after it is activated on your website. By default, users have four login opportunities before being locked out of WordPress. However, you can access the settings of the plug-in to modify this:
Here, you can also determine how long the user will be locked out. On your dashboard, you will see how many violent attacks have been blocked by the plug-in. In addition, you can switch to the log tab and manually block specific IP addresses.
Implement two-step authentication
Two-step authentication requires users to submit more than their standard login credentials. Instead, the user is required to generate a second key in real time. This is usually a code sent via SMS SMS, email, or application:
Since robots and hackers cannot generate a second key, this is a good way to prevent unauthorized access to your site. One of the best ways to add this feature to your site is to use plug-ins like miniOrange:
Once activated, enter a new miniOrange 2-Factor link in your administrative area and findAccountPart. In order to configure the plug-in, you must register an account. It’s completely free. It only takes one minute. Then you will receive a code that enables you to verify your email.
At this stage, navigate toTwo Factor, using theSetup Two FactorLabel. Here, you can choose the authentication method you like. For example, you can use Google Validator applications, text messages, QR codes, or security questions:
Finally, if you switch to the settings, you can enable two-step authentication for all users, specific users, and display your two-step prompt on the login page.
3. Use CAPTCHA
CAPTCHA or reCAPTCHA provides an extra layer of security for your site. Typically, it is used to control access to sensitive pages. More importantly, it can prevent robots from creating spam on your website or accessing personal information through order forms or login forms.
Similarly, a plug-in is the easiest way to enable CAPTCHA on your website. With reCaptcha, you can add a simple CAPTCHA check box to any table you like:
You need to install and activate the plugin on WordPress. Then, register your website with Google to retrieve your Google API key. At WordPress, you can go toGoogle Captcha& gt;SettingsEnter your key and determine which forms should use CAPTCHA.
4. Implement strong password
It’s a good idea to change WordPress’s login URL so that you don’t use the easily guessed “admin” suffix. However, if you continue to use weak or repeated passwords, putting your account at greater risk of attack, your efforts will be in vain.
In fact, only 24% of American Internet users use a different password for each of their online accounts. At the same time, only 44% of users use password managers to securely generate and store passwords.
In the future, it is best to choose long passwords with uppercase and lowercase letters combined with numbers and special characters. We also recommend using a password manager such as LastPass to get additional sense of security:
It is also important to encourage users with access to use strong passwords. You can explain this in the welcome email that users receive when they sign up for your site.
Summary
Ensuring foolproof security on your WordPress site can be a challenge. Fortunately, you can do this by changing your WordPress login URL. In this way, your login page is almost impossible to find unless you provide your new, custom login URL to the user.
There are two ways to change the WordPress login to URL:
- Use a plug-in like WPS Hide Login.
- Edit your wp-login.php file.
