For the past few years the Shield Security plugin for WordPress has been demonstrating its ability to thwart attempts to compromise websites, with its many layers of protection.
One the most important of these layers is the user login protection system. Shield locks down your WordPress login against automated bots and brute force login attacks.
It does this using simple techniques. Rather that use complex analyses of IP addresses and the like, it takes advantage of how humans use websites versus automated bots.
The result is a highly effective system that protects WordPress websites like no other.
Hide The WordPress Login URL – wp-login.php
One of the core tenants of Shield is to never make file system changes – never touch WordPress core files, or write to the .htaccess.
This feature is no different. We don’t touch your wp-login.php, nor do we block it using .htaccess rules. We simply prevent it from being loaded directly using the standard WordPress login url – wp-login.php
Simply the Shield plugin with the URL you want to use as your login, and that’s what you’ll use thereafter.
You will of course need to remember that login URL, because if you forget it, you’ll not being able to login. WordPress will never tell you what it is. In fact, it’ll deny all knowledge of its existence and you’ll reach a 404 page, as if it doesn’t exist.
The same is true for your WordPress Admin (wp-admin). If you attempt to access this and you’re not logged in, you’ll be shown a 404 error. It wont automatically redirect you to the WordPress login screen (which is standard WordPress behavior).
How exactly do we rename the WordPress login page?
It’s a fairly simple process, but basically involves hooking into wherever WordPress normally loads wp-login.php. The wp-login.php is the only file within the WordPress core that handles the WordPress user sign-on process.
Therefore, without direct access to that file, no-one can log into your WordPress sites.
What better way to prevent login to your WordPress site than to hide your WordPress login page altogether.
The new plugin option can be found under the “Login Guard” module of the Shield Security plugin.
Simply supply a string of text (letters and numbers are supported) and this will immediately become your new login URL.
Please note: We do not rename or touch the original wp-login.php file.
How to change your WordPress Login URL
Take this website for example. The address is
If I put “mysecreturl” into the option to rename the WordPress login page, then my new login url will be:
This option only permits letters and numbers, and only when Permalinks are enabled for your site.
Important points to note about your hidden login URL
Simply supplying anything in this option will enable your secret login URL. When you do this, you need to understand that a few things will change in the behavior of your website:
- Normally when you try access your WordPress admin area you are automatically forwarded to the login page. To ensure your login page remains hidden, you will receive a 404 page not found error instead. It will appear as if your WordPress admin doesn’t exist! But it does – you must log in to your site to see it.
- If you try to access your old wp-login.php page, you will also receive a 404 page not found error. Again, this is used to mask the fact that the file exists.
- If you have plugins that use hard-coded redirects to your wp-login.php, these will fail to redirect you correctly. Please contact the author to explain that they should use the native “site_url()” function within WordPress.
- This feature is not tested with WordPress Multisite – if you have issues, please provide feedback to help.
Please provide suggestions!
This plugin feature was only implemented upon the repeated requests from several users of the plugin. You make this plugin what it is, and any ideas, feedback, or suggestions you may have are necessary to keep this plugin up-to-date and relevant.
Thank you to everyone who has made suggestions and helped with testing of this plugin.